(Most) suggestions implemented and feedback
1. Change the hostname - understandable, but not something we can implement globally as it doesn't always make sense.
2. Alias for root - interesting idea. I'm discussing it with Liraz and we might implement it via an inithook, no promises though.
3. Change postfix myhostname - done. In 11.0RC we uncommented myhostname so postfix would calculate it on the fly. In retrospect I don't think this was the best solution, so I've updated it to be set to localhost.
4. Set the default locale - done. The default LANG is en_GB, but I've added /etc/default/locale. Specifying UTF-8 has performance issues (google it), and I can see a good reason for it. Open to discussion.
5. Install logrotate, logwatch, fail2ban, bsd-mailx - partly done. logrotate has been added to core. logwatch is currently in discussion together with postfix alias as they are related. fail2ban isn't a good global fit, but is an interesting project that should be documented. Same goes for bsd-mailx.
6. Fail2ban apache-access - see 5
7. Enable fail2ban jails - see 5
8. NTP per VMware recommendations - done. I wasn't aware of tinker panic 0, excellent workaround. I also updated the ntp pool servers.
9. Securing file permissions and ownership - it's a drush issue. It could be worked around by using setuid/setgid on the containing folders. Regarding using the root account, we have had this discussion somewhere on the forum, I'll try to find a link and post it for reference.
Again, thanks for all the feedback! If you have more, let us know.