Re: Custom Unix server installations -- to harden extensively ?

[John Adams <jna () retina net>]

On Tue, 13 May 2003, Julian Gomez wrote:

> So, what do most of you all do :
>
>       a) Leave the possibly-relevant future packages, intact on the
>          system, and just perform permission tweaks ?
>
>       b) Remove the packages, and when the need arises, reinstall the
>          packages -- I have to note here that alot of cross-dependencies
>          make this hell. At least on RH, if there is opinion on different
>          distributions which make this somewhat painless, closest thing
>          which might be relevant, I think is FBSD's ports system (though
>          I haven't used it myself) ?
>
>       c) Leave the server, its screwed anyway because local users have
>          access :-)

What I usually do is work around this philosophy:

* All boxes are built from a single, universal jumpstart/kickstart server

* No single box should be so important that you can't blow it away and 
reinstall at whim. 

* The "personality" of the machine is saved on the centralized 
jumpstart/kickstart server. 

* No admins are allowed to modifiy individual boxes, unless those changes 
are put into CVS and can be easily recalled into a newly-jumped machine. 

* Remove all unnecessary packages.  You don't need them because you won't 
be building anythiing on the subordinate hosts. 

* Compile and build software on a single, centralized host. Push
packaegs/RPMs out to boxes when needed using SSH or NFS, but update the
relevant jumpstart/kickstart machine profile when you do this, so you know
what's installed where and can rebuild at whim.

> I'm beginning to really wish for a CD which would have all this spare
> software which can be loaded, do its work, and then unloaded directly,
> without having any permanent storage on the host's filesystem.        

For Solaris, use JASS. For linux, use Kickstart with a custom
configuration. Never underestimate the power of network based O/S
installs.

See, most of my thoughts here are based on the fact that a machine -will- 
go down, or that it -will- be compromised in such a way that requires a 
rebuild (think: web farm, app farm, database, etc.), or, that you have a 
need to replicate boxes at will (increasing the size of the web farm for 
capacity reasons, etc.)

This has always worked for me in the past and made my life as an admin 
very easy. No more do you have to fuss over a single box's configuration, 
or worry what version of what software you have installed where. The 
central box knows all. 
 
-john

-- 
J. Adams                                        http://www.retina.net/~jna

The secret of knowing where you are, is knowing what time it is. -- Anonymous


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards