Firewall Wizards mailing list archives
Re: Custom Unix server installations -- to harden extensively ?
From: John Adams <jna () retina net>
Date: Tue, 13 May 2003 18:19:43 -0700 (PDT)
On Tue, 13 May 2003, Julian Gomez wrote:
So, what do most of you all do : a) Leave the possibly-relevant future packages, intact on the system, and just perform permission tweaks ? b) Remove the packages, and when the need arises, reinstall the packages -- I have to note here that alot of cross-dependencies make this hell. At least on RH, if there is opinion on different distributions which make this somewhat painless, closest thing which might be relevant, I think is FBSD's ports system (though I haven't used it myself) ? c) Leave the server, its screwed anyway because local users have access :-)
What I usually do is work around this philosophy: * All boxes are built from a single, universal jumpstart/kickstart server * No single box should be so important that you can't blow it away and reinstall at whim. * The "personality" of the machine is saved on the centralized jumpstart/kickstart server. * No admins are allowed to modifiy individual boxes, unless those changes are put into CVS and can be easily recalled into a newly-jumped machine. * Remove all unnecessary packages. You don't need them because you won't be building anythiing on the subordinate hosts. * Compile and build software on a single, centralized host. Push packaegs/RPMs out to boxes when needed using SSH or NFS, but update the relevant jumpstart/kickstart machine profile when you do this, so you know what's installed where and can rebuild at whim.
I'm beginning to really wish for a CD which would have all this spare software which can be loaded, do its work, and then unloaded directly, without having any permanent storage on the host's filesystem.
For Solaris, use JASS. For linux, use Kickstart with a custom configuration. Never underestimate the power of network based O/S installs. See, most of my thoughts here are based on the fact that a machine -will- go down, or that it -will- be compromised in such a way that requires a rebuild (think: web farm, app farm, database, etc.), or, that you have a need to replicate boxes at will (increasing the size of the web farm for capacity reasons, etc.) This has always worked for me in the past and made my life as an admin very easy. No more do you have to fuss over a single box's configuration, or worry what version of what software you have installed where. The central box knows all. -john -- J. Adams http://www.retina.net/~jna The secret of knowing where you are, is knowing what time it is. -- Anonymous _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Custom Unix server installations -- to harden extensively ? Julian Gomez (May 13)
- Re: Custom Unix server installations -- to harden extensively ? Paul Robertson (May 13)
- Re: Custom Unix server installations -- to harden extensively ? John Adams (May 13)
- Re: Custom Unix server installations -- to harden extensively ? Julian Gomez (May 15)
- RE: Custom Unix server installations -- to harden extensively ? Keith A. Glass (May 14)
- RE: Custom Unix server installations -- to harden extensively ? Ben Nagy (May 14)
- Re: Custom Unix server installations -- to harden extensively ? Carson Gaspar (May 14)
- Re: Custom Unix server installations -- to harden extensively ? Devdas Bhagat (May 15)
- Re: Custom Unix server installations -- to harden extensively ? Bill Royds (May 16)
- Re: Custom Unix server installations -- to harden extensively ? Marcus J. Ranum (May 15)
- Re: Custom Unix server installations -- to harden extensively ? Matthew Kirkwood (May 16)
- Re: Custom Unix server installations -- to harden extensively ? Devdas Bhagat (May 15)
- Re: Custom Unix server installations -- to harden extensively ? Crispin Cowan (May 14)
- Re: Custom Unix server installations -- to harden extensively ? Mason Schmitt (May 15)
(Thread continues...)