Firewall Wizards mailing list archives

Re: Custom Unix server installations -- to harden extensively ?


From: Mason Schmitt <hr824 () sunwave net>
Date: 14 May 2003 12:37:07 -0700

On Tue, 2003-05-13 at 07:21, Julian Gomez wrote:

      b) Remove the packages, and when the need arises, reinstall the
         packages -- I have to note here that a lot of cross-dependencies
         make this hell. At least on RH, if there is opinion on different
         distributions which make this somewhat painless, closest thing
         which might be relevant, I think is FBSD's ports system (though
         I haven't used it myself) ?

I use Mandrake Linux for all our servers.  I have found them to be much
easier to harden (you really must check out "msec" I love it).  I
install only the minimum files needed for a particular server and then
don't really worry about others that may be needed down the road because
of Mandrake's wonderful urpmi.  If you haven't checked out urpmi, you'll
really appreciate it: unlike basic rpm installation, a la RH, it takes
care of all dependencies for you.
http://www.linux-mandrake.com/en/urpmi.php3

As well, no user on my servers is allowed to use the root password (no
one knows the root passwords, not even me - they are in a safe in a
sealed envelope), I use sudo for everything.  Now, given that urpmi can
only be run as root, I simply have entries in my sudoers file that give
specific people access to urpmi.  Since sudo logs every use of sudo and
I have a separate log machine for log files, I can see every piece of
software that gets installed using urpmi on my systems.

Just a little bit more about urpmi.  I mirror all distribution rpms,
updates, contribs, in-house modified rpms, etc on a local secured box,
that way I can update all boxes running on our network using urpmi's
parallel install functionality.  When I want to update a server I simply
type "sudo urpmi --update --auto-select".  urpmi figures out which files
have updates available, computes all dependencies, downloads the
necessary files from my server, checks to see that all signatures are
valid and installs the files.  Everything is logged to /var/log/urpmi. 
It's so easy :)

BTW, I'm not a Mandrake employee, nor do I make any money from selling
their product etc.  I'm a sysadmin at a small cable internet company. 
My enthusiasm for Mandrake and their tools (all of which are GPL) is due
to the pain and suffering I have endured with other linux
distributions.  Never again do I want to go through rpm dependency
hell...

      I'm beginning to really wish for a CD which would have all this spare
      software which can be loaded, do its work, and then unloaded directly,
      without having any permanent storage on the host's filesystem.

That's a cool idea.

If you want short term use of an app, you could do this with urpmi:
"sudo urpmi <package>", use the package for as long as you want, then do
"sudo urpme <package>".  Nice and simple with no headaches.


Mason
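
An added example (my code, not Mason's or Mandrake's): a small Python audit that reads the sudo syslog entries shipped to the central log host and reports who installed or removed which packages via urpmi/urpme, who was refused by sudo, and any sudo use that falls outside the urpmi-only policy described above. The sample log lines and hostnames are constructed, and the /usr/sbin paths for urpmi and urpme are assumed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The only commands the sudoers policy in the mail grants (paths assumed).
ALLOWED_COMMANDS = {"/usr/sbin/urpmi", "/usr/sbin/urpme"}

# sudo's syslog format: "<user> : [<refusal reason> ; ]TTY=.. ; PWD=.. ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Constructed sample: one day of sudo traffic forwarded from a server called web1.
SAMPLE_LOG = """\
May 14 09:02:11 web1 sudo:    mason : TTY=pts/0 ; PWD=/home/mason ; USER=root ; COMMAND=/usr/sbin/urpmi --update --auto-select
May 14 09:40:55 web1 sudo:    julian : TTY=pts/1 ; PWD=/home/julian ; USER=root ; COMMAND=/usr/sbin/urpmi lynx
May 14 10:15:03 web1 sudo:    julian : TTY=pts/1 ; PWD=/home/julian ; USER=root ; COMMAND=/usr/sbin/urpme lynx
May 14 11:20:30 web1 sudo:    bob : command not allowed ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
May 14 11:21:02 web1 sudo:    alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/urpmi/urpmi.cfg
"""

@dataclass
class SudoEvent:
    ts: str
    host: str
    user: str
    target: str
    command: str
    reason: Optional[str]  # non-None when sudo refused the request

def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Parse one syslog line; return None for lines that are not sudo records."""
    m = SUDO_RE.match(line.strip())
    if not m:
        return None
    return SudoEvent(m["ts"], m["host"], m["user"], m["target"], m["cmd"], m["reason"])

def packages(ev: SudoEvent):
    """Non-option arguments of urpmi/urpme; empty for an --auto-select style update."""
    return [a for a in ev.command.split()[1:] if not a.startswith("-")]

def audit(log_text: str) -> dict:
    report = {"installs": [], "removals": [], "denied": [], "out_of_policy": []}
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        prog = ev.command.split()[0]
        if ev.reason is not None:                 # sudo refused: worth a look either way
            report["denied"].append((ev.user, ev.command, ev.reason))
        elif prog not in ALLOWED_COMMANDS:        # sudoers grants more than urpmi/urpme
            report["out_of_policy"].append((ev.user, ev.command))
        elif prog.endswith("/urpmi"):
            report["installs"].append((ev.user, packages(ev) or ["<all available updates>"]))
        else:
            report["removals"].append((ev.user, packages(ev)))
    return report

if __name__ == "__main__":
    for section, events in audit(SAMPLE_LOG).items():
        print(section, events)
```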

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

