Firewall Wizards mailing list archives
Re: Custom Unix server installations -- to harden extensively ?
From: Mason Schmitt <hr824 () sunwave net>
Date: 14 May 2003 12:37:07 -0700
On Tue, 2003-05-13 at 07:21, Julian Gomez wrote:
> b) Remove the packages, and when the need arises, reinstall the packages -- I have to note here that a lot of cross-dependencies make this hell. At least on RH, if there is opinion on different distributions which make this somewhat painless, closest thing which might be relevant, I think is FBSD's ports system (though I haven't used it myself) ?

I use Mandrake Linux for all our servers. I have found them to be much easier to harden (you really must check out "msec", I love it). I install only the minimum files needed for a particular server and then don't really worry about others that may be needed down the road because of Mandrake's wonderful urpmi. If you haven't checked out urpmi, you'll really appreciate it; unlike basic rpm installation, a la RH, it takes care of all dependencies for you.

http://www.linux-mandrake.com/en/urpmi.php3

As well, no user on my servers is allowed to use the root password (no one knows the root passwords, not even me - they are in a safe in a sealed envelope); I use sudo for everything. Now, given that urpmi can only be run as root, I simply have entries in my sudoers file that give specific people access to urpmi. Since sudo logs every use of sudo and I have a separate log machine for log files, I can see every piece of software that gets installed using urpmi on my systems.

Just a little bit more about urpmi. I mirror all distribution rpms, updates, contribs, in-house modified rpms, etc. on a local secured box; that way I can update all boxes running on our network using urpmi's parallel install functionality. When I want to update a server I simply type "sudo urpmi --update --auto-select". urpmi figures out which files have updates available, computes all dependencies, downloads the necessary files from my server, checks to see that all signatures are valid and installs the files. Everything is logged to /var/log/urpmi. It's so easy :)

BTW, I'm not a Mandrake employee, nor do I make any money from selling their product etc. I'm a sysadmin at a small cable internet company. My enthusiasm for Mandrake and their tools (all of which are GPL) is due to the pain and suffering I have endured with other Linux distributions. Never again do I want to go through rpm dependency hell...

> I'm beginning to really wish for a CD which would have all this spare software which can be loaded, do its work, and then unloaded directly, without having any permanent storage on the host's filesystem.

That's a cool idea. If you want short term use of an app, you could do this with urpmi: "sudo urpmi <package>", use the package for as long as you want, then do "sudo urpme <package>". Nice and simple with no headaches.

Mason

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
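An added example, not part of the original post: one way to pull urpmi/urpme activity out of sudo's syslog entries once they have been collected on a separate log machine, including attempts that sudoers refused. The log lines, hostnames, user names and the /usr/sbin path are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed sample lines in sudo's syslog format; hosts and users are made up.
SAMPLE_LOG = """\
May 14 12:31:07 web1 sudo:    mason : TTY=pts/0 ; PWD=/home/mason ; USER=root ; COMMAND=/usr/sbin/urpmi nmap
May 14 12:35:40 web1 sudo:    mason : TTY=pts/0 ; PWD=/home/mason ; USER=root ; COMMAND=/usr/sbin/urpme nmap
May 14 12:40:02 web1 sudo:    guest : command not allowed ; TTY=pts/2 ; PWD=/home/guest ; USER=root ; COMMAND=/usr/sbin/urpmi tcpdump
May 14 13:02:55 db1 sudo:    julie : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/urpmi --update --auto-select
May 14 13:05:00 db1 sudo:    julie : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/ls /var/log/urpmi
"""

Event = namedtuple("Event", "when host user action packages allowed")
LINE_RE = re.compile(
    r"^(?P<when>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?P<fields>.*)$")
ACTIONS = {"urpmi": "install/update", "urpme": "remove"}

def parse_line(line):
    """Return an Event for a sudo log line that ran urpmi/urpme, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    head, sep, command = m.group("fields").partition("COMMAND=")
    argv = command.split()
    if not sep or not argv:
        return None
    action = ACTIONS.get(argv[0].rsplit("/", 1)[-1])
    if action is None:
        return None  # some other command run through sudo
    # sudo puts a failure reason (e.g. "command not allowed") before TTY=.
    allowed = head.lstrip().startswith("TTY=")
    # Simplification: every non-option argument is treated as a package name.
    packages = [a for a in argv[1:] if not a.startswith("-")]
    return Event(m.group("when"), m.group("host"), m.group("user"),
                 action, packages, allowed)

def audit(log_text):
    """All package-management events found in the log, in order."""
    return [e for e in map(parse_line, log_text.splitlines()) if e]

if __name__ == "__main__":
    for e in audit(SAMPLE_LOG):
        status = "OK" if e.allowed else "DENIED"
        what = " ".join(e.packages) or "(no package named)"
        print(f"{e.when} {e.host} {status:6} {e.user:6} {e.action}: {what}")
```
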