[Infrastructures] Re: Host installs?

Harry Hoffman hhoffman@ip-solutions.net
Wed, 5 Feb 2003 08:42:46 +1300


Rainer,
  I share your philosophy. I guess what really worries me is that when too many
things are installed on a machine, patching, and hence security, becomes a
nightmare.
  While it may be said to patch all of your systems to the same level, this is
not always achievable. Some apps require certain OS patch levels (otherwise they
break), PeopleSoft being forefront in my mind.
  Also, security may be less of a concern within an organization that can easily
be "locked down". However, in academic realms, it's really quite difficult to, as
some of the machines' sole purpose is to provide shell accounts to students.
This can turn one's hair gray very quickly.

Cheers,
Harry


Quoting "Heilke, Rainer" <Rainer.Heilke@atcoitek.com>:

*> This is actually the source of some disagreement in our group. I am of the
*> "Don't install anything beyond what you need" variety. The other two admins
*> are of the "install everything, disable what you don't use" type.
*> 
*> There are pros and cons to each approach. You lose some abilities in the
*> "repurpose" area with my approach, but then, we don't do this here any way.
*> When we move a server to a new role, we do a fresh install (and our Kerberos
*> and DNS servers are completely unique, as are a couple other servers). So,
*> when only one server provides X services, why do we install and run all of X
*> on all systems...? It is also true that HDD space is increasingly cheap, but
*> then, you are also installing all of the security holes.
*> 
*> Regardless which approach you take, make sure that all systems are as
*> similar as possible, using cfengine (isconf, whatever) to keep the
*> individual systems in sync with their roles and each other. Use tools like
*> cfengine to maintain order, and they can also act as documentation tools.
*> Some of the compromise involves the size of your infrastructure, smaller
*> ones typically being a bit looser, I would guess. This is all stuff I am
*> still thinking about, and trying to get the two others on my team to look at
*> with new eyes. The latter can be the greatest challenge.
*> 
*> Rainer Heilke
*> 
*> > -----Original Message-----
*> > From: Stephen Schaefer [mailto:SSchaefer@rfmd.com]
*> > Sent: Tuesday, February 04, 2003 7:08 AM
*> > To: infrastructures@roton.terraluna.org
*> > Subject: RE: [Infrastructures] Re: Host installs?
*> >
*> >
*> > This is a good answer for well understood, static environments -
*> > especially those exposed to the security threats of the internet, or
*> > indeed at any security boundary.  You do, however, gain from
*> > *uniformity* of systems, both from the ability to rapidly repurpose and
*> > from the decrease in management complexity.  That means on internal
*> > systems you install everything you use or are likely to use anywhere,
*> > which is almost everything (though probably not xbill,
*> > http://www.xbill.com :-).  I do take the security issue seriously, and
*> > no one can afford not to when dealing with the opportunistic threats
*> > from the internet -- but you need to find the balance between your own
*> > internal capabilities and vulnerabilities that matches the level of
*> > threat you have.  That means assessing the attitude of your colleagues
*> > and establishing the right security boundaries.  A military unit has
*> > different requirements than a local auto mechanic.
*> >
*> >     - Stephen
*> >
*> > -----Original Message-----
*> > From: Daniel Pittman [mailto:daniel@rimspace.net]
*> > Sent: Tuesday, February 04, 2003 7:36 AM
*> > To: Harry Hoffman
*> > Cc: infrastructures@terraluna.org
*> > Subject: [Infrastructures] Re: Host installs?
*> >
*> >
*> > On Tue, 4 Feb 2003, Harry Hoffman wrote:
*> > > Hi All, When doing host based installs are most people installing
*> > > everything available from the vendor - ie Full+OEM->Solaris,
*> > > Everything->Redhat?
*> >
*> > Heck, no. That's the *last* thing you want to do.
*> >
*> > > Everything->Or are you only installing certain packages
*> > > (clusters) for any given OS?
*> >
*> > Not only do I select based on the purpose of the machine, I tend to trim
*> > the list down to exclude a number of packages that the vendor[1]
*> > installs in the "base" system.
*> >
*> > > Do most people not really care anymore, because disks have become so
*> > > large? If everything is installed then how do most people deal with
*> > > making sure services aren't started, cfengine?
*> >
*> > If you don't need it, don't put it on there. Aside from the issue of
*> > disk use, and of security holes as highlighted elsewhere, you complicate
*> > backups and hide important information in the mass of unused files.
*> >
*> >         Daniel
*> >
*> > Footnotes:
*> > [1]  Debian, primarily.
*> >
*> > --
*> > A companion, unobtrusive
*> > Plays the song that's so elusive
*> > And the magic music makes your morning mood.
*> >         -- Rush, _The Spirit of Radio_, 1980
*> > _______________________________________________
*> > Infrastructures mailing list Infrastructures@mailman.terraluna.org
*> > http://mailman.terraluna.org/mailman/listinfo/infrastructures
*> >
*> 


-- 
Harry Hoffman
ITSS Systems Team Leader
University of Auckland
hhoffman@auckland.ac.nz
hhoffman@ip-solutions.net
STANDARD DISCLAIMER:
**********************************************
*This universe shipped by weight, not volume.*
*Some expansion may have occured in shipping.*
*********************************************


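The thread's advice (install only what a role needs, then keep every host of that role in sync and make sure nothing extra is started at boot) can be turned into a routine check. The script below is an added example, not code from this list or from cfengine: it compares a host's installed Debian packages and SysV start links against a per-role manifest and reports extras (patch burden, attack surface) and gaps. The manifest format and the sample host inventory are constructed for the example.

```python
"""Role-baseline drift check (added example; manifest format and sample data are constructed)."""
import re
from dataclasses import dataclass, field

RC_LINK = re.compile(r"^S\d\d(.+)$")  # SysV start link, e.g. S20ssh in /etc/rc2.d


@dataclass
class Drift:
    extra_packages: set = field(default_factory=set)    # installed but not in the role
    missing_packages: set = field(default_factory=set)  # in the role but not installed
    extra_services: set = field(default_factory=set)    # started at boot but not in the role
    missing_services: set = field(default_factory=set)  # expected at boot but not started

    def clean(self) -> bool:
        return not any(vars(self).values())


def parse_manifest(text: str) -> dict:
    """Constructed format: one 'package NAME' or 'service NAME' per line, '#' comments."""
    want = {"package": set(), "service": set()}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, _, name = line.partition(" ")
        if kind not in want or not name.strip():
            raise ValueError(f"manifest line {n}: {raw!r}")
        want[kind].add(name.strip())
    return want


def parse_dpkg(text: str) -> set:
    """Names from dpkg-query -W -f='${Package} ${Status}\n' output; only status
    ending in 'installed' counts, so removed packages with leftover config are ignored."""
    rows = (line.split() for line in text.splitlines())
    return {p[0] for p in rows if len(p) >= 2 and p[-1] == "installed"}


def parse_rc_links(names) -> set:
    """Services started at boot: the S??name links of a runlevel directory listing."""
    return {m.group(1) for m in map(RC_LINK.match, names) if m}


def check_drift(manifest: dict, installed: set, enabled: set) -> Drift:
    return Drift(installed - manifest["package"], manifest["package"] - installed,
                 enabled - manifest["service"], manifest["service"] - enabled)


# Constructed sample: a student shell server that should run only ssh, but has
# apache installed and nfs-kernel-server linked into the boot runlevel.
MANIFEST = "package ssh\npackage cfengine\nservice ssh\n# nfs is not for shell hosts\n"
DPKG_OUT = ("ssh install ok installed\ncfengine install ok installed\n"
            "apache install ok installed\nexim deinstall ok config-files\n")
RC2_D = ["S20ssh", "S20nfs-kernel-server", "K20apache"]

if __name__ == "__main__":
    print(check_drift(parse_manifest(MANIFEST), parse_dpkg(DPKG_OUT), parse_rc_links(RC2_D)))
```

On a real Debian host the two inventories would come from `dpkg-query -W -f='${Package} ${Status}\n'` and `ls /etc/rc2.d`, and a non-clean result is the cue for cfengine (or a person) to bring the host back to its role.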