[Infrastructures] Re: Host installs?

Heilke, Rainer Rainer.Heilke@atcoitek.com
Tue, 4 Feb 2003 14:17:06 -0700 

> -----Original Message-----
> From: Harry Hoffman [mailto:hhoffman@ip-solutions.net] 
> Sent: Tuesday, February 04, 2003 12:43 PM
> To: infrastructures@roton.terraluna.org
> Subject: RE: [Infrastructures] Re: Host installs?
> 
>   I share your philosophy. I guess what really worries me are 
> that when too many
> things are installed on a machine that patching, and hence 
> security, become a
> nightmare.

This is, indeed, one of my problems. We tend to only patch those services we
know we run, unless we are doing one of our cluster-patch runs. Last week,
we noticed that the KCMS subsystem on Solaris had an exploit. We didn't
worry about it, as we don't run it (and, according to our install
documentation, it should be deselected). Yesterday, I was looking into
removing a test of SunMC, and found we had KCMS stuff installed. I went
through our systems, and found only 2 without any KCMS pieces installed, and
several with all 5 packages in the suite installed. I quickly did a pkgrm on
all of them! I'm still wondering about this, because I installed a couple of
these servers and was quite deliberate in deselecting the packages.

>   While it may to said to patch all of your systems to the 
> same level, this is
> not always achievable.

In fact, problems with getting outages means that some servers don't get the
patch clusters applied until the clusters are a month old. This is a whole
month of various systems hovering between two patch levels, and we are a
small shop.

>   Also, security may be less of a concern within an 
> organization that can easily
> be "locked down". However, in academic realms, it's really 
> quite difficult to as
> some of the machines' sole purpose are to provide shell 
> accounts to students.
> This can turn one's hair gray very quickly.

It can be pretty aging in a smaller shop, too. Here, _everyone_ that does
_anything_ on a Unix server has full shell (and X access through our login
server). We may be locked down from external threat, but they say that most
problems occur due to internal misconduct; and never underestimate the power
of stupidity. :-( I'm sure you are all too familiar with that one.

All the best,
Rainer