Date: Wed, 9 Jul 2003 10:52:36 -0700 (PDT)
From: Mike Hoskins
To: stable@freebsd.org
Subject: Re: Hardening production servers
In-Reply-To: <200307090229.MAA09700@lightning.itga.com.au>
Message-ID: <20030709105010.O59356@fubar.adept.org>
References: <200307090229.MAA09700@lightning.itga.com.au>

On Wed, 9 Jul 2003, Gregory Bond wrote:

> Even easier might be to maintain a list of files you don't want on the client
> machines and then rm them after every installworld (you could automate this in
> the /usr/src/Makefile).

Great points, just wanted to add...

You could also use config mgmt tools like cfengine, PIKT, etc. (see ports) to remove (and make sure they stay removed) these files on all servers. You would then get all the other benefits (and headaches) typically associated with config mgmt. (Syncing config files from a central source, notification of changes, etc.)

We've had cfengine running for awhile... A bit of a learning curve, but it has proven to be worthwhile.

-mrh

--
From: "Spam Catcher"
To: spam-catcher@adept.org
Do NOT send email to the address listed above or you will be added to a blacklist!
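The removal list discussed in this thread, enforced and re-checked by a small script. This is an added example, not code from either poster or from cfengine; the function name enforce_removed, the list format and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). enforce_removed and the list format
# (one absolute path per line, '#' comments) are assumptions.
#
# enforce_removed LISTFILE [ROOT] [check|remove]
#   check  : report listed files that exist under ROOT (default)
#   remove : delete them and report each deletion
# Returns non-zero when any listed path was present, so a cron or
# post-installworld run can flag that the files came back.
enforce_removed() {
    list=$1 root=${2:-/} mode=${3:-check} found=0
    while IFS= read -r path || [ -n "$path" ]; do
        case $path in
            ''|'#'*) continue ;;                       # blank line or comment
            */../*|*/..) echo "skipped (..): $path" >&2; continue ;;
            /*) ;;                                     # absolute path: accept
            *) echo "skipped (not absolute): $path" >&2; continue ;;
        esac
        target=${root%/}$path
        # -L also catches a dangling symlink, which -e reports as absent.
        if [ -e "$target" ] || [ -L "$target" ]; then
            found=$((found + 1))
            if [ -d "$target" ] && [ ! -L "$target" ]; then
                echo "present (directory, not touched): $path"
            elif [ "$mode" != remove ]; then
                echo "present: $path"
            elif rm -f -- "$target"; then
                echo "removed: $path"
            else
                # On FreeBSD, rm fails on files carrying the schg flag
                # until it is cleared with chflags noschg.
                echo "could not remove: $path" >&2
            fi
        fi
    done < "$list"
    [ "$found" -eq 0 ]
}

# Constructed demo: a throwaway tree stands in for the server's root.
demo=$(mktemp -d)
mkdir -p "$demo/usr/bin"
: > "$demo/usr/bin/cc"
printf '%s\n' '# not wanted on clients' /usr/bin/cc /usr/bin/gdb > "$demo/remove.list"
enforce_removed "$demo/remove.list" "$demo" remove || echo "listed files had reappeared"
enforce_removed "$demo/remove.list" "$demo" check && echo "tree is clean"
rm -rf "$demo"
```

Running it in check mode from cron gives the "stay removed" verification without deleting anything; the non-zero exit status is the signal to alert on.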