From: Matthew Franz
To: Dag-Erling Smørgrav
Cc: Mike Brown, freebsd-security@freebsd.org
Date: Tue, 11 Oct 2011 05:32:46 -0400
Subject: Re: Reasonable expectations of sysadmins

I've found this to be especially useful on PF+CARP pairs when making networking changes.
Did the interfaces come up properly, did the routes, did the PF rules upon reboot?

In some virtualized (non-BSD) environments some folks rebuild the image from scratch from packages and from a source of truth (puppet/chef repo) to be sure you can always have a clean build.

- mdf

2011/10/11 Dag-Erling Smørgrav:
> Mike Brown writes:
>> Also, sometimes things go haywire after a reboot, especially after extended
>> uptime and updates to the kernel or core libraries, so I'm in the habit of
>> only shutting down when necessary. So if I don't see "and then reboot" in an
>> update procedure - and most of the time, security updates don't require it -
>> then I don't do it.
>
> Actually, this is an argument in favor of rebooting regularly, or at
> least after every major change, so you know the server will boot
> unassisted if something happens (power outage, cleaning staff tripped
> over the mains cable, etc.)  I once spent an entire evening coaxing a
> mission-critical database server back up after a simple disk replacement
> because a predecessor had performed an in-place system upgrade without
> verifying that the new configuration would boot cleanly.
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no

--
Matthew Franz
mdfranz@gmail.com