Re: unix build recommendations for internal systems

From: Matt (usenet001@spamlovelyspam-monki.org.uk)
Date: 03/28/03

  • Next message: Michael Heiming: "Re: PowerBroker" 
    From: Matt <usenet001@spamlovelyspam-monki.org.uk>
Date: Fri, 28 Mar 2003 01:07:57 +0000

    The most important thing is too make sure the application is running as
    expected. You may find you app is unsupported by the vendor unless you
    have the software clusters suggested installed. In that case stick with
    what they recommend.
    Otherwise, lsof is your friend. Use it to see which libraries and files
    the app is using. It's possible that the app may open and close some
    libraries/files from time to time, in which case it may break, but
    generally apps tend to keep hold of the files. There are probably tools
    around that will show all the files that are used, but I can't suggest
    any off the top of my head.
    Try installing in a chroot jail, and copy the libraries you find you
    need by hand. Rather time consuming, and it can be frustrating, but
    you'll know you got a minimal system then.

    As for securing the system, if it's really critical data (e.g. accounts,
    staff details etc.), put in on a seperate network behind a router and
    firewall. If it's used by limited number of staff, put it in an internal
    DMZ, with the staff on the 'internal' side, and carefully control the
    data that their machines send and receive from the rest of the company
    and world.

    In all cases, standard practices apply. Shut down unneccasery services.
    Keep the system patched. Remove setuid root on all tools (unless one of
    them is an obsolute requirement for the app). If possible run a firewall
    on the box itself. Log everything possibly to a seperate syslog server
    and check the logs. Give users the minimum authorisation required, use
    secure authentication. Portscan the box. Use Nessus. And so on and so
    forth. Treat it like a machine on the Internet. There are plenty of
    guides on the web on this topic.

    I hope at least some of the above is of use.

    Matt
    (Also looking for work, but in the East Midlands: UNIX
    (Solaris,Linux,*BSD) Systems, networking, security)

    Bright wrote:
    > Sadly ... the actuality is that very few application vendors know what
    > packages are required for their application. They simply direct us to
    > install the 'User Cluster' or the 'Developer Cluster'
    > Indeed - even the OS vendor (in this instance Sun) doesn't know what
    > packages are required for some of the Sun supplied applications and
    > gives similar advice.
    >
    > A poor alternative is to install the requisite package cluster and
    > remove some packages.
    >
    > How do you find out what packages to install/remove?
    >
    >
    > grig@securesysconsulting.com (GG) wrote in message news:<8793f188.0302240916.23cf2e84@posting.google.com>...
    >
    >>Check out the benchmarks from the Center for Internet Security
    >>(cisecurity.org). They have host-hardening benchmarks and audit tools
    >>for almost all the major Unix flavors.
    >>
    >>GG
    >>
    >>"Colin McKinnon" <colin.mckinnon@DeleteMeUnlessURaBot.ntlworld.com> wrote in message news:<04T5a.1065$EN3.7980@newsfep4-glfd.server.ntli.net>...
    >>
    >>>On Mon, 17 Feb 2003 02:54:14 +0000, Bright wrote:
    >>>
    >>>
    >>>>But what is the received wisdom when it comes to "Internal" machines -
    >>>>these machines don't reside in the DMZ and are effectively isolated from
    >>>>external networks (such as the Internet)?
    >>>
    >>>I don't know about wisdom....I have read that 80% of compromises are
    >>>carried out by 'insiders'. This kind of suggests that internal security is
    >>>important too. I prefer to start from the point of a minimal level of
    >>>service and add functionality as the need arises - that way I can be the
    >>>guy who gave the users access instead of being the one who took it away.
    >>>
    >>>If you can get a strong security framework in place as early as possible
    >>>then it'll make life a lot simpler later on.
    >>>
    >>>Good luck,
    >>>
    >>>Colin
    >>>(looking for work in Scotland as Unix systems / network /database /security
    >>>administrator)

  • Next message: Michael Heiming: "Re: PowerBroker"

    Relevant Pages

    • Re: App Dependencies
      ... We do this all the time with SMS, a few options you might want to explore: ... You can nest programs (in packages) to ensure that a given ... used as target for the advertisement installing appC ... > zen where App D installed after App A then App B, ...
      (microsoft.public.sms.swdist)
    • Re: collecting remote system information
      ... There's a MS command line app some where on the MSDN site (complete ... There are a couple of packages on RubyForge that are cross-platform Ruby libraries for returning some of the basic information about the system. ... I just downloaded some of these for adding more information to one of the regular scripts that I run for gathering statistics about the running environment of some largely unattended scripts and to alert me if the status changes. ...
      (comp.lang.ruby)
    • Re: Win32 vs. .NET
      ... "compiles" on D7, but the changes required have been quite minor, and ... packages. ... *Always.* There is no way to make a D6 app work with a D7 ... With .NET, OTOH, your 1.1 app very likely will work with 2.0 ...
      (borland.public.delphi.non-technical)
    • Re: Python compiled?
      ... > Py2exe is surely a good compromise but it is not comparable to ... a Python app packages with py2exe and ... Windows app. ...
      (comp.lang.python)
    • Really Slow - Business Intelligence Dev Studio
      ... I'm having issues running the SQL server business dev studio to run ... some import packages. ... Every operation from opening the app, to opening a project and then ... but the app is totally unresponsive. ...
      (microsoft.public.sqlserver)
    Loading