Re: [squid-users] compiling squid on dev machine, then moving to production machine

From: Mike Cudmore <Mike.Cudmore@dont-contact.us>
Date: Thu, 09 Jan 2003 12:37:05 +0000

Hi,

As a one-off on the production system (which is the same build/OS/arch
as the dev machine, just with fewer features/packages installed)
I have

Installed squid start up scripts

Raised the file descriptors in the start-up scripts using the ulimit
command, to match the build environment.

On the build/dev system, create a tar of

/usr/sbin/squid
/usr/lib/squid/*
/usr/share/errors/*
/usr/share/icons/*
/etc/squid/squid.conf

and ship it to the destination.

stop squid if running
unpack tar
run squid -z if needed to create directories
squid

Does anything else spring to mind?

Regards
Mike Cudmore
GSI & Intranet Connectivity Team

>>> Henrik Nordstrom <hno@marasystems.com> 01/08/03 04:37pm >>>
Wed 2003-01-08 at 14.36, Mike Cudmore wrote:

> I understand the need for the same OSes and accept that this is
> necessary for the binary that is moved to work properly.
>
> The OSes and architecture are and will be the same.
>
> I also intend to build multiple squids. I don't want to build multiple
> dev boxes and then harden them prior to going into production.
>
> Anyone else done this?

All the time. Our production boxes have a tiny read-only root/system
filesystem (ca. 8 MB including kernel). No way a compiling environment
fits in there.

It is not at all difficult as long as you ensure that the needed shared
libraries are compatible.

If you need to support multiple different OS revisions then virtual
minimal OS installations can be used via chroot or similar measures.
Most package managers allow manual installation into a virtual root
directory.

But I see no real security reason not to have compilers on production
boxes. If you are worried about security (I am) then mostly other
measures are needed. The only major reason not to have compilers on
production boxes is to stop your sysadmin friend from trying to compile
stuff on production boxes which does not belong there, only because it
is easier to try it out on the production system instead of the
development system. The other major reason (which is my case) is if you
have a need to keep the root/system filesystem small.

If you run on any common platform then hackers (including most
script kiddies) won't care much if there is a compiler or not once they
hack the box, as they most likely already have the needed binaries
compiled for their needs.

If you run an odd platform or variant where "normal" binaries won't run
then not having compilers available may be a reasonable security
measure, if hackers are what you worry about.

Regards
Henrik

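Mike's steps above, written out as an added example (this is not code from the thread or from the Squid project): build the tarball on the dev box from his file list, ship a sha256 sidecar with it, and on the production box refuse to unpack anything whose hash no longer matches; `missing_libs` covers the shared-library compatibility check Henrik raises. Assumptions: a GNU or busybox userland (`tar`, `sha256sum`) with glibc `ldd`, the `.sha256` sidecar naming, `squid -k shutdown` as the stop step, and the constructed fake dev tree that `demo_run` builds so the script can run anywhere without a real squid install.

```shell
#!/bin/sh
# Added example, not code from the thread or the Squid project.
# Dev box:   make_bundle ROOT BUNDLE     -> BUNDLE plus BUNDLE.sha256
# Prod box:  deploy_bundle BUNDLE ROOT   -> verify, stop, unpack, squid -z, start
# Assumed: GNU or busybox tar/sha256sum, glibc ldd; the sidecar name and the
# fake tree built by make_fake_tree are constructed for illustration only.
set -eu

# Files to ship, from the thread, relative to the filesystem root.
SQUID_FILES="usr/sbin/squid usr/lib/squid usr/share/errors usr/share/icons etc/squid/squid.conf"

# Tar SQUID_FILES relative to ROOT into BUNDLE (give an absolute BUNDLE path)
# and write a sha256 sidecar so the receiving side can check what arrived.
make_bundle() { # make_bundle ROOT BUNDLE
    root=$1; bundle=$2
    # shellcheck disable=SC2086  # splitting SQUID_FILES into arguments is intended
    tar -C "$root" -cf "$bundle" $SQUID_FILES
    ( cd "$(dirname "$bundle")" && sha256sum "$(basename "$bundle")" > "$(basename "$bundle").sha256" )
}

# Exit status 0 only if BUNDLE still matches its sidecar.
verify_bundle() { # verify_bundle BUNDLE
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# Henrik's compatibility check: print the shared libraries BINARY needs that
# this box cannot resolve. Status 1 if any are missing, 2 if ldd cannot inspect it.
missing_libs() { # missing_libs BINARY
    out=$(ldd "$1" 2>/dev/null) || return 2
    unresolved=$(printf '%s\n' "$out" | awk '/not found/ { print $1 }')
    [ -z "$unresolved" ] || { printf '%s\n' "$unresolved"; return 1; }
}

# Start-up script step from the thread: raise the FD limit to match the build box.
raise_fd_limit() { ulimit -n "$1"; }

# Mike's sequence on the target: verify the bundle, stop squid if it is
# running, unpack, create the cache directories, start.
deploy_bundle() { # deploy_bundle BUNDLE TARGET_ROOT
    bundle=$1; target=$2; squid="$target/usr/sbin/squid"
    if ! verify_bundle "$bundle"; then
        echo "refusing to unpack: $bundle does not match its sha256 sidecar" >&2
        return 1
    fi
    [ -x "$squid" ] && "$squid" -k shutdown 2>/dev/null || true   # stop squid if running
    tar -C "$target" -xf "$bundle"
    "$squid" -z    # create cache directories
    "$squid"       # start
}

# Constructed stand-in for the dev box: the layout from the thread, with a
# stub squid that appends how it was invoked to $SQUID_LOG.
make_fake_tree() { # make_fake_tree ROOT
    root=$1
    mkdir -p "$root/usr/sbin" "$root/usr/lib/squid" "$root/usr/share/errors" \
             "$root/usr/share/icons" "$root/etc/squid"
    printf '#!/bin/sh\necho "squid $*" >> "${SQUID_LOG:?}"\n' > "$root/usr/sbin/squid"
    chmod 755 "$root/usr/sbin/squid"
    echo 'http_port 3128' > "$root/etc/squid/squid.conf"
    : > "$root/usr/lib/squid/unlinkd"
    : > "$root/usr/share/errors/ERR_ACCESS_DENIED"
    : > "$root/usr/share/icons/anthony-unknown.gif"
}

# Round trip against the fake tree, then show a tampered bundle being refused.
demo_run() {
    work=$(mktemp -d)
    SQUID_LOG="$work/squid-calls.log"; export SQUID_LOG
    make_fake_tree "$work/dev"
    make_bundle "$work/dev" "$work/squid.tar"
    mkdir -p "$work/prod"
    deploy_bundle "$work/squid.tar" "$work/prod"
    echo "stub squid was invoked as:"; cat "$SQUID_LOG"
    printf 'x' >> "$work/squid.tar"    # simulate a bundle altered in transit
    if deploy_bundle "$work/squid.tar" "$work/prod" 2>/dev/null; then
        echo "BUG: tampered bundle accepted"; rm -rf "$work"; return 1
    fi
    echo "tampered bundle rejected"
    rm -rf "$work"
}

demo_run
```

Two caveats for real use. The sidecar only catches corruption or a swap that touched the tarball but not the hash file; if both travel together, an attacker on the path can replace both, so carry the hash over a second channel (or sign the tarball) when that matters. And glibc's `ldd` can end up executing the program it inspects, so run `missing_libs` only on binaries you built yourself, as in this workflow, never on something of unknown origin.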
Received on Thu Jan 09 2003 - 05:37:26 MST
