Hardening production servers
Paul Smith
paul at cnt.org
Tue Jul 8 18:29:46 PDT 2003
Gregory Bond <gnb at itga.com.au> wrote on 08/Jul/03 at 6:35 PM:
> Here's what we do:
>
> For the system:
>
> - A separate build box, spec'd no higher than the lowest production machine
> - keep a CVS repository on the build box
> - buildbox /etc/make.conf has KERNCONF="SERVER CLIENT1 CLIENT2..."
> - run make update / make buildworld / make buildkernel on the build box
> - Install kernel & world on the build box, run mergemaster, etc as documented
> - run the build box for a couple of days (rebuilding ports etc) to check it
> out
> - NFS mount /usr/src and /usr/obj readonly on each client
> - client /etc/make.conf has KERNCONF=CLIENTn
> - installkernel / installworld / mergemaster on the client in the normal way
>
> For the ports:
>
> - use portupgrade on build box and clients
> - build box has the union of all the client package sets installed on it
> - build box does "portupgrade -p" to build packages
> - client boxes NFS mount /usr/ports/ (including /usr/ports/packages)
> (can also do it with a local CVSup'd /usr/ports and using FTP to
> the build box to get the packages, but that's harder to get right.)
> - clients run portupgrade -PP to use the packages only
>
> This works well enough for us with a similar number of servers.
Say a system like this were put into place to support existing production
servers. What's the cleanest/most elegant/least destabilizing way to remove
the compiler tools on those machines?
--
Paul Smith <paul at cnt.org>
Webmaster/Systems Administrator
Center for Neighborhood Technology
Chicago, Illinois USA
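The build-box scheme quoted above depends on one detail being kept in sync by hand: the build box's KERNCONF list in /etc/make.conf has to contain every kernel config that a client's own /etc/make.conf names, or "make installkernel" on that client will look for a kernel the build box never built. The script below is an added example, not code from the thread or from FreeBSD; it reads make.conf-style files (paths, hostnames and config names are constructed for the demonstration) and reports any client whose KERNCONF is not covered by the build box. A client with no KERNCONF line is treated as GENERIC, which is the build system's default.

```sh
#!/bin/sh
# Added example: check that the build box's KERNCONF list covers every
# client's KERNCONF before the clients install from NFS-mounted /usr/obj.
# All file names and contents below are constructed for the demonstration.

# Print the configs named by the last KERNCONF assignment in a make.conf
# file (quotes and trailing comments stripped); prints nothing if unset.
kernconf_of() {
    sed -n 's/^[[:space:]]*KERNCONF[[:space:]]*?*=[[:space:]]*//p' "$1" \
        | tail -n 1 \
        | sed 's/#.*//; s/"//g; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# client_covered BUILD_MAKECONF CLIENT_MAKECONF
# Returns 0 if every config the client wants is built on the build box,
# 1 otherwise (each missing config is reported on stderr).
client_covered() {
    build="$1"
    client="$2"
    buildlist=$(kernconf_of "$build")
    clientlist=$(kernconf_of "$client")
    # An unset KERNCONF means the client will install GENERIC.
    [ -n "$clientlist" ] || clientlist=GENERIC
    status=0
    for k in $clientlist; do
        found=0
        for b in $buildlist; do
            [ "$k" = "$b" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "$client: wants KERNCONF '$k' but build box builds only: $buildlist" >&2
            status=1
        fi
    done
    return $status
}

# Demonstration on constructed make.conf files in a temporary directory.
demo_dir=$(mktemp -d)
printf 'KERNCONF="SERVER CLIENT1 CLIENT2"\nCPUTYPE?=p3\n' > "$demo_dir/make.conf.buildbox"
printf 'KERNCONF=CLIENT1\n' > "$demo_dir/make.conf.web1"
printf 'KERNCONF=CLIENT3   # config exists only on this client\n' > "$demo_dir/make.conf.web3"
printf 'CPUTYPE?=p3\n' > "$demo_dir/make.conf.db1"   # no KERNCONF: defaults to GENERIC

for c in web1 web3 db1; do
    if client_covered "$demo_dir/make.conf.buildbox" "$demo_dir/make.conf.$c"; then
        echo "$c: covered"
    else
        echo "$c: NOT covered, add its config to the build box KERNCONF first"
    fi
done
rm -rf "$demo_dir"
```

Run it on the build box against copies of each client's /etc/make.conf before starting "make buildkernel"; with the files above it reports web1 as covered and flags both web3 (CLIENT3 is not in the build list) and db1 (no KERNCONF, so it would want a GENERIC kernel the build box does not build).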