Hardening production servers
Gregory Bond
gnb at itga.com.au
Tue Jul 8 19:29:32 PDT 2003
paul at cnt.org said:
> Say a system like this were put into place to support existing
> production servers. What's the cleanest/most elegant/least
> destabilizing way to remove the compiler tools on those machines?
It's not supported out of the box as far as I can see.
One approach is like this:
- Add new variable NO_COMPILERS to /etc/make.conf on all the client machines
- Go through the Makefiles and add code to drop the compiler tools if this
variable is defined. Look for example at how NO_CVS is implemented in
src/gnu/usr.bin/Makefile and work from that.
- You'll have to manually rm the tools from the existing client machines as
this change won't delete old ones, it'll just not install new ones.
- You might like to also define NOINSTALLLIB and NOPROFILE on the client
make.conf to not install all the .a and _p.a libraries (see
/usr/share/mk/bsd.lib.mk).
Even easier might be to maintain a list of files you don't want on the client
machines and then rm them after every installworld (you could automate this in
the /usr/src/Makefile).
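
The list-driven cleanup suggested at the end of the message could look like the sketch below. It is an added example, not part of the original post or of the FreeBSD source tree; the function name prune_listed_files, the list file format and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# prune_listed_files ROOT LISTFILE  (hypothetical helper, not a FreeBSD tool)
# Removes each file named in LISTFILE from under ROOT. Entries must be absolute
# paths to regular files or symlinks. Returns 1 if any entry was rejected.
prune_listed_files() {
    root=$1 list=$2 rc=0
    while IFS= read -r path || [ -n "$path" ]; do
        case $path in
            ''|'#'*) continue ;;                  # blank line or comment
        esac
        case $path in
            /*) ;;                                # absolute path: accepted
            *) echo "rejected (not absolute): $path" >&2; rc=1; continue ;;
        esac
        case "$path/" in
            */../*) echo "rejected (contains ..): $path" >&2; rc=1; continue ;;
        esac
        target=$root$path
        if [ -L "$target" ] || [ -f "$target" ]; then
            rm -f -- "$target" && echo "removed $path"
        elif [ -e "$target" ]; then               # directory, device, ...
            echo "rejected (not a regular file): $path" >&2; rc=1
        fi                                        # absent: already clean
    done < "$list"
    return $rc
}

# Constructed demo: a scratch tree stands in for a client machine's root.
scratch=$(mktemp -d)
mkdir -p "$scratch/usr/bin" "$scratch/usr/lib"
touch "$scratch/usr/bin/cc" "$scratch/usr/bin/gcc" \
      "$scratch/usr/bin/ls" "$scratch/usr/lib/libc.a"
cat > "$scratch/prune.list" <<'EOF'
# sample entries, constructed for this example
/usr/bin/cc
/usr/bin/gcc
/usr/bin/../bin/ls
/usr/lib
EOF
demo_status=0
prune_listed_files "$scratch" "$scratch/prune.list" || demo_status=$?
echo "exit status: $demo_status"
```

On a real client the first argument would be empty, and the call would run after each installworld; the rejected entries show why the list should be validated before anything is passed to rm as root.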