Re: [OT] secure, minimal Debian installation for linux-based thin clients?

2002-10-22 Thread Javier Fernández-Sanguino Peña
On Fri, Oct 18, 2002 at 12:41:37PM -0700, Chris Majewski wrote:
> There is  obviously more  than one solution  here, so I'm  looking for
> recommendations.  We  care about  security; we don't  want to  run any
> services  we don't  need, etc.  Reliability  is key,  so your  uncle's
> friend's brother's alpha software might not be for us.
>

Check Bastille for automatic Debian hardening of clients based on
a profile after installation. You can run it once on your first thin
client, create a profile of security features with 'InteractiveBastille'
and then run 'BastilleBackEnd' on the other clients.  (BTW in Bastille 2.0
you will just use 'bastille' :)

Regards

Javi

PS: Make sure to read/understand the current (open for woody) bugs in
bastille. There will be a proposed-updates package fixing them (hopefully
soon)





Re: [OT] secure, minimal Debian installation for linux-based thin clients?

2002-10-21 Thread Matt Zimmerman
On Fri, Oct 18, 2002 at 01:01:09PM -0700, Chris Majewski wrote:

> OK, thanks.  BTW, how  does that differ  from running tasksel  and not
> selecting any tasks? Or is that even possible?

If you run tasksel and do not select any tasks, you get packages of priority
'standard' and higher.

-- 
 - mdz
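
The difference described in the message above can be checked on an installed tree by listing each package with its priority. The script below is an added example, not part of the original thread; it assumes that the base set means priorities 'required' and 'important', and the allowlist KEEP and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list installed packages whose
# priority is not required or important, so they can be reviewed for removal.
# Input: "package<TAB>priority" lines, as printed by
#   dpkg-query -W -f='${Package}\t${Priority}\n'

# Hypothetical allowlist: extras this thin client is meant to run.
KEEP="ssh xserver-xfree86"

# audit_priorities: read package/priority pairs on stdin and print every
# package that is neither required/important nor named in KEEP.
audit_priorities() {
    awk -F'\t' -v keep="$KEEP" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        NF < 2                                 { next }  # malformed line
        $2 == "required" || $2 == "important"  { next }  # base set
        ($1 in ok)                             { next }  # wanted extra
        { printf "%s\t%s\n", $1, $2 }
    ' | LC_ALL=C sort
}

# Constructed sample input; the priorities are illustrative only.
sample_selections() {
    printf 'base-files\trequired\n'
    printf 'bash\trequired\n'
    printf 'apt\timportant\n'
    printf 'telnet\tstandard\n'
    printf 'lsof\tstandard\n'
    printf 'ssh\tstandard\n'
    printf 'xserver-xfree86\toptional\n'
    printf 'gcc\toptional\n'
}

# Demo on the sample. On a real tree, for example a chroot named "deb":
#   chroot deb dpkg-query -W -f='${Package}\t${Priority}\n' | audit_priorities
sample_selections | audit_priorities
```

Anything the script prints is installed but neither part of the base set nor on the allowlist, which makes it a candidate for removal or for an explicit entry in KEEP.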






Re: [OT] secure, minimal Debian installation for linux-based thin clients?

2002-10-21 Thread R. Bradley Tilley
On Friday 18 October 2002 03:46 pm, Noah L. Meyerhans wrote:
> On Fri, Oct 18, 2002 at 12:41:37PM -0700, Chris Majewski wrote:
> > Now, we're looking  to upgrade the Linux on these  thin clients. I like
> > Debian,  so that's  one  obvious choice.  However,  a standard  Debian
> > install (e.g.  what I run  on my machine)  gives us much more  than we
> > need.
>
> Towards the end of the Debian installation process, when you're asked
> whether you want to run tasksel or dselect, you can choose dselect and
> exit it before installing any packages.  If you do that, you're left
> with a really minimal install.  You might be able to base your work on
> this.
>
> noah

This is what I do as well. On a 1 GB / partition Debian only takes up about 
15% of the partition (when installed in this manner) and hardly anything is 
installed. I have to apt-get install less... now that's what I call minimal.




Re: [OT] secure, minimal Debian installation for linux-based thin clients?

2002-10-20 Thread Karl Hammar

> > Towards the end of the Debian installation process, when you're asked
> > whether you want to run tasksel or dselect, you can choose dselect
> > and exit it before installing any packages.  If you do that, you're left
> > with a really minimal install.  You might be able to base your work
> > on this.
> since this is the way I usually work and I've tried to build a debian
> based thin client myself. I can say that woody base contains a lot
> of packages which you really don't want/need on a thin client.
>
> Gr,
>
> Ivo van Dongen
...

 One way to do it is to have:

# ls -l
total 56
...
drwxr-xr-x   19 root root 4096 Oct 20 11:08 deb
...
lrwxrwxrwx    1 root root   33 Nov 30  2001 e2fs_stage1_5 -> ../grub-0.90/stage2/e2fs_stage1_5
lrwxrwxrwx    1 root root   22 Nov 30  2001 grub -> ../grub-0.90/grub/grub
-rw-r--r--    1 root root  502 Oct 20 11:32 mkdisk
...
drwxr-xr-x    6 root root 4096 Nov 28  2001 add
-rw-r--r--    1 root root 2491 Oct 20 11:23 pkg.list
drwxr-xr-x   19 root root 4096 Dec  4  2001 slim
lrwxrwxrwx    1 root root   26 Nov 30  2001 stage1 -> ../grub-0.90/stage1/stage1
lrwxrwxrwx    1 root root   26 Nov 30  2001 stage2 -> ../grub-0.90/stage2/stage2
-rwxr-xr-x    1 root root  573 Oct 20 11:11 trimming
...
-rwxr-xr-x    1 root root  800 Oct 20 11:17 updhostname...

 where deb is a minimal install of debian:

# chroot deb dpkg --get-selections > pkg.list

 add is whatever custom things you want to add and slim is a
 generated trimmed down root of the thin clients.

# du -s deb add slim
99304   deb
4352    add
42092   slim

 you generate slim with trimming, and customize it to a specific client
 with updhostname..., and write to disk with mkdisk. Later you can
 update the clients with mirrordir (found with apt-get install
 mirrordir).

Regards,
/Karl

---
Karl Hammar         Aspö Data           [EMAIL PROTECTED]
Lilla Aspö 2340     +46  173 140 57     Networks
S-742 94 Östhammar  +46 18 26 09 00     Computers
Sweden              +46  10 270 26 67   Consulting
---

 
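#!/bin/sh
# mkdisk: partition /dev/hdc, copy the client tree onto it and install grub.

if [ $# -lt 2 ]
then
    echo Usage:
    echo "  mkdisk ip hostname"
    exit 1
fi

UNITID=$1

# wipe the old partition table
dd if=/dev/zero of=/dev/hdc count=50

# 30 MB bootable first partition; the second partition gets the rest
sfdisk -uM /dev/hdc << EOF
0,30,L,*
,
;
EOF

mkfs.ext2 /dev/hdc1
mkfs.ext2 /dev/hdc2
#mkswap /dev/hdc2

mount /dev/hdc1 mnt
mkdir mnt/usr
mount /dev/hdc2 mnt/usr

cp -a current/* mnt

# set address, hostname and host keys inside the new root
chroot mnt updhostname... $1 $2

umount mnt/usr
umount mnt

./grub --batch << EOT 1>/dev/null 2>/dev/null
root (hd2,0)
install /boot/stage1 (hd2) /boot/stage2 p
quit
EOT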
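
#!/bin/sh
# Set the IP address, hostname and ssh host keys in a client tree
# (called from mkdisk as "updhostname... ip hostname").

IP=$1
HOSTNAME=$2
root=$3

# both the address and the hostname are required
if [ $# -lt 2 ]
then
    cat << EOF
Usage: unitset ipaddr hostname [root of filesystem]
Synopsis:
    change hostname ip-number
EOF
    exit 1
fi

export LANG=C

perl -pi.org -e "s/172\.16\.0\.1/$IP/" $root/etc/network/interfaces
perl -pi.org -e "s/HOSTNAME/$HOSTNAME/" \
  $root/etc/exim/exim.conf

echo $HOSTNAME > $root/etc/hostname
echo $HOSTNAME > $root/etc/mailname
ALIAS=`echo $HOSTNAME | sed -e 's/\..*$//'`
# >> is assumed here (the redirection was lost in the archive); it keeps
# an existing localhost entry
echo "$IP   $HOSTNAME   $ALIAS" >> $root/etc/hosts

# each client gets its own host keys instead of the ones copied with the image
umask 022
rm $root/etc/ssh/ssh_host_*key
ssh-keygen -t rsa1 -N '' -f $root/etc/ssh/ssh_host_key # > /dev/null
ssh-keygen -t rsa  -N '' -f $root/etc/ssh/ssh_host_rsa_key # > /dev/null
ssh-keygen -t dsa  -N '' -f $root/etc/ssh/ssh_host_dsa_key # > /dev/null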
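
#!/bin/sh
# trimming: build slim/ from all/ plus add/, then strip what a thin
# client does not need.

rm -rf slim/*
cp -a all/* slim
cp -a add/* slim

# stop if a directory is missing, so the rm commands cannot run elsewhere
cd slim || exit 1
mv etc/cron.d/exim etc/cron.daily/0exim
rm etc/cron.*/sysklogd
rm etc/resolv.conf
rm -rf lib/modules/*
rm -rf var/lib/apt
rm -rf var/lib/dpkg
rm -rf var/cache/*
rm -f  var/spool/cron/crontabs/uucp

cd usr || exit 1
#rm lib/gconv/???

cd share || exit 1
rm -rf unidata/*
rm -rf man/*
rm -rf doc/*
rm -rf keymaps/amiga keymaps/atari keymaps/mac keymaps/sun
rm -rf info/*
# find prints paths starting with "zoneinfo/", so match on that prefix
find zoneinfo -type f | grep -v '^zoneinfo/Europe/Stockholm$' | xargs rm
rm -rf terminfo
ln -s ../../etc/terminfo .

cd locale || exit 1
ls | grep -v 'en$' | grep -v sv | xargs rm -rf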

adduser                 install
adjtimex                install
apt                     install
apt-utils               install
at                      install
base-files              install
base-passwd             install
bash                    install
bsdmainutils            install
bsdutils                install
console-common          install
console-data            install
console-tools           install
console-tools-libs

Re: [OT] secure, minimal Debian installation for linux-based thin clients?

2002-10-19 Thread Dale Amon
On Fri, Oct 18, 2002 at 12:41:37PM -0700, Chris Majewski wrote:
> Now, we're looking  to upgrade the Linux on these  thin clients. I like
> Debian,  so that's  one  obvious choice.  However,  a standard  Debian
> install (e.g.  what I run  on my machine)  gives us much more  than we
> need. This isn't fatal, since  the filesystem is NFS-mounted, but it's
> not clean, either. Is  there a Debian-derived minimal distribution? Or
> should we just install the base Debian system, add X via tasksel, and
> add/remove remaining items with dselect or apt-get?

You might want to drop in on the Debian Beowulf crowd, since
a beowulf is basically a whole lot of thin clients. pbuilder
is useful for defining your own base.tgz file if you want
to go that way.

-- 
--
Nuke bin Laden:   Dale Amon, CEO/MD
  improve the global  Islandone Society
 gene pool.   www.islandone.org
--



Re: [OT] secure, minimal Debian installation for linux-based thin clients?

2002-10-19 Thread vdongen
> Towards the end of the Debian installation process, when you're asked
> whether you want to run tasksel or dselect, you can choose dselect
> and exit it before installing any packages.  If you do that, you're left
> with a really minimal install.  You might be able to base your work
> on this.
since this is the way I usually work and I've tried to build a debian
based thin client myself. I can say that woody base contains a lot
of packages which you really don't want/need on a thin client.

Gr,

Ivo van Dongen




[OT] secure, minimal Debian installation for linux-based thin clients?

2002-10-18 Thread Chris Majewski
This  is   unrelated  to  any  security  patches   /  exploits,  hence
off-topic. I'm  posting here  mostly because it  seems like  the right
crowd for this  sort of problem. If this offends you,  let me know and
I'll find a different venue in the future. 

OK.   We're a  large network  running  lots (~100)  thin clients,  and
expecting  to run more  of them  in the  future. Currently,  these are
NeoWare  Eon's (mobile  x86  cpu) running  Linux  (an old  scaled-down
RedHat),  with  an  NFS-mounted  root  fs.  They  run  almost  nothing
locally: currently an  X server,  sshd, and  possibly some  music forwarding
daemon  in the  future, so  users can  listen to  tunes on  their thin
clients using  software on the server  (we don't give  users access to
the local software).

Now, we're looking  to upgrade the Linux on these  thin clients. I like
Debian,  so that's  one  obvious choice.  However,  a standard  Debian
install (e.g.  what I run  on my machine)  gives us much more  than we
need. This isn't fatal, since  the filesystem is NFS-mounted, but it's
not clean, either. Is  there a Debian-derived minimal distribution? Or
should we just install the base Debian system, add X via tasksel, and
add/remove remaining items with dselect or apt-get? 

There is  obviously more  than one solution  here, so I'm  looking for
recommendations.  We  care about  security; we don't  want to  run any
services  we don't  need, etc.  Reliability  is key,  so your  uncle's
friend's brother's alpha software might not be for us.  

Any other comments (relevant to  Debian on thin clients / X terminals)
welcome. 

-chris








Re: [OT] secure, minimal Debian installation for linux-based thin clients?

2002-10-18 Thread Noah L. Meyerhans
On Fri, Oct 18, 2002 at 12:41:37PM -0700, Chris Majewski wrote:
> Now, we're looking  to upgrade the Linux on these  thin clients. I like
> Debian,  so that's  one  obvious choice.  However,  a standard  Debian
> install (e.g.  what I run  on my machine)  gives us much more  than we
> need.

Towards the end of the Debian installation process, when you're asked
whether you want to run tasksel or dselect, you can choose dselect and
exit it before installing any packages.  If you do that, you're left
with a really minimal install.  You might be able to base your work on
this.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





Re: [OT] secure, minimal Debian installation for linux-based thin clients?

2002-10-18 Thread Chris Majewski
OK, thanks.  BTW, how  does that differ  from running tasksel  and not
selecting any tasks? Or is that even possible? 

-chris

Noah L. Meyerhans [EMAIL PROTECTED] writes:

> On Fri, Oct 18, 2002 at 12:41:37PM -0700, Chris Majewski wrote:
> > Now, we're looking  to upgrade the Linux on these  thin clients. I like
> > Debian,  so that's  one  obvious choice.  However,  a standard  Debian
> > install (e.g.  what I run  on my machine)  gives us much more  than we
> > need.
>
> Towards the end of the Debian installation process, when you're asked
> whether you want to run tasksel or dselect, you can choose dselect and
> exit it before installing any packages.  If you do that, you're left
> with a really minimal install.  You might be able to base your work on
> this.
>
> noah
>
> --
>  ___
> | Web: http://web.morgul.net/~frodo/
> | PGP Public Key: http://web.morgul.net/~frodo/mail.html






Re: [OT] secure, minimal Debian installation for linux-based thin clients?

2002-10-18 Thread Bernhard R. Link
* Chris Majewski [EMAIL PROTECTED] [021018 22:43]:
> RedHat),  with  an  NFS-mounted  root  fs.  They  run  almost  nothing
> locally: currently an  X server,  sshd, and  possibly some  music forwarding
> daemon  in the  future, so  users can  listen to  tunes on  their thin
> clients using  software on the server  (we don't give  users access to
> the local software).
>
> Now, we're looking  to upgrade the Linux on these  thin clients. I like
> Debian,  so that's  one  obvious choice.  However,  a standard  Debian
> install (e.g.  what I run  on my machine)  gives us much more  than we
> need. This isn't fatal, since  the filesystem is NFS-mounted, but it's
> not clean, either.

I do not know, what you all need. When setting up only as Xterminal
I just copied the needed files from the sparc .deb in some dir
of the x86-Server. (And compiled some kernel on some sparc-machine,
as the clients only had 5mb). Only some libs, init and the xserver.
(Not even a shell). If you need ssh, you may need some more libs,
but selecting exactly the files you need makes it also a little more
secure.

As running ssh means regular updates, I would just suggest some
script unpacking the whole .debs (Maybe even directly using ar and tar) 
and putting the configuration files in place.
(Though thinking again about ssh and such things as the sshd-user
 this might perhaps not be the best solution)

Hochachtungsvoll,
Bernhard R. Link
-- 
The man who trades freedom for security does not deserve 
nor will he ever receive either. (Benjamin Franklin)







Re: [OT] secure, minimal Debian installation for linux-based thin clients?

2002-10-18 Thread Phillip Hofmeister
On Fri, 18 Oct 2002 at 12:41:37PM -0700, Chris Majewski wrote:
> Now, we're looking  to upgrade the Linux on these  thin clients. I like
> Debian,  so that's  one  obvious choice.  However,  a standard  Debian
> install (e.g.  what I run  on my machine)  gives us much more  than we
> need. This isn't fatal, since  the filesystem is NFS-mounted, but it's
> not clean, either. Is  there a Debian-derived minimal distribution? Or
> should we just install the base Debian system, add X via tasksel, and
> add/remove remaining items with dselect or apt-get?
Try doing a regular install but don't choose the option to install more 
packages after you install the base package

I believe this is what you are looking for...

-- 
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import

XP Source Code:

#include <win2k.h>
#include <extra_pretty_things_with_bugs.h>
#include <more_bugs.h>
#include <require_system_activation.h>
#include <phone_home_every_so_often.h>
#include <remote_admin_abilities_for_MS.h>
#include <more_restrictive_EULA.h>
#include <sell_your_soul_to_MS_EULA.h>
//os_ver=Windows 2000
os_ver=Windows XP


