List of unneeded programs - possible security holes

Post by superdave.. » Wed, 30 Oct 2002 15:07:28



I am in the process of making a script used on all new installs that
wipes from the server all programs that are un-needed and possible
security holes.

The servers are used 100% in a webhosting environment so all programs
unrelated to webserving, FTP, SSH, and sendmail are to be eliminated.
cc and gcc are by default removed on all machines and the entire
/usr/src is wiped after kernel builds.  The machines are not kept
current using CVS, and all future upgrades to major components are
updated via SSH scripts.

Examples being:
/usr/libexec/telnetd
/usr/bin/keyinit  (and eliminated the option of skey from pam.conf) -
/usr/lib/pam_radius.so
/usr/lib/pam_skey.so
/usr/sbin/setkey
/usr/sbin/ppp
/usr/sbin/pppd
/usr/sbin/sliplogin
/usr/sbin/lpd
/usr/sbin/apmd
/usr/sbin/isdn*
/usr/sbin/rpc*
etc
etc

Does anyone know of the existence of a similar script or list of files?

If not, if you look at this post and want to contribute some files that
have caused you issues in the past, by all means include them.

 
 
 


Post by Marc Spitze » Wed, 30 Oct 2002 15:47:39



> I am in the process of making a script used on all new installs that
> wipes from the server all programs that are un-needed and possible
> security holes.

> The servers are used 100% in a webhosting environment so all programs
> unrelated to webserving, FTP, SSH, and sendmail are to be eliminated.
> cc and gcc are by default removed on all machines and the entire
> /usr/src is wiped after kernel builds.  The machines are not kept
> current using CVS, and all future upgrades to major components are
> updated via SSH scripts.

Take a look at /etc/defaults/make.conf, copy it to /etc/make.conf and edit
to suit.  Change your root install target to /whatever and then turn off
all the things you do not want to build in /etc/make.conf; there are a lot
of "don't do this" switches, for example "don't build X" is one.  Then look at
what is left and clean that.

Good luck

marc

 
 
 


Post by Michael Sierchi » Wed, 30 Oct 2002 23:30:58



> take a look at /etc/defaults/make.conf, copy it to /etc/make.conf and edit
> to suit.

This would be good advice if it worked ;-)  There are still scads
of things that aren't needed in a base system, an embedded system,
a dedicated fw, etc.

It would really be nice if every friggin' thing was registered
as part of a package, and you could add or remove it that way.

Possibly useful hint:  'ldd' will enable you to assemble dependencies
for libs.
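
The `ldd` hint above, worked through as an added example that is not part of the original thread: it collects the shared libraries that a keep-list of binaries resolves to and reports, without deleting anything, which libraries in a directory none of them use. The function names and the sample `ldd` output are constructed for illustration.

```sh
#!/bin/sh
# Added example: derive the shared libraries a keep-list of binaries needs,
# then report libraries in a directory that nothing on the keep-list uses.
# Report-only: it prints candidates and deletes nothing.

# Parse ldd output on stdin; print each resolved library path once.
# Matches lines such as "libc.so.4 => /usr/lib/libc.so.4 (0x28065000)";
# headers, "not found" entries and static binaries are skipped.
libs_from_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }' | LC_ALL=C sort -u
}

# Run ldd over every binary named on the command line.
# Only run this on binaries you trust (the installed base system).
needed_libs() {
    for bin in "$@"; do
        ldd "$bin" 2>/dev/null
    done | libs_from_ldd
}

# Print shared libraries in directory $1 that are absent from the
# needed-list file $2 (one absolute path per line).
unused_libs() {
    for lib in "$1"/*.so*; do
        [ -f "$lib" ] || continue
        grep -qxF "$lib" "$2" || echo "$lib"
    done
}

# Constructed sample of ldd output for two kept daemons (not from a real host).
SAMPLE_LDD='/usr/sbin/sshd:
    libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x28082000)
    libc.so.4 => /usr/lib/libc.so.4 (0x28150000)
/usr/libexec/ftpd:
    libc.so.4 => /usr/lib/libc.so.4 (0x28065000)'

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LDD" | libs_from_ldd
```

`ldd` only sees link-time dependencies, so modules loaded at run time with `dlopen()`, such as the PAM modules named in the first post, have to be checked against `pam.conf` separately.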

 
 
 


Post by Marc Spitze » Thu, 31 Oct 2002 00:45:05





>> take a look at /etc/defaults/make.conf, copy it to /etc/make.conf and
>> edit to suit.
> This would be good advice if it worked ;-)  There are still scads
> of things that aren't needed in a base system, an embedded system,
> a dedicated fw, etc.

> It would really be nice if every friggin' thing was registered
> as part of a package, and you could add or remove it that way.

> Possibly useful hint:  'ldd' will enable you to assemble dependencies
> for libs.

I will admit it does not do everything, but it makes your list much
smaller.  I thought that one of the goals was to get the system to do as
much of this as possible and all would be nice.

marc

 
 
 


Post by Michael Sierchi » Thu, 31 Oct 2002 01:48:00



> I will admit it does not do everything, but it makes your list much
> smaller.  I thought that one of the goals was to get the system to do as
> much of this as possible and all would be nice.

Yes, it reduces the amount of manual work, but still leaves a lot.
 
 
 


Post by Steve O'Hara-Smit » Thu, 31 Oct 2002 03:30:29


On Tue, 29 Oct 2002 06:07:28 GMT

SYC> I am in the process of making a script used on all new installs that
SYC> wipes from the server all programs that are un-needed and possible
SYC> security holes.

        Why not go the other way and start with a minimal PicoBSD build
and add in only the essentials. That way you won't be chasing a moving
list to decide what to remove.

--
C:>WIN                                      |     Directable Mirrors
The computer obeys and wins.                |A Better Way To Focus The Sun
You lose and Bill collects.                 |  licenses available - see:
                                            |   http://www.sohara.org/

 
 
 
