bare minimum packages (Was: Ping, Pong, oh lets get moving shall we ;)

James J. jjohnson at eclipse.ncsc.mil
Wed Nov 8 08:47:51 PST 2000


>Date: Wed, 8 Nov 2000 04:44:11 -0500
>From: Jesse Tie Ten Quee <highos at highos.com>
>To: lfs-security at linuxfromscratch.org
>Subject: Ping, Pong, oh lets get moving shall we ;)
>Mime-Version: 1.0
>X-original-sender: highos at highos.com
>
>Yo,
>
>Hrm...guys, everyone shouted for this list and there hasn't been one
>post yet, isn't there anything one wants to post here?
>

Here's a topic for the truly paranoid -

A very secure system shouldn't have any binaries that aren't going to
be used. Many of the LFS binaries are only there to build packages.
Once you have the system built, and have added whatever extra apps you
want to put on it, what binaries can you get rid of and still have a
running system?

What I have in mind is, say, a proxy firewall, a router, perhaps a
print server, or some other special purpose machine that needs to be
secure and won't have to support general purpose computing. Assumptions
are (1) this is an LFS machine, (2) it may have some other special
purpose application(s) compiled on it, (3) it will not be used for any
further development, so it won't need a compiler or any other
development tool, (4) it allows logins on only one serial line. For
maintenance, this machine will be able to mount a CD with statically
compiled tools. To keep things simple for now, let's not split up
packages. If a program in a package is necessary, then the package is
necessary. Feel free to argue - I haven't actually tried to remove any
of these from a working system, so I'm just guessing.

Gotta have
----------
Bash (or some other shell, for maintenance logins.)
Glibc (On the other hand, perhaps not necessary on systems that only
     have static binaries.)
Kernel
Ld.so (Ditto glibc comment - if there are no shared libraries, then
     this is not a necessary package.)
Modutils (Necessary unless the kernel is monolithic.)
Shadow Password Suite (Gotta have login, but a lot of the other
     binaries should go on the CD.)
Sysklogd
Sysvinit (Gotta have init to start the system.)
Util Linux (Have to be able to mount the maintenance CD, among other
     things.)

Beats me
--------
Flex (Even with the book's explanation, I'm not sure what this does.)
Procps (Is the kill command necessary for the shell to run? Is sysctl
     necessary for the kernel to start?)

Put on the Maintenance CD
-------------------------
NOTE: Some of these may still be necessary on some systems, depending
     on the special purpose applications on the system. For instance, a
     shell script may call cp or ls, both of which are in the fileutils
     package.
Autoconf
Automake
Binutils
Bin86
Bison
Bzip2
Console-data
Console-tools
Diffutils
E2fsprogs
Ed
File
Fileutils
Findutils
Gcc
Gettext
Grep
Groff
Gzip
Less
Libtool
Lilo
M4
Make
Man
Man-pages
Ncurses
Patch
Perl
Procinfo
Psmisc
Sed
Shellutils
Tar
Texinfo
Textutils
Vim

-- 
James Johnson
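
The NOTE in the post warns that a shell script left on the machine may still call cp or ls. The following is an added example, not part of the original post, of one way to check for that before moving a package to the CD. The function name, the constructed sample tree and the word-match heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example: which commands in a candidate-for-removal directory are
# still named by the scripts that stay on the machine?

# referenced_cmds BIN_DIR SCRIPT_DIR
# Prints each executable in BIN_DIR whose name occurs as a whole word on a
# non-comment line of a file under SCRIPT_DIR (shebang lines are kept).
referenced_cmds() {
    bin_dir=$1
    script_dir=$2
    # Read every script once; drop comment lines but not "#!" lines.
    corpus=$(find "$script_dir" -type f -exec cat {} + |
        grep -Ev '^[[:space:]]*#([^!]|$)') || true
    for path in "$bin_dir"/*; do
        [ -f "$path" ] && [ -x "$path" ] || continue
        name=${path##*/}
        if printf '%s\n' "$corpus" | grep -qwF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample tree (not from the post): four stand-in binaries and
# one maintenance script that really uses only cp and ls.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc/rc.d"
    for b in cp ls sed tar; do
        : > "$root/bin/$b"
        chmod +x "$root/bin/$b"
    done
    cat > "$root/etc/rc.d/rotate" <<'EOF'
#!/bin/sh
# tar is mentioned only in this comment
cp /var/log/messages /var/log/messages.0
ls -l /var/log
EOF
    referenced_cmds "$root/bin" "$root/etc/rc.d"
    rm -rf "$root"
}

demo
```

A name printed here means "keep it or read the script"; a name not printed is not proof it is unused, since commands built from variables or run by compiled programs are not seen by a text match.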






