bare minimum packages (Was: Ping, Pong, oh lets get moving shall we ;)

Fabio Fracassi f.fracassi at gmx.net
Wed Nov 8 11:13:04 PST 2000


On Wednesday 08 November 2000 17:47, you wrote:
> >Date: Wed, 8 Nov 2000 04:44:11 -0500
> >From: Jesse Tie Ten Quee <highos at highos.com>
> >To: lfs-security at linuxfromscratch.org
> >Subject: Ping, Pong, oh lets get moving shall we ;)
> >Mime-Version: 1.0
> >X-original-sender: highos at highos.com
> >
> >Yo,
> >
> >Hrm...guys, everyone shouted for this list and there hasn't been one
> >post yet, isn't there anything one wants to post here?
>
> Here's a topic for the truly paranoid -
>
> A very secure system shouldn't have any binaries that aren't going to
> be used. Many of the LFS binaries are only there to build packages.
> Once you have the system built, and have added whatever extra apps you
> want to put on it, what binaries can you get rid of and still have a
> running system?
>
> What I have in mind is, say, a proxy firewall, a router, perhaps a
> print server, or some other special purpose machine that needs to be
> secure and won't have to support general purpose computing. Assumptions
> are (1) this is an LFS machine, (2) it may have some other special
> purpose application(s) compiled on it, (3) it will not be used for any
> further development, so it won't need a compiler or any other
> development tool, (4) it allows logins on only one serial line. For
> maintenance, this machine will be able to mount a CD with statically
> compiled tools. To keep things simple for now, let's not split up
> packages. If a program in a package is necessary, then the package is
> necessary. Feel free to argue - I haven't actually tried to remove any
> of these from a working system, so I'm just guessing.
>
> Gotta have
> ----------
> Bash (or some other shell, for maintenance logins.)
> Glibc (On the other hand, perhaps not necessary on systems that only
>      have static binaries.)
> Kernel
> Ld.so (Ditto glibc comment - if there are no shared libraries, then
>      this is not a necessary package.)
> Modutils (Necessary unless the kernel is monolithic.)
> Shadow Password Suite (Gotta have login, but a lot of the other
>      binaries should go on the CD.)
> Sysklogd
> Sysvinit (Gotta have init to start the system.)
> Util Linux (Have to be able to mount the maintenance CD, among other
>      things.)
>
> Beats me
> --------
> Flex (Even with the book's explanation, I'm not sure what this does.)

It does lexical analysis of syntax, i.e. you give flex the definition of what a
legal expression looks like, and it generates a C function which takes
expressions, and says whether they are correct or not.

That said, it is a development tool, and *should* not be an integral part of a
system. (IIRC it wasn't on my SuSE before I started with LFS)

> Procps (Is the kill command necessary for the shell to run? Is sysctl
>      necessary for the kernel to start?)
>
> Put on the Maintenance CD
> -------------------------
> NOTE: Some of these may still be necessary on some systems, depending
>      on the special purpose applications on the system. For instance, a
>      shell script may call cp or ls, both of which are in the fileutils
>      package.
> Autoconf
> Automake
> Binutils
> Bin86
> Bison
> Bzip2
> Console-data
> Console-tools
> Diffutils
> E2fsprogs
> Ed
> File
> Fileutils
> Findutils
> Gcc
> Gettext
> Grep
> Groff
> Gzip
> Less
> Libtool
> Lilo
> M4
> Make
> Man
> Man-pages
> Ncurses
> Patch
> Perl
> Procinfo
> Psmisc
> Sed
> Shellutils
> Tar
> Texinfo
> Textutils
> Vim
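
The Glibc and Ld.so remarks in the quoted list depend on whether any binary left on the system is dynamically linked. The following added example (not part of the original message) reports every ELF file that still names a dynamic loader in a PT_INTERP program header. The names `elf_interpreter`, `dynamic_binaries` and `sample_elf32` are hypothetical, and the sample image is constructed.

```python
import os
import struct

PT_INTERP = 3  # program header type that names the dynamic loader (ld.so)

def elf_interpreter(data):
    """Return the loader path, '' for a static ELF, None if not parseable ELF."""
    if data[:4] != b"\x7fELF" or len(data) < 52:
        return None
    is64 = data[4] == 2                     # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    e = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little endian
    word = "Q" if is64 else "I"             # width of offset and size fields
    try:
        phoff, = struct.unpack_from(e + word, data, 32 if is64 else 28)
        entsize, phnum = struct.unpack_from(e + "HH", data, 54 if is64 else 42)
        for i in range(phnum):
            base = phoff + i * entsize
            if struct.unpack_from(e + "I", data, base)[0] != PT_INTERP:
                continue
            off, = struct.unpack_from(e + word, data, base + (8 if is64 else 4))
            size, = struct.unpack_from(e + word, data, base + (32 if is64 else 16))
            return data[off:off + size].rstrip(b"\0").decode("ascii", "replace")
    except struct.error:
        return None                         # truncated or corrupt headers
    return ""

def dynamic_binaries(root):
    """Map path -> loader for every dynamically linked ELF file under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    interp = elf_interpreter(fh.read())
            except OSError:
                continue                    # unreadable file: skip it
            if interp:
                found[path] = interp
    return found

def sample_elf32(interp=b""):
    """Constructed sample: minimal little-endian ELF32 image, one program header."""
    ident = b"\x7fELF\x01\x01\x01" + b"\0" * 9
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    ptype = PT_INTERP if interp else 1      # 1 = PT_LOAD, i.e. no loader requested
    phdr = struct.pack("<IIIIIIII", ptype, 84, 0, 0, len(interp), len(interp), 4, 1)
    return ehdr + phdr + interp
```

An empty result from `dynamic_binaries("/")` is necessary but not sufficient for dropping glibc: statically linked glibc programs that look up users or hosts still load NSS modules at run time.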




