Minimum Software Installed

By default, Debian, including Debian sarge (minimal install) actually installed a large numbers of development tools. Having these tools available means anyone can program and compile inside that system. This section guides you on how to keep the installed packages minimal.

Identified Threats

These are the identified threats related to Debian Software.

(T13) Debian Installed Development Tools by Default

Development tools are not used in production system allows attacker to do privilege escalation, to run local exploits in the system if there is a debugger and compiler ready to compile and test them.

Actions Required

Here are the list if actions to counter the issues.

Remove Unused Development Tools

Development tools like:

Package                    Size
------------------------+--------
gdb                     2,766,822
gcc-X.X                 1,570,284
dpkg-dev                  166,800
libcX-dev               2,531,564
cpp-X.X                 1,391,346
manpages-dev            1,081,408
flex                      257,678
g++                         1,384 (Note: virtual package)
linux-kernel-headers    1,377,022
bin86                      82,090
cpp                        29,446
gcc                         4,896 (Note: virtual package)
g++-X.X                 1,778,880
bison                     702,830
make                      366,138
libstdc++X-X.X-dev        774,982

Should be uninstalled from a production system. This way, intruder cannot use production system as a development tools. Be careful with:

  • Python
  • Perl

As these are not easily removed and can easily break the operating system upon removal, one must thread lightly.

That's all for hardening Debian by having minimal software installed into the operating system.