Minimum Software Installed
By default, Debian, including Debian sarge (minimal install) actually installed a large numbers of development tools. Having these tools available means anyone can program and compile inside that system. This section guides you on how to keep the installed packages minimal.
Identified Threats
These are the identified threats related to Debian Software.
(T13) Debian Installed Development Tools by Default
Development tools are not used in production system allows attacker to do privilege escalation, to run local exploits in the system if there is a debugger and compiler ready to compile and test them.
Actions Required
Here are the list if actions to counter the issues.
Remove Unused Development Tools
Development tools like:
Package Size
------------------------+--------
gdb 2,766,822
gcc-X.X 1,570,284
dpkg-dev 166,800
libcX-dev 2,531,564
cpp-X.X 1,391,346
manpages-dev 1,081,408
flex 257,678
g++ 1,384 (Note: virtual package)
linux-kernel-headers 1,377,022
bin86 82,090
cpp 29,446
gcc 4,896 (Note: virtual package)
g++-X.X 1,778,880
bison 702,830
make 366,138
libstdc++X-X.X-dev 774,982
Should be uninstalled from a production system. This way, intruder cannot use production system as a development tools. Be careful with:
- Python
- Perl
As these are not easily removed and can easily break the operating system upon removal, one must thread lightly.
That's all for hardening Debian by having minimal software installed into the operating system.