Date: Tue, 13 Jan 2004 14:09:51 -0800
From: Mike Hoskins <mike@adept.org>
To: freebsd-advocacy@freebsd.org
Subject: Re: FreeBSD Today (modular devel tools? or what was it again?)
Message-ID: <40046CAF.7060709@adept.org>
In-Reply-To: <200401111442.57782.dgw@liwest.at>
References: <C8FC1BDF-4153-11D8-9D76-003065995254@tasonline.com> <000b01c3d57f$a5c4d910$c701a8c0@diamond> <3FFCB0F2.6040206@adept.org> <200401111442.57782.dgw@liwest.at>

Daniela wrote:
> What??? Remove the compiler for better security???

a lot of traditional security checklists have suggested "removing anything not absolutely necessary" when "hardening" machines. the idea is usually to make things as "hard as possible" for would-be attackers (as long as the changes are easy to manage, and removing/changing some subset of standard tools is certainly easy/scriptable). many of the security measures put into place can often be worked around... it's by layering various approaches and making attacks hard for all but the (in)famous "determined attacker" that significant security is gained.

in short, i don't currently do this on my boxes (although i have stripped a number of other "standard" binaries on firewall appliance machines before, using cfengine to regularly verify/enforce their removal... the same with removing SUID/SGID bits on utils i never use), but there is some arguable amount of "security relevance"... about the same as getting a car alarm... which any real thief can easily bypass.

i also originally assumed anyone taking the time to write "compiler removal" into their security policies would have done enough auditing and analysis to understand what they were trying to gain (who does something like this ad-hoc? no one who plans to keep their job.), and what other systemic tidbits may cause similar "problems". (having a hex editor lying around probably wouldn't be in line with that thought. ;)
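The recurring check the message describes (stripped tools stay removed, SUID/SGID bits stay off unused utilities), sketched as a plain sh audit. This is an added example, not the author's cfengine policy; the function names, the banned-list and allowlist file formats, and the sample tree are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original message): verify that stripped tools
# stay removed and that SUID/SGID bits exist only where explicitly allowed.

# audit_tree ROOT BANNED_FILE ALLOW_FILE
#   BANNED_FILE: basenames that policy says must be absent (one per line)
#   ALLOW_FILE:  paths relative to ROOT that may keep SUID/SGID (one per line)
# Prints sorted "BANNED <path>" / "SETID <path>" findings; returns 1 if any.
audit_tree() {
    root=$1; banned=$2; allow=$3
    findings=$(
        # Tools that must not exist anywhere under ROOT.
        while IFS= read -r name; do
            [ -n "$name" ] || continue
            find "$root" -type f -name "$name" -print | sed 's/^/BANNED /'
        done < "$banned"
        # Regular files with the setuid or setgid bit, minus the allowlist.
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print |
        while IFS= read -r path; do
            rel=${path#"$root"/}
            grep -Fxq -- "$rel" "$allow" || printf 'SETID %s\n' "$path"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | sort
    return 1
}

# demo: build a constructed tree in a temp directory and audit it.
demo() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/root/usr/bin" "$t/root/sbin"
    for f in usr/bin/cc usr/bin/passwd usr/bin/rlogin sbin/ping; do
        : > "$t/root/$f"
    done
    chmod 4755 "$t/root/usr/bin/passwd" "$t/root/usr/bin/rlogin"
    chmod 2755 "$t/root/sbin/ping"
    printf 'cc\ngcc\n' > "$t/banned"          # constructed policy
    printf 'usr/bin/passwd\n' > "$t/allow"    # constructed allowlist
    audit_tree "$t/root" "$t/banned" "$t/allow"; rc=$?
    rm -rf "$t"
    return "$rc"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run with the argument `demo` to audit the constructed tree; a scheduled job would instead call `audit_tree` against the real root and alert on a non-zero return.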