Mailinglist Archive: opensuse (818 mails)

[opensuse] security issue---compiler absence as last defense?
Nelson Marques wrote:
So... really... I'd like to understand... does any security expert
also believe installing a compiler into a system to be a security
issue? Why?

I'm not a security expert, but compilers are banned in production
servers in nearly all places I know; kernel modules are handled with
'weak-updates' and so far it's doing the job well. The closest to a
compiler that we allow in production is JDK, other than that, no gcc
or friends :)
----
It depends on site policy.
Most security people I know say that if the person has gotten
as far as being able to log in to your system, it's game over -- compilers
make little difference at that point.

The incremental security benefit of not having compilers on
a system is minor -- NOT that I would advise putting development tools
on an outward-facing web server -- BUT I'd generally advise against
putting any software on it not needed for its job, as each piece
adds exponential complexity.

I've never worked on a system that's been hacked into, and all of
them have had full development tools on them, but my security policy,
for the most part, doesn't provide services for untrusted clients.

They got an interactive shell? They can download premade binaries for
your machine or attack tools not needing compilation.

With security, it's never '1 thing'; everything is about mitigation,
with a minimum of 3 overlapping layers per vector. I'd say
that was far more important than whether or not the machine has
compilers. The three layers ideally should be by different vendors and run on
different HW -- i.e. no interdependencies.

You could go so far as to disallow interactive users from running
a shell, with updates to the webserver done via shared files run over a VPN
over IPsec. Again, a factor of 10x or more in risk reduction vs. disallowing
compiler presence.
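An added audit script, not from anyone in this thread, that checks the two hardening points discussed above from the defender's side: which accounts still get an interactive shell, and which compiler/toolchain binaries are reachable on PATH. The passwd data and the list of nologin shells are constructed for the example.

```shell
#!/bin/sh
# Hardening audit for a production host: report accounts that still have
# an interactive login shell, and compiler binaries present on PATH.

# Shells that end a login without handing the user a prompt (assumed list).
NOLOGIN_SHELLS='/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false'

# Read passwd-format lines on stdin and print "user:shell" for every
# account whose shell is not one of the nologin shells.
interactive_accounts() {
  while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
    [ -n "$user" ] || continue
    case " $NOLOGIN_SHELLS " in
      *" $shell "*) ;;                         # locked-down account, skip
      *) printf '%s:%s\n' "$user" "$shell" ;;  # still gets a shell
    esac
  done
}

# Print the path of each common compiler/toolchain binary found on PATH.
compilers_on_path() {
  for tool in gcc cc g++ clang tcc as ld make; do
    if p=$(command -v "$tool" 2>/dev/null); then
      printf '%s\n' "$p"
    fi
  done
}

# Constructed sample of /etc/passwd: two accounts still have real shells.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1001:1001:Deploy:/home/deploy:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/false'

echo "Accounts with an interactive shell:"
printf '%s\n' "$SAMPLE_PASSWD" | interactive_accounts
echo "Compilers on PATH:"
compilers_on_path
```

Against a live host, feed `interactive_accounts` with `getent passwd` instead of the sample; any service account it lists is a candidate for a nologin shell.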
