I was wondering whether to remove compiler tools (gcc, make, ...) from a remote production server, mainly for security purposes.
Background:
The server runs a web application on Linux. Consider Apache jailed. Otherwise, only OpenSSHd faces the public network. Of course there is no compiler stuff within the jail, so this is about the actual OS outside of any jails.
Here's my personal PRO/CON list (regarding removal) so far:
PRO:
- I had been reading some suggestions to remove compiler tools in order to inhibit custom building of trojans etc. from within the host if an attacker attains unprivileged user permissions.
CON:
- I can't live without Perl/Python, and a trojan/whatever could be written in a scripting language like that anyway, so why bother removing gcc et al. at all.
- There is a need to build new Linux kernels as well as some security tools from source directly on the server, because the server runs in 64-bits mode and (to my understanding) I can't (cross-)compile locally/elsewhere due to lack of another 64-bits hardware system.
OK, so here are my questions for you:
(a) Is my PRO/CON assessment correct?
(b) Do you know of other PROs / CONs to removing all compiler tools? Do they weigh in more?
(c) Which binaries should I consider dangerous if the given PRO statement holds? Only gcc, or also make, or what else? Should I remove the entire software packages they come with?
(d) Is it OK to just move those binaries to a root-only accessible directory when they are not needed? Or is there a gain in security if I "scp them in" every time?
Thank you!
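The approach asked about in (d), moving the build toolchain into a root-only directory and putting it back only for a build, as an added POSIX shell example that is not part of the original question or any answer. The list of binary names in TOOLCHAIN_BINS is an assumption; on a real server it has to be extended with the versioned names and the other members of the installed packages (dpkg -L or rpm -ql will list them), because moving only the gcc symlink leaves the real gcc-N binary behind.

```shell
#!/bin/sh
# Added example (not from the original question or any answer): audit which
# build-toolchain binaries are executable by every login on the host, and move
# them into a root-only directory (mode 0700), which is what question (d) asks.
# TOOLCHAIN_BINS is an assumption: extend it to match the packages on the box.

TOOLCHAIN_BINS="gcc cc g++ c++ cpp as ld make"

# world_exec_toolchain DIR
# Print, one per line, every toolchain binary in DIR that carries the
# "other execute" bit (octal 001), i.e. that any unprivileged user can run.
# A symlink such as /usr/bin/gcc -> gcc-12 is reported too (link mode is 777).
world_exec_toolchain() {
    dir=$1
    for name in $TOOLCHAIN_BINS; do
        path="$dir/$name"
        [ -f "$path" ] || continue
        # POSIX find: -perm -001 matches when the other-execute bit is set
        if [ -n "$(find "$path" -perm -001 2>/dev/null)" ]; then
            echo "$name"
        fi
    done
}

# stash_toolchain SRCDIR STASHDIR
# Move every toolchain binary found in SRCDIR into STASHDIR and make STASHDIR
# accessible only to its owner (mode 0700). Run as root so the owner is root;
# unprivileged users then cannot list the directory, let alone execute from it.
# Prints the number of binaries moved.
stash_toolchain() {
    src=$1
    stash=$2
    moved=0
    mkdir -p "$stash" || return 1
    chmod 0700 "$stash" || return 1
    for name in $TOOLCHAIN_BINS; do
        [ -f "$src/$name" ] || continue
        mv "$src/$name" "$stash/$name" && moved=$((moved + 1))
    done
    echo "$moved"
}

# restore_toolchain STASHDIR DSTDIR
# Put the binaries back for a build session; run stash_toolchain again afterwards.
# Prints the number of binaries restored.
restore_toolchain() {
    stash=$1
    dst=$2
    moved=0
    for name in $TOOLCHAIN_BINS; do
        [ -f "$stash/$name" ] || continue
        mv "$stash/$name" "$dst/$name" && moved=$((moved + 1))
    done
    echo "$moved"
}

# Typical use as root (paths are an assumption for the example):
#   world_exec_toolchain /usr/bin          # what is currently runnable by anyone
#   stash_toolchain /usr/bin /root/toolchain
#   restore_toolchain /root/toolchain /usr/bin   # only while building
```

Because the audit function only looks at the other-execute bit, running it after a stash is a quick check that nothing in the list is still reachable from an unprivileged shell; it says nothing about perl or python, which the CON list already notes remain available either way.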
Lots of people remove compilers and compiler tools because they can theoretically be used for exploits. I think that's dated. My experience lately has been that, if they can get in, they can get their tools in as well, so removing things like compilers, and emacs, and junk like that doesn't add much to your overall security.
I'd be extremely careful what services I ran on the machine: everything that connects to the outside is a potential vulnerability. Otherwise, I'd only remove the compilers to keep my programmers honest. I don't think it adds much to security these days.
Common wisdom of "proper way to do things" is to put the minimum necessary on servers. If you don't need the compilers, don't put them on there. It's one more thing that, if cracked, a system cracker could potentially use against your system, and it introduces more binaries that could have bugs in them that can be taken advantage of.
It also frees space on the server.
That said, I think there are many small offices and small businesses (and people who don't analyze security or best practices) who leave compilers and extra tools on their servers and don't consider it a huge deal.
If you want to play it safe, remove them. Install binaries you either pre-build or test yourself on another machine or install from trusted repos. It'll also save some space and streamline your backups a little bit.
If it's a critical production server, you probably shouldn't be playing with unknown test kernel configurations on it. You'd be building it on other hardware then migrating it over. We usually just use the "good enough" kernels from our distro's repos of choice for our platform, so there's no recompilation in our case.