On 04/29/2014 03:17 PM, Chris Adams wrote:
> Once upon a time, Reindl Harald <h.reindl@xxxxxxxxxxxxx> said:
>> wrong question - is /bin/sh used?
>> if the answer is yes then the answer to your question is no
>>
>> the point is remove anything *unneeded* from production systems
>> that are best practices for many years and for good reasons
>
> No, the point is that "remove a bunch of stuff to 'secure' the system"
> is not security, and should not be claimed that it is being done for
> 'security'. If you have bash as /bin/sh (as a 'standard' Fedora system
> does), you don't need wget/curl to download stuff for example.
>
> Can you lock that down more? Sure, you can remove network access,
> remove local write access, etc. However, that is separate from removing
> arbitrary binaries from the system/image. Removing non-privileged
> binaries from the image does _nothing_ for security (as claimed
> up-thread).

I am looking at this from a tools perspective. If I run an SCAP tool that says container image XYZ has a vulnerable image of udev, even if udev is not being used, I will have to update the image. If it does not have the package, no reason to update.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct