Re: We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

On Tue, Apr 29, 2014 at 03:31:45PM -0400, Daniel J Walsh wrote:
> 
> On 04/29/2014 03:17 PM, Chris Adams wrote:
> > Once upon a time, Reindl Harald <h.reindl@xxxxxxxxxxxxx> said:
> >> wrong question - is /bin/sh used?
> >> if the answer is yes then the answer to your question is no
> >>
> >> the point is remove anything *unneeded* from production systems
> >> that are best practices for many years and for good reasons
> > No, the point is that "remove a bunch of stuff to 'secure' the system"
> > is not security, and should not be claimed that it is being done for
> > 'security'.  If you have bash as /bin/sh (as a 'standard' Fedora system
> > does), you don't need wget/curl to download stuff for example.
> >
> > Can you lock that down more?  Sure, you can remove network access,
> > remove local write access, etc.  However, that is separate from removing
> > arbitrary binaries from the system/image.  Removing non-privileged
> > binaries from the image does _nothing_ for security (as claimed
> > up-thread).
> >
> I am looking at this from a tools perspective.  If I run an scap tool
> that says container image XYZ has a vulnerable image of udev, even if
> udev is not being used, I will have to update the image.  If it does not
> have the package, no reason to update.

  Welcome to the wonderful world of containers, ignoring 20 years of
shipping software in Linux distributions!

-- 
Tomasz Torcz                Only gods can safely risk perfection,
xmpp: zdzichubg@xxxxxxxxx     it's a dangerous thing for a man.  -- Alia

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct




