Re: We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

On 29.04.2014 21:31, Daniel J Walsh wrote:
> On 04/29/2014 03:17 PM, Chris Adams wrote:
>> Once upon a time, Reindl Harald <h.reindl@xxxxxxxxxxxxx> said:
>>> wrong question - is /bin/sh used?
>>> if the answer is yes then the answer to your question is no
>>>
>>> the point is remove anything *unneeded* from production systems
>>> that are best practices for many years and for good reasons
>> No, the point is that "remove a bunch of stuff to 'secure' the system"
>> is not security, and should not be claimed that it is being done for
>> 'security'.  If you have bash as /bin/sh (as a 'standard' Fedora system
>> does), you don't need wget/curl to download stuff for example.
>>
>> Can you lock that down more?  Sure, you can remove network access,
>> remove local write access, etc.  However, that is separate from removing
>> arbitrary binaries from the system/image.  Removing non-privileged
>> binaries from the image does _nothing_ for security (as claimed
>> up-thread).
>>
> I am looking at this from a tools perspective.  If I run an scap tool
> that says container image XYZ has a vulnerable image of udev, even if
> udev is not being used, I will have to update the image.  If it does not
> have the package, no reason to update.

exactly *that* is the problem that people who never had to work one way
or another in the security business do not understand

if you have external security audits there is no "can this be a problem";
you finally get "fix that within 24 hours or shut down" with no choice

been there, and while 100% sure the audit result is from the category
"a fool with a tool is still a fool", there is no choice to ignore it, and God
forbid you manage to explain that it is not relevant, followed by
a real exploit two days later

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct