[nycbug-talk] removing compilers in obsd
Wed Feb 25 19:45:41 EST 2004
On Wed, 25 Feb 2004 18:00:55 -0500
"G. Rosamond" <george at sddi.net> wrote:
> I know that one way to further lockdown an OpenBSD
> (or any BSD) box is to not install the compilers,
> compxx from the install sets.
I do not think it is worth worrying about too much, it's not really
adding anything meaningful to your security. You are much better off
spending the time setting up a root kit detection tripwire/mtree script
that runs every 5 min. on selected binaries, ls and the like, so you get
alerted and/or take the proper action (shutdown -y now for example). Most
exploits are in binary form already.
> they are necessary if you're hacking the kernel,
> using ports, etc.
> but after you've used them, how do you remove
rm gcc f77 g++ ...
chmod 0000 gcc f77 g++ ...
but I would recommend against removing the full suite because the
compiler comes with a lot of shared libraries that may be used in
different parts of the system.
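
The periodic integrity check on selected binaries that the reply above recommends, sketched as an added example that is not part of the original post. The script name `bincheck.sh`, the record format and the function names are assumptions; it records a SHA-256 hash plus mode and ownership for each file and reports any file that later differs or disappears.

```shell
#!/bin/sh
# Added example (not from the original post): baseline-and-verify check
# for a short list of system binaries, meant to be run from cron.

# SHA-256 of a file: sha256 -q on OpenBSD, sha256sum on GNU systems.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# One record per file: hash, mode string, numeric uid, numeric gid, path.
fingerprint() {
    meta=$(ls -lnL "$1" | awk '{print $1, $3, $4}')
    printf '%s %s %s\n' "$(hash_file "$1")" "$meta" "$1"
}

# Print a baseline for the files given as arguments.
make_baseline() {
    for f in "$@"; do
        fingerprint "$f"
    done
}

# Compare current state with a stored baseline; non-zero status on any drift.
verify_baseline() {
    rc=0
    while read -r hash mode uid gid path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(fingerprint "$path")" != "$hash $mode $uid $gid $path" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$1"
    return $rc
}

# Usage (hypothetical script name):
#   bincheck.sh baseline /bin/ls /bin/ps /usr/bin/login > baseline.txt
#   bincheck.sh verify baseline.txt      # e.g. from cron every 5 minutes
case "${1:-}" in
    baseline) shift; make_baseline "$@" ;;
    verify)   verify_baseline "$2" ;;
esac
```

Keep the baseline file somewhere an intruder on the box cannot rewrite it (read-only media or another host), otherwise the check only proves the baseline matches itself.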