Remote server security: handling compiler tools
- by Gonzolas
Hello!
I was wondering wether to remove compiler tools (gcc, make, ...) from a remote production server, mainly for security purposes.
Background:
The server runs a web application on Linux. Consider Apache jailed. Otherwise, only OpenSSHd faces the public network. Of course there is no compiler stuff within the jail, so this is about the actual OS outside of any jails.
Here's my personal PRO/CON list (regarding removal) so far:
PRO:
I had been reading some suggestions to remove compiler tools in order inhibit custom building of trojans etc. from within the host if an attacker attains unpriviliged user permissions.
CON:
I can't live without Perl/Python and a trojan/whatever could be written in a scripting language like that, anyway, so why bother about removing gcc et al. at all.
There is a need to build new Linux kernels as well as some security tools from source directly on the server, because the server runs in 64-bits mode and (to my understanding) I can't (cross-)compile locally/elsewhere due to lack of another 64-bits hardware system.
OK, so here are my questions for you:
(a) Is my PRO/CON assessment correct?
(b) Do you know of other PROs / CONs to removing all compiler tools? Do they weigh in more?
(c) Which binaries should I consider dangerous if the given PRO statement holds? Only gcc, or also make, or what else? Should I remove the enitre software packages them come with?
(d) Is it OK to just move those binaries to a root-only accessible directory when they are not needed? Or is there a gain in security if I "scp them in" every time?
Thank you!
