On 04/29/2014 03:17 PM, Chris Adams wrote:
> Once upon a time, Reindl Harald <h.rei...@thelounge.net> said:
>> wrong question - is /bin/sh used?
>> if the answer is yes then the anser to your question is no
>>
>> the point is remove anything *unneeded* from production systems
>> that are best practices for many years and for good reasons
> No, the point is that "remove a bunch of stuff to 'secure' the system"
> is not security, and should not be claimed that it is being done for
> 'security'. If you have bash as /bin/sh (as a 'standard' Fedora system
> does), you don't need wget/curl to download stuff for example.
>
> Can you lock that down more? Sure, you can remove network access,
> remove local write access, etc. However, that is separate from removing
> arbitrary binaries from the system/image. Removing non-privileged
> binaries from the image does _nothing_ for security (as claimed
> up-thread).
>
I am looking at this from a tools perspective. If I run an scap tool
that says container image XYZ has a vulnerable image of udev, even if
udev is not being used, I will have to update the image. If it does not
have the package, no reason to update.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
