We want to stop systemd from being added to docker images, because of rpm requiring systemctl.
h.reindl at thelounge.net
Tue Apr 29 19:52:55 UTC 2014
On 29.04.2014 21:31, Daniel J Walsh wrote:
> On 04/29/2014 03:17 PM, Chris Adams wrote:
>> Once upon a time, Reindl Harald <h.reindl at thelounge.net> said:
>>> wrong question - is /bin/sh used?
>>> if the answer is yes then the answer to your question is no
>>> the point is remove anything *unneeded* from production systems
>>> that are best practices for many years and for good reasons
>> No, the point is that "remove a bunch of stuff to 'secure' the system"
>> is not security, and should not be claimed that it is being done for
>> 'security'. If you have bash as /bin/sh (as a 'standard' Fedora system
>> does), you don't need wget/curl to download stuff for example.
>> Can you lock that down more? Sure, you can remove network access,
>> remove local write access, etc. However, that is separate from removing
>> arbitrary binaries from the system/image. Removing non-privileged
>> binaries from the image does _nothing_ for security (as claimed
> I am looking at this from a tools perspective. If I run an scap tool
> that says container image XYZ has a vulnerable image of udev, even if
> udev is not being used, I will have to update the image. If it does not
> have the package, no reason to update
exactly *that* is the problem people never had to work the one
or other way in security business not understanding
if you have external security audits there is no "can this be a problem"
you finally get "fix that within 24 hours or shutdown" with no choice
been there and while 100% sure the audit result is from the category
"a fool with a tool is still a fool" no choice to ignore it and god
beware you manage to explain that it is not relevant followed by
a real exploit two days later