We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

Reindl Harald h.reindl at thelounge.net
Tue Apr 29 19:52:55 UTC 2014



Am 29.04.2014 21:31, schrieb Daniel J Walsh:
> On 04/29/2014 03:17 PM, Chris Adams wrote:
>> Once upon a time, Reindl Harald <h.reindl at thelounge.net> said:
>>> wrong question - is /bin/sh used?
>>> if the answer is yes then the anser to your question is no
>>>
>>> the point is remove anything *unneeded* from production systems
>>> that are best practices for many years and for good reasons
>> No, the point is that "remove a bunch of stuff to 'secure' the system"
>> is not security, and should not be claimed that it is being done for
>> 'security'.  If you have bash as /bin/sh (as a 'standard' Fedora system
>> does), you don't need wget/curl to download stuff for example.
>>
>> Can you lock that down more?  Sure, you can remove network access,
>> remove local write access, etc.  However, that is separate from removing
>> arbitrary binaries from the system/image.  Removing non-privileged
>> binaries from the image does _nothing_ for security (as claimed
>> up-thread).
>>
> I am looking at this from a tools perspective.  If I run an scap tool
> that says container image XYZ has a vulnerable image of udev, even if
> udev is not being used, I will have to update the image.  If it does not
> have the package, no reason to update

exactly *that* is the problem people never had to work the one
or other way in security business not understanding

if you have external security audits there is no "can this be a problem"
you finally get "fix that within 24 hours or shutdown" with no choice

been there and while 100% sure the audit result is from the category
"a fool with a tool is still a fool" no choice to ignore it and god
beware you manage to explain that it is not relevant followed by
a real exploit two days later

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20140429/87ee21fc/attachment.sig>


More information about the devel mailing list