Table of Contents:
- Default Debian 9 DomU software packages and libraries
- Figure 1 – List of packages installed in paravirtualized Debian 9 DomU
- What are “necessary” software packages and libraries?
- Debian package priority
- Debian 9 DomU package statistics
- Figure 2 – List of packages installed in paravirtualized Debian 9 DomU with priority and dependency information
- Back to common sense
Using the Xen Project hypervisor as the base for your network servers creates many opportunities for strengthening overall network security. Isolating one server or service from another, with the help of virtual machines, increases network security by ensuring that one compromised machine or service will not compromise all machines and services. However, isolation – in and of itself – is not the cure for all security threats: security is best applied in layers, and server isolation is only one layer of many.
A firewall is another common layer of security. Most often there are at least two firewall layers on the network: the first, the network’s gateway device firewall, which may be a dedicated firewall box or a software firewall on a router; and the second, the firewall of the operating system (iptables/netfilter in GNU/Linux).
As ubiquitous and effective as they are, from time to time, firewalls get breached. Breaches typically occur because of poor firewall policy configuration – allowing traffic from any source to any destination – and because risky or unused services are left enabled on the device. Once network policy is properly configured, it’s good practice to disable unnecessary services both on the gateway device/dedicated firewall, and on network servers.
The threat of running unnecessary services on a system bloated with extra software is a less commonly discussed security concern – particularly as it pertains to servers. Yet these enabled and listening services weaken the server’s firewall by creating potential entry points for the attacker. Additionally, if the server is compromised, the intruder has more software to exploit and use against machines on the network, or even on the Internet. More software packages and libraries mean more files and more places to hide. And, more places to hide often mean that malicious system changes are likely to go unnoticed.
So how does one avoid the risks of software bloat? To borrow a common term, you “bastionize” or harden the server.
In the chapter “Hardening Linux and Using iptables” from Michael D Bauer’s book Linux Server Security, Bauer describes bastion servers and emphasizes the point that “good bastion server design dictates that each host should be hardened as though there were no firewall at all.” In other words, if there were no firewall, how can one make it equally difficult for an attacker to compromise the machine and/or use it to attack other computers?
Bauer admits that having up-to-date security patches will only get you so far and, in addition to service isolation, he advocates several other techniques for server hardening. The first server hardening technique detailed in Bauer’s comprehensive list is the one we’re interested in today:
Install only necessary software; delete or disable everything else.
With this topic in mind, our task is to examine how this technique applies to a Xen Project hypervisor DomU virtual machine running a paravirtualized Debian 9 operating system.
Default Debian 9 DomU software packages and libraries
In the default Debian 9 DomU virtual machine installation, 192 packages and libraries are included from the Debian repository. For comparative purposes, there are 2,217 packages and libraries currently installed on my laptop running Debian 9 including the Mate desktop environment and a handful of other programs. Therefore, with only 192 packages and libraries, security-wise the DomU is off to a good start.
To generate a list of all installed packages and libraries in the Debian operating system, use the “dpkg -l” (lower-case “L”) or “dpkg --get-selections” command. The resulting alphabetical listing from the Debian 9 DomU installation is included in Figure 1, below, formatted into three columns for presentation purposes.
$ dpkg --get-selections
Figure 1 – List of Packages Installed in Paravirtualized Debian 9 DomU
Note that, if you pipe the output of “dpkg --get-selections” through “wc -l” (lower-case “L”), the wc program counts the lines of output, with one line representing one installed package or library.
$ dpkg --get-selections | wc -l
The output from the “dpkg -l” command has five lines of headers, so you will need to subtract 5 from the result of “dpkg -l | wc -l” to get the correct count.
$ dpkg -l | wc -l
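The two counting methods above are easy to get subtly wrong, because “dpkg -l” also lists packages that have been removed but still have configuration files on disk (status “rc”), and those rows survive the “minus 5” arithmetic. The following is an added example, not part of the original article: it embeds a constructed “dpkg -l” listing (not captured from a real DomU; the version strings are made up) and compares the naive line count with a count that keeps only rows whose status column is “ii”. On a real system you would pipe the live output of “dpkg -l” into the same awk filters.

```shell
#!/bin/sh
# Constructed sample of `dpkg -l` output (NOT from a real DomU): the five
# header lines, three installed packages ("ii") and one package that was
# removed but still has configuration files left behind ("rc").
SAMPLE_DPKG_L='Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Architecture Description
+++-==============-==============-============-========================
ii  bash           4.4-5          amd64        GNU Bourne Again SHell
ii  nano           2.7.4-1        amd64        small, friendly text editor
rc  telnet         0.17-41        amd64        basic telnet client
ii  wget           1.18-5         amd64        retrieves files from the web'

# The count described in the text: total lines minus the five header lines.
# It silently counts the "rc" leftover as if it were an installed package.
naive_count() {
    printf '%s\n' "$1" | wc -l | awk '{ print $1 - 5 }'
}

# Accurate count: keep only rows whose status column is "ii"
# (desired = install, status = installed).
installed_count() {
    printf '%s\n' "$1" | awk '$1 == "ii" { n++ } END { print n + 0 }'
}

# Names of packages in any state other than fully installed (for example
# "rc" leftovers, whose remaining files `dpkg -P <pkg>` would purge).
not_installed() {
    printf '%s\n' "$1" | awk 'NR > 5 && $1 != "ii" { print $2 }'
}

naive_count "$SAMPLE_DPKG_L"      # 4
installed_count "$SAMPLE_DPKG_L"  # 3
not_installed "$SAMPLE_DPKG_L"    # telnet
```

The gap between the two counts is exactly the set of packages that are no longer installed but still leave files on the system, which is worth purging on a hardened server for the same “fewer places to hide” reason the article gives.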
What are “necessary” software packages and libraries?
Now that we have a list of installed packages and libraries, what criteria can we use to determine which software is “necessary”? Bauer himself admits that determining whether a package or library is necessary is not always an easy task, and suggests that the user rely on three points of reference to determine necessity:
- common sense,
- man pages, and
- GNU/Linux distribution package manager (“dpkg” or “dselect”).
Let’s assume that the points of reference above are listed in order of preference for decision making. That is, if we can exclude a package or library through common sense, that is easier than excluding it through the man pages or the package manager – unless, of course, we have absolutely no idea what the software does.
Common sense dictates things like headless servers do not need desktop environments or X window system software, web servers do not need FTP software, servers in general do not need software development tools, compilers, or network scanning or monitoring tools. In other words, common sense is guided by the role the server will play on the network.
As we see from the package list provided in Figure 1, above, the default Debian 9 DomU virtual machine installation starts off with little to no assumption about how the server will be used. In fact, the 192 packages and libraries are pretty much the closest you will get to a blank canvas without applying the Linux From Scratch philosophy of build your own. So, it appears (at first) the only common sense we’ll need to apply is to restrain ourselves from installing software that we do not intend to use – or shouldn’t be using – on the server.
But we still haven’t answered the question: What are “necessary” software packages and libraries? Why are we so sure that all 192 items are necessary? Well to be honest, I don’t believe that all 192 packages and libraries are necessary to have a running Debian operating system but, according to Debian package priority classifications, removing many of them may break parts of the system we need.
Debian package priority
Lucky for us, the Debian distribution maintainers have assigned a “priority” level to each package to assist the package management system. The priorities are, in order of importance: Essential, Required, Important, Standard, Optional, and Extra.
A detailed description of each priority level can be found on the Debian website. In summary, required packages are necessary for the operating system to function, without important packages the system may not run well or be unusable, and standard packages “are standard on any Linux system”. Obviously, the optional and extra packages are at the bottom of the priority list and include a lot of software not likely to be used on most basic servers. Some optional and extra package examples include X, desktop environments, and lots of applications.
For the record, no essential priority packages appear on the Debian 9 DomU operating system.
As simple as the priority level system appears, it is not. Packages that are required, for instance, may have dependencies with lower assigned priority levels. For example, “passwd” is a required package with several dependencies, one being the optional package “libaudit1”. With this in mind, remember that missing dependencies may break the package’s functionality. In other words, we can’t just go and uninstall all packages with a priority less than important and expect everything to be fine.
Similarly, packages that are not priority required may have dependencies with higher or lower assigned priority levels. For example, the optional package “libaudit1”, is dependent on packages “libaudit-common”, “libc6”, and “libcap-ng0”, with “libc6” being priority required, and “libaudit-common” and “libcap-ng0” priority optional.
Another interesting case is that certain indispensable packages may be assigned a lower priority level when it is possible to substitute them with another package serving a similar function. For example, the fundamental packages “systemd” and “linux-image-4.9.0-8-amd64” fall into this category. These packages are assigned priority levels important and optional, respectively. Therefore, the assigned priority level of a given package may sometimes understate its importance in the operating system hierarchy when there are available substitutes.
To determine the priority level of a particular Debian repository package, use the command “apt-cache show {name-of-package}”. For instance, running it for “adduser” generates the following output:
$ apt-cache show adduser
Debian 9 DomU package statistics
Concerning the default 192 packages installed on the Debian 9 DomU, the assigned priority levels are summarized as follows:
- 0 are essential,
- 55 are required,
- 53 are important,
- 21 are standard,
- 55 are optional, and
- 8 are extra.
Additionally, 108 of the 192 packages – or more than half – are libraries, and only 40 of the 192 packages are not dependencies of other packages, as classified by the “deborphan” program. Not being a dependency of another package means that, hypothetically, the package could be removed without disrupting the functionality of any other installed package. However, note that 35 of the 40 packages identified by deborphan have a priority level of required or important. As for the remaining 5 packages, 1 is standard, 3 optional, and 1 extra.
Once deborphan is installed, the following command outputs a list of every package that no other package depends on:
$ deborphan -anp required --no-show-section
The priority level and deborphan result of each of the 192 packages have been assembled into Figure 2, below.
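The priority and “is a dependency?” columns of Figure 2 are exactly the two signals the previous sections describe, so it helps to see them combined mechanically. What follows is an added example, not code from the original article: it embeds a constructed excerpt modelled on Figure 2 (eleven rows, not the full 192) and sorts packages into the buckets the text reasons about. The commands in the comment for building the same table on a live system assume deborphan is installed, as the text does.

```shell
#!/bin/sh
# On a live Debian system the input table could be produced with
# (assumption: deborphan is installed, as in the article):
#   dpkg-query -W -f='${Package} ${Priority}\n' | sort > /tmp/prio.txt
#   deborphan -anp required --no-show-section | sort > /tmp/leaves.txt
# Here a constructed excerpt modelled on Figure 2 is embedded so the
# functions run offline. Columns: package, priority, and "yes" when some
# other installed package depends on it.
SAMPLE_TABLE='bash required no
nano important no
vim-tiny important no
vim-common important yes
wget important no
openssh-server optional no
openssh-sftp-server optional yes
openssh-client standard yes
util-linux-locales optional no
grub-legacy extra no
libaudit1 optional yes'

# Count packages per priority, in the order the article lists the levels.
priority_summary() {
    printf '%s\n' "$1" | awk '
        { n[$2]++ }
        END {
            split("essential required important standard optional extra", o, " ")
            for (i = 1; i <= 6; i++) printf "%s %d\n", o[i], n[o[i]] + 0
        }'
}

# Leaf packages (nothing depends on them) whose priority is standard or
# lower: the first place to look, as the text suggests.
review_candidates() {
    printf '%s\n' "$1" | awk '
        BEGIN { r["essential"]=0; r["required"]=1; r["important"]=2
                r["standard"]=3;  r["optional"]=4; r["extra"]=5 }
        $3 == "no" && r[$2] >= 3 { print $1 }'
}

# Leaf packages that are required or important: removable only by role
# (the nano / vim-tiny / wget cases discussed later in the article).
important_leaves() {
    printf '%s\n' "$1" | awk '
        BEGIN { r["essential"]=0; r["required"]=1; r["important"]=2
                r["standard"]=3;  r["optional"]=4; r["extra"]=5 }
        $3 == "no" && r[$2] <= 2 { print $1 }'
}

priority_summary "$SAMPLE_TABLE"
echo "-- review candidates (leaf, priority standard or lower):"
review_candidates "$SAMPLE_TABLE"
echo "-- leaf packages that are required/important (decide by role):"
important_leaves "$SAMPLE_TABLE"
```

Note that “vim-common” is a dependency only because “vim-tiny” is installed; once a leaf is removed, re-running deborphan will expose the next layer of leaves, which is why the review is iterative rather than a single pass.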
Figure 2 – List of Packages Installed in Paravirtualized Debian 9 DomU with Priority and Dependency Information
No. | Package | Priority | Is a Dependency? |
---|---|---|---|
1 | adduser | important | yes |
2 | apt | important | yes |
3 | apt-utils | important | no |
4 | base-files | required | yes |
5 | base-passwd | required | yes |
6 | bash | required | no |
7 | bsdmainutils | important | no |
8 | bsdutils | required | yes |
9 | coreutils | required | yes |
10 | cpio | important | yes |
11 | cron | important | yes |
12 | dash | required | yes |
13 | debconf | required | yes |
14 | debconf-i18n | important | no |
15 | debian-archive-keyring | important | yes |
16 | debianutils | required | yes |
17 | diffutils | required | no |
18 | dmidecode | important | no |
19 | dmsetup | optional | yes |
20 | dpkg | required | yes |
21 | e2fslibs | required | yes |
22 | e2fsprogs | required | no |
23 | findutils | required | no |
24 | gcc-6-base | required | yes |
25 | gettext-base | standard | yes |
26 | gnupg | important | no |
27 | gnupg-agent | optional | yes |
28 | gpgv | important | yes |
29 | grep | required | no |
30 | grub-common | optional | yes |
31 | grub-legacy | extra | no |
32 | gzip | required | no |
33 | hostname | required | no |
34 | ifupdown | important | no |
35 | init | important | no |
36 | init-system-helpers | required | yes |
37 | initramfs-tools | optional | yes |
38 | initramfs-tools-core | optional | yes |
39 | iproute2 | important | yes |
40 | iptables | important | no |
41 | iputils-ping | important | no |
42 | isc-dhcp-client | important | no |
43 | isc-dhcp-common | important | no |
44 | klibc-utils | optional | yes |
45 | kmod | important | yes |
46 | lib32ncurses5 | optional | yes |
47 | lib32tinfo5 | optional | yes |
48 | libacl1 | required | yes |
49 | libapparmor1 | extra | yes |
50 | libapt-inst2.0 | important | yes |
51 | libapt-pkg5.0 | important | yes |
52 | libassuan0 | optional | yes |
53 | libattr1 | required | yes |
54 | libaudit-common | optional | yes |
55 | libaudit1 | optional | yes |
56 | libblkid1 | required | yes |
57 | libbsd0 | optional | yes |
58 | libbz2-1.0 | important | yes |
59 | libc-bin | required | yes |
60 | libc-l10n | standard | yes |
61 | libc6 | required | yes |
62 | libc6-i386 | optional | yes |
63 | libcap-ng0 | optional | yes |
64 | libcap2 | standard | yes |
65 | libcomerr2 | required | yes |
66 | libcryptsetup4 | optional | yes |
67 | libdb5.3 | standard | yes |
68 | libdebconfclient0 | optional | yes |
69 | libdevmapper1.02.1 | optional | yes |
70 | libdns-export162 | optional | yes |
71 | libedit2 | standard | yes |
72 | libelf1 | optional | yes |
73 | libestr0 | important | yes |
74 | libfastjson4 | optional | yes |
75 | libfdisk1 | required | yes |
76 | libffi6 | optional | yes |
77 | libfreetype6 | optional | yes |
78 | libfuse2 | optional | yes |
79 | libgcc1 | required | yes |
80 | libgcrypt20 | standard | yes |
81 | libgdbm3 | important | no |
82 | libgmp10 | optional | yes |
83 | libgnutls30 | standard | yes |
84 | libgpg-error0 | standard | yes |
85 | libgssapi-krb5-2 | standard | yes |
86 | libhogweed4 | optional | yes |
87 | libidn11 | standard | yes |
88 | libidn2-0 | extra | yes |
89 | libip4tc0 | optional | yes |
90 | libip6tc0 | optional | yes |
91 | libiptc0 | optional | yes |
92 | libisc-export160 | optional | yes |
93 | libk5crypto3 | standard | yes |
94 | libkeyutils1 | standard | yes |
95 | libklibc | optional | yes |
96 | libkmod2 | important | yes |
97 | libkrb5-3 | standard | yes |
98 | libkrb5support0 | standard | yes |
99 | libksba8 | optional | yes |
100 | liblocale-gettext-perl | optional | yes |
101 | liblogging-stdlog0 | important | yes |
102 | liblognorm5 | extra | yes |
103 | liblz4-1 | extra | yes |
104 | liblzma5 | required | yes |
105 | libmnl0 | extra | yes |
106 | libmount1 | required | yes |
107 | libncurses5 | optional | yes |
108 | libncursesw5 | important | yes |
109 | libnetfilter-conntrack3 | extra | yes |
110 | libnettle6 | optional | yes |
111 | libnewt0.52 | important | yes |
112 | libnfnetlink0 | optional | yes |
113 | libnpth0 | optional | yes |
114 | libp11-kit0 | standard | yes |
115 | libpam-modules | required | yes |
116 | libpam-modules-bin | required | yes |
117 | libpam-runtime | required | yes |
118 | libpam0g | required | yes |
119 | libpcre3 | required | yes |
120 | libpipeline1 | important | no |
121 | libpng16-16 | optional | yes |
122 | libpopt0 | important | yes |
123 | libprocps6 | important | yes |
124 | libpsl5 | optional | yes |
125 | libreadline7 | important | yes |
126 | libseccomp2 | optional | yes |
127 | libselinux1 | required | yes |
128 | libsemanage-common | optional | yes |
129 | libsemanage1 | optional | yes |
130 | libsepol1 | required | yes |
131 | libslang2 | important | yes |
132 | libsmartcols1 | required | yes |
133 | libsqlite3-0 | standard | yes |
134 | libss2 | required | yes |
135 | libssl1.0.2 | important | yes |
136 | libssl1.1 | important | no |
137 | libstdc++6 | important | yes |
138 | libsystemd0 | optional | yes |
139 | libtasn1-6 | standard | yes |
140 | libtext-charwidth-perl | optional | yes |
141 | libtext-iconv-perl | optional | yes |
142 | libtext-wrapi18n-perl | optional | yes |
143 | libtinfo5 | required | yes |
144 | libudev1 | important | yes |
145 | libunistring0 | optional | yes |
146 | libustr-1.0-1 | optional | yes |
147 | libuuid1 | required | yes |
148 | libwrap0 | standard | yes |
149 | libxapian30 | important | no |
150 | libxtables12 | optional | yes |
151 | linux-base | optional | yes |
152 | linux-image-4.9.0-8-amd64 | optional | yes |
153 | linux-image-amd64 | optional | no |
154 | locales | standard | no |
155 | login | required | no |
156 | logrotate | important | no |
157 | lsb-base | required | yes |
158 | mawk | required | yes |
159 | mount | required | yes |
160 | multiarch-support | required | yes |
161 | nano | important | no |
162 | ncurses-base | required | no |
163 | ncurses-bin | required | no |
164 | netbase | important | no |
165 | openssh-client | standard | yes |
166 | openssh-server | optional | no |
167 | openssh-sftp-server | optional | yes |
168 | passwd | required | yes |
169 | perl-base | required | yes |
170 | pinentry-curses | optional | yes |
171 | procps | important | yes |
172 | readline-common | important | yes |
173 | rsyslog | important | no |
174 | sed | required | no |
175 | sensible-utils | required | yes |
176 | systemd | important | yes |
177 | systemd-sysv | important | yes |
178 | sysvinit-utils | required | no |
179 | tar | required | yes |
180 | tasksel | important | yes |
181 | tasksel-data | important | yes |
182 | tzdata | required | no |
183 | ucf | standard | yes |
184 | udev | important | yes |
185 | util-linux | required | yes |
186 | util-linux-locales | optional | no |
187 | vim-common | important | yes |
188 | vim-tiny | important | no |
189 | wget | important | no |
190 | whiptail | important | no |
191 | xxd | extra | yes |
192 | zlib1g | required | yes |
As careful examination of the data in Figure 2 shows, neither a package’s priority level nor the fact that nothing depends on it fully discloses the software’s necessity in the operating system. With a list as refined as the one found in the Debian 9 DomU, package priority level – in and of itself – does not simply translate to package necessity.
Back to common sense
Hopefully we’re getting a better understanding of our need for the vast majority of packages included in the Debian 9 DomU – most of them are required for a functioning operating system, and the others are secretly supporting the same goal. Yet, depending on the server’s ultimate role, there may still be a few select packages you can eliminate.
Text editors
Ever read Clifford Stoll’s non-fiction book The Cuckoo’s Egg? For those who haven’t, early on in the book Stoll discovers that an attacker is gaining superuser access to his server’s operating system by exploiting a vulnerability in the movemail function of the original GNU Emacs. Maybe times have changed, but it’s still a text editor exploit.
So, perhaps your Debian 9 DomU doesn’t need two text editors after all. Both the “nano” and “vim-tiny” packages are priority important, and no other package on the system depends on either of them. Uninstalling one or the other shouldn’t break anything.
Note that, if you choose to uninstall vim-tiny, “vim-common” can go as well.
OpenSSH server
If you plan on using only Dom0 to access the Debian 9 DomU console, consider uninstalling the optional packages “openssh-server” and “openssh-sftp-server” to ensure the SSH service is eternally disabled. After all, fewer running services mean a smaller attack surface.
Similarly, if you are not planning on SSHing from the DomU to another machine, you can probably also uninstall “openssh-client”.
wget
The same goes for the very useful and priority important package “wget”. If you’re not planning to use wget, it might be a good package to uninstall. It’s the perfect tool for an attacker to use to download files on to the compromised server, and no other packages depend on wget.
DHCP
If you won’t be using DHCP to configure the server’s networking, both important packages “isc-dhcp-client” and “isc-dhcp-common” may be uninstalled. Neither package is a dependency of any other package on the operating system. Also, using static IP addresses on your local network may be more secure anyway, as an attacker could always set up a rogue DHCP service and advertise a fake gateway to manipulate network traffic.
Ping
If you don’t plan on pinging anything from the server, you might consider getting rid of the important package “iputils-ping”. It’s a handy tool for an attacker to use to locate other machines on the network, and no other packages depend on iputils-ping.
Others
While you’re at it, have a look at the packages “apt-utils”, “bsdmainutils”, “util-linux-locales”, and “whiptail”. No other package on the system depends on these, and they may not be necessary on a server running a single service.
Additionally, in the “apt-cache” description of the required package “multiarch-support” it states that “It can be removed once nothing on the system depends on it.” Again, it all depends on the role the server will have on the network: do your research and uninstall packages that are not required for your purposes.
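The “do your research” step for each of the candidates above has a mechanical part: simulate the removal with “apt-get -s remove” and confirm that apt would not take anything else along. The following is an added example, not code from the original article. The parser is exercised on a constructed transcript modelled on the format of “apt-get -s remove” output (the version strings are placeholders, not captured from a real DomU); the “safe_remove” wrapper assumes it is run as root or via sudo on a live system.

```shell
#!/bin/sh
# Constructed transcript modelled on `apt-get -s remove openssh-client`
# (versions are placeholders, NOT captured from a real DomU). openssh-server
# and openssh-sftp-server depend on openssh-client, so removing the client
# drags both along.
SAMPLE_SIM='Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be REMOVED:
  openssh-client openssh-server openssh-sftp-server
0 upgraded, 0 newly installed, 3 to remove and 0 not upgraded.
Remv openssh-sftp-server [1:7.4p1-x]
Remv openssh-server [1:7.4p1-x]
Remv openssh-client [1:7.4p1-x]'

# Every package a simulation would remove: the "Remv <name> [<version>]" lines.
simulated_removals() {
    printf '%s\n' "$1" | awk '$1 == "Remv" { print $2 }'
}

# $1: space-separated packages you asked to remove; $2: simulation transcript.
# Prints each package apt would remove that is not in $1.
unexpected_removals() {
    printf '%s\n' "$2" | awk -v wanted="$1" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        $1 == "Remv" && !($2 in ok) { print $2 }'
}

# Live-system wrapper (assumption: root or sudo): simulate first, refuse if
# anything you did not name would also be removed, otherwise remove for real.
safe_remove() {
    sim=$(apt-get -s remove "$@" 2>&1) || { printf '%s\n' "$sim"; return 1; }
    extra=$(unexpected_removals "$*" "$sim")
    if [ -n "$extra" ]; then
        printf 'Refusing: removing %s would also remove:\n%s\n' "$*" "$extra"
        return 1
    fi
    apt-get remove "$@"
}

# Asking to drop only the client reveals the two server packages as collateral.
unexpected_removals "openssh-client" "$SAMPLE_SIM"
# openssh-sftp-server
# openssh-server
```

Run “safe_remove wget” (or any of the candidates named above) on the DomU; an empty “unexpected” list means the package is a true leaf, and a non-empty one is the point at which common sense about the server’s role has to decide whether the extra removals are acceptable.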
Conclusion
So what have we learned from all the above? First of all, we know that unnecessary software installed on a machine increases network security risk. Thankfully, the Debian 9 DomU has very minimal software installed by default – only 192 packages. We also know now that package priority level, and the fact that a package has no dependencies, is informative for decision making, but not definitive in the sense that we can translate priority into necessity. Finally, we learned that common sense is the ultimate guide for deciding whether a particular package should be uninstalled, and that this decision is dependent on what software is required for the machine to fulfil its role.