Hardening the Xen Hypervisor Debian 9 DomU: A review of default packages and libraries

Table of Contents:

1. Default Debian 9 DomU software packages and libraries
2. Figure 1 – List of packages installed in paravirtualized Debian 9 DomU
3. What are ‘necessary’ software packages and libraries?
4. Debian package priority
5. Debian 9 DomU package statistics
6. Figure 2 – List of packages installed in paravirtualized Debian 9 DomU with priority and dependency information
7. Back to common sense

Using the Xen Project hypervisor as the base for your network servers creates many opportunities for strengthening overall network security. Isolating one server or service from another, with the help of virtual machines, increases network security by ensuring that one compromised machine or service will not compromise all machines and services. However, isolation – in and of itself – is not the cure for all security threats: security is best applied in layers, and server isolation is only one layer of many.

A firewall is another common layer of security. Most often there are at least two firewall layers on the network: the first, the network’s gateway device firewall, which may be a dedicated firewall box or a software firewall on a router; and the second, the firewall of the operating system (iptables/netfilter in GNU/Linux).

As ubiquitous and effective as they are, from time to time, firewalls get breached. Breaches typically occur because of poor firewall policy configuration – allowing traffic from any source to any destination – and because risky or unused services are left enabled on the device. Once network policy is properly configured, it’s good practice to disable unnecessary services both on the gateway device/dedicated firewall, and on network servers.

The threat of running unnecessary services on a system bloated with extra software is a less commonly discussed security concern – particularly as it pertains to servers. Yet these enabled and listening services weaken the server’s firewall by creating potential entry points for the attacker. Additionally, if the server is compromised, the intruder has more software to exploit and use against machines on the network, or even on the Internet. More software packages and libraries mean more files and more places to hide. And, more places to hide often mean that malicious system changes are likely to go unnoticed.

So how does one avoid the risks of software bloat? To borrow a common term, you ‘bastionize’ or harden the server.

In the chapter ‘Hardening Linux and Using iptables’ from Michael D Bauer’s book Linux Server Security, Bauer describes bastion servers and emphasizes the point that “good bastion server design dictates that each host should be hardened as though there were no firewall at all.” In other words, if there were no firewall, how can one make it equally difficult for an attacker to compromise the machine and/or use it to attack other computers?

Bauer admits that having up-to-date security patches will only get you so far and, in addition to service isolation, he advocates several other techniques for server hardening. The first server hardening technique detailed in Bauer’s comprehensive list is the one we’re interested in today:

Install only necessary software; delete or disable everything else.

With this topic in mind, our task is to examine how this technique applies to a Xen Project hypervisor DomU virtual machine running a paravirtualized Debian 9 operating system.

Default Debian 9 DomU software packages and libraries

In the default Debian 9 DomU virtual machine installation, 192 packages and libraries are included from the Debian repository. For comparative purposes, there are 2,217 packages and libraries currently installed on my laptop running Debian 9 including the Mate desktop environment and a handful of other programs. Therefore, with only 192 packages and libraries, security-wise the DomU is off to a good start.

To generate a list of all installed packages and libraries in the Debian operating system, use the dpkg -l (lower-case ‘L’) or dpkg –get-selections command. The resulting alphabetical listing from the Debian 9 DomU installation is included in Figure 1, below, formatted into three columns for presentation purposes.

Figure 1 – List of Packages Installed in Paravirtualized Debian 9 DomU

hardening-linux1.png

Note that, if you use the dpkg –get-selections command and pipe the output through wc -l (lower-case L), the wc program will count the lines in the output with one line representing one installed package or library.

$ dpkg --get-selections | wc -l

The output from the dpkg -l command has five lines of headers, so you will need to minus 5 from the result generated from the dpkg -l | wc -l command to get the correct count.

What are ‘necessary’ software packages and libraries?

Now that we have a list of installed packages and libraries, what criteria can we use to determine which software is necessary? Bauer himself admits that determining whether a package or library is necessary is not always an easy task, and suggests that the user rely on three points of reference to determine necessity:

  1. common sense,
  2. man pages, and
  3. GNU/Linux distribution package manager (dpkg or dselect).

Let’s assume that the points of reference, above, have been put in order for the sake of decision making. That is, if we can exclude a package or library through common sense, it will be an easier task then excluding it through the use of the man pages, or the package manager – unless of course we have absolutely no idea what the software does.

Common sense dictates things like headless servers do not need desktop environments or X window system software, web servers do not need FTP software, servers in general do not need software development tools, compilers, or network scanning or monitoring tools. In other words, common sense is guided by the role the server will play on the network.

As we see from the package list provided in Figure 1, above, the default Debian 9 DomU virtual machine installation starts off with little to no assumption about how the server will be used. In fact, the 192 packages and libraries are pretty much the closest you will get to a blank canvas without applying the Linux From Scratch philosophy of build your own. So, it appears (at first) the only common sense we’ll need to apply is to restrain ourselves from installing software that we do not intend to use – or shouldn’t be using – on the server.

But we still haven’t answered the question: What are ‘necessary’ software packages and libraries? Why are we so sure that all 192 items are necessary? Well to be honest, I don’t believe that all 192 packages and libraries are necessary to have a running Debian operating system but, according to Debian package priority classifications, removing many of them may break parts of the system we need.

Debian package priority

Lucky for us, the Debian distribution maintainers have assigned a priority level to each package to assist the package management system. The priorities are, in order of importance: Essential, Required, Important, Standard, Optional, and Extra.

A detailed description of each priority level can be found on the Debian website. In summary, required packages are necessary for the operating system to function, without important packages the system may not run well or be unusable, and standard packages ‘are standard on any Linux system’. Obviously, the optional and extra packages are at the bottom of the priority list and include a lot of software not likely to be used on most basic servers. Some optional and extra package examples include X, desktop environments, and lots of applications.

For the record, no essential priority packages appear on the Debian 9 DomU operating system.

As simple as the priority level system appears, it is not. Packages that are required, for instance, may have dependencies with lower assigned priority levels. For example, passwd is a required package with several dependencies, one being the optional package libaudit1. With this in mind, remember that missing dependencies may break the package’s functionality. In other words, we can’t just go and uninstall all packages with a priority less than important and expect everything to be fine.

Similarly, packages that are not priority required may have dependencies with higher or lower assigned priority levels. For example, the optional package libaudit1, is dependent on packages libaudit-common, libc6, and libcap-ng0, with libc6 being priority required, and libaudit-common and libcap-ng0 priority optional.

Another interesting case is that certain indispensable packages may be assigned a lower priority level when it is possible to substitute them with another package serving a similar function. For example, the fundamental packages systemd and linux-image-4.9.0-8-amd64 fall into this category. These packages are assigned priority levels important and optional, respectively. Therefore, the assigned priority level of a given package may sometimes understate its importance in the operating system hierarchy when there are available substitutes.

To determine the priority level of a particular Debian repository package, use the command apt-cache show {name-of-package}. For instance, running this command with adduser, as an example, generates the following output:

$ apt-cache show adduser

hardening-linux2

Debian 9 DomU package statistics

Concerning the default 192 packages installed on the Debian 9 DomU, the assigned priority levels are summarized as follows:

  • 0 are essential,
  • 55 are required,
  • 53 are important,
  • 21 are standard,
  • 55 are optional, and
  • 8 are extra.

Additionally, 108 of the 192 packages – or more than half – are libraries, and only 40 of the 192 packages are not dependencies of other packages, as classified by the deborphan program. Not being a dependency of another package means that, hypothetically, the package could be removed without disrupting the functionality of any other installed package. However, note that 35 of the 40 packages identified by deborphan have a priority level of required or important. As for the remaining 5 packages, 1 is standard, 3 optional, and 1 extra.

To use deborphan to output a list identifying all packages which are not dependencies of other packages, after installing deborphan, run the following command:

$ deborphan -anp required --no-show-section

The priority level and deborphan result of each of the 192 packages have been assembled into Figure 2, below.

Figure 2 – List of Packages Installed in Paravirtualized Debian 9 DomU with Priority and Dependency Information

No. Package Priority Is a Dependency?
1 adduser important yes
2 apt important yes
3 apt-utils important no
4 base-files required yes
5 base-passwd required yes
6 bash required no
7 bsdmainutils important no
8 bsdutils required yes
9 coreutils required yes
10 cpio important yes
11 cron important yes
12 dash required yes
13 debconf required yes
14 debconf-i18n important no
15 debian-archive-keyring important yes
16 debianutils required yes
17 diffutils required no
18 dmidecode important no
19 dmsetup optional yes
20 dpkg required yes
21 e2fslibs required yes
22 e2fsprogs required no
23 findutils required no
24 gcc-6-base required yes
25 gettext-base standard yes
26 gnupg important no
27 gnupg-agent optional yes
28 gpgv important yes
29 grep required no
30 grub-common optional yes
31 grub-legacy extra no
32 gzip required no
33 hostname required no
34 ifupdown important no
35 init important no
36 init-system-helpers required yes
37 initramfs-tools optional yes
38 initramfs-tools-core optional yes
39 iproute2 important yes
40 iptables important no
41 iputils-ping important no
42 isc-dhcp-client important no
43 isc-dhcp-common important no
44 klibc-utils optional yes
45 kmod important yes
46 lib32ncurses5 optional yes
47 lib32tinfo5 optional yes
48 libacl1 required yes
49 libapparmor1 extra yes
50 libapt-inst2.0 important yes
51 libapt-pkg5.0 important yes
52 libassuan0 optional yes
53 libattr1 required yes
54 libaudit-common optional yes
55 libaudit1 optional yes
56 libblkid1 required yes
57 libbsd0 optional yes
58 libbz2-1.0 important yes
59 libc-bin required yes
60 libc-l10n standard yes
61 libc6 required yes
62 libc6-i386 optional yes
63 libcap-ng0 optional yes
64 libcap2 standard yes
65 libcomerr2 required yes
66 libcryptsetup4 optional yes
67 libdb5.3 standard yes
68 libdebconfclient0 optional yes
69 libdevmapper1.02.1 optional yes
70 libdns-export162 optional yes
71 libedit2 standard yes
72 libelf1 optional yes
73 libestr0 important yes
74 libfastjson4 optional yes
75 libfdisk1 required yes
76 libffi6 optional yes
77 libfreetype6 optional yes
78 libfuse2 optional yes
79 libgcc1 required yes
80 libgcrypt20 standard yes
81 libgdbm3 important no
82 libgmp10 optional yes
83 libgnutls30 standard yes
84 libgpg-error0 standard yes
85 libgssapi-krb5-2 standard yes
86 libhogweed4 optional yes
87 libidn11 standard yes
88 libidn2-0 extra yes
89 libip4tc0 optional yes
90 libip6tc0 optional yes
91 libiptc0 optional yes
92 libisc-export160 optional yes
93 libk5crypto3 standard yes
94 libkeyutils1 standard yes
95 libklibc optional yes
96 libkmod2 important yes
97 libkrb5-3 standard yes
98 libkrb5support0 standard yes
99 libksba8 optional yes
100 liblocale-gettext-perl optional yes
101 liblogging-stdlog0 important yes
102 liblognorm5 extra yes
103 liblz4-1 extra yes
104 liblzma5 required yes
105 libmnl0 extra yes
106 libmount1 required yes
107 libncurses5 optional yes
108 libncursesw5 important yes
109 libnetfilter-conntrack3 extra yes
110 libnettle6 optional yes
111 libnewt0.52 important yes
112 libnfnetlink0 optional yes
113 libnpth0 optional yes
114 libp11-kit0 standard yes
115 libpam-modules required yes
116 libpam-modules-bin required yes
117 libpam-runtime required yes
118 libpam0g required yes
119 libpcre3 required yes
120 libpipeline1 important no
121 libpng16-16 optional yes
122 libpopt0 important yes
123 libprocps6 important yes
124 libpsl5 optional yes
125 libreadline7 important yes
126 libseccomp2 optional yes
127 libselinux1 required yes
128 libsemanage-common optional yes
129 libsemanage1 optional yes
130 libsepol1 required yes
131 libslang2 important yes
132 libsmartcols1 required yes
133 libsqlite3-0 standard yes
134 libss2 required yes
135 libssl1.0.2 important yes
136 libssl1.1 important no
137 libstdc++6 important yes
138 libsystemd0 optional yes
139 libtasn1-6 standard yes
140 libtext-charwidth-perl optional yes
141 libtext-iconv-perl optional yes
142 libtext-wrapi18n-perl optional yes
143 libtinfo5 required yes
144 libudev1 important yes
145 libunistring0 optional yes
146 libustr-1.0-1 optional yes
147 libuuid1 required yes
148 libwrap0 standard yes
149 libxapian30 important no
150 libxtables12 optional yes
151 linux-base optional yes
152 linux-image-4.9.0-8-amd64 optional yes
153 linux-image-amd64 optional no
154 locales standard no
155 login required no
156 logrotate important no
157 lsb-base required yes
158 mawk required yes
159 mount required yes
160 multiarch-support required yes
161 nano important no
162 ncurses-base required no
163 ncurses-bin required no
164 netbase important no
165 openssh-client standard yes
166 openssh-server optional no
167 openssh-sftp-server optional yes
168 passwd required yes
169 perl-base required yes
170 pinentry-curses optional yes
171 procps important yes
172 readline-common important yes
173 rsyslog important no
174 sed required no
175 sensible-utils required yes
176 systemd important yes
177 systemd-sysv important yes
178 sysvinit-utils required no
179 tar required yes
180 tasksel important yes
181 tasksel-data important yes
182 tzdata required no
183 ucf standard yes
184 udev important yes
185 util-linux required yes
186 util-linux-locales optional no
187 vim-common important yes
188 vim-tiny important no
189 wget important no
190 whiptail important no
191 xxd extra yes
192 zlib1g required yes

As may be gleaned through careful examination of the data provided in Figure 2, package priority level and/or the lack of being a dependency does not fully disclose the software’s necessity in the operating system. With such a refined list of packages found in the Debian 9 DomU, package priority level – in and of itself – does not simply translate to package necessity.

Back to common sense

Hopefully we’re getting a better understanding of our need for the vast majority of packages included in the Debian 9 DomU – most of them are required for a functioning operating system, and the others are secretly supporting the same goal. Yet, depending on the server’s ultimate role, there may still be a few select packages you can eliminate.

Text editors
Ever read Clifford Stoll’s non-fiction book The Cuckoo’s Egg? For those who haven’t, early on in the book Stoll discovers that an attacker is gaining superuser access to his server’s operating system by exploiting a vulnerability in the movemail function of the original GNU Emacs. Maybe times have changed, but it’s still a text editor exploit.

So, perhaps your Debian 9 DomU doesn’t need two text editors after all. Both nano and vim-tiny packages are priority important and are dependents of no other package on the system. Uninstalling one or the other shouldn’t break anything.

Note that, if you choose to uninstall vim-tiny, vim-common can go as well.

OpenSSH server
If you plan on only using Dom0 to access the Debian 9 DomU console, consider uninstalling optional packages openssh-server and openssh-sftp-server to ensure the SSH service is eternally disabled. After all, less running services create a smaller attack surface.

That being said, if you are not planing on SSHing from the DomU to another machine, you can probably also uninstall openssh-client.

wget
The same goes for the very useful and priority important package wget. If you’re not planning to use wget, it might be a good package to uninstall. It’s the perfect tool for an attacker to use to download files on to the compromised server, and no other packages depend on wget.

DHCP
If you won’t be using DHCP to configure the server’s networking, both important packages isc-dhcp-client and isc-dhcp-common may be uninstalled. Neither package is a dependency of any other package on the operating system. Also, using static ip addresses on your local network may be more secure anyway, as an attacker could always setup a fake DHCP service and create a fake gateway to manipulate network traffic.

Ping
If you don’t plan on pinging anything from the server, you might consider getting rid of the important package iputils-ping. It’s a handy tool for an attacker to use to locate other machines on the network, and no other packages depend on iputils-ping.

Others
While you’re at it, have a look at the packages apt-utils, bsdmainutils, util-linux-locales, and whiptail. These are packages that no other package on the system depend on, and also packages that may not be necessary on a server running a single service.

Additionally, in the apt-cache description of the required package multiarch-support it states that “It can be removed once nothing on the system depends on it.” Again, it all depends on the role the server will have on the network: do your research and uninstall packages that are not required for your purposes.

Conclusion

So what have we learned from all the above? First of all, we know that unnecessary software installed on a machine increases network security risk. Thankfully, the Debian 9 DomU has very minimal software installed by default – only 192 packages. We also know now that package priority level, and the fact that a package has no dependencies, is informative for decision making, but not definitive in the sense that we can translate priority into necessity. Finally, we learned that common sense is the ultimate guide for deciding whether a particular package should be uninstalled, and that this decision is dependent on what software is required for the machine to fulfil its role.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s