The first step is to determine what your system is being used for and then determine what is required to achieve your business goals. For instance, you may have a web server running Apache that is also a file server with NFS for the sales group. This is not an optimal situation, as you should restrict the functions of critical servers as much as possible, so that if one server is compromised, you don't lose more information than you would if the server were a single-use machine. After some investigation, you determine that the sales group is using a completely different machine for most file sharing functions. With this discovery, you could remove NFS capabilities from the server, eliminating a whole class of NFS vulnerabilities as well as the patching and administration requirements associated with NFS. This would also make the machine a less valuable target, because it would house only web services rather than a web server plus potentially sensitive files.
Don't be fooled by how simple this sounds; it is often the most difficult portion of the whole process of removing unneeded software. If you are lucky enough to be able to install Linux on the machine yourself, you should start by doing a custom install when it comes to packages and selecting the packages you need individually. If you are inheriting a system, the first step toward determining what is needed is to do a software inventory of your current system. You can do this with the rpm command or through the graphical package management tools included in most distributions. To get a listing of all packages on your system, from the command line use the rpm -qa command, which shows output similar to that in Figure 4-1.
One option for testing multiple configurations with minimal cost is to set up an old machine with Linux and then run multiple virtual machines on that machine. A virtual machine provides software emulation of a hardware environment (typically the x86 architecture). This saves on hardware costs and allows you to test in a safe, controlled manner. VMware (http://www.vmware.com/) is the most widely known product available for virtual machines and is a commercially supported product.
To get a verbose listing of package information, you could run rpm -qai. There is a lot of output associated with these methods, so you will want to redirect the output to a file with a command similar to rpm -qai > filename_to_send_output_to.
If you want to view this type of output in a graphical format, type yast2 sw_single in SUSE or type redhat-config-packages in Red Hat at the command line and you will see screens similar to Figure 4-2 (for SUSE) or Figure 4-3 (for Red Hat).
Anything that shows up in the output of the rpm -qa command is installed on your system. If you are using the graphical tools, anything that has a check next to its package name is installed.
Having a list of the installed software is nice, but you really need to know what the software does. As with determining what software you have, there are multiple ways to determine what the software that you have installed is supposed to do. From the command line you can type
rpm -qi <package name>
with <package name> replaced by the package you want information about (in this case telnet). Figure 4-4 shows the output.
To get information about a package in the graphical package managers, you only need to highlight the package you are interested in. Figure 4-5 shows how to obtain information on the telnet package in SUSE (note that the top right-hand side of the screen shows where to filter the information by package groups, general search, and selections).
Red Hat's package manager shows a brief overview of what the package does, as shown in Figure 4-6 (in this case selecting Gnome packages).
Now that you know how the tools work, the next part is the time-consuming one. You need to decide if a package is needed. Create a simple spreadsheet and populate it with packages that are on the system and then determine whether the packages are needed. Figure 4-7 is an example report tracking the software installed on a server called linux1.
You can also use the ps command (ps -ef or ps -auxww) to see what processes are running and map those processes back to packages to determine what you need. If you are not too familiar with the machine you are hardening, you will want to contact those who are familiar with it for guidance. If this is not an option, watch the system logs to see what types of actions are taking place, and compare them with the output of the ps command.
Let's take a dedicated web server as an example of what types of software you would want and what types of software you wouldn't want. For a dedicated web server you probably don't need any type of X Window System software (X11, Gnome, KDE, and so on), audio software, web browsers, games, and other software that is generally used by workstations. You would want to install Apache and possibly Perl and PHP as well as other web-related software.
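The inventory procedure above (list packages with rpm -qa, record a keep/remove verdict for each one, and map running processes back to the packages that own them) can be scripted. The following is an added example, not code from the book: it reads rpm -qa output, strips the version and release from each line, classifies the package name against two regular-expression lists (software a dedicated web server requires, and workstation-type software it normally does not), and prints a CSV report that can be pasted into the tracking spreadsheet. The pattern lists, the sample package names, and the function names are assumptions for illustration; the owning_package helper only works on a live system with rpm installed.

```shell
#!/bin/sh
# Added example (not from the book). Builds the "package, verdict" report the
# chapter tracks in a spreadsheet, from the output of `rpm -qa`.

# Extended regexes for categories a dedicated web server usually does not need
# (X11, desktop environments, audio, browsers, games). Assumed; adjust to taste.
WORKSTATION_PATTERNS='^(xorg|XFree86|gnome|kde|alsa|esound|mozilla|xmms|games|gtk|qt)'
# Packages the example web server role does require. Assumed; adjust to taste.
REQUIRED_PATTERNS='^(httpd|apache|perl|php|mod_|openssl|openssh)'

# classify_package NAME -> prints "keep", "remove?", or "review"
# "review" means the package matched neither list and needs a human decision.
classify_package() {
    name=$1
    if printf '%s\n' "$name" | grep -Eq "$REQUIRED_PATTERNS"; then
        echo keep
    elif printf '%s\n' "$name" | grep -Eq "$WORKSTATION_PATTERNS"; then
        echo "remove?"
    else
        echo review
    fi
}

# inventory_report: reads package lines (one per line, as printed by `rpm -qa`)
# on stdin and writes CSV rows of "package,verdict".
inventory_report() {
    echo "package,verdict"
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        # Strip the trailing version and release fields: name-1.2-3 -> name
        base=$(printf '%s\n' "$pkg" | sed -E 's/-[^-]+-[^-]+$//')
        echo "$pkg,$(classify_package "$base")"
    done
}

# count_verdict VERDICT: reads a report on stdin, prints how many rows carry it.
count_verdict() {
    grep -c ",$1\$"
}

# owning_package PID: map a running process (a PID from `ps -ef`) back to the
# rpm that installed its executable. Requires a live system with rpm.
owning_package() {
    exe=$(readlink "/proc/$1/exe" 2>/dev/null) || return 1
    rpm -qf "$exe"
}

# Constructed sample of `rpm -qa` output (not taken from a real system).
SAMPLE_PACKAGES='httpd-2.0.40-21
php-4.2.2-17
XFree86-4.2.1-21
gnome-session-2.2.0-2
xmms-1.2.7-13
telnet-0.17-25
openssh-server-3.5p1-6'

# demo_report: run the report over the constructed sample.
demo_report() {
    printf '%s\n' "$SAMPLE_PACKAGES" | inventory_report
}

# On a real server you would run:  rpm -qa | inventory_report > inventory.csv
# and, for each interesting PID in `ps -ef`:  owning_package <pid>
demo_report
```

The "review" verdict is deliberate: anything the script cannot place in either list (telnet in the sample) is exactly the package whose purpose you look up with rpm -qi before deciding, rather than something the script should silently keep.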
There is no default formula for determining what software you require for your business, as each situation is different, so you will have to go through the process and determine whether you are using the functionality described in each package. A good knowledge of your system requirements and of what the machine is used for goes a long way toward making the process of investigating your software requirements much easier.