Recently, a colleague complained to me that X Windows refused to start following a routine patch upgrade on a production Web server. I asked why he needed X Windows running on a production Web server in the first place, especially a server that was allegedly secured as a bastion host in a perimeter DMZ. The response that "it was installed by default" seemed inadequate when considering the security risk posed by running X Windows on a bastion host.
Unnecessary packages on a host bring significant risks. An attacker can target the capabilities of those unnecessary packages to subvert or compromise your host, especially since most distributions automatically start the processes required by the installed packages (for example, if you have installed Apache, then the httpd process is automatically started).
So how do these unnecessary packages get installed? Well, all distributions, including Red Hat Enterprise Linux, Fedora and SUSE, include a number of them by default, unless you specifically exclude them during the installation process. For Red Hat Enterprise Linux, the default includes software packages like GNOME and file/network servers. Some organizations even select an "Everything" installation option that includes every package on the installation medium to save time and the hassle of sorting out what's needed and what's not.
Obviously, during installation, you can specify exactly which packages are to be installed, but this can be time-consuming
In Kickstart configuration, the packages to be installed are detailed in the %packages section of the Kickstart configuration file (you can read about the other elements of Kickstart configuration here). You can see an example of the %packages section below.
%packages @ Editors @ Administration Tools squid -kdebase -apache
The %packages section can list both groups of packages and single packages. Package group names are prefixed by the @ symbol, for example, @ Editors. You can find a list of all group names in the /RedHat/base/comps.xml file on the first CD of the Red Hat installation media (the Core and Base groups are always automatically installed regardless of whether they are specified). Single packages can be listed by name. Prefixing the package name with a minus sign tells Kickstart that they shouldn't be installed -- even if the group that contains that package is listed in the %packages section.
You can also specify three options in the %packages section, --resolvedeps, --ignoredeps and --ignoremissing. They are specified like so:
The --resolvedeps option resolves any dependencies and installed all required packages. The --ignoredeps option ignores dependencies and only installs the specified packages without their dependencies. The last option, --ignoremissing, ignores any missing packages or groups and continues the installation process.
I recommend having a close look at Kickstart. You can precisely specify those packages that you wish to install and avoid installing unneeded packages that could help an attacker to compromise your host.
P.S. Every time you install a Red Hat host the Anaconda installer saves details of that installation as a Kickstart configuration file at /root/anaconda-ks.cfg. You can use this file to create a Kickstart configuration to configure other hosts.
This was first published in August 2006