Audit Installed Compilers and Their Packages

Compilers can be a gateway for an attacker. After finding a weakness in your system(s), an attacker often uses a compiler to build the related exploit code. One way to prevent this is to determine which compilers are installed, and then remove or restrict them.

Comparing Installed Packages and Compilers

One way to audit the system is to create a list of common compilers and packages, then match it against the installed packages.

Common compilers

  • cc
  • gcc
  • go
  • make

Programming languages

Every interpreter can be abused as well, especially on systems running network services such as a mail or web server. Making a “power tool” available to shell users should be carefully considered. Such users should ideally have no access to Perl, Python, and other languages. If access can be restricted, this is another piece of system hardening.

  • Perl
  • PHP
  • Python
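
The list-matching audit described above, as an added example that is not part of the original post: it looks up each listed name on the PATH, reports whether every user can execute it, and asks the local package manager which package owns it. The function names, the extra `python3` entry and the `unknown` fallback are assumptions of this sketch.

```shell
#!/bin/sh
# Added example. Tool names come from the lists in this post; python3 is an
# extra name assumed here because many distributions ship no plain "python".
TOOLS="cc gcc go make perl php python python3"

# find_tool NAME DIRS - print the first executable file NAME in the
# colon-separated DIRS (same search order the shell uses for PATH).
find_tool() {
  old_ifs=$IFS; IFS=:
  for dir in $2; do
    [ -n "$dir" ] || dir=.
    if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
      IFS=$old_ifs; printf '%s\n' "$dir/$1"; return 0
    fi
  done
  IFS=$old_ifs; return 1
}

# exposure FILE - "all-users" if the "other" execute bit is set, else "restricted".
# ls -L follows symlinks such as /usr/bin/cc -> gcc, so the real file is judged.
exposure() {
  case $(ls -ldL -- "$1" | cut -c10) in
    x|t) echo all-users ;;
    *)   echo restricted ;;
  esac
}

# owner_pkg FILE - owning package from whichever package manager exists, else "unknown".
owner_pkg() {
  pkg=
  if command -v dpkg >/dev/null 2>&1; then
    pkg=$(dpkg -S "$1" 2>/dev/null | cut -d: -f1 | head -n 1)
  elif command -v rpm >/dev/null 2>&1; then
    pkg=$(rpm -qf --queryformat '%{NAME}\n' "$1" 2>/dev/null) || pkg=
  elif command -v pacman >/dev/null 2>&1; then
    pkg=$(pacman -Qqo "$1" 2>/dev/null) || pkg=
  fi
  printf '%s\n' "${pkg:-unknown}"
}

# audit_tools DIRS - one line per tool found: name, path, exposure, package.
audit_tools() {
  for tool in $TOOLS; do
    file=$(find_tool "$tool" "$1") || continue
    printf '%s %s %s %s\n' "$tool" "$file" "$(exposure "$file")" "$(owner_pkg "$file")"
  done
}

audit_tools "$PATH"
```

A line ending in `unknown` means no package manager claimed that exact path, which is worth a manual look: the file may have been installed by hand, or the package database may record it under a different path.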

Perform an Audit Against Package Database

To automate things a little bit further, we can also query the package database. Here are some snippets you can use to determine which compilers are installed, with their respective package.

Note: package managers have minor differences between each version. Run the commands manually as well to see if things work properly and give the expected output.

Arch Linux

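# Parse pacman output and print packages whose description mentions compiling
for I in $(pacman -Q | awk '{ print $1 }'); do
  # Query the full package information and look for "compil" (compiler, compilation)
  IS_COMPILER=$(pacman -Qi "$I" | grep -Ei "compil")
  if [ -n "${IS_COMPILER}" ]; then echo "$I"; fi
done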

CentOS and RHEL

With YUM, we can get the information from each installed package. For that we have to loop through all installed packages, query the information, and finally see if it contains something like “compiler” or “compilation” in it.

# With the YUM package manager it is harder to retrieve the compilers which are installed.
# Got a better suggestion?
for I in $(yum -q -C list installed | awk '{ print $1 }' | grep -v "Installed"); do
  # Query the package information and look for "compil" (compiler, compilation)
  IS_COMPILER=$(yum info "${I}" | grep -Ei "compil")
  if [ -n "${IS_COMPILER}" ]; then echo "$I"; fi
done

Debian and Ubuntu

For Debian and Ubuntu systems no script is needed. Simply use the dpkg command to query the correct information, and grep it.

dpkg -l | grep -Ei "compil"

If you just want the package names, display the second column.

Screenshot of installed compilers on Ubuntu system


Got other tips to find installed compilers on Linux? Share them in the comments!

This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.