Audit Installed Compilers and Their Packages

Compilers and security

Compilers can be a gateway for an attacker: once a weakness in your system(s) has been found, a compiler present on the same machine is often used to build the related exploit code. One way to reduce this risk is to determine which compilers are installed and remove (or restrict) them.

Comparing Installed Packages and Compilers

One way to audit the system is to create a list of common compilers and packages, then match these against the installed packages.

Common compilers

Some of the tools related to compilers are:

  • cc
  • gcc
  • go
  • make

Programming languages

Every interpreter can be abused as well, especially on systems running network services such as a mail or web server. Making such a “power tool” available to shell users should be carefully considered. Ideally, these users have no access to Perl, Python, or other languages. If access can be restricted, this is another piece of system hardening.

  • Perl
  • PHP
  • Python

Perform an Audit Against Package Database

To automate things a little further, we can also query the package database. Here are some snippets you can use to determine which compilers are installed, together with their respective packages.

Note: package managers have minor differences between versions. Run the commands manually as well to check that they work properly and give the expected output.

Arch Linux

#!/bin/sh
# Parse pacman output and report every installed package whose
# metadata mentions "compil" (compiler, compilation, ...)
for I in $(pacman -Q | awk '{ print $1 }'); do
  if pacman -Qi "$I" | grep -qi "compil"; then echo "$I"; fi
done

CentOS and RHEL

With YUM we can get the information for each installed package. To do so, we loop through all installed packages, query the package information, and check whether it contains something like “compiler” or “compilation”.

#!/bin/sh
# With the YUM package manager it is harder to retrieve the compilers which are installed.
# Got a better suggestion?
# The grep -v drops the "Installed Packages" header line from the listing.
for I in $(yum -q -C list installed | awk '{ print $1 }' | grep -v "Installed"); do
  if yum info "${I}" | grep -qi "compil"; then echo "$I"; fi
done

Debian and Ubuntu

For Debian and Ubuntu systems no script is needed. Simply use the dpkg command to list the installed packages and grep the output.

dpkg -l | grep -i "compil"

If you just want the package names, display the second column.
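As an added example (not code from the original article), the script below applies the Debian and Ubuntu approach to a constructed dpkg -l listing: it keeps only packages that are actually installed (status ii), prints their names from the second column, and also reports which of the compilers and interpreters named above are present on a PATH. The dpkg listing is constructed for the demonstration, and python3 in the tool list is an assumption.

```sh
#!/bin/sh
# Added example: audit compilers from a dpkg -l listing and from PATH.

# Constructed "dpkg -l" output for the demonstration (not from a real host).
SAMPLE_DPKG='Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name       Version     Architecture Description
+++-==========-===========-============-=============================
ii  gcc        4:12.2.0-3  amd64        GNU C compiler
ii  make       4.3-4.1     amd64        utility for directing compilation
rc  golang-go  2:1.19~1    amd64        Go programming language compiler
ii  python3    3.11.2-1    amd64        interactive high-level object-oriented language
ii  libc6      2.36-9      amd64        GNU C Library: Shared libraries'

# Read a dpkg -l listing on stdin and print the names (column 2) of packages
# that are actually installed ("ii") and whose description mentions
# compilation. The status check drops removed packages that only kept their
# configuration files ("rc"), which a plain grep on the listing still matches.
installed_compiler_packages() {
  awk '$1 == "ii" {
         desc = ""
         for (i = 5; i <= NF; i++) desc = desc " " $i
         if (tolower(desc) ~ /compil/) print $2
       }'
}

# Report which of the compiler and interpreter binaries named in the article
# are present on a PATH (first argument, default: the current PATH), one
# "name<TAB>path" line each. python3 is added to the list as an assumption.
find_build_tools() {
  _path=${1:-$PATH}
  for tool in cc gcc go make perl php python python3; do
    # The subshell keeps the PATH override local to this single lookup.
    if _hit=$(PATH=$_path; command -v "$tool" 2>/dev/null); then
      printf '%s\t%s\n' "$tool" "$_hit"
    fi
  done
}

# Demonstration on the constructed listing; on a real Debian or Ubuntu host
# use: dpkg -l | installed_compiler_packages
printf '%s\n' "$SAMPLE_DPKG" | installed_compiler_packages
find_build_tools
```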

Got other tips to find installed compilers on Linux? Share them in the comments!

Feedback


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!
