Audit Installed Compilers and Their Packages

Compilers and security

Compilers can be the gateway for an attacker. After finding a weakness in your system(s), an attacker often uses a compiler on that same system to build the related exploit code. One way to prevent this is to determine which compilers are installed and remove (or restrict) them.

Comparing Installed Packages and Compilers

One way to audit the system is to create a list of common compilers and packages, then match these against the installed packages.

Common compilers

Some tools commonly found alongside, or acting as, compilers are:

  • cc
  • gcc
  • go
  • make

Programming languages

Every interpreter could be abused as well, especially on systems running network services, like a mail or web server. Making a “power tool” available to shell users should be carefully considered. Such users should ideally have no access to Perl, Python, and other languages. If access can be restricted, this is another piece of system hardening.

  • Perl
  • PHP
  • Python

Perform an Audit Against Package Database

To automate things a little bit further, we can also query the package database. Here are some snippets you can use to determine which compilers are installed, with their respective package.

Note: package managers have minor differences between versions. Run the commands manually as well to see if things work properly and give the expected output.

Arch Linux

Parse pacman output and determine which packages are compilers (the original snippet lost its command substitutions and line breaks; this is the working form):

for I in $(pacman -Q | awk '{ print $1 }'); do
  IS_COMPILER=$(pacman -Qi "$I" | egrep -i "compil")
  if [ ! "${IS_COMPILER}" = "" ]; then echo "$I"; fi
done

CentOS and RHEL

With YUM, we can get the information from each installed package. For that we have to loop through all installed packages, query the information, and finally see if it contains something like “compiler” or “compilation” in it.

With the YUM package manager it is harder to retrieve the compilers which are installed.

Got a better suggestion?

for I in $(yum -q -C list installed | awk '{ print $1 }' | grep -v "Installed"); do
  IS_COMPILER=$(yum info "${I}" | egrep -i "compil")
  if [ ! "${IS_COMPILER}" = "" ]; then echo "$I"; fi
done

Debian and Ubuntu

For Debian and Ubuntu systems no script is needed. Simply use the dpkg command to query the correct information, and grep it.

dpkg -l | egrep -i "compil"

If you just want the package names, display only the second column of the dpkg output.
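As an added example (not code from the original post), the three per-distribution snippets above can be folded into one portable script: each package manager produces "package<TAB>summary" lines, and a single filter flags packages whose summary mentions compilation or whose name is on a list of known compilers and interpreters. The name list and the "compil" pattern are assumptions; extend them for your environment.

```shell
#!/bin/sh
# Added example, not code from the original post: one portable audit that
# feeds "package<TAB>summary" lines from the local package database into a
# single filter. KNOWN_NAMES is an assumption; extend it as needed.

# Names that count as compilers or "power tools" even when the package
# summary does not contain "compil" (go, make, perl, php, python, ...).
KNOWN_NAMES="cc gcc g++ clang tcc go golang make cmake perl php python python3"

# find_compilers: stdin "<package>\t<summary>" -> stdout matching package names.
# A package matches if its name is in KNOWN_NAMES or its summary contains "compil".
find_compilers() {
  awk -F'\t' -v known_list="$KNOWN_NAMES" '
    BEGIN { n = split(known_list, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
    { if (($1 in known) || tolower($2) ~ /compil/) print $1 }' | sort -u
}

# One producer per package manager, all emitting the same two-column format.
list_pkgs_dpkg()   { dpkg-query -W -f '${Package}\t${binary:Summary}\n'; }
list_pkgs_rpm()    { rpm -qa --qf '%{NAME}\t%{SUMMARY}\n'; }
list_pkgs_pacman() {
  # pacman -Qi prints "Name : x" / "Description : y" blocks; pair them up.
  pacman -Qi | awk -F' *: *' '/^Name/ { name = $2 } /^Description/ { print name "\t" $2 }'
}

# audit_installed: pick whichever package manager is present and run the filter.
audit_installed() {
  if command -v dpkg-query >/dev/null 2>&1; then list_pkgs_dpkg
  elif command -v pacman >/dev/null 2>&1; then list_pkgs_pacman
  elif command -v rpm >/dev/null 2>&1; then list_pkgs_rpm
  else echo "no supported package manager found" >&2; return 1
  fi | find_compilers
}

# Constructed sample package list so the filter can be exercised offline.
sample_packages() {
  printf '%s\t%s\n' \
    gcc     'GNU C compiler' \
    vim     'Vi IMproved - enhanced vi editor' \
    go      'Go programming language compiler, linker, compiled stdlib' \
    python3 'interactive high-level object-oriented language' \
    libc6   'GNU C Library: Shared libraries' \
    tcc     'small ANSI C compiler'
}

# audit_sample: the filter over the constructed list (prints gcc, go, python3, tcc).
audit_sample() { sample_packages | find_compilers; }

# Only touch the real package database when explicitly asked to.
if [ "${AUDIT_RUN:-0}" = 1 ]; then audit_installed; fi
```

Run it against the live system with AUDIT_RUN=1; without that variable it only defines the functions.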


Got other tips to find installed compilers on Linux? Share them in the comments!


Take the next step!

Want to learn more about Linux security? Have a look at the open source tool Lynis and become a Linux expert yourself.

Lynis is a battle-tested technical security audit tool. It is open source, freely available, and used by system administrators all over the world. Other users include IT auditors, security professionals, like pentesters.
