Audit Installed Compilers and Their Packages

Compilers and security

Compilers can be a gateway for an attacker. After finding a weakness in one of your systems, an attacker often uses a locally installed compiler to build the related exploit code. One way to prevent this is to determine which compilers are installed and remove (or restrict) them.

Comparing Installed Packages and Compilers

One way to audit the system is to create a list of common compilers and packages, then match these against the installed packages.

Common compilers

Some common tools related to compilers are:

  • cc
  • gcc
  • go
  • make

Programming languages

Every interpreter could be abused as well, especially on systems running network services like a mail or web server. Making such a “power tool” available to shell users should be carefully considered. Such users should ideally have no access to Perl, Python, and other languages. If access can be restricted, this is another piece of system hardening.

  • Perl
  • PHP
  • Python

Perform an Audit Against Package Database

To automate things a little further, we can also query the package database. Here are some snippets you can use to determine which compilers are installed, together with their respective package.

Note: package managers have minor differences between versions. Run the commands manually as well to check that they work properly and give the expected output.

Arch Linux

#!/bin/sh
# Loop over all installed package names (pacman -Qq) and print those whose
# package information mentions a compiler
for I in $(pacman -Qq); do
  if pacman -Qi "$I" | grep -qi "compil"; then
    echo "$I"
  fi
done

CentOS and RHEL

With YUM we can get the information for each installed package. For that we loop through all installed packages, query their information, and check whether it contains something like “compiler” or “compilation”.

#!/bin/sh
# With the YUM package manager it is harder to retrieve the compilers which are installed.
# Got a better suggestion?
# Note: yum wraps long package names over two lines in its listing; on such
# lines the first column holds the version instead of the name.
for I in $(yum -q -C list installed | awk '{ print $1 }' | grep -v "Installed"); do
  if yum info "$I" | grep -qi "compil"; then
    echo "$I"
  fi
done

Debian and Ubuntu

For Debian and Ubuntu systems no script is needed. Simply use the dpkg command to list the installed packages, and grep the output.

dpkg -l | grep -i "compil"

If you just want the package names, display the second column.
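As an added example (not part of the original post), the one-liner above can be turned into a small reusable check. It parses dpkg -l output, keeps only packages that are really installed (state ii, so removed packages with leftover configuration files are skipped, which a plain grep would still show), and on RPM systems queries rpm directly with a fixed output format so long names do not wrap as they do in yum listings. The function names and the sample listing are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the sample
# listing below are made up for illustration.

# Constructed sample in the format of `dpkg -l` output (not from a real host).
SAMPLE_DPKG_LIST='Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name            Version      Architecture Description
+++-===============-============-============-================================
ii  bash            5.1-6        amd64        GNU Bourne Again SHell
ii  gcc             4:11.2.0-1   amd64        GNU C compiler
ii  make            4.3-4.1      amd64        utility for directing compilation
ii  perl            5.34.0-3     amd64        Perl 5 interpreter
rc  g++             4:11.2.0-1   amd64        GNU C++ compiler
ii  libgcc-s1:amd64 11.2.0-19    amd64        GCC support library'

# Read `dpkg -l` output on stdin and print the names of packages that are
# installed (state "ii") and mention compilation somewhere on the line.
# A plain grep would also list "rc" entries: packages already removed, with
# only their configuration files left behind.
compiler_packages() {
  awk '$1 == "ii" && tolower($0) ~ /compil/ { print $2 }'
}

# Print installed packages related to compilers on a live system, using the
# package database that is present. On RPM systems rpm is queried directly
# with a fixed output format, so long names are not wrapped as in yum output.
list_installed_compilers() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg -l | compiler_packages
  elif command -v rpm >/dev/null 2>&1; then
    rpm -qa --queryformat '%{NAME}\t%{SUMMARY}\n' \
      | awk -F '\t' 'tolower($2) ~ /compil/ { print $1 }'
  else
    echo "no dpkg or rpm database found" >&2
    return 1
  fi
}

# Demonstration on the constructed listing; prints "gcc" and "make".
printf '%s\n' "$SAMPLE_DPKG_LIST" | compiler_packages
```

Call list_installed_compilers on a real system to run the same filter against the live package database.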

[Screenshot: installed compilers on an Ubuntu system]

Got other tips to find installed compilers on Linux? Share them in the comments!


2 comments

  • rileyriley

    For CentOS and RHEL, could try substituting `rpm -qi` for `yum info`. RPM always has the rpm command lying around with low privilege database access.

  • rileyriley

    This one-liner may do it all: rpm -qa description="*compil*"
