Audit installed compilers and their packages
Compilers and security
Compilers can be a gateway for an attacker. After finding a weakness in one of your systems, an attacker often needs a compiler on that system to build the related exploit code. One way to make this harder is to determine which compilers are installed and remove (or restrict) them.
Comparing Installed Packages and Compilers
One way to audit the system is to create a list of common compilers and related packages, and then match it against the installed packages.
Common compilers
Some of the tools commonly found on a system that are related to compilers are:
- cc
- gcc
- go
- make
Programming languages
Every interpreter can be abused as well, especially on systems running network services, like a mail or web server. Making such a “power tool” available to shell users should be carefully considered. Those users should ideally have no access to Perl, Python, and other languages. If access can be restricted, this is another piece of system hardening.
- Perl
- PHP
- Python
Perform an Audit Against Package Database
To automate things a little further, we can also query the package database. Here are some snippets you can use to determine which compilers are installed, together with their respective packages.
Note: package managers have minor differences between versions. Run the commands manually as well to check that they work properly and give the expected output.
Arch Linux
#!/bin/sh
# Parse pacman output and determine which installed packages are compilers
for I in $(pacman -Q | awk '{ print $1 }'); do
    # Search the full package information (description, provides, etc.) for "compil"
    if pacman -Qi "$I" | grep -qi "compil"; then
        echo "$I"
    fi
done
CentOS and RHEL
With YUM, we can get the information for each installed package. For that we loop through all installed packages, query their information, and check whether it contains something like “compiler” or “compilation”.
#!/bin/sh
# With the YUM package manager it is harder to retrieve the compilers which are installed.
# Got a better suggestion?
# The first column is the package name (name.arch); skip the "Installed Packages" header line
for I in $(yum -q -C list installed | awk '{ print $1 }' | grep -v "Installed"); do
    if yum -q info "$I" | grep -qi "compil"; then
        echo "$I"
    fi
done
Debian and Ubuntu
For Debian and Ubuntu systems no script is needed. Simply use the dpkg command to list the installed packages and grep the output.
dpkg -l | grep -i "compil"
If you only want the package names, print just the second column (the package name).
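As an added example that is not part of the original article, the following script combines the two approaches above in one place: it checks a list of known compiler and interpreter binaries in PATH (reporting path, mode and owner, which is what you need when deciding whether to remove or restrict one), and it queries the package database in a distribution-aware way. It goes beyond the lists above by also covering clang, rustc, ruby and a few others; the binary lists, the function names and the constructed sample dpkg output are my assumptions, while the rpm query format and the pacman fields are standard for those tools.

```shell
#!/bin/sh
# Added example (not from the original article): audit compilers and
# interpreters on a Linux host from two angles.
#   1. Which of a known list of binaries are reachable in PATH, with their
#      permissions (a world-executable compiler is the thing to restrict).
#   2. Which installed packages describe themselves as compilers, using
#      whichever package manager the distribution has.

# Binaries worth checking (assumed lists; extend for your environment).
COMPILERS="cc gcc g++ clang tcc go rustc make as ld"
INTERPRETERS="perl php python python3 ruby lua tclsh"

# audit_binaries NAME...: print "name path mode owner" for each binary found.
audit_binaries() {
    for name in "$@"; do
        path=$(command -v "$name" 2>/dev/null) || continue
        # stat -c is GNU/BusyBox syntax; fall back to '?' elsewhere
        mode=$(stat -c '%a' "$path" 2>/dev/null || echo '?')
        owner=$(stat -c '%U' "$path" 2>/dev/null || echo '?')
        printf '%s %s %s %s\n' "$name" "$path" "$mode" "$owner"
    done
    return 0
}

# compiler_packages_from_dpkg: read `dpkg -l` output on stdin and print the
# package name (second column) of every installed package ("ii" status)
# whose line mentions "compil" (compiler, compilation, ...).
compiler_packages_from_dpkg() {
    awk '$1 == "ii" && tolower($0) ~ /compil/ { print $2 }'
}

# compiler_packages: detect the package manager and list matching packages.
compiler_packages() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -l | compiler_packages_from_dpkg
    elif command -v rpm >/dev/null 2>&1; then
        # rpm prints name and summary in one pass; no per-package loop needed
        rpm -qa --qf '%{NAME} %{SUMMARY}\n' | awk 'tolower($0) ~ /compil/ { print $1 }'
    elif command -v pacman >/dev/null 2>&1; then
        # pacman -Qi prints "Name : x" and "Description : ..." blocks per package
        pacman -Qi | awk '/^Name/ { n = $3 } /^Description/ && tolower($0) ~ /compil/ { print n }'
    else
        echo "no supported package manager found (dpkg, rpm, pacman)" >&2
        return 1
    fi
}

main() {
    echo "== compiler binaries in PATH (name path mode owner) =="
    audit_binaries $COMPILERS      # unquoted on purpose: split into words
    echo "== interpreter binaries in PATH =="
    audit_binaries $INTERPRETERS
    echo "== installed packages describing themselves as compilers =="
    compiler_packages || echo "(package database query skipped)"
}

main
```

Run it as root or as an unprivileged user; the binary check only needs PATH and stat. Anything listed under the first two headings that shell users do not need is a candidate for removal or for tightening the mode and owner, and the package list tells you which package to remove to take the binary away cleanly.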
Got other tips to find installed compilers on Linux? Let us know!