> > My reasoning behind NOT installing the X, Comp and Game sets have > little > to do with saving space, although I am using an 8GB SSD. I learned in my > research that one of the most fundamental ways to improve network/system > security is to minimize the attack surface by not installing unneeded > software. If it isn't installed, any potential vulnerabilities, known or > not, are irrelevant. >
What is not irrelevant is the person/program that somehow has a shell on your box can paste the required 500 bytes of hex data into "openssl base64 -d" to get a binary on your system, so removing the Comp set is one of those "it would be super hard for me to imagine what I need to run a local privilege escalation so it must require all these tools" whereas the hackers that do own other boxes will already have the short_ASM_sequence* tested locally and only need to get those over the same path the exploit took in order to get a better foothold on your machine. So removing comp sets just mean you can't patch locally when a scary advisory comes out, it also means you need to special-case your sysupgrades and those two choices will probably mean you will stay vulnerable for a longer time just because you hoped leaving cc(1),as(1) and battlestar(6) out of the box will "save" you. Yes, I can imagine some few scenarios where it might, but as the other reply you already got says, when you make your own box a surprise to administer and reason about, you are making it worse already so the comparisons about what choice is safer doesn't even start from the same level. *) SEE ALSO: https://en.wikipedia.org/wiki/SQL_Slammer -- May the most significant bit of your life be positive.
