Remove packages to make minimal system
Posted: 2009/04/02 15:59:54
Continuing on my quest to build a system with the sole purpose of being a LAMP server, I am trying to have the bare minimum number of packages installed.
I'm not just trying to disable as many daemons as possible, but actually remove any package that is not required. It might sound a bit extreme but each package that is installed that is not needed is using valuable space on the expensive (and small) 36GB 15krpm SAS disk. Also it is a damage control approach, in that assuming a cracker finds an exploit in Apache or PHP that allows them to run executables on the filesystem then taking away as many tools as possible will help in damage limitation. For example I don't want an SSH client installed on the system as it has no purpose for me but could be used by a cracker to access other systems on the network, if they compromise that system.
I have installed the absolute minimum from the 5.3 install by deselecting everything during install but that still leaves a great deal of unnecessary packages installed. Seeing as how the system is a 64bit installation and will have no 32bit apps running on it I have first uninstalled all the i386 versions of various libraries. I presume their only function is to provide compatibility for 32bit apps.
I have been looking for information about removing other packages but I don't seem to be able to find information on real dependencies. For example I believe I have no need for dmraid as it is for managing software RAID arrays that I have no intention of using, but if I attempt to remove it the dependencies include kernel and mkinitrd. What I can't figure out though is if these are hard dependencies in that those packages will fail to work or soft ones that simply mean without dmraid it will not be possible to configure the software raid module that is loaded into the kernel.
What packages would people recommend to remove, anyone seen a good guide to reducing down CentOS/RHEL to the absolute minimum?
Here are a couple that I'm not sure about so far ...
python-elementtree-1.2.6 : Is this really required by YUM?
m2crypto-0.16 x86_64 : Is this really used by YUM, I didn't think YUM connected via SSL?
Would be grateful for any pointers.
Thanks