Re: Copying an Oracle Software "Gold Image" without Cloning?
Date: Wed, 04 Dec 2013 21:00:14 +0000
Message-id: <4997B2BF-189F-4331-A60D-6BDA7D984D9A_at_me.com>
Hi Jared
I believe their concern is an attacker who has compromised the system can compile some malicious code like a root kit. Like you, I'm not convinced this offers much additional security. The attacker could just scp the compiled binaries onto the server for example!
I've never come across this requirement in other organisations, and google doesn't seem to offer many hits, so I'm assuming it isn't wide-spread. I did find this:
www.cyberciti.biz/tips/6-good-security-practices-every-linux-admin-must-follow.html: "Remove all compilers and network scanning tools such as nmap from servers. Why make the attacker's job easier?"
We have a meeting lined to discuss further, and the feedback I'm getting here (most people use clone.pl and compilers aren't generally considered a problem in other organisations) is all good stuff for me to bring to the table.
Thanks
Austin
On 4 Dec 2013, at 20:33, Jared Still <jkstill_at_gmail.com> wrote:
>
> On Tue, Nov 19, 2013 at 12:38 PM, Austin Hackett <hacketta_57_at_me.com> wrote:
> The view of the SAs is that we ought to be creating an RPM of the Oracle Client that doesn't require the clone.pl script, and thus gcc e
>
> I fail to understand how removing the compiler hardens a system.
>
> That doesn't really make much sense.
>
> Jared Still
> Certifiable Oracle DBA and Part Time Perl Evangelist
> Oracle Blog: http://jkstill.blogspot.com
> Home Page: http://jaredstill.com
-- http://www.freelists.org/webpage/oracle-lReceived on Wed Dec 04 2013 - 22:00:14 CET