Hardening Linux server security post Plone installation

Installing Plone on a Linux server typically involves the installation of some packages (normally their names end with -dev) used for compilation of some parts of Zope.

Is it considered unsafe to leave these packages behind?

Which packages do you uninstall after setting up your Plone sites?

Very much, yes. Don't forget to delete python because it's one of the most dangerous hacker tools.

If you really want to go that way, start with removing the compiler first. SELinux and AppArmor are also something to look into for making sure no one can bring in their own compiler into userspace. It is very rare for that to be worth it.

In general hire a specialist if you have a client requirement and do not have one in-house.


@hvelarde I do that.

Basically I run a Plone Docker container stripped down to the minimal dependencies (with seccomp, without any stuff which is not needed), etc., etc.
This then runs on stripped Docker clusters :slight_smile:

This kind of setup is maybe a bit more secure than a default one, but it also adds some extra work.
Like using a build-pipeline with build-stages, etc.

Also it costs more time to exactly pin an install down to only the stuff you need and learn about seccomp, SELinux, etc., etc. :slight_smile:


With the newer (I think version 38) setuptools and zc.buildout, one can use wheels from within zc.buildout, so this means that no compiler is needed to get lxml and the like in, if I understood it correctly.

But as @Rotonen points out, security by committee is probably not what your clients want :slight_smile:

Only after everything ships a suitable wheel.
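
An added example, not written by any poster in this thread: a Bash function that sorts Debian-style package names into compilers, build tools and `-dev` header packages, so the leftovers of a Plone build can be reviewed before anything is removed. The name patterns and the sample list are assumptions constructed for illustration; on a real host, pipe in `dpkg-query -W -f='${Package}\n'`.

```bash
#!/usr/bin/env bash
# Added example: flag packages that are normally needed only at build time.

# Reads one package name per line on stdin and prints
# "category<TAB>package" for every name that looks build-only.
classify_build_packages() {
    local pkg
    while IFS= read -r pkg; do
        pkg=${pkg%%:*}              # drop a multiarch suffix such as ":amd64"
        case "$pkg" in
            gcc-[0-9]*-base)
                ;;                  # runtime dependency of libgcc, not a compiler
            gcc|gcc-[0-9]*|g++|g++-[0-9]*|cpp|cpp-[0-9]*|clang|clang-[0-9]*)
                printf 'compiler\t%s\n' "$pkg" ;;
            make|cmake|autoconf|automake|libtool|build-essential|pkg-config)
                printf 'buildtool\t%s\n' "$pkg" ;;
            *-dev)
                printf 'headers\t%s\n' "$pkg" ;;
        esac
    done
}

# Constructed sample: what a host might list after compiling lxml for Plone.
sample_packages() {
    cat <<'EOF'
gcc
gcc-12
gcc-12-base
libxml2-dev:amd64
libxslt1-dev
python3-dev
make
libxml2
python3
openssl
EOF
}

# Run against the live package database only when asked to.
if [ "${1:-}" = "--live" ]; then
    dpkg-query -W -f='${Package}\n' | classify_build_packages
fi
```

Treat the output as a review list rather than a removal list: check what else depends on each package before uninstalling it.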