Vulnarex | Elite Cybersecurity Learning Platform

#Every Installed Package Is a Liability You Haven't Patched#link

A 2019 study found that the average Linux container image contains over 100 known vulnerabilities—most in packages the application never uses. Removing unnecessary packages and disabling unused services is the simplest and most effective hardening step. This lesson details how to create a minimal package manifest, disable and mask services with systemd, and build a lean OS image that passes vulnerability scanners.

Auditing Installed Packages

Use package manager tools to list installed packages: dpkg -l (Debian), rpm -qa (RHEL), or zypper se --installed (SUSE). Identify packages that are not needed for the system's role: compilers (gcc), X11 libraries on a server, Bluetooth, CUPS, and legacy services like telnet. Remove with apt purge, yum remove, etc. For servers, install in 'minimal' mode at deployment and add only what's necessary.

List and count installed packages on Debian

root@vulnarex:~#dpkg -l | wc -l && dpkg -l | awk '{print $2}' | grep -E 'telnet|ftp|rsh|rlogin|nis'

bash

# Purge a package and its dependencies (Debian/Ubuntu)
sudo apt purge --auto-remove telnetd rsh-server
# On RHEL/CentOS
sudo yum autoremove xinetd tftp-server

The --auto-remove flag removes unused dependencies, further reducing the package footprint.

Systemd Service Hardening: Disable and Mask

systemctl stop disables a running service, but it may be restarted by dependencies. systemctl disable prevents automatic startup at boot, but a dependency can still trigger it. systemctl mask creates a symlink to /dev/null, completely preventing the service from being started by any means—even manually. Use mask for critical-to-disable services like rpcbind, cups, avahi-daemon, and bluetooth on servers.

Mask unwanted services

root@vulnarex:~#sudo systemctl mask bluetooth.service cups.service avahi-daemon.service

info

💡 To list all services and their state: systemctl list-units --type=service --all. Focus on those 'active' or 'inactive'—mask the unnecessary ones.

Service	Potential Risk	Action on Server
cups (print)	Print spooler vulnerabilities	Mask/disable unless print server
avahi-daemon (mDNS)	Service discovery, mDNS spoofing	Mask/disable on servers
bluetooth	Wireless attack surface	Mask/disable, remove hardware if possible
rpcbind (NFS/portmap)	RPC enumeration	Disable if not using NFS

Maintaining a Minimal Package Baseline

Document the list of allowed packages and services in your configuration management (Ansible, Chef). Use tools like deborphan or rpmorphan to identify unused libraries and packages. Integrate a security scanner (e.g., Lynis) into your pipeline that flags unnecessary services. Over time, drift happens; schedule monthly package reviews.

▪Inventory all installed packages; remove those not strictly needed.
▪Mask services that should never run: avahi, cups, bluetooth, rpcbind.
▪Use a minimal base image (e.g., Ubuntu Server, not Desktop) when provisioning.
▪Automate package removal and service masking in Ansible playbooks.

STRICT SECURE AUDIT RULE

⚠️ Removing system packages can break dependencies—always test in a staging environment. Use 'apt autoremove --simulate' or 'yum remove --setopt=tsflags=test' to preview.

quiz BLOCK (★ 50 XP)

After masking a service, an attacker gains root and tries 'systemctl start masked-service'. What happens?

Select your proof vectors above

challenge BLOCK (★ 100 XP)

Minimalization Challenge