Utilities

  • busybox: Software that provides several stripped-down Unix tools in a single executable file. A “production” build of busybox must be used so that the tools useful only in development mode are left out.

| Domain | Tool name | State |
|---|---|---|
| Platform-Utilities-1 | busybox | Used to provide a number of tools. Do not compile development tools. |

Functionalities to exclude in production mode

In production mode, a number of tools must be disabled so that an attacker cannot, for example, find logs. This limits the visible surface and so complicates fault finding for an attacker. Tools used only in development mode are marked with the ‘agl-devel’ feature; when building in production mode, these tools are not compiled.

| Domain | Utility name and normal path | State |
|---|---|---|
| Platform-Utilities-1 | chgrp in /bin/chgrp | Disabled |
| Platform-Utilities-2 | chmod in /bin/chmod | Disabled |
| Platform-Utilities-3 | chown in /bin/chown | Disabled |
| Platform-Utilities-4 | dmesg in /bin/dmesg | Disabled |
| Platform-Utilities-5 | Dnsdomainname in /bin/dnsdomainname | Disabled |
| Platform-Utilities-6 | dropbear, Remove “dropbear” from /etc/init.d/rcs | Disabled |
| Platform-Utilities-7 | Editors in (vi) /bin/vi | Disabled |
| Platform-Utilities-8 | find in /bin/find | Disabled |
| Platform-Utilities-9 | gdbserver in /bin/gdbserver | Disabled |
| Platform-Utilities-10 | hexdump in /bin/hexdump | Disabled |
| Platform-Utilities-11 | hostname in /bin/hostname | Disabled |
| Platform-Utilities-12 | install in /bin/install | Disabled |
| Platform-Utilities-13 | iostat in /bin/iostat | Disabled |
| Platform-Utilities-14 | killall in /bin/killall | Disabled |
| Platform-Utilities-15 | klogd in /sbin/klogd | Disabled |
| Platform-Utilities-16 | logger in /bin/logger | Disabled |
| Platform-Utilities-17 | lsmod in /sbin/lsmod | Disabled |
| Platform-Utilities-18 | pmap in /bin/pmap | Disabled |
| Platform-Utilities-19 | ps in /bin/ps | Disabled |
| Platform-Utilities-20 | ps in /bin/ps | Disabled |
| Platform-Utilities-21 | rpm in /bin/rpm | Disabled |
| Platform-Utilities-22 | SSH | Disabled |
| Platform-Utilities-23 | stbhotplug in /sbin/stbhotplug | Disabled |
| Platform-Utilities-24 | strace in /bin/trace | Disabled |
| Platform-Utilities-25 | su in /bin/su | Disabled |
| Platform-Utilities-26 | syslogd in (logger) /bin/logger | Disabled |
| Platform-Utilities-27 | top in /bin/top | Disabled |
| Platform-Utilities-28 | UART in /proc/tty/driver/ | Disabled |
| Platform-Utilities-29 | which in /bin/which | Disabled |
| Platform-Utilities-30 | who and whoami in /bin/whoami | Disabled |
| Platform-Utilities-31 | awk (busybox) | Enabled |
| Platform-Utilities-32 | cut (busybox) | Enabled |
| Platform-Utilities-33 | df (busybox) | Enabled |
| Platform-Utilities-34 | echo (busybox) | Enabled |
| Platform-Utilities-35 | fdisk (busybox) | Enabled |
| Platform-Utilities-36 | grep (busybox) | Enabled |
| Platform-Utilities-37 | mkdir (busybox) | Enabled |
| Platform-Utilities-38 | mount (vfat) (busybox) | Enabled |
| Platform-Utilities-39 | printf (busybox) | Enabled |
| Platform-Utilities-40 | sed in /bin/sed (busybox) | Enabled |
| Platform-Utilities-41 | tail (busybox) | Enabled |
| Platform-Utilities-42 | tee (busybox) | Enabled |
| Platform-Utilities-43 | test (busybox) | Enabled |

The Enabled Unix/Linux utilities above shall be permitted, as they are often used in the start-up scripts and for USB logging. Any of these utilities that the device does not require should be removed.
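
One way to check an unpacked production image against the two lists above, as an added example that is not part of the original documentation. It assumes the root filesystem is unpacked to a directory and that busybox applets are installed as symlinks whose target contains "busybox"; `audit_rootfs` is a hypothetical name, and rows without a file path (SSH, UART) are not covered.

```shell
# Added example: audit an unpacked rootfs against the Disabled/Enabled rows.
# Paths are copied as written in the table (including /bin/trace for strace).
DISABLED_PATHS="/bin/chgrp /bin/chmod /bin/chown /bin/dmesg /bin/dnsdomainname
/bin/vi /bin/find /bin/gdbserver /bin/hexdump /bin/hostname /bin/install
/bin/iostat /bin/killall /sbin/klogd /bin/logger /sbin/lsmod /bin/pmap /bin/ps
/bin/rpm /sbin/stbhotplug /bin/trace /bin/su /bin/top /bin/which /bin/whoami"

ALLOWED_APPLETS="awk cut df echo fdisk grep mkdir mount printf sed tail tee test"

# audit_rootfs ROOT: print one finding per line; return 0 only if there are none.
audit_rootfs() {
    root=$1
    findings=0
    # 1. Any path from a "Disabled" row that is present (file or symlink).
    for p in $DISABLED_PATHS; do
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "DISABLED-PRESENT $p"
            findings=$((findings + 1))
        fi
    done
    # 2. Any busybox applet symlink whose name is not in the "Enabled" rows.
    for link in "$root"/bin/* "$root"/sbin/* "$root"/usr/bin/* "$root"/usr/sbin/*; do
        [ -L "$link" ] || continue
        case "$(readlink "$link")" in *busybox*) ;; *) continue ;; esac
        name=${link##*/}
        case " $ALLOWED_APPLETS " in
            *" $name "*) ;;
            *)  echo "APPLET-NOT-ALLOWED ${link#"$root"}"
                findings=$((findings + 1))
                ;;
        esac
    done
    # 3. dropbear must not be started from the init script named in the table.
    if grep -q dropbear "$root/etc/init.d/rcs" 2>/dev/null; then
        echo "DROPBEAR-IN-INIT /etc/init.d/rcs"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}
```

Source the file and call `audit_rootfs /path/to/rootfs` as a build gate; trim `ALLOWED_APPLETS` further for devices that do not need every enabled utility.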