Living off the Land tools list for OpenBSD

[e1-531g]

Hello,
When it comes to hardening of Windows or Gnu/Linux there are lists such as Microsoft recommended block rules, LOLBAS and GTFOBins. These are lists of legitimate preinstalled system applications that can be used by attacker to conduct harmful activity and circumvent access control mechanisms be it DAC or something else. Are there lists for OpenBSD of that kind of binaries?

[ibara]

Parts of this list are borderline ridiculous. Like, wow, did you know that ed(1) can read files?

Seriously though, if you are running a machine in which you are deliberately putting people in a restricted shell, then you (hopefully) already know that you cannot just put them in a restricted shell in the normal operating environment, and have taken the steps to put them in their own chroot(8) or something. Or better yet, if you really have such restrictions, you should write better policy to completely deny any and all access to those machines. Perhaps airgap the machine too, just to be safe.

[e1-531g]

Quote:

Originally Posted by ibara

have taken the steps to put them in their own chroot(8) or something.

But what if I want to allow somebody access to some basic command line tools? I know that I can just extract filesystem to chroot, but what should I remove from that extracted archive? Does removing all SUID binaries and keeping software updated is enough to prevent privilege escalation? I don't mean letting professional pentester/NSA TAO level hacker in, just average IT technician.