Part of the appeal of appliances is that you know what's running on the hardware. You can't do this on a modern general-purpose operating system. I can go to my Linux workstation and type "ps" and there are things running that are completely mystifying to me. Does my desktop machine really need automated power management? Similarly, I can open my laptop and fire up the task manager, and be completely lost the minute I move from the applications to the processes tab. All I know how to do is click on the CPU column, and if my browser is making the system sluggish, I'll kill it.
On an appliance, I can do a ps -- if such a command existed, which it shouldn't -- and understand and explain everything. Further, I can walk through the filesystem and describe the justification for the existence of every single file. And if I can't do it, the appliance development team certainly can.
When an appliance leaves the factory, it should have only what's needed to perform its task. The supporting infrastructure of a general-purpose computer should be removed as much as possible. Or rather, start with the kernel and add items as you find you need them. The /etc/passwd file, and in fact almost all of /etc? Remove it. The /bin directory? Why? A shell? Your appliance should include some kind of command line, and be complete for problem determination, so get rid of bash, sh, ash, etc. Busybox? Only as a way to package many utilities in a small unit. If needed.
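One way to enforce the file-by-file justification described above at build time, as an added example that is not from the original post: a Python check that walks a staged root filesystem and reports every file lacking a written justification. The staging tree, the manifest format, and the names `applianced` and `diagcli` are assumptions made up for illustration.

```python
import os
import tempfile

def audit_rootfs(root, manifest):
    """Compare a staged root filesystem against a manifest of path -> justification.

    Returns (unjustified, missing): files present without a non-empty
    justification, and manifest entries absent from the tree.
    """
    present = set()
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # os.walk lists symlinks to directories under dirnames; count them as entries too
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in filenames + links:
            full = os.path.join(dirpath, name)
            present.add("/" + os.path.relpath(full, root).replace(os.sep, "/"))
    unjustified = sorted(p for p in present if not manifest.get(p, "").strip())
    missing = sorted(p for p in manifest if p not in present)
    return unjustified, missing

def build_sample_rootfs(root):
    """Constructed sample tree: one daemon, its config, and two leftovers."""
    for rel in ("sbin/applianced", "etc/applianced.conf", "bin/sh", "etc/passwd"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("")

# Hypothetical manifest: every shipped path must carry a reason someone can defend.
SAMPLE_MANIFEST = {
    "/sbin/applianced": "the data-processing daemon; the reason the box exists",
    "/etc/applianced.conf": "factory configuration read by applianced at boot",
    "/sbin/diagcli": "built-in command line for problem determination",
    "/bin/sh": "",  # listed, but with no stated reason: still counts as unjustified
}

def run_sample():
    with tempfile.TemporaryDirectory() as root:
        build_sample_rootfs(root)
        return audit_rootfs(root, SAMPLE_MANIFEST)

if __name__ == "__main__":
    unjustified, missing = run_sample()
    for p in unjustified:
        print("no justification:", p)
    for p in missing:
        print("in manifest, not in image:", p)
```

Failing the image build whenever either list is non-empty keeps the manifest and the shipped filesystem from drifting apart.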
The less stuff you have, the smaller your attack surface: the fewer places folks can sneak in and get you. The fewer moving parts in the appliance, the more reliable it will be. Within reason, of course. If the problem-determination tools are completely integrated into the data-processing capabilities, then you'll get lots of "box becomes completely not responsive, and I can't log in" complaints. And you can take my word on that. :)
Appliance security from the software that isn't there
RSalz