How to get rid of insecure rpcbind?

I’ve seen warnings against running rpcbind - a vulnerable system service that listens by default and probably has zero use in Whonix. While Whonix-check can warn against it, how can I prevent it from being installed at all?

rpcbind
Reverse Depends:
initscripts
|rstatd
quota
nfs-common
|rwalld
|rusersd
monitoring-plugins-standard
lava-dispatcher

Most important is that it is not reachable from external interfaces.

At the risk of stating the known and obvious: to remove it, you need to get rid of all the reverse depends. (Sometimes there are alternatives. For example, debian/control of initscripts may have something like:

Depends: …, rpcbind | some-secure-alternative, …

In that case you could keep initscripts installed, remove rpcbind and install the hypothetical some-secure-alternative and thereby satisfy the alternative dependency.)

OK, didn’t know that. It’s not a problem anymore then.

It still makes sense to reduce the number of running services / open local ports. Less interaction. Compromised and contained (apparmor, seccomp…) software may not try to exploit it if not running.
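The check discussed in this thread (is rpcbind reachable from anything other than loopback?) can be scripted. The following is an added example, not part of the original posts; it assumes the column layout of `ss -H -tuln` from iproute2 and rpcbind's standard port 111, the function names are hypothetical, and the sample socket list is constructed.

```shell
#!/bin/sh
# Classify port-111 (rpcbind) listeners from `ss -H -tuln` output on stdin.
# Prints one line per socket: "<scope> <proto> <address>",
# where scope is "loopback" or "external".
classify_rpcbind_listeners() {
    awk '
    {
        proto = $1; sock = $5            # Netid State Recv-Q Send-Q Local:Port Peer:Port
        n = match(sock, /:[0-9]+$/)      # last ":" splits address from port (IPv6 too)
        if (n == 0) next
        port = substr(sock, n + 1)
        addr = substr(sock, 1, n - 1)
        if (port != "111") next
        sub(/%.*$/, "", addr)            # drop interface scope, e.g. 127.0.0.1%lo
        sub(/^\[/, "", addr)             # [::1] -> ::1
        sub(/\]$/, "", addr)
        scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "external"
        print scope, proto, addr
    }'
}

# Exit status 0 if any rpcbind socket is bound to a non-loopback address.
rpcbind_exposed() {
    classify_rpcbind_listeners | grep -q '^external'
}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0               [::]:111           [::]:*
tcp   LISTEN 0      128        127.0.0.1:111        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096           [::1]:111           [::]:*
EOF
}

# Demo on the constructed sample; on a live system use:
#   ss -H -tuln | classify_rpcbind_listeners
sample_ss_output | classify_rpcbind_listeners
if sample_ss_output | rpcbind_exposed; then
    echo "rpcbind is bound to a non-loopback address"
fi
```

A wildcard bind (`0.0.0.0`, `[::]`, `*`) is reported as external because it accepts traffic on every interface unless a firewall blocks it.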