Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

packages with known issues are not actually removed on debian/ubuntu #90

Closed
mikemoate opened this issue Sep 29, 2015 · 3 comments · Fixed by #93
Closed

packages with known issues are not actually removed on debian/ubuntu #90

mikemoate opened this issue Sep 29, 2015 · 3 comments · Fixed by #93

Comments

@mikemoate
Copy link
Member

My colleague @JJClements already mentioned this in Gitter at https://gitter.im/hardening-io/general alongside another issue we have encountered.

We have observed that the functionality to remove the list of packages with known issues has only be implemented for the redhat/fedora family of distributions, the debian family implementation is missing. We have also tested this on Ubuntu 14.04 by installing the xinetd package and then confirming applying this cookbook does not remove the package, even if ['security']['packages']['clean'] = true is set.

We intend to contribute a pull request to address this, following the guidance at http://hardening.io/docs/coding/contributing/
@mikemoate
Copy link
Member Author

Please bear with me if my questions are somewhat inane, we are new to contributing changes back (and relatively new to Chef). We have benefited from the work of the hardening.io project though, so it is satisfying to be able to give something back (albeit minor initially, though that is a deliberate choice to get us started).

I've looked through the existing functionality for the redhat/fedora distro family (i.e. the os-hardening::yum recipe).

For the debian distro family, apt-get and aptitude are configured to check package signatures by default. Should we still check that this hasn't been disabled (i.e. check that 'APT::Get::AllowUnauthenticated=true' has not been specified in apt.conf)?

For the actual package removal section, it would seem better/more portable to use the built-in Chef package resource (https://docs.chef.io/resource_package.html) and therefore to move this into the os-hardening::packages recipe. Thoughts? I'll get an initial pull request up shortly for this change.

@chris-rock
Copy link
Member

Hi @mikemoate yes you are right. Currently this is only implemented for RHEL based systems. Please go ahead. I am happy to add this PR. If you need any help, just let me know.

@mikemoate mikemoate mentioned this issue Oct 14, 2015
Merged
@mikemoate
Copy link
Member Author

@chris-rock initial pull request for this is now up for comment, apologies it took a bit longer than I hoped.

@mikemoate mikemoate mentioned this issue Nov 23, 2015
Merged
rollbrettler pushed a commit to rollbrettler/chef-os-hardening that referenced this issue Sep 16, 2016
@chris-rock
Merge pull request dev-sec#90 from hardening-io/update-common
b531acf 
common files: centos7 + rubocop
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remove packages with known issues on debian/ubuntu mikemoate/chef-os-hardening
2 participants
@chris-rock @mikemoate