packages with known issues are not actually removed on debian/ubuntu #90
Comments
Please bear with me if my questions are somewhat inane, we are new to contributing changes back (and relatively new to Chef). We have benefited from the work of the hardening.io project though, so it is satisfying to be able to give something back (albeit minor initially, though that is a deliberate choice to get us started).

I've looked through the existing functionality for the redhat/fedora distro family (i.e. the os-hardening::yum recipe). For the debian distro family, apt-get and aptitude are configured to check package signatures by default. Should we still check that this hasn't been disabled (i.e. check that 'APT::Get::AllowUnauthenticated=true' has not been specified in apt.conf)?

For the actual package removal section, it would seem better/more portable to use the built-in Chef package resource (https://docs.chef.io/resource_package.html) and therefore to move this into the os-hardening::packages recipe. Thoughts? I'll get an initial pull request up shortly for this change.
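One way to implement the apt.conf check asked about in the comment above, as an added example that is not code from the os-hardening cookbook or from the commenter. It parses APT's configuration syntax rather than grepping for one spelling, because APT accepts both `APT::Get::AllowUnauthenticated "true";` and the nested `APT { Get { AllowUnauthenticated "true"; }; };` form, and a fragment in apt.conf.d can set it even when apt.conf itself is clean. The file paths, the assumed read order (apt.conf.d fragments in lexical order, then apt.conf, later values overriding earlier ones) and the list of words treated as boolean true are assumptions stated in the code; the sample configuration is constructed.

```ruby
# Added example (not os-hardening cookbook code): parse APT configuration and
# report whether APT::Get::AllowUnauthenticated has been switched on.

# Words APT's boolean parser accepts as true (assumed from APT's StringToBool).
APT_TRUE_WORDS = %w[true yes on with enable 1].freeze

# Assumed read order: apt.conf.d fragments sorted by name, then apt.conf;
# a later definition of a key overrides an earlier one.
APT_CONF_DIR  = '/etc/apt/apt.conf.d'
APT_CONF_MAIN = '/etc/apt/apt.conf'

# Split apt.conf text into words, quoted strings, braces and semicolons,
# dropping //, # and /* */ comments (so #include / #clear are ignored too).
def tokenize_apt_conf(text)
  tokens = []
  i = 0
  n = text.length
  while i < n
    c = text[i]
    if c =~ /\s/
      i += 1
    elsif c == '"'                                  # quoted value, may contain # or //
      j = text.index('"', i + 1) || n
      tokens << { type: :string, value: text[(i + 1)...j] }
      i = j + 1
    elsif c == '#' || text[i, 2] == '//'            # line comment
      i = text.index("\n", i) || n
    elsif text[i, 2] == '/*'                        # block comment
      j = text.index('*/', i + 2)
      i = j ? j + 2 : n
    elsif c == '{'
      tokens << { type: :lbrace }
      i += 1
    elsif c == '}'
      tokens << { type: :rbrace }
      i += 1
    elsif c == ';'
      tokens << { type: :semi }
      i += 1
    else                                            # bare word such as APT::Get
      j = i
      j += 1 while j < n && text[j] !~ /[\s{};"]/ && text[j, 2] != '//'
      tokens << { type: :word, value: text[i...j] }
      i = j
    end
  end
  tokens
end

# Resolve scoped names to a flat hash, e.g. APT { Get { X "1"; }; }; becomes
# { "APT::Get::X" => "1" }. Later assignments overwrite earlier ones.
def parse_apt_conf(text)
  tokens = tokenize_apt_conf(text)
  settings = {}
  scope = []
  i = 0
  while i < tokens.length
    tok = tokens[i]
    nxt = tokens[i + 1]
    case tok[:type]
    when :word
      if nxt && nxt[:type] == :string               # name "value";
        settings[(scope + [tok[:value]]).join('::')] = nxt[:value]
        i += 2
        i += 1 if tokens[i] && tokens[i][:type] == :semi
      elsif nxt && nxt[:type] == :lbrace            # name { ... }
        scope.push(tok[:value])
        i += 2
      else
        i += 1
      end
    when :rbrace
      scope.pop
      i += 1
      i += 1 if tokens[i] && tokens[i][:type] == :semi
    else                                            # list items, stray tokens
      i += 1
    end
  end
  settings
end

# Texts are given in APT's read order, so the last definition wins.
def apt_allows_unauthenticated?(*texts)
  value = parse_apt_conf(texts.join("\n"))['APT::Get::AllowUnauthenticated']
  APT_TRUE_WORDS.include?(value.to_s.downcase)
end

# Read the live configuration in the assumed order (not used by the tests).
def read_apt_conf_texts(dir = APT_CONF_DIR, main = APT_CONF_MAIN)
  files = Dir.glob(File.join(dir, '*')).sort
  files << main if File.exist?(main)
  files.map { |f| File.read(f) }
end

# Constructed sample: a drop-in fragment that disables signature checks in the
# nested form, plus an apt.conf that never mentions the setting.
SAMPLE_FRAGMENT = <<~CONF
  // 99-insecure (constructed sample fragment)
  APT { Get { AllowUnauthenticated "true"; }; };
CONF
SAMPLE_MAIN = <<~CONF
  Acquire::http::Proxy "http://proxy.example:3128"; # unrelated setting
CONF

if $PROGRAM_NAME == __FILE__
  puts "sample config allows unauthenticated packages: " \
       "#{apt_allows_unauthenticated?(SAMPLE_FRAGMENT, SAMPLE_MAIN)}"
end
```

Run it against `read_apt_conf_texts` on a Debian or Ubuntu host to audit the real files; a value of `true` in either spelling, in any fragment, is the condition a hardening recipe would want to revert.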
Hi @mikemoate, yes, you are right. Currently this is only implemented for RHEL based systems. Please go ahead. I am happy to add this PR. If you need any help, just let me know.
@chris-rock initial pull request for this is now up for comment, apologies it took a bit longer than I hoped.
common files: centos7 + rubocop
My colleague @JJClements already mentioned this in Gitter at https://gitter.im/hardening-io/general alongside another issue we have encountered.
We have observed that the functionality to remove the list of packages with known issues has only been implemented for the redhat/fedora family of distributions; the debian family implementation is missing. We have also tested this on Ubuntu 14.04 by installing the xinetd package and then confirming that applying this cookbook does not remove the package, even if
['security']['packages']['clean'] = true
is set. We intend to contribute a pull request to address this, following the guidance at http://hardening.io/docs/coding/contributing/