
packages with known issues are not actually removed on debian/ubuntu #90

Closed
mikemoate opened this issue Sep 29, 2015 · 3 comments · Fixed by #93

Comments

@mikemoate
Member

My colleague @JJClements already mentioned this in Gitter at https://gitter.im/hardening-io/general alongside another issue we have encountered.

We have observed that the functionality to remove the list of packages with known issues has only been implemented for the redhat/fedora family of distributions; the debian family implementation is missing. We have also tested this on Ubuntu 14.04 by installing the xinetd package and then confirming that applying this cookbook does not remove the package, even if ['security']['packages']['clean'] = true is set.

We intend to contribute a pull request to address this, following the guidance at http://hardening.io/docs/coding/contributing/

@mikemoate
Member Author

Please bear with me if my questions are somewhat inane; we are new to contributing changes back (and relatively new to Chef). We have benefited from the work of the hardening.io project, though, so it is satisfying to be able to give something back (albeit minor initially, though that is a deliberate choice to get us started).

I've looked through the existing functionality for the redhat/fedora distro family (i.e. the os-hardening::yum recipe).

For the debian distro family, apt-get and aptitude are configured to check package signatures by default. Should we still check that this hasn't been disabled (i.e. check that 'APT::Get::AllowUnauthenticated=true' has not been specified in apt.conf)?

For the actual package removal section, it would seem better/more portable to use the built-in Chef package resource (https://docs.chef.io/resource_package.html) and therefore to move this into the os-hardening::packages recipe. Thoughts? I'll get an initial pull request up shortly for this change.
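
An added example, not code from chef-os-hardening or from this issue's authors, modelling in plain Ruby the two checks raised in this comment: parsing apt.conf for APT::Get::AllowUnauthenticated and gating the removal list on ['security']['packages']['clean']. The module name, the sample apt.conf and the package list are constructed assumptions; a real recipe would hand the resulting list to Chef's package resource with action :remove.

```ruby
# Added example, not chef-os-hardening's own code: a plain-Ruby model of the
# two checks discussed above, written so it runs without Chef.
#   1. Does an apt.conf fragment set APT::Get::AllowUnauthenticated to true?
#   2. Which packages should go when ['security']['packages']['clean'] is true?
module AptHardeningCheck
  module_function

  # Constructed sample apt.conf: both the flat form and the nested block form,
  # plus a comment line that must be ignored.
  SAMPLE_APT_CONF = <<~CONF
    // APT::Get::AllowUnauthenticated "true";   <- commented out, not active
    Dir::Cache "var/cache/apt";
    APT { Get { AllowUnauthenticated "true"; } }
  CONF

  # Parse apt.conf syntax into a Hash of "Scope::Key" => value.
  # Handles end-of-line comments (// and #) and nested { } scopes.
  def parse_apt_conf(text)
    src = text.gsub(%r{//.*$|#.*$}, '')
    tokens = src.scan(/"[^"]*"|[{};]|[^\s{};"]+/)
    scope, out = [], {}
    tokens.each_with_index do |tok, i|
      case tok
      when '{' then scope.push(tokens[i - 1])   # opener names the new scope
      when '}' then scope.pop
      when ';' then next
      else
        nxt = tokens[i + 1]
        next unless nxt&.start_with?('"')     # values are always quoted
        out[(scope + [tok]).join('::')] = nxt.delete('"')
      end
    end
    out
  end

  # True when signature checking is disabled, the condition the debian branch
  # of the cookbook would want to detect (and ideally correct).
  def allow_unauthenticated?(text)
    parse_apt_conf(text)['APT::Get::AllowUnauthenticated'].to_s.casecmp('true').zero?
  end

  # Mirror of the attribute gate: packages to remove, or [] when
  # ['security']['packages']['clean'] is not true. The package list is a
  # constructed placeholder (xinetd is the package the issue tested with).
  KNOWN_ISSUE_PACKAGES = %w[xinetd].freeze
  def packages_to_remove(node)
    node.dig('security', 'packages', 'clean') == true ? KNOWN_ISSUE_PACKAGES : []
  end
end
```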

@chris-rock
Member

Hi @mikemoate, yes, you are right. Currently this is only implemented for RHEL based systems. Please go ahead. I am happy to add this PR. If you need any help, just let me know.

@mikemoate
Member Author

@chris-rock the initial pull request for this is now up for comment; apologies that it took a bit longer than I hoped.

rollbrettler pushed a commit to rollbrettler/chef-os-hardening that referenced this issue Sep 16, 2016