packages with known issues are not actually removed on debian/ubuntu #90

Closed
mikemoate opened this Issue Sep 29, 2015 · 3 comments

mikemoate commented Sep 29, 2015

My colleague @JJClements already mentioned this in Gitter at https://gitter.im/hardening-io/general alongside another issue we have encountered.

We have observed that the functionality to remove the list of packages with known issues has only been implemented for the redhat/fedora family of distributions; the debian family implementation is missing. We have also tested this on Ubuntu 14.04 by installing the xinetd package and then confirming that applying this cookbook does not remove the package, even if ['security']['packages']['clean'] = true is set.

We intend to contribute a pull request to address this, following the guidance at http://hardening.io/docs/coding/contributing/

mikemoate commented Sep 30, 2015

Please bear with me if my questions are somewhat inane, we are new to contributing changes back (and relatively new to Chef). We have benefited from the work of the hardening.io project though, so it is satisfying to be able to give something back (albeit minor initially, though that is a deliberate choice to get us started).

I've looked through the existing functionality for the redhat/fedora distro family (i.e. the os-hardening::yum recipe).

For the debian distro family, apt-get and aptitude are configured to check package signatures by default. Should we still check that this hasn't been disabled (i.e. check that 'APT::Get::AllowUnauthenticated=true' has not been specified in apt.conf)?

For the actual package removal section, it would seem better/more portable to use the built-in Chef package resource (https://docs.chef.io/resource_package.html) and therefore to move this into the os-hardening::packages recipe. Thoughts? I'll get an initial pull request up shortly for this change.
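As an added illustration of the two checks proposed in the comment above (this is example code written for this page, not code from the chef-os-hardening cookbook or from the commenter), the following plain Ruby models them outside the Chef DSL so they can be run or unit-tested anywhere: whether `APT::Get::AllowUnauthenticated` is switched on anywhere in the apt configuration, and which of the blacklisted packages dpkg actually reports as present. The attribute path `['security']['packages']['list']` for the package list, the sample apt.conf fragments and the sample `dpkg-query` output are all assumptions constructed for the example; `['security']['packages']['clean']` is the flag named in the issue.

```ruby
# Added example, not part of chef-os-hardening. Pure Ruby, no Chef DSL.

# Tokenise apt.conf syntax and flatten it to {"APT::Get::AllowUnauthenticated" => "true"}.
# Both spellings apt accepts are handled:
#   APT::Get::AllowUnauthenticated "true";
#   APT { Get { AllowUnauthenticated "true"; }; };
# Assumed limitations for this example: list values `{ "a"; "b"; }` are ignored
# and `#include` / `#clear` directives are treated as comments.
def parse_apt_conf(text)
  tokens = text.scan(%r{//[^\n]*|#[^\n]*|"[^"]*"|[{};]|[^\s"{};]+})
  result = {}
  scope = []     # names of the enclosing blocks
  pending = nil  # option name waiting for its value or its block
  tokens.each do |tok|
    case tok
    when %r{\A(//|#)} then next            # comment
    when '{'
      scope.push(pending) if pending
      pending = nil
    when '}' then scope.pop
    when ';' then pending = nil
    when /\A"/                               # quoted value
      result[(scope + [pending]).join('::')] = tok[1..-2] if pending
    else
      pending = tok
    end
  end
  result
end

# Spellings apt's boolean parser treats as true (assumed list for the example).
TRUE_WORDS = %w[true yes on 1 enable with].freeze

# apt reads /etc/apt/apt.conf.d/* in lexical order and /etc/apt/apt.conf last,
# so a later fragment overrides an earlier one. Pass file contents in that order.
def unauthenticated_allowed?(fragments)
  merged = fragments.map { |f| parse_apt_conf(f) }.reduce({}, :merge)
  TRUE_WORDS.include?(merged.fetch('APT::Get::AllowUnauthenticated', 'false').downcase)
end

# Parse `dpkg-query -W -f='${Package} ${Status}\n'` output into {name => state},
# where state is the last status word: "installed", "config-files", "not-installed".
def dpkg_states(output)
  output.each_line.with_object({}) do |line, h|
    name, *status = line.split
    h[name] = status.last unless name.nil?
  end
end

# Decide what a debian branch should do for each blacklisted package:
# :remove when installed, :purge when only config files remain (a plain
# remove is a no-op there), nil when dpkg has never seen the package.
def package_actions(node, states)
  return {} unless node['security']['packages']['clean']
  node['security']['packages']['list'].each_with_object({}) do |pkg, h|
    h[pkg] = case states[pkg]
             when 'installed'    then :remove
             when 'config-files' then :purge
             end
  end
end

# Constructed sample input (not captured from a real host).
APT_CONF_D = <<~CONF
  // 99unauth, dropped in by a build script
  APT { Get { AllowUnauthenticated "true"; }; };
  Acquire::http::Proxy "http://proxy.example:3128";
CONF
APT_CONF = <<~CONF
  APT::Get::AllowUnauthenticated "false";   # main file, read last, wins
CONF
DPKG_OUTPUT = <<~OUT
  xinetd install ok installed
  telnet-server deinstall ok config-files
  openssh-server install ok installed
OUT
NODE = { 'security' => { 'packages' => { 'clean' => true,
                                         'list' => %w[xinetd inetd telnet-server rsh-server] } } }

if $PROGRAM_NAME == __FILE__
  puts "unauthenticated (fragment only):        #{unauthenticated_allowed?([APT_CONF_D])}"
  puts "unauthenticated (fragment + apt.conf):  #{unauthenticated_allowed?([APT_CONF_D, APT_CONF])}"
  p package_actions(NODE, dpkg_states(DPKG_OUTPUT))
end
```

The apt.conf parser is the part worth keeping honest: a check that only greps `/etc/apt/apt.conf` for the dotted form misses both the nested block syntax and a fragment in `apt.conf.d`, which is exactly where a build script would drop the override.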

chris-rock commented Oct 3, 2015

Hi @mikemoate yes you are right. Currently this is only implemented for RHEL based systems. Please go ahead. I am happy to add this PR. If you need any help, just let me know.

mikemoate commented Oct 14, 2015

@chris-rock initial pull request for this is now up for comment, apologies it took a bit longer than I hoped.

chris-rock closed this in #93 Nov 20, 2015

rollbrettler pushed a commit to rollbrettler/chef-os-hardening that referenced this issue Sep 16, 2016

Merge pull request #90 from hardening-io/update-common
common files: centos7 + rubocop