I’m in the process of developing some server hardening scripts, mostly based on DISA STIG via OpenSCAP.
OpenSCAP provides a lot of remediation scripts, but they are all targeted at RHEL family OS’s. I am trying to adapt them to be distro-agnostic (as much as possible).
Obviously, one of the largest discrepancies is between yum/dnf and apt.
I am much more familiar with yum than apt, so I’m just looking for some guidance. Here are my questions:
### 1. GPG check repos
I have a feeling that Ubuntu does this by default because when I tried searching for it, the only results I got were about forcing Ubuntu to use unsigned repos.
Can anyone confirm this?
This question also extends to local packages.
From /etc/dpkg/dpkg.cfg
# Do not enable debsig-verify by default; since the distribution is not using
# embedded signatures, debsig-verify would reject all packages.
no-debsig
2. Remove Old Package Versions
Is there a config for this, or do I just need to run a combination of apt-get clean, apt-get autoclean, apt-get autoremove after applying updates?
3. Verify and Correct File Permissions
I couldn’t find what apt/dpkg commands I could use to accomplish this, or if it’s possible at all. Ideally, I’d adapt the remediation script to logically function the same, just with apt-specific commands.
4. Interactive Installation and Complete Removal
This one isn’t specific to any STIG, but it’s a big issue for me. I’ll use aide as an example, but it applies to any package that has an interactive installation with apt.
apt-get install aide will bring up an interactive prompt asking about how you want to handle messaging. NBD really, I just need to determine how to install it without the interactive prompt.
So I apt-get purge aide apt-get clean apt-get autoclean apt-get autoremove in an effort to return the system to the state it was in before aide was installed. Unfortunately, this is unsuccessful. When I run apt-get install aide again, no interactive prompt is displayed. This means that there’s some remnant of my initial installation there that is preventing the prompt from coming up. I need it to come up again so I can figure out how to prevent it from appearing on a fresh system.
So how do I completely remove a package and all of it’s config? I thought that’s what apt-get purge was for, but it’s obviously not comprehensive.
Is there a silver bullet for preventing apt from displaying interactive prompts so that things can be installed/updated programmatically?
This worked for me.
export DEBIAN_FRONTEND=noninteractive
apt-get install -q -y aide
Still can’t get apt-get purge aide to actually remove config in /etc/aide though…
Thanks in advance for any feedback here. I’ll be happy to share the scripts once they’re done if anyone’s interested.