Need Help Hardening `apt` Config on Debian/Ubuntu

I’m in the process of developing some server hardening scripts, mostly based on DISA STIG via OpenSCAP.

OpenSCAP provides a lot of remediation scripts, but they are all targeted at RHEL family OS’s. I am trying to adapt them to be distro-agnostic (as much as possible).

Obviously, one of the largest discrepancies is between yum/dnf and apt.

I am much more familiar with yum than apt, so I’m just looking for some guidance. Here are my questions:

### 1. GPG check repos

I have a feeling that Ubuntu does this by default because when I tried searching for it, the only results I got were about forcing Ubuntu to use unsigned repos.

Can anyone confirm this?

This question also extends to local packages.

From /etc/dpkg/dpkg.cfg:

```
# Do not enable debsig-verify by default; since the distribution is not using
# embedded signatures, debsig-verify would reject all packages.
```

### 2. Remove Old Package Versions

Is there a config for this, or do I just need to run a combination of `apt-get clean`, `apt-get autoclean`, `apt-get autoremove` after applying updates?

### 3. Verify and Correct File Permissions

I couldn’t find what apt/dpkg commands I could use to accomplish this, or if it’s possible at all. Ideally, I’d adapt the remediation script to logically function the same, just with apt-specific commands.

### 4. Interactive Installation and Complete Removal

This one isn’t specific to any STIG, but it’s a big issue for me. I’ll use aide as an example, but it applies to any package that has an interactive installation with apt.

`apt-get install aide` will bring up an interactive prompt asking about how you want to handle messaging. NBD really, I just need to determine how to install it without the interactive prompt.

So I run `apt-get purge aide`, `apt-get clean`, `apt-get autoclean`, `apt-get autoremove` in an effort to return the system to the state it was in before aide was installed. Unfortunately, this is unsuccessful. When I run `apt-get install aide` again, no interactive prompt is displayed. This means that there’s some remnant of my initial installation there that is preventing the prompt from coming up. I need it to come up again so I can figure out how to prevent it from appearing on a fresh system.

So how do I completely remove a package and all of its config? I thought that’s what `apt-get purge` was for, but it’s obviously not comprehensive.

Is there a silver bullet for preventing apt from displaying interactive prompts so that things can be installed/updated programmatically?

This worked for me:

```
export DEBIAN_FRONTEND=noninteractive
apt-get install -q -y aide
```

Still can’t get `apt-get purge aide` to actually remove config in /etc/aide though…

Thanks in advance for any feedback here. I’ll be happy to share the scripts once they’re done if anyone’s interested.
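An added example for questions 2 and 4, not code from the thread: a prompt-free install, and a purge that also purges the auto-installed dependencies and sweeps any packages dpkg still lists as "rc" (removed, config files kept). It assumes a Debian/Ubuntu host with dpkg, apt-get and awk; the `dpkg -l` excerpt is constructed.

```shell
#!/bin/sh
# Added example, not from this thread. Purging a package with apt-get leaves
# dependencies that were only auto-installed (postfix in the aide case) in the
# "rc" state: removed, configuration files kept. This script installs without
# debconf prompts and purges everything, including those leftovers.
set -eu

# Print names of packages whose dpkg status is "rc" (desired state r=remove,
# actual state c=config-files) from `dpkg -l` output read on stdin.
rc_packages() {
    awk '$1 == "rc" { print $2 }'
}

# Constructed `dpkg -l` excerpt used to demonstrate rc_packages offline.
SAMPLE_DPKG_L='||/ Name        Version  Architecture Description
+++-===========-========-============-============
ii  aide        1.0-1    amd64        (constructed sample line)
rc  postfix     1.0-1    amd64        (constructed sample line)
rc  aide-common 1.0-1    all          (constructed sample line)'

rc_from_sample() {
    printf '%s\n' "$SAMPLE_DPKG_L" | rc_packages | tr '\n' ' '
}

# Install with no debconf questions. DEBIAN_FRONTEND=noninteractive takes the
# default answer for every prompt; the Dpkg options keep an already-present
# conffile instead of asking when an upgrade ships a new version of it.
noninteractive_install() {
    DEBIAN_FRONTEND=noninteractive apt-get install -q -y \
        -o Dpkg::Options::=--force-confdef \
        -o Dpkg::Options::=--force-confold "$@"
}

# Purge the package and, via --auto-remove, purge (not just remove) the
# dependencies pulled in with it, then sweep any "rc" packages left behind so
# no /etc config from the install survives.
full_purge() {
    DEBIAN_FRONTEND=noninteractive apt-get purge -q -y --auto-remove "$@"
    leftovers=$(dpkg -l | rc_packages)
    if [ -n "$leftovers" ]; then
        # shellcheck disable=SC2086  # word splitting on package names is intended
        dpkg --purge $leftovers
    fi
    apt-get clean
}
```

Run `full_purge aide` after `noninteractive_install aide` to check whether anything under /etc/aide remains; `dpkg -l | rc_packages` on its own lists what a plain `autoremove` left behind.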


Found this on signed packages:

Looks messy.

The prompt is to configure postfix, so maybe I configure it manually first.

What do you mean by correct file permissions?
For the remove old packages one, I normally just run autoremove after every update; doesn’t clean run when you run update anyway?

He wants a way to verify file permissions against their install defaults.

