In the pursuit of hardening various Linux systems to comply with the Center for Internet Security (CIS) Benchmarks, system administrators frequently encounter two common issues. The CIS Benchmarks are standards for securely configuring a system, and they're widely adopted as best practices for hardening systems against cyber threats.
Permanently disabling interdependent services and service dependencies
Many CIS Benchmarks control checks if a specific service is ‘disabled’ and/or ‘not running’. One key example is the control ‘Ensure CUPS is not enabled’ from the ‘CIS Debian Linux 10 Benchmark’.
Following the remediation procedure you may attempt to disable the service using the following command:
systemctl --now disable cups.service
This command should instantly stop the cups service, and also prevent it from restarting at boot-time. However, cups is a downstream dependency of the service cups-browsed, which is not disabled. Consequently, cups can restart after a reboot. To find such dependencies you can use the following command:
systemctl --reverse list-dependencies cups.service
To ensure that disabled services don’t restart unexpectedly, you can mask a service in addition to disabling it, using the following command:
systemctl mask cups.service
Masking a service renders it invisible to other services, effectively solving the issue.
Why you should use apt purge instead of apt remove
Almost all CIS Benchmarks require the removal of one software package or another. For Debian based distributions, the APT package manager is used, and in older CIS Benchmarks (Debian 8/9, Ubuntu 14.04, or the CIS Distribution Independent Linux Benchmark) the remediation procedure suggests removing a package using the following command:
apt remove <package>
Or
apt-get remove <package>
However, newer CIS benchmarks have replaced apt-get remove with apt purge.
apt purge <package>
A common misconception is that apt-get remove deletes all potentially harmful files while only preserving the configuration of the software package for potential future use. Sometimes not the binary files themselves contain vulnerabilities, but also the additional files installed with the software package. For example, the NTP Vulnerability CVE-2016-0727, is a vulnerability in the cronjob accompanying the package. APT software packages allow the package maintainer to specify what files are to delete or to keep in case the package is removed by apt remove. Hence, the only way to be sure that all vulnerable pieces of an APT software package have been deleted from a system, is by using the apt purge command.
If you remove a package using apt remove, it will still show as installed in cnspec queries:
This is because under the hood, cnspec will check the packages state in /var/lib/dpkg/status or /var/lib/dpkg/status.d.
prelink
is installed on our Ubuntu 22.04 test system, using
cnspec shell local --sudo
cnspec> package("prelink").installed == false
[failed] package.installed == false
expected: == false
actual: true
2. Now we remove the package using apt remove
vagrant@vagrant:~$ sudo apt remove prelink
3. Doing the same query as above to check the installation status reveals, it’s still considered installed:
cnspec> package("prelink").installed == false
[failed] package.installed == false
expected: == false
actual: trueThe package state in /var/lib/dpkg/status is as follows:
Package: prelink
Status: deinstall ok config-files
Priority: optionalapt purge
to remove the
prelink
package completely:
vagrant@vagrant:~$ sudo apt purge prelink
Now the package prelink has been removed from /var/lib/dpkg/status.
cnspec> package("prelink").installed == false
[ok] value: false
In conclusion, always use apt purge to remove packages to ensure proper hardening of your Debian-based systems.
