Fix a Host Vulnerability
This article explains how to fix a host vulnerability detected by an assessment.
A vulnerability detection occurs when the host package manager reports a package as installed and the reported package and its version exist in the Lacework CVE data set.
To fix a vulnerability, the package manager must not report the package and its package version as installed.
Scenarios that could occur after you attempt to fix a vulnerability:
- You upgraded kernels but the old kernel packages are still detected
- You ran apt remove but detections still occur
Debian-based Distributions
apt remove and dpkg --remove
From the apt manual:
Removing a package removes all packaged data, but leaves usually small (modified) user configuration files behind, in case the remove was an accident. Just issuing an installation request for the accidentally removed package will restore its function as before in that case. On the other hand you can get rid of these leftovers by calling purge even on already removed packages. Note that this does not affect any data or configuration stored in your home directory.
As a result, after an apt remove or dpkg --remove command completes, packages with package manager-tracked configuration files are still reported as installed by the package manager.
Packages with package manager-tracked configurations, such as redis-server, exhibit this behavior. These packages must be removed with the apt purge or dpkg --purge command so that the package manager no longer reports them as installed.
If you use dpkg, run the dpkg --purge PackageName command instead of the dpkg --remove PackageName command. The command dpkg --remove PackageName removes only the package binaries and leaves residual configuration files. The command dpkg --purge PackageName removes the package binaries and the configuration files.
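
The following script is an added example, not part of the original article or Lacework tooling. It lists packages that dpkg still records in the config-files state (removed but not purged) and prints the purge command for each. The function names and the sample package versions are constructed for illustration.

```shell
#!/bin/sh
# Find packages that were removed but not purged. dpkg keeps such packages
# in its database in the "config-files" state.

# Reads "Status<TAB>Package<TAB>Version" lines on stdin, i.e. the output of:
#   dpkg-query -W -f='${Status}\t${Package}\t${Version}\n'
# Prints "package version" for each package whose state is config-files.
residual_packages() {
    awk -F '\t' '{
        n = split($1, st, " ")          # want, error flag, state
        if (n == 3 && st[3] == "config-files") print $2, $3
    }'
}

# Constructed sample of dpkg-query output (not taken from a real host).
sample_status() {
    printf 'install ok installed\topenssl\t3.0.2-0ubuntu1.15\n'
    printf 'deinstall ok config-files\tredis-server\t5:6.0.16-1ubuntu1\n'
    printf 'deinstall ok config-files\tlinux-image-5.15.0-91-generic\t5.15.0-91.101\n'
    printf 'install ok installed\tbash\t5.1-6ubuntu1\n'
}

# Print the purge command for each residual package instead of running it,
# so the list can be reviewed before anything is deleted.
purge_plan() {
    residual_packages | while read -r pkg ver; do
        printf 'apt purge %s   # still recorded at version %s\n' "$pkg" "$ver"
    done
}

# On a real host, replace sample_status with the dpkg-query command above.
sample_status | purge_plan
```

After purging, rerun the dpkg-query command through residual_packages; an empty result means no removed package remains in the dpkg database.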
Red Hat-based Distributions
Run rpm -e PackageName instead of yum remove PackageName. The command yum remove PackageName removes the package binaries but can leave configuration files. The command rpm -e PackageName removes everything related to a package, including the configuration files.