
Fix a Host Vulnerability

This article explains how to fix a host vulnerability detected by an assessment.

A vulnerability detection occurs when the host package manager reports a package as installed and the reported package and its version exist in the Lacework CVE data set.

To fix a vulnerability, the package manager must not report the package and its package version as installed.

Scenarios that could occur after you attempt to fix a vulnerability:

  • You upgraded kernels but the old kernel packages are still detected
  • You ran apt remove but detections still occur

Debian-based Distributions

apt remove and dpkg --remove

From the apt manual:

Removing a package removes all packaged data, but leaves usually small (modified) user configuration files behind, in case the remove was an accident. Just issuing an installation request for the accidentally removed package will restore its function as before in that case. On the other hand you can get rid of these leftovers by calling purge even on already removed packages. Note that this does not affect any data or configuration stored in your home directory.

After an apt remove or dpkg --remove command completes, any package whose configuration files are tracked by the package manager is still reported as installed by the package manager, because the package record remains in its database in the "config-files" state.

Packages with package manager-tracked configuration files, such as redis-server, exhibit this behavior. Remove these packages with apt purge or dpkg --purge so that the package manager no longer reports them as installed.

If you use dpkg, run the dpkg --purge PackageName command instead of the dpkg --remove PackageName command. The command dpkg --remove PackageName removes only the package binaries and leaves residual configuration files. The command dpkg --purge PackageName removes the package binaries and the configuration files.
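As an added example (not Lacework's own tooling or documentation), the POSIX shell helper below lists the packages that apt remove or dpkg --remove left in the dpkg "config-files" state, which is exactly the set an assessment keeps reporting until they are purged. The function names, the sample listing and the demo are constructed for this example; the live query relies on the standard dpkg-query field ${db:Status-Abbrev}.

```shell
#!/bin/sh
# Added example, not Lacework code: find Debian packages that "apt remove" or
# "dpkg --remove" left behind in the "config-files" state. dpkg still lists
# them, so a host assessment keeps detecting the package and version until
# they are purged.
#
# dpkg's status abbreviation (first column of "dpkg -l"):
#   ii = installed
#   rc = removed, but configuration files remain (the state this page is about)

# Print "name version" for every package still in the removed/config-files
# state. Reads lines of the form "<status-abbrev> <package> <version>" from
# stdin so it can process either a live query or a saved listing.
residual_packages() {
    awk '$1 == "rc" { print $2, $3 }'
}

# Print "name version" for every package dpkg reports as fully installed.
installed_packages() {
    awk '$1 == "ii" { print $2, $3 }'
}

# Query the live dpkg database in the format the functions above expect.
# Run "list_dpkg_status | residual_packages" on a Debian-based host to see
# what still needs "apt purge" or "dpkg --purge".
list_dpkg_status() {
    dpkg-query -W -f='${db:Status-Abbrev} ${Package} ${Version}\n' 2>/dev/null
}

# Constructed sample listing (not real assessment output): one package that
# was removed but not purged next to two that are fully installed.
SAMPLE_LISTING='ii  bash 5.1-2
rc  redis-server 5:6.0.16-1
ii  libc6 2.31-13'

# Demonstration on the sample: report each residual package and the command
# that clears it from the package manager's records.
demo() {
    printf '%s\n' "$SAMPLE_LISTING" | residual_packages | while read -r name version; do
        echo "still reported by dpkg (config-files): $name $version"
        echo "  fix: sudo apt purge $name    # or: sudo dpkg --purge $name"
    done
}

demo
```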

Red Hat-based Distributions

Run rpm -e PackageName instead of yum remove PackageName. The command yum remove PackageName removes the package binaries but can leave configuration files. The command rpm -e PackageName removes everything related to a package, including the configuration files.