purge insecure packages #275

Merged (1 commit) on Jun 2, 2020


chris-rock
Member

This PR makes sure that insecure packages are not just removed but completely purged. Otherwise the packages may still be on the system.

@chris-rock chris-rock force-pushed the chris-rock/purge-insecure-packages branch from e2c9815 to ad3dc28 Compare June 1, 2020 08:02
@chris-rock
Member Author

If I read the Travis report correctly, the errors are not related to this PR.

Signed-off-by: Christoph Hartmann <[email protected]>
@chris-rock chris-rock force-pushed the chris-rock/purge-insecure-packages branch from ad3dc28 to 90cfbe3 Compare June 1, 2020 18:10
@nodiscc

nodiscc commented Jun 1, 2020

> Otherwise the packages may still be on the system.

Not exactly, only their configuration files will remain: https://docs.ansible.com/ansible/latest/modules/apt_module.html, https://manpages.debian.org/buster/apt/apt.8.en.html. Still, it doesn't hurt to remove/purge them also.

This leads me to the question: since you usually want to purge (instead of simply remove) packages when using a config management system, is there a way to make Ansible default to purge: yes globally/at the playbook level?

@rndmh3ro rndmh3ro merged commit 0aba114 into master Jun 2, 2020
@rndmh3ro rndmh3ro deleted the chris-rock/purge-insecure-packages branch June 2, 2020 06:39
@rndmh3ro
Member

rndmh3ro commented Jun 2, 2020

Thank you Chris for this addition!

@nodiscc

> This leads me to the question: since you usually want to purge (instead of simply remove) packages when using a config management system, is there a way to make Ansible default to purge: yes globally/at the playbook level?

You could probably use module defaults for this:
https://docs.ansible.com/ansible/latest/user_guide/playbooks_module_defaults.html
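
Added example, not part of the original thread or the project's own code: a play that sets `purge` through `module_defaults`, as suggested in the comment above, and then checks with `dpkg-query` that no package is left in the removed-but-config-remaining (`rc`) state. The host pattern and the package names are constructed placeholders.

```yaml
---
# Added example; host pattern and package list are constructed placeholders.
- name: Purge unwanted packages using a play-level module default
  hosts: all                 # assumption: adjust to your inventory
  become: true
  module_defaults:
    ansible.builtin.apt:
      purge: true            # only has an effect when state is absent
  vars:
    unwanted_packages:       # constructed sample list, not the role's own
      - telnetd
      - rsh-server
  tasks:
    - name: Remove unwanted packages (purge is inherited from module_defaults)
      ansible.builtin.apt:
        name: "{{ unwanted_packages }}"
        state: absent

    - name: Query the dpkg status of each package
      ansible.builtin.command:
        cmd: "dpkg-query -W -f='${db:Status-Abbrev}' {{ item }}"
      loop: "{{ unwanted_packages }}"
      register: dpkg_status
      changed_when: false
      failed_when: false     # dpkg-query exits non-zero for unknown packages

    - name: Fail if configuration files were left behind (dpkg state "rc")
      ansible.builtin.assert:
        that: not (item.stdout | trim).startswith('rc')
        fail_msg: "{{ item.item }} was removed but not purged"
      loop: "{{ dpkg_status.results }}"
```

The final task also catches hosts where a package was removed without purge before this play was introduced, since the `apt` task will purge those leftovers on the next run.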

divialth pushed a commit to divialth/ansible-collection-hardening that referenced this pull request Aug 3, 2022
Signed-off-by: Christoph Hartmann <[email protected]>