
CIS Hardening Helper Series by Mondoo - Part 1

System administrators hardening Linux systems to comply with the Center for Internet Security (CIS) Benchmarks frequently run into two issues, which this post covers. The CIS Benchmarks are consensus standards for securely configuring a system, and they are widely adopted as best practice for hardening systems against cyber threats.

Manuel Weber

Permanently disabling interdependent services and service dependencies

Many CIS Benchmark controls check whether a specific service is disabled and/or not running. One example is the control 'Ensure CUPS is not enabled' from the 'CIS Debian Linux 10 Benchmark'.

Following the remediation procedure you may attempt to disable the service using the following command:

Bash
systemctl --now disable cups.service

This command stops the cups service immediately and removes the symlinks that start it at boot. However, cups.service is a dependency of cups-browsed.service, whose unit file declares a dependency on it, and cups-browsed is still enabled. When cups-browsed starts after a reboot, systemd pulls cups.service back in with it. To find such reverse dependencies, use the following command:

Bash
systemctl --reverse list-dependencies cups.service

To ensure that disabled services don't restart unexpectedly, you can mask a service in addition to disabling it, using the following command:

Bash
systemctl mask cups.service

Masking links the unit file to /dev/null, so systemd refuses to start the unit no matter who asks: an administrator, a timer, or a dependency such as cups-browsed. The mask stays in place until it is explicitly removed with systemctl unmask. Two caveats: units that depend on the masked service will find it unavailable, so review the reverse-dependency list above and disable the units you do not need as well; and the Debian cups package also ships cups.socket and cups.path, which can activate cups.service on demand, so mask those alongside cups.service.
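As an added example that is not part of the original post, the following script ties the three commands above together: it prints the reverse dependencies for review, stops and masks the service together with any socket and path units of the same name, and verifies the result with systemctl is-enabled and is-active. It assumes the unit names follow the <name>.service/.socket/.path pattern, as they do for cups on Debian.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): permanently switch off a service
# and report the units that could pull it back in.
# Usage: sudo ./harden-service.sh cups
set -eu

# Read `systemctl list-dependencies --reverse` output on stdin and print the
# units, other than the target itself, that depend on it. Indentation, state
# dots and tree glyphs are stripped. Generic .target units are dropped:
# multi-user.target wanting cups.service is normal and must never be masked,
# whereas cups-browsed.service depending on it is the case worth reviewing.
filter_reverse_deps() {
  target="$1"
  sed 's/^[^[:alnum:]._@-]*//' | grep -v '\.target$' | grep -Fvx "$target" || true
}

# True when a unit can neither start at boot nor be started on demand:
# `systemctl is-enabled` prints "masked" and `systemctl is-active` prints
# "inactive". Kept as a pure function so it can be checked without systemd.
unit_is_hardened() {
  [ "$1" = "masked" ] && [ "$2" = "inactive" ]
}

harden_service() {
  svc="$1"

  echo "Units that pull in ${svc}.service (review and disable as needed):"
  systemctl list-dependencies --reverse --plain --no-pager "${svc}.service" \
    | filter_reverse_deps "${svc}.service"

  # Stop and mask the service and, where they exist, its socket and path
  # units; on Debian, cups.socket and cups.path can activate cups.service even
  # when cups.service itself is disabled. `systemctl cat` fails for unknown units.
  for unit in "${svc}.service" "${svc}.socket" "${svc}.path"; do
    if systemctl cat "$unit" >/dev/null 2>&1; then
      systemctl --now mask "$unit"
    fi
  done

  # Verify. is-enabled exits non-zero for masked units, hence the `|| true`.
  enabled=$(systemctl is-enabled "${svc}.service" 2>/dev/null || true)
  active=$(systemctl is-active "${svc}.service" 2>/dev/null || true)
  if unit_is_hardened "$enabled" "$active"; then
    echo "${svc}.service: ${enabled}/${active}"
  else
    echo "${svc}.service is still ${enabled}/${active}" >&2
    return 1
  fi
}

if [ $# -eq 1 ]; then
  harden_service "$1"
fi
```

Run it as root. It deliberately does not mask the reverse dependencies it prints, because list-dependencies --reverse also returns targets such as multi-user.target; decide for each listed unit (cups-browsed.service, for instance) whether it should be disabled as well.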

Why you should use apt purge instead of apt remove

Almost all CIS Benchmarks require the removal of one software package or another. Debian-based distributions use the APT package manager, and older CIS Benchmarks (Debian 8/9, Ubuntu 14.04, or the CIS Distribution Independent Linux Benchmark) suggest removing a package with the following command:

Bash
apt remove <package>

Or

Bash
apt-get remove <package>

Newer CIS Benchmarks, however, have replaced apt-get remove with apt purge:

Bash
apt purge <package>

A common misconception is that apt remove deletes everything a package installed except its configuration, and that whatever it leaves behind is harmless. Vulnerabilities, however, are not always in the binaries; they can sit in the supporting files a package installs. CVE-2016-0727 in the Debian ntp package, for example, was a flaw in the cron job shipped with the package, a file under /etc that Debian packaging normally marks as a conffile. Debian packages let the maintainer mark files as conffiles, and dpkg keeps conffiles on remove and deletes them only on purge. The only way to be sure that every part of a package has left the system is therefore apt purge; it also works on a package that was already removed and only has its configuration files left.

If you remove a package using apt remove, cnspec queries still report it as installed:

cnspec screenshot

This is because under the hood cnspec reads the package state from /var/lib/dpkg/status (or from /var/lib/dpkg/status.d on distroless images), and a removed-but-not-purged package still has an entry there.

  1. Let's use cnspec to check whether the package prelink is installed on our Ubuntu 22.04 test system, using cnspec shell local --sudo:
MQL
package("prelink").installed == false
  2. Now we remove the package using apt remove:
Bash
sudo apt remove prelink
  3. Running the same query again shows that the package is still considered installed:
MQL
package("prelink").installed == false

The package state in /var/lib/dpkg/status is as follows:

INI
Package: prelink
Status: deinstall ok config-files

The three words of the Status field are dpkg's desired state (deinstall), its error flag (ok) and the current state; config-files means the package's configuration files are still on disk. A fully installed package reads install ok installed.
  4. Now we use apt purge to remove the prelink package completely:
Bash
sudo apt purge prelink

Now the prelink entry has been removed from /var/lib/dpkg/status.

  5. The cnspec query below confirms the successful deinstallation:
MQL
cnspec> package("prelink").installed == false
[ok] value: true
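As an added example that is neither part of the original post nor cnspec's own code, the following script reads a dpkg status file, prints the packages left in the config-files state after an apt remove, and applies a simple installed check to a named package. The parsing and the pkg_installed rule are this example's own model of what a status-based check sees; the sample status file it writes is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): inspect a dpkg status database
# the way a status-based package check does, and list what `apt purge` would
# still have to clean up.
# Usage: ./dpkg-leftovers.sh /var/lib/dpkg/status   (or --demo for sample data)
set -eu

# Print "<package> <current-state>" for every stanza in a dpkg status file.
# Stanzas are blank-line separated (awk paragraph mode, RS=""). The Status
# field has three words: desired state, error flag, current state, e.g.
# "install ok installed" or "deinstall ok config-files".
dpkg_status_table() {
  awk -v RS='' '
    {
      pkg = ""; state = "";
      n = split($0, lines, "\n");
      for (i = 1; i <= n; i++) {
        if (lines[i] ~ /^Package: /) {
          pkg = substr(lines[i], 10)
        } else if (lines[i] ~ /^Status: /) {
          split(substr(lines[i], 9), f, " ");
          state = f[3]
        }
      }
      if (pkg != "") print pkg, state
    }' "$1"
}

# Packages removed but not purged (the "rc" rows of `dpkg -l`): their
# conffiles, cron jobs included, are still on disk.
removed_not_purged() {
  dpkg_status_table "$1" | awk '$2 == "config-files" { print $1 }'
}

# Example model of an installed check (not cnspec's implementation): a package
# with a stanza in the status file counts as present unless its current state
# is "not-installed" (rare, but dpkg can keep such records).
pkg_installed() {
  state=$(dpkg_status_table "$1" | awk -v n="$2" '$1 == n { print $2 }')
  [ -n "$state" ] && [ "$state" != "not-installed" ]
}

# Constructed sample status file for an offline demo.
write_sample_status() {
  cat > "$1" <<'EOF'
Package: prelink
Status: deinstall ok config-files
Priority: optional
Section: admin

Package: sudo
Status: install ok installed
Priority: required
Section: admin

Package: foo
Status: purge ok not-installed
Priority: optional
EOF
}

if [ "${1:-}" = "--demo" ]; then
  sample=$(mktemp)
  write_sample_status "$sample"
  echo "Removed but not purged:"
  removed_not_purged "$sample"
  rm -f "$sample"
elif [ $# -eq 1 ]; then
  echo "Removed but not purged:"
  removed_not_purged "$1"
fi
```

On a live system the same information is available from dpkg itself: dpkg -l lists such packages with rc in the first column, and dpkg-query -W -f='${db:Status-Status}\n' prelink prints config-files or installed. Feeding the output of removed_not_purged to apt purge finishes the job that apt remove left half done.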

In conclusion, whenever a benchmark calls for removing a package, use apt purge so that no part of it stays behind on your Debian-based systems.

About the Author

Manuel Weber


Security Engineer

Manuel, Security Engineer at Mondoo, is enthusiastic about finding ways to make computer systems more secure. Before joining Mondoo he worked as a pentester, checking a wide range of computer systems (web applications, mobile apps, ICS, and others) for security vulnerabilities and misconfigurations. In his free time Manuel lifts heavy things, takes multi-day hikes, and enjoys cooking.
