This article explains how to fix a host vulnerability detected by an assessment.
A vulnerability detection occurs when the host package manager reports a package as installed and that package name and version appear in the Lacework CVE data set.
To fix a vulnerability, upgrade or remove the package so that the package manager no longer reports the vulnerable package version as installed.
Scenarios that can occur after you attempt to fix a vulnerability:
- You upgraded the kernel, but the old kernel packages are still installed and are therefore still detected
- You ran apt remove, but detections still occur
apt remove and dpkg --remove
From the apt manual:
Removing a package removes all packaged data, but leaves usually small (modified) user configuration files behind, in case the remove was an accident. Just issuing an installation request for the accidentally removed package will restore its function as before in that case. On the other hand you can get rid of these leftovers by calling purge even on already removed packages. Note that this does not affect any data or configuration stored in your home directory.
After an apt remove or dpkg --remove command completes, a package that has package manager-tracked configuration files is still listed by dpkg with the status "deinstall ok config-files" (shown as rc in the output of dpkg -l). The package manager therefore still reports the package and its version, and the detection persists.
Packages with package manager-tracked configuration files, such as redis-server, exhibit this behavior. Remove these packages with apt purge or dpkg --purge so that the package manager no longer reports them as installed. Purging also works on packages that were already removed, and dpkg -l | grep '^rc' shows which packages are still in this state.
If you use dpkg, run dpkg --purge PackageName instead of dpkg --remove PackageName. The dpkg --remove PackageName command removes only the package's files and leaves the configuration files and the dpkg database entry behind. The dpkg --purge PackageName command removes the package's files and its configuration files, and dpkg stops reporting the package.
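The following script is an added example, not part of the Lacework article: it finds the packages that dpkg still tracks in the "deinstall ok config-files" (rc) state after apt remove, and the leftover kernel image packages from the first scenario above, and purges them. The function names, the PURGE environment variable and the dpkg-query output lines used in the comments are assumptions for illustration; the dpkg-query -W format and the status strings are real dpkg behavior.

```shell
#!/bin/sh
# Added example (not from the Lacework article). Locates Debian/Ubuntu
# packages that still appear in the dpkg database after "apt remove"
# (status "deinstall ok config-files", shown as "rc" by dpkg -l) and
# old kernel image packages, then purges them so the package manager
# stops reporting them. Function names and the PURGE variable are
# illustrative assumptions.

# Print package names whose dpkg status is "deinstall ok config-files".
# Input: lines of "<package> <want> <flag> <status>" on stdin, i.e. the
# output of: dpkg-query -W -f='${Package} ${Status}\n'
rc_packages() {
    awk '$2 == "deinstall" && $4 == "config-files" { print $1 }'
}

# Print installed versioned kernel image packages other than the one
# matching the running kernel release given as $1 (e.g. from uname -r).
# Input on stdin is the same dpkg-query format as above.
# Caveat: check that the running kernel is the newest one before purging;
# this function only protects the kernel that is currently booted.
old_kernel_packages() {
    running="$1"
    awk -v run="$running" '
        $2 == "install" && $4 == "installed" &&
        $1 ~ /^linux-image-[0-9]/ && index($1, run) == 0 { print $1 }'
}

# Query the live dpkg database.
dpkg_status_lines() {
    dpkg-query -W -f='${Package} ${Status}\n'
}

# Purge the rc packages and old kernels. Dry run unless PURGE=1 is set.
purge_leftovers() {
    rc=$(dpkg_status_lines | rc_packages)
    kernels=$(dpkg_status_lines | old_kernel_packages "$(uname -r)")
    pkgs="$rc $kernels"
    if [ -z "$(echo "$pkgs" | tr -d ' \n')" ]; then
        echo "nothing to purge"
        return 0
    fi
    if [ "${PURGE:-0}" = "1" ]; then
        # Word splitting of $pkgs is intended: one argument per package.
        # shellcheck disable=SC2086
        dpkg --purge $pkgs
    else
        for p in $pkgs; do
            printf 'would purge: %s\n' "$p"
        done
    fi
}
```

Run purge_leftovers as root (or under sudo) once to see the dry-run list, then with PURGE=1 to purge; afterwards dpkg -l | grep '^rc' should print nothing for the purged packages.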
If you use yum or dnf, yum remove PackageName and rpm -e PackageName both erase the package from the RPM database, so rpm -q PackageName no longer reports it as installed and the detection clears; RPM has no equivalent of the dpkg config-files state. Either command may keep modified configuration files on disk as .rpmsave backups, but those files are not tracked as an installed package and do not cause a detection. After removing a package, verify with rpm -q PackageName, which should report that the package is not installed.