Ensure zypper Removes Previous Package Versions

An XCCDF Rule

Description

zypper should be configured to remove previous software components after new versions have been installed. To configure zypper to remove the previous software components after updating, set the solver.upgradeRemoveDroppedPackages to 1 in /etc/zypp/zypp.conf.

Rationale

Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.

ID: xccdf_org.ssgproject.content_rule_clean_components_post_updating
Severity: Low
References: 18 20 4

APO12.01 APO12.02 APO12.03 APO12.04 BAI03.10 DSS05.01 DSS05.02

3.4.8

CCI-002617

4.2.3 4.2.3.12 4.2.3.7 4.2.3.9

A.12.6.1 A.14.2.3 A.16.1.3 A.18.2.2 A.18.2.3

CM-11(a) CM-11(b) CM-6(a) SI-2(6)

ID.RA-1 PR.IP-12

SRG-OS-000437-GPOS-00194

SLES-12-010570

CCE-83186-7

SV-217154r854090_rule
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if rpm --quiet -q zypper; then

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^solver.upgradeRemoveDroppedPackages")
# shellcheck disable=SC2059
printf -v formatted_output "%s=%s" "$stripped_key" "true"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^solver.upgradeRemoveDroppedPackages\\>" "/etc/zypp/zypp.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^solver.upgradeRemoveDroppedPackages\\>.*/$escaped_formatted_output/gi" "/etc/zypp/zypp.conf"
else
    if [[ -s "/etc/zypp/zypp.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/zypp/zypp.conf" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/zypp/zypp.conf"
    fi
    cce="CCE-83186-7"
    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/zypp/zypp.conf" >> "/etc/zypp/zypp.conf"
    printf '%s\n' "$formatted_output" >> "/etc/zypp/zypp.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83186-7
  - DISA-STIG-SLES-12-010570  - NIST-800-171-3.4.8
  - NIST-800-53-CM-11(a)
  - NIST-800-53-CM-11(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-2(6)
  - clean_components_post_updating
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure zypper Removes Previous Package Versions - Ensure Zypper Removes Previous
    Package Versions
  ansible.builtin.ini_file:
    dest: /etc/zypp/zypp.conf
    section: main
    option: solver.upgradeRemoveDroppedPackages
    value: true
    create: false
  when: '"zypper" in ansible_facts.packages'
  tags:
  - CCE-83186-7
  - DISA-STIG-SLES-12-010570
  - NIST-800-171-3.4.8
  - NIST-800-53-CM-11(a)
  - NIST-800-53-CM-11(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-2(6)
  - clean_components_post_updating
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy

Ensure zypper Removes Previous Package Versions

Description

Rationale

Remediation - Shell Script

Remediation - Ansible