
Ensure dnf Removes Previous Package Versions

An XCCDF Rule

Description

dnf should be configured to remove previous software components after new versions have been installed. To configure dnf to remove the previous software components after updating, set the clean_requirements_on_remove option to 1 in /etc/dnf/dnf.conf.

Rationale

Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.

ID
xccdf_org.ssgproject.content_rule_clean_components_post_updating
Severity
Low
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q dnf; then

if grep --silent ^clean_requirements_on_remove /etc/dnf/dnf.conf ; then
        sed -i "s/^clean_requirements_on_remove.*/clean_requirements_on_remove=1/g" /etc/dnf/dnf.conf
else
        # Key not present: append it (completed from the rule description; the original listing was cut off here)
        echo "clean_requirements_on_remove=1" >> /etc/dnf/dnf.conf
fi
else
        >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-09-214035
  - NIST-800-171-3.4.8
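The remediations above set the value; the grep in the shell script only checks that a line starts with the key, so it is satisfied by a setting in a repository section or followed by a later override. The following is an added audit check, not part of the SSG rule or its remediation content: it parses a dnf.conf section-aware and succeeds only when clean_requirements_on_remove is enabled inside [main]. Treating 1, true and yes as "enabled" is an assumption taken from dnf.conf(5); the sample files are constructed here.

```shell
#!/bin/sh
# Added example, not from the SSG rule. Exit 0 when clean_requirements_on_remove is
# enabled in the [main] section of the given dnf.conf, 1 otherwise, 2 if unreadable.
# Comment lines, other sections and earlier assignments are ignored (last one wins).
# Accepting 1/true/yes is an assumption based on dnf.conf(5) boolean syntax.
dnf_clean_requirements_enabled() {
    conf="${1:-/etc/dnf/dnf.conf}"
    [ -r "$conf" ] || return 2
    awk '
        /^[[:space:]]*\[/ {                        # section header
            in_main = ($0 ~ /^[[:space:]]*\[main\][[:space:]]*$/); next
        }
        /^[[:space:]]*[#;]/ { next }               # comment line
        in_main && /^[[:space:]]*clean_requirements_on_remove[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            v = tolower($0)                        # last assignment wins
            found = 1; ok = (v == "1" || v == "true" || v == "yes")
        }
        END { if (found && ok) exit 0; exit 1 }
    ' "$conf"
}

# Constructed sample configurations (temporary files) so the check runs offline.
SAMPLE_GOOD=$(mktemp)
printf '[main]\ngpgcheck=1\nclean_requirements_on_remove = 1\n' > "$SAMPLE_GOOD"
SAMPLE_WRONG_SECTION=$(mktemp)
printf '[main]\ngpgcheck=1\n\n[myrepo]\nclean_requirements_on_remove=1\n' > "$SAMPLE_WRONG_SECTION"
SAMPLE_COMMENTED=$(mktemp)
printf '[main]\n# clean_requirements_on_remove=1\nclean_requirements_on_remove=0\n' > "$SAMPLE_COMMENTED"
trap 'rm -f "$SAMPLE_GOOD" "$SAMPLE_WRONG_SECTION" "$SAMPLE_COMMENTED"' EXIT

report() {                                         # one-line PASS/FAIL summary
    if dnf_clean_requirements_enabled "$1"; then echo "PASS $2"; else echo "FAIL $2"; fi
}
report "$SAMPLE_GOOD" "key set in [main]"
report "$SAMPLE_WRONG_SECTION" "key only in a repo section"
report "$SAMPLE_COMMENTED" "key commented out, then set to 0"
```

Run dnf_clean_requirements_enabled with no argument (or with /etc/dnf/dnf.conf) to audit the live system; a non-zero exit is a finding for this rule.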