Ensure dnf Removes Previous Package Versions
An XCCDF Rule
Description
dnf should be configured to remove previous software components after new versions have been installed. To configure dnf to do this, set clean_requirements_on_remove to 1 in the [main] section of /etc/dnf/dnf.conf. Note that dnf.conf(5) documents this option as removing dependencies that are no longer required when a package is removed, and that dnf's default for it is already true; the rule nevertheless requires the setting to be present explicitly, so an unset option counts as a failure.
Rationale
Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.
- ID: xccdf_org.ssgproject.content_rule_clean_components_post_updating
- Severity: Low
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q dnf; then
    if grep --silent ^clean_requirements_on_remove /etc/dnf/dnf.conf ; then
        sed -i "s/^clean_requirements_on_remove.*/clean_requirements_on_remove=1/g" /etc/dnf/dnf.conf
    else
        # Option absent: insert it directly after the [main] header (the stock dnf.conf has one)
        sed -i '/^\[main\]/a clean_requirements_on_remove=1' /etc/dnf/dnf.conf
    fi
fi
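The remediation above writes the setting but the page carries no audit step. The following is an added example, not part of the SSG rule or its OVAL check: a POSIX shell check that reads clean_requirements_on_remove from the [main] section only (dnf takes global options from [main], so the same key under a repository section does not satisfy the rule), treats a commented-out or absent option as a failure, and reports a missing file as not applicable. The sample configuration files it builds in a temporary directory are constructed for the dry run and are not taken from any real host; on a real system call check_clean_requirements /etc/dnf/dnf.conf.

```shell
#!/bin/sh
# Added example (not SSG content): audit a dnf.conf for the setting that the
# remediation script above enforces. Exit codes mirror XCCDF results:
# 0 = pass, 1 = fail, 2 = not applicable (no such file).

# Print the value of option $2 from the [main] section of file $1
# (prints an empty line when the option is not set there).
dnf_main_option() {
    awk -v key="$2" '
        # A section header switches tracking on for [main] only.
        /^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[main\][ \t]*$/); next }
        # Lines that start with # never match, so commented-out options are ignored.
        # The last assignment inside [main] wins.
        in_main && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); val = $0
        }
        END { print val }
    ' "$1"
}

# 0 when clean_requirements_on_remove is explicitly true in [main], 1 when it is
# absent or false, 2 when the file is missing. dnf documents true as the default,
# but the rule requires the explicit setting, so absent counts as a failure.
check_clean_requirements() {
    [ -f "$1" ] || return 2
    val=$(dnf_main_option "$1" clean_requirements_on_remove | tr '[:upper:]' '[:lower:]')
    case "$val" in
        1|true|yes|on) return 0 ;;   # boolean spellings dnf accepts
        *) return 1 ;;
    esac
}

# Constructed sample files (not taken from any real host) to exercise the check.
make_samples() {
    d=$(mktemp -d)
    printf '[main]\ngpgcheck=1\nclean_requirements_on_remove=1\n' > "$d/pass.conf"
    printf '[main]\ngpgcheck=1\n\n[baseos]\nclean_requirements_on_remove=1\n' > "$d/wrong_section.conf"
    printf '[main]\nclean_requirements_on_remove = False\n' > "$d/false.conf"
    printf '[main]\n#clean_requirements_on_remove=1\n' > "$d/commented.conf"
    echo "$d"
}

# Dry run over the samples.
samples=$(make_samples)
for f in "$samples"/*.conf; do
    check_clean_requirements "$f" && r=pass || r="fail(rc=$?)"
    echo "$(basename "$f"): $r"
done
rm -rf "$samples"
```

Only pass.conf passes: the key under [baseos] is in the wrong section, the False value is an explicit opt-out, and the commented line configures nothing. The check is intentionally stricter than dnf's runtime behaviour (where an unset option means true) because the rule is about the configuration file, not the effective default.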
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - DISA-STIG-RHEL-09-214035
    - NIST-800-171-3.4.8