File: rule.yml

documentation_complete: true


title: 'Ensure {{{ pkg_manager }}} Removes Previous Package Versions'

description: |-
    <tt>{{{ pkg_manager }}}</tt> should be configured to remove previous software components after
    new versions have been installed. To configure <tt>{{{ pkg_manager }}}</tt> to remove the
    previous software components after updating, set
    {{% if 'sle' in product or 'slmicro' in product %}}
    <tt>solver.upgradeRemoveDroppedPackages</tt> to <tt>true</tt>
    {{% elif 'ubuntu' in product %}}
    both <tt>Unattended-Upgrade::Remove-Unused-Dependencies</tt> and
    <tt>Unattended-Upgrade::Remove-Unused-Kernel-Packages</tt> to <tt>"true"</tt>
    {{% else %}}
    <tt>clean_requirements_on_remove</tt> to <tt>1</tt>
    {{% endif %}}
    in <tt>{{{ pkg_manager_config_file }}}</tt>.

rationale: |-
    Previous versions of software components that remain on the system after updates have
    been installed may still contain the vulnerabilities those updates fixed, and an adversary
    could exploit the leftover components. Removing superseded components keeps the installed
    software limited to what is actually in use and reduces the system's attack surface.

severity: low

identifiers:
    cce@rhel8: CCE-82476-3
    cce@rhel9: CCE-83458-0
    cce@rhel10: CCE-88515-2
    cce@sle12: CCE-83186-7
    cce@sle15: CCE-85551-0
    cce@slmicro5: CCE-93720-1
    cce@slmicro6: CCE-94729-1

references:
    cis-csc: 18,20,4
    cobit5: APO12.01,APO12.02,APO12.03,APO12.04,BAI03.10,DSS05.01,DSS05.02
    cui: 3.4.8
    isa-62443-2009: 4.2.3,4.2.3.12,4.2.3.7,4.2.3.9
    iso27001-2013: A.12.6.1,A.14.2.3,A.16.1.3,A.18.2.2,A.18.2.3
    nist: SI-2(6),CM-11(a),CM-11(b),CM-6(a)
    nist-csf: ID.RA-1,PR.IP-12
    srg: SRG-OS-000437-GPOS-00194
    stigid@ol7: OL07-00-020200
    stigid@ol8: OL08-00-010440
    stigid@sle12: SLES-12-010570
    stigid@sle15: SLES-15-010560

ocil_clause: |-
    {{%- if 'sle' in product or 'slmicro' in product %}}
    'solver.upgradeRemoveDroppedPackages is not enabled or configured correctly'
    {{%- elif 'ubuntu' in product %}}
    'Unattended-Upgrade::Remove-Unused-Dependencies and Unattended-Upgrade::Remove-Unused-Kernel-Packages are not
    both enabled and configured correctly'
    {{%- else %}}
    '"clean_requirements_on_remove" is not set to "1"'
    {{% endif %}}

ocil: |-
    Verify {{{ full_name }}} removes previous versions of software components after updated versions have been installed.

    {{% if 'sle' in product or 'slmicro' in product %}}
    To verify that <tt>solver.upgradeRemoveDroppedPackages</tt> is configured properly, run the
    following command:
    <pre>$ grep -i upgradeRemoveDroppedPackages {{{ pkg_manager_config_file }}}</pre>
    The output should return something similar to:
    <pre>solver.upgradeRemoveDroppedPackages=true</pre>
    Because the search is case-insensitive and matches any line containing the option name, confirm that the
    matching line is not commented out and that the value is <tt>true</tt> rather than <tt>false</tt>.
    {{% elif 'ubuntu' in product %}}
    To verify that unused dependencies and superseded kernel packages are removed, run the
    following command:
    <pre>$ grep -i remove-unused {{{ pkg_manager_config_file }}}</pre>
    The output should return something similar to:
    <pre>Unattended-Upgrade::Remove-Unused-Dependencies "true";
    Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";</pre>
    Both options must be present, not commented out, and set to <tt>"true"</tt>; a match on a
    commented-out or <tt>"false"</tt> line does not satisfy this requirement.
    {{% else %}}
    To verify that <tt>clean_requirements_on_remove</tt> is configured properly, run the
    following command:
    <pre>$ grep clean_requirements_on_remove {{{ pkg_manager_config_file }}}</pre>
    The output should return something similar to:
    <pre>clean_requirements_on_remove=1</pre>
    Confirm that the matching line is not commented out and that the value is <tt>1</tt> rather
    than <tt>0</tt>, since the search above also matches disabled or commented-out settings.
    {{% endif %}}

{{% if product in ['fedora'] or 'rhel' in product or 'ol' in product %}}
fixtext: |-
    Configure {{{ full_name }}} to remove all software components after updated versions have been installed.

    Edit the file {{{ pkg_manager_config_file }}} by adding or editing the following line:

    <pre>clean_requirements_on_remove=1</pre>
{{% endif %}}

srg_requirement: |-
    {{{ full_name }}} must remove all software components after updated versions have been installed.

{{% if 'ubuntu' not in product %}}
platform: package[{{{ pkg_manager }}}]
{{% endif %}}