{
  "description": "<tt>apt-get</tt> and <tt>unattended-upgrades</tt> should be configured to remove previous software components after new versions have been installed. To configure this, set <tt>Unattended-Upgrade::Remove-Unused-Dependencies</tt> and <tt>Unattended-Upgrade::Remove-Unused-Kernel-Packages</tt> to <tt>true</tt> in <tt>/etc/apt/apt.conf</tt>. The first option removes automatically installed dependencies that are no longer required after an upgrade (the equivalent of <tt>apt-get autoremove</tt>); the second removes superseded kernel packages. Both options are read by <tt>unattended-upgrades</tt>, not by an interactive <tt>apt-get</tt> run. APT also reads every file under <tt>/etc/apt/apt.conf.d/</tt>, where the <tt>unattended-upgrades</tt> package ships its commented defaults in <tt>50unattended-upgrades</tt>, so the options may be set there instead.",
  "rationale": "Previous versions of software components that are not removed from the information system after updates have been installed, such as superseded kernel packages that remain bootable or libraries that are no longer required, still contain the flaws the update corrected and may be exploited by adversaries.",
  "severity": "low",
  "references": {
    "cis-csc": ["18", "20", "4"],
    "cobit5": ["APO12.01", "APO12.02", "APO12.03", "APO12.04", "BAI03.10", "DSS05.01", "DSS05.02"],
    "cui": ["3.4.8"],
    "isa-62443-2009": ["4.2.3", "4.2.3.12", "4.2.3.7", "4.2.3.9"],
    "iso27001-2013": ["A.12.6.1", "A.14.2.3", "A.16.1.3", "A.18.2.2", "A.18.2.3"],
    "nist": ["SI-2(6)", "CM-11(a)", "CM-11(b)", "CM-6(a)"],
    "nist-csf": ["ID.RA-1", "PR.IP-12"],
    "srg": ["SRG-OS-000437-GPOS-00194"],
    "stigid": ["UBTU-22-214015"],
    "stigref": ["SV-260477r1044773_rule"]
  },
  "control_references": {"stigid": ["UBTU-22-214015"]},
  "components": [],
  "identifiers": {},
  "ocil_clause": "'Unattended-Upgrade::Remove-Unused-Dependencies and Unattended-Upgrade::Remove-Unused-Kernel-Packages are not both set to true'",
  "ocil": "Verify Ubuntu 22.04 removes all software components after updated versions have been installed:\n\n<pre>$ grep -i remove-unused /etc/apt/apt.conf</pre>\nThe output should return something similar to:\n<pre>Unattended-Upgrade::Remove-Unused-Dependencies \"true\";\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";</pre>\nLines beginning with <tt>//</tt> or <tt>#</tt> are comments and do not set the option. Because APT merges <tt>/etc/apt/apt.conf</tt> with the files in <tt>/etc/apt/apt.conf.d/</tt>, <tt>apt-config dump | grep -i remove-unused</tt> shows the values actually in effect regardless of which file sets them. If either option is missing, commented out, or set to a value other than <tt>true</tt>, this is a finding.",
  "oval_external_content": null,
  "fixtext": "",
  "checktext": "",
  "vuldiscussion": "",
  "srg_requirement": "Ubuntu 22.04 must remove all software components after updated versions have been installed.",
  "warnings": [],
  "conflicts": [],
  "requires": [],
  "policy_specific_content": {
    "stig": {
      "srg_requirement": "Ubuntu 22.04 must remove all software components after updated versions have been installed.",
      "vuldiscussion": "Previous versions of software components that are not removed from the information system after updates have been installed, such as superseded kernel packages that remain bootable or libraries that are no longer required, still contain the flaws the update corrected and may be exploited by adversaries.",
      "checktext": "Verify Ubuntu 22.04 removes all software components after updated versions have been installed with the following command:\n\n$ grep -i remove-unused /etc/apt/apt.conf\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";\n\nIf \"Unattended-Upgrade::Remove-Unused-Dependencies\" and \"Unattended-Upgrade::Remove-Unused-Kernel-Packages\" are not both set to \"true\", or are commented out, this is a finding.",
      "fixtext": "Configure Ubuntu 22.04 to remove all software components after updated versions have been installed.\n\nEdit the file /etc/apt/apt.conf by adding or editing the following lines:\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";"
    }
  },
  "platform": null,
  "platforms": [],
  "sce_metadata": {},
  "inherited_platforms": [],
  "cpe_platform_names": [],
  "inherited_cpe_platform_names": [],
  "bash_conditional": null,
  "fixes": {},
  "title": "Ensure apt-get Removes Previous Package Versions",
  "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml",
  "template": null
}
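As an added worked example, not part of the SCAP Security Guide rule above nor of the unattended-upgrades project, the following POSIX shell check evaluates the two options the rule requires. It parses apt configuration text in the flat `Key "value";` form used by both `/etc/apt/apt.conf` and the output of `apt-config dump`, skips commented lines, honors the last definition of a key, and accepts only the literal `true` the benchmark expects. The two sample configurations are constructed for the example, and the `--live` switch is an invented argument of this script (not an unattended-upgrades or apt flag) that runs the same check over `apt-config dump` on a real host.

```shell
#!/bin/sh
# Added example: check that unattended-upgrades will remove unused
# dependencies and superseded kernels after an upgrade, i.e. that
# Unattended-Upgrade::Remove-Unused-Dependencies and
# Unattended-Upgrade::Remove-Unused-Kernel-Packages are both "true".
# Not part of the SSG rule or of the unattended-upgrades project.

# apt_key_is_true KEY CONFIG_TEXT
# Returns 0 when CONFIG_TEXT sets KEY to "true", 1 otherwise. CONFIG_TEXT is
# apt configuration in the flat form `Key "value";`, one setting per line, as
# found in /etc/apt/apt.conf(.d/*) and as printed by `apt-config dump`.
# - anchoring on the line start skips commented lines (// or #), which a plain
#   `grep -i remove-unused` would also match;
# - apt keys are case-insensitive, hence grep -i;
# - a later definition overrides an earlier one, hence `tail -n 1`;
# - only the literal "true" expected by the benchmark is accepted.
apt_key_is_true() {
    key=$1
    cfg=$2
    val=$(printf '%s\n' "$cfg" \
        | grep -i "^${key} " \
        | tail -n 1 \
        | sed -n 's/^[^"]*"\([^"]*\)".*$/\1/p')
    [ "$val" = "true" ]
}

# check_remove_unused CONFIG_TEXT
# Prints one PASS/FAIL line per key; returns 0 only if both keys are "true".
check_remove_unused() {
    cfg=$1
    rc=0
    for key in Unattended-Upgrade::Remove-Unused-Dependencies \
               Unattended-Upgrade::Remove-Unused-Kernel-Packages; do
        if apt_key_is_true "$key" "$cfg"; then
            echo "PASS $key"
        else
            echo "FAIL $key is not set to \"true\""
            rc=1
        fi
    done
    return $rc
}

# Constructed sample 1: the shipped commented default for dependencies is
# followed by an explicit override; both options end up "true" -> compliant.
SAMPLE_COMPLIANT='// Remove unused automatically installed dependency packages
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";'

# Constructed sample 2: the kernel option exists only as a commented line, so
# it is not in effect even though `grep -i remove-unused` would display it.
SAMPLE_NONCOMPLIANT='Unattended-Upgrade::Remove-Unused-Dependencies "true";
//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";'

# Assumed switch of this script only: `--live` runs the check over the
# effective configuration, which `apt-config dump` merges from
# /etc/apt/apt.conf and /etc/apt/apt.conf.d/* and flattens from any nested
# `Unattended-Upgrade { ... }` block syntax that a per-file grep would miss.
if [ "${1:-}" = "--live" ]; then
    check_remove_unused "$(apt-config dump)"
else
    echo "== constructed compliant sample"
    check_remove_unused "$SAMPLE_COMPLIANT"
    echo "== constructed non-compliant sample"
    check_remove_unused "$SAMPLE_NONCOMPLIANT" || true
fi
```

Run without arguments to see the two constructed samples evaluated; run with `--live` on an Ubuntu host to evaluate the configuration actually in effect. Preferring `apt-config dump` over grepping a single file matters in practice: the benchmark's `grep -i remove-unused /etc/apt/apt.conf` reports nothing when the options live in `/etc/apt/apt.conf.d/50unattended-upgrades`, and it happily prints commented-out defaults that do not set anything.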