documentation_complete: true


title: 'Ensure {{{ pkg_manager }}} Removes Previous Package Versions'

description: |-
    <tt>{{{ pkg_manager }}}</tt> should be configured to remove previous software components after
    new versions have been installed. To configure <tt>{{{ pkg_manager }}}</tt> to remove the
    {{% if 'sle' in product or 'slmicro' in product %}}
    previous software components after updating, set the <tt>solver.upgradeRemoveDroppedPackages</tt>
    {{% elif 'ubuntu' in product %}}
    previous software components after updating, set the <tt>::Remove-Unused-Dependencies</tt> and
    <tt>::Remove-Unused-Kernel-Packages</tt>
    {{% else %}}
    previous software components after updating, set the <tt>clean_requirements_on_remove</tt>
    {{% endif %}}
    {{% if 'ubuntu' in product %}}
    to <tt>true</tt> in <tt>{{{ pkg_manager_config_file }}}</tt>.
    {{% else %}}
    to <tt>1</tt> in <tt>{{{ pkg_manager_config_file }}}</tt>.
    {{% endif %}}

rationale: |-
    Previous versions of software components that are not removed from the information
    system after updates have been installed may be exploited by some adversaries.

severity: low

identifiers:
    cce@rhel8: CCE-82476-3
    cce@rhel9: CCE-83458-0
    cce@rhel10: CCE-88515-2
    cce@sle12: CCE-83186-7
    cce@sle15: CCE-85551-0
    cce@slmicro5: CCE-93720-1
    cce@slmicro6: CCE-94729-1

references:
    cis-csc: 18,20,4
    cobit5: APO12.01,APO12.02,APO12.03,APO12.04,BAI03.10,DSS05.01,DSS05.02
    cui: 3.4.8
    isa-62443-2009: 4.2.3,4.2.3.12,4.2.3.7,4.2.3.9
    iso27001-2013: A.12.6.1,A.14.2.3,A.16.1.3,A.18.2.2,A.18.2.3
    nist: SI-2(6),CM-11(a),CM-11(b),CM-6(a)
    nist-csf: ID.RA-1,PR.IP-12
    srg: SRG-OS-000437-GPOS-00194
    stigid@ol7: OL07-00-020200
    stigid@ol8: OL08-00-010440
    stigid@sle12: SLES-12-010570
    stigid@sle15: SLES-15-010560

ocil_clause: |-
    {{%- if 'sle' in product or 'slmicro' in product %}}
    'solver.upgradeRemoveDroppedPackages is not enabled or configured correctly'
    {{%- elif 'ubuntu' in product %}}
    '::Remove-Unused-Dependencies and ::Remove-Unused-Kernel-Packages is not
    enabled or configured correctly'
    {{%- else %}}
    '"clean_requirements_on_remove" is not set to "1"'
    {{% endif %}}

ocil: |-
    Verify {{{ full_name }}} removes all software components after updated versions have been installed.

    {{% if 'sle' in product or 'slmicro' in product %}}
    To verify that <tt>solver.upgradeRemoveDroppedPackages</tt> is configured properly, run the
    following command:
    <pre>$ grep -i upgradeRemoveDroppedPackages {{{ pkg_manager_config_file }}}</pre>
    The output should return something similar to:
    <pre>solver.upgradeRemoveDroppedPackages=true</pre>
    {{% elif 'ubuntu' in product %}}
    <pre>$ grep -i remove-unused {{{ pkg_manager_config_file }}}</pre>
    The output should return something similar to:
    <pre>Unattended-Upgrade::Remove-Unused-Dependencies "true";
    Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";</pre>
    {{% else %}}
    <pre>$ grep clean_requirements_on_remove {{{ pkg_manager_config_file }}}</pre>
    <pre>clean_requirements_on_remove=1</pre>
    {{% endif %}}

{{% if product in ['fedora'] or 'rhel' in product or 'ol' in families %}}
fixtext: |-
    Configure {{{ full_name }}} to remove all software components after updated versions have been installed.

    Edit the file {{{ pkg_manager_config_file }}} by adding or editing the following line:

    <pre>clean_requirements_on_remove=1</pre>
{{% endif %}}

srg_requirement: |-
    {{{ full_name }}} must remove all software components after updated versions have been installed.

{{% if 'ubuntu' not in product %}}
platform: package[{{{ pkg_manager }}}] and not bootc
{{% endif %}}