Check: AZLX-23-002615
Amazon Linux 2023 STIG: AZLX-23-002615 (in version v1 r1)
Title
Amazon Linux 2023 must remove all software components after updated versions have been installed. (Cat II impact)
Discussion
Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.
Check Content
Verify Amazon Linux 2023 removes all software components after updated versions have been installed with the following command:

$ grep clean /etc/dnf/dnf.conf
clean_requirements_on_remove=1

If "clean_requirements_on_remove" is not set to "1", "True", or "yes", this is a finding.
Fix Text
Configure Amazon Linux 2023 to remove all software components after updated versions have been installed. Set the "clean_requirements_on_remove" option to "1" in the "/etc/dnf/dnf.conf" file:

clean_requirements_on_remove=1
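The grep in the check above matches any line containing "clean", so a reviewer still has to read the output by hand. The following shell function is an added example (not part of the STIG or of dnf) that evaluates the setting the way the check describes: it ignores commented lines, tolerates "key = value" spacing, takes the last definition when the key appears more than once, and accepts the values the check lists ("1", "True", "yes"). Comparing those values case-insensitively is an assumption of this example; the sample configuration files it writes are constructed for demonstration.

```shell
#!/bin/sh
# Added example: evaluate the AZLX-23-002615 check against a dnf.conf file.
# Not part of the STIG text or of dnf itself.

# Return 0 (not a finding) when clean_requirements_on_remove is enabled in the
# given file, 1 (finding) otherwise. Commented lines are ignored, "key = value"
# spacing is tolerated, and the last definition wins if the key repeats.
check_clean_requirements_on_remove() {
    conf="$1"
    [ -r "$conf" ] || return 1
    value=$(sed -n 's/^[[:space:]]*clean_requirements_on_remove[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    # Assumption: values are compared case-insensitively ("Yes" == "yes").
    value=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
    case "$value" in
        1|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the STIG outcome for one file.
report() {
    if check_clean_requirements_on_remove "$1"; then
        echo "$1: not a finding (clean_requirements_on_remove is enabled)"
    else
        echo "$1: FINDING (clean_requirements_on_remove is not 1/True/yes)"
    fi
}

# Constructed sample configurations for demonstration only.
good=$(mktemp); bad=$(mktemp); missing=$(mktemp)
printf '[main]\nbest=True\nclean_requirements_on_remove = Yes\n' > "$good"
printf '[main]\n# clean_requirements_on_remove=1\nclean_requirements_on_remove=0\n' > "$bad"
printf '[main]\nbest=True\n' > "$missing"

report "$good"
report "$bad"
report "$missing"
rm -f "$good" "$bad" "$missing"
```

On a live host, run check_clean_requirements_on_remove against /etc/dnf/dnf.conf; a non-zero exit status corresponds to the finding described in the check.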
Additional Identifiers
Rule ID: SV-274185r1120543_rule
Vulnerability ID: V-274185
Group Title: SRG-OS-000437-GPOS-00194
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002617 | Remove previous versions of organization-defined software components after updated versions have been installed. |
Controls
| Number | Title |
|---|---|
| SI-2(6) | Removal of Previous Versions of Software and Firmware |