Amazon Linux 2023 must remove all software components after updated versions have been installed.

STIG ID: AZLX-23-002615  |  SRG: SRG-OS-000437-GPOS-00194 |  Severity: medium (CAT II)  |  CCI: CCI-002617 |  Vulnerability Id: V-274185

Vulnerability Discussion

Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.

Check

Verify Amazon Linux 2023 removes all software components after updated versions have been installed with the following command:

$ grep clean /etc/dnf/dnf.conf
clean_requirements_on_remove=1

If "clean_requirements_on_remove" is not set to "1", "True", or "yes", this is a finding.

Fix

Configure Amazon Linux 2023 to remove all software components after updated versions have been installed.

Set the "clean_requirements_on_remove" option to "1" in the "/etc/dnf/dnf.conf" file:

clean_requirements_on_remove=1
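An added compliance script covering both the Check and the Fix above (example code, not part of the STIG text). It assumes GNU sed, as shipped on Amazon Linux 2023, and accepts the values "1", "True" and "yes" case-insensitively, which goes slightly beyond the STIG's literal wording; it also ignores commented-out lines, which the bare "grep clean" in the Check would still match.

```sh
#!/bin/sh
# Added example for AZLX-23-002615: check and remediate clean_requirements_on_remove
# in dnf.conf. Not part of the STIG text; assumes GNU sed (Amazon Linux 2023 default).

# Return 0 if the last active (uncommented) assignment is 1, True or yes
# (case-insensitive, an assumption beyond the STIG's literal list); return 1 otherwise.
# A commented "#clean_requirements_on_remove=1" matches a bare grep but is not active.
check_clean_requirements() {
    conf="${1:-/etc/dnf/dnf.conf}"
    [ -r "$conf" ] || { echo "FINDING: cannot read $conf"; return 1; }
    value=$(sed -n 's/^[[:space:]]*clean_requirements_on_remove[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    case "$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')" in
        1|true|yes) echo "PASS: clean_requirements_on_remove=$value in $conf"; return 0 ;;
        "")         echo "FINDING: clean_requirements_on_remove not set in $conf"; return 1 ;;
        *)          echo "FINDING: clean_requirements_on_remove=$value in $conf"; return 1 ;;
    esac
}

# Set clean_requirements_on_remove=1: rewrite an existing active assignment in place,
# otherwise add it directly under [main] (creating the section header if absent).
set_clean_requirements() {
    conf="${1:-/etc/dnf/dnf.conf}"
    if grep -q '^[[:space:]]*clean_requirements_on_remove[[:space:]]*=' "$conf"; then
        sed -i 's/^[[:space:]]*clean_requirements_on_remove[[:space:]]*=.*/clean_requirements_on_remove=1/' "$conf"
    else
        grep -q '^\[main\]' "$conf" || printf '[main]\n' >> "$conf"
        sed -i '/^\[main\]/a clean_requirements_on_remove=1' "$conf"
    fi
}

# Usage: ./dnf_clean_check.sh check [conf]   or   ./dnf_clean_check.sh fix [conf]
case "${1:-}" in
    check) check_clean_requirements "${2:-/etc/dnf/dnf.conf}" ;;
    fix)   set_clean_requirements "${2:-/etc/dnf/dnf.conf}" && check_clean_requirements "${2:-/etc/dnf/dnf.conf}" ;;
esac
```

Running "fix" against the real /etc/dnf/dnf.conf requires root; point both subcommands at a copy of the file first to preview the change.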