RHEL 9 must remove all software components after updated versions have been installed.

STIG ID: RHEL-09-214035 | SRG: SRG-OS-000437-GPOS-00194 | Severity: low | CCI: CCI-002617 | Vulnerability Id: V-257824

Vulnerability Discussion

Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.

Check

Verify RHEL 9 removes all software components after updated versions have been installed with the following command:

$ grep clean /etc/dnf/dnf.conf

clean_requirements_on_remove=1

If "clean_requirements_on_remove" is not set to "1", this is a finding.

Fix

Configure RHEL 9 to remove all software components after updated versions have been installed.

Edit the file /etc/dnf/dnf.conf by adding or editing the following line:

clean_requirements_on_remove=1