Ensure APT has AutomaticRemove configured

Description

The AutomaticRemove setting is used to remove packages that were automatically installed to satisfy dependencies for other packages and are now no longer needed.

Rationale

Removing unused or unavailable packages and files, reduces the risk of filling the space of a partition or disk, and might reduce any attack surface.

Audit

@test "Verify APT AutomaticRemove" {
  run bash -c "grep '^APT::Get::AutomaticRemove \"true\";$' /etc/apt/apt.conf.d/*"
  [ "$status" -eq 0 ]
}

Remediation

shell

if ! grep '^APT::Get::AutomaticRemove' /etc/apt/apt.conf.d/*; then
  echo 'APT::Get::AutomaticRemove "true";' >> /etc/apt/apt.conf.d/01-vendor-ubuntu
else
  sed -i 's/.*APT::Get::AutomaticRemove.*/APT::Get::AutomaticRemove "true";/g' "$(grep -l 'APT::Get::AutomaticRemove' /etc/apt/apt.conf.d/*)"
fi

Ansible

---
- name: configure apt
  become: 'yes'
  become_method: sudo
  lineinfile:
    dest: /etc/apt/apt.conf.d/98apt-conf
    mode: 0644
    state: present
    create: 'yes'
    line: ""
  with_items:
    - 'APT::Get::AutomaticRemove "true";'
  when: ansible_os_family == "Debian"
  tags:
    - apt
    - security
...

References

https://manpages.ubuntu.com/manpages/bionic/en/man5/apt.conf.5.html
https://manpages.ubuntu.com/manpages/bionic/man8/apt-get.8.html

results matching ""

    No results matching ""