@test "Verify APT Remove-Unused-Dependencies" {
    run bash -c "grep '^Unattended-Upgrade::Remove-Unused-Dependencies \"true\";$' /etc/apt/apt.conf.d/*"
    [ "$status" -eq 0 ]
}
Ensure APT has Remove-Unused-Dependencies configured
Description
The Remove-Unused-Dependencies setting tells unattended-upgrades to remove all dependencies that are no longer needed once an upgrade has finished.
Rationale
Reducing the number of installed packages reduces the attack surface: orphaned dependencies are still code that has to be kept patched.
Audit
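As an added example (not part of this guide), a small Python audit that goes beyond the single grep above: it reads the apt.conf.d fragments in the same lexical order apt does, drops commented-out lines, and reports the effective value, so an indented assignment is found and a later fragment that sets the option back to "false" is caught. The sample directory and its file names are constructed for the demonstration.

```python
import os
import re
import tempfile

SETTING = "Unattended-Upgrade::Remove-Unused-Dependencies"
# An uncommented assignment: optional leading whitespace, quoted or bare value.
ASSIGN_RE = re.compile(r'^\s*' + re.escape(SETTING) + r'\s+"?(true|false)"?\s*;', re.IGNORECASE)


def strip_comments(text):
    """Remove apt.conf comment forms: /* ... */ blocks, then // or # to end of line.
    Simplification: comment markers inside quoted strings are not special-cased."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.DOTALL)
    return '\n'.join(re.split(r'//|#', line, maxsplit=1)[0] for line in text.splitlines())


def effective_value(conf_dir):
    """Value apt ends up with after reading every fragment in conf_dir: fragments are
    read in lexical filename order and a later assignment overrides an earlier one,
    so the last match wins. None means the option is never set."""
    value = None
    for name in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in strip_comments(fh.read()).splitlines():
                match = ASSIGN_RE.match(line)
                if match:
                    value = match.group(1).lower()
    return value


def audit(conf_dir="/etc/apt/apt.conf.d"):
    """Pass only when the effective value is "true"; "false" and unset both fail."""
    return effective_value(conf_dir) == "true"


def make_sample_dir(with_override=True):
    """Constructed sample fragments (not copied from any host) so the check runs offline."""
    conf_dir = tempfile.mkdtemp()
    samples = {
        # a commented-out line must not count as a pass
        "50unattended-upgrades": '//Unattended-Upgrade::Remove-Unused-Dependencies "true";\n',
        # indented, so a ^-anchored grep would miss it
        "60hardening": '  Unattended-Upgrade::Remove-Unused-Dependencies "true";\n',
    }
    if with_override:  # a later fragment silently turning the setting off again
        samples["70override"] = 'Unattended-Upgrade::Remove-Unused-Dependencies "false"; # constructed\n'
    for name, body in samples.items():
        with open(os.path.join(conf_dir, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return conf_dir
```

Run `audit()` with no argument to check the real `/etc/apt/apt.conf.d` on a host.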
Remediation
shell
if ! grep -q '^Unattended-Upgrade::Remove-Unused-Dependencies' /etc/apt/apt.conf.d/*; then
    echo 'Unattended-Upgrade::Remove-Unused-Dependencies "true";' >> /etc/apt/apt.conf.d/50unattended-upgrades
else
    # more than one fragment may carry the line; rewrite each of them rather than
    # passing a newline-joined file list to sed as a single path
    grep -l 'Unattended-Upgrade::Remove-Unused-Dependencies' /etc/apt/apt.conf.d/* | while read -r f; do
        sed -i 's/.*Unattended-Upgrade::Remove-Unused-Dependencies.*/Unattended-Upgrade::Remove-Unused-Dependencies "true";/' "$f"
    done
fi
Ansible
---
- name: configure apt
  become: 'yes'
  become_method: sudo
  lineinfile:
    dest: /etc/apt/apt.conf.d/98apt-conf
    mode: '0644'
    state: present
    create: 'yes'
    line: "{{ item }}"
  with_items:
    - 'Unattended-Upgrade::Remove-Unused-Dependencies "true";'
  when: ansible_os_family == "Debian"
  tags:
    - apt
    - security
...