Automatically remove package deps

This patch adds functionality to enable autoremoval of dependencies when a package is removed. This can be dangerous, so it is disabled by default. Docs are included. Implements: blueprint security-rhel7-stig Change-Id: Ie88ffaec33249ac2ff03bf3d712533b382fac877
2016-11-10 16:31:33 -06:00 · 2016-11-10 16:31:33 -06:00 · db2663b116
commit db2663b116
parent 235ee0604a
4 changed files with 45 additions and 3 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -406,6 +406,8 @@ security_rhel7_remove_telnet_server: yes                     # RHEL-07-021910
 security_rhel7_remove_tftp_server: yes                       # RHEL-07-040500
 security_rhel7_remove_xorg: yes                              # RHEL-07-040560
 security_rhel7_remove_ypserv: yes                            # RHEL-07-020010
+# Automatically remove dependencies when removing packages.
+security_package_clean_on_remove: no                         # RHEL-07-020200

 ## RPM (rpm)
 # Enable GPG checks for remotely and locally installed packages. This includes
--- a/doc/metadata/rhel7/RHEL-07-020200.rst
+++ b/doc/metadata/rhel7/RHEL-07-020200.rst
@ -1,7 +1,17 @@
 ---
 id: RHEL-07-020200
-status: not implemented
-tag: misc
+status: opt-in
+tag: packages
 ---

-This STIG requirement is not yet implemented.
+Although the STIG requires that dependent packages are removed automatically
+when a package is removed, this can cause problems with certain packages,
+especially kernels. Deployers must opt in to meet the requirements of this STIG
+control.
+
+Deployers should set the following variable to enable automatic dependent
+package removal:
+
+.. code-block:: yaml
+
+    security_package_clean_on_remove: yes
--- a/tasks/rhel7stig/packages.yml
+++ b/tasks/rhel7stig/packages.yml
@ -36,3 +36,32 @@
    - RHEL-07-040260
    - RHEL-07-040500
    - RHEL-07-040560
+
+- name: RHEL-07-020200 - Clean requirements/dependencies when removing packages (rpm)
+  lineinfile:
+    dest: /etc/yum.conf
+    regexp: "^(#)?clean_requirements_on_remove"
+    line: "clean_requirements_on_remove=1"
+    state: present
+  when:
+    - security_package_clean_on_remove | bool
+    - ansible_os_family | lower == 'redhat'
+  tags:
+    - low
+    - packages
+    - RHEL-07-020200
+
+- name: RHEL-07-020200 - Clean requirements/dependencies when removing packages (dpkg)
+  lineinfile:
+    dest: /etc/apt/apt.conf.d/security-autoremove
+    regexp: "^(#)?APT::Get::AutomaticRemove"
+    line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";"
+    state: present
+    create: yes
+  when:
+    - security_package_clean_on_remove | bool
+    - ansible_os_family | lower == 'debian'
+  tags:
+    - low
+    - packages
+    - RHEL-07-020200
--- a/tests/test.yml
+++ b/tests/test.yml
@ -70,5 +70,6 @@
  roles:
    - role: "openstack-ansible-security"
  vars:
+    security_package_clean_on_remove: yes
    security_unattended_upgrades_enabled: true
    security_unattended_upgrades_notifications: true