Packages are updated, but old kernels are not removed

[bbaassssiiee]

RHEL8-CIS/tasks/section_1/cis_1.9.yml

Line 3 in 5bafd20

- name: "1.9 | PATCH | Ensure updates, patches, and additional security software are installed"

Updating all packages is fine, but when the kernel is updated, older, possibly vulnerable, versions could be removed to mitigate booting with them.

In the spirit of CIS 1.9, maybe not valid in the strict interpretation...

[uk-bolly]

hi @bbaassssiiee

Great idea, we could make this an optional. I would probably look at keeping the last 2(as default)? just for rollback purposes?
Good enhancement.

Cheers

uk-bolly

[Thulium-Drake]

Hi @uk-bolly

At work we use the following playbook include in our maintenance plays:

---
- name: 'Remove old kernel packages'
  hosts: 'all'
  tasks:
    - name: 'Uninstall old kernels'
      ansible.builtin.shell: yum remove $(yum repoquery --installonly --latest-limit=-2 -q)
      when: ansible_facts['os_family'] == 'RedHat'

That might give you a head stat ;-)

[bbaassssiiee]

Does not seem to work yet. Cannot effectuate 1 kernel.