1.2.1.5 Ensure weak dependencies are configured

Information

The RPM packaging specification allows for 3 levels of dependencies to be declared:

- hard dependencies (Requires / Provides) for packages which must be installed for a minimal installation of the application to function
- weak dependencies (Recommends / Supplements) for packages which provide additional features, but which are not required for a minimal installation to function
- hints (Suggests / Enhances) for packages which offer add-ons which might be useful.

Unless a system specifically requires the additional capabilities provided by the weak dependencies, it is recommended that these packages are not installed, to reduce the potential attack surface.

Solution

Edit /etc/zypp/zypp.conf and set solver.onlyRequires = true.

Example script:

#!/usr/bin/env bash

{
    # If an active (uncommented) solver.onlyRequires line already exists, force it to true;
    # otherwise append the setting, preceded by a blank line, to the end of the file.
    if grep -Pq '^solver\.onlyRequires' /etc/zypp/zypp.conf; then
        sed -i 's/^solver\.onlyRequires\s*=\s*.*/solver.onlyRequires = true/' /etc/zypp/zypp.conf
    else
        printf '%s\n' "" "solver.onlyRequires = true" >> /etc/zypp/zypp.conf
    fi
}
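The remediation script above writes the setting; the audit side is confirming that the file actually holds it. The following helper is an added example, not part of the benchmark or of libzypp: it reports the effective value of solver.onlyRequires in a zypp.conf-style file, tolerating leading whitespace, commented-out lines (# or ;) and mixed case. It assumes that the last active assignment wins and ignores section headers, which matches a stock zypp.conf that only has a [main] section; the sample files it creates are constructed for the stand-alone run.

```shell
#!/usr/bin/env bash
# Added audit example (not from the CIS benchmark or libzypp).
# Assumptions: last active assignment wins; [section] headers are ignored.

zypp_only_requires_value() {
    # Print the value of the last active "solver.onlyRequires = ..." line in $1,
    # lower-cased, or "unset" if no active assignment exists.
    awk -F= '
        /^[[:space:]]*[#;]/ { next }                       # skip comment lines
        {
            key = $1; sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
            if (key == "solver.onlyRequires") {
                val = $2; sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
                last = tolower(val)                         # later lines override earlier ones
            }
        }
        END { print (last == "" ? "unset" : last) }
    ' "$1"
}

zypp_only_requires_compliant() {
    # Return 0 when the file in $1 effectively sets solver.onlyRequires to true.
    [ "$(zypp_only_requires_value "$1")" = "true" ]
}

# Constructed sample files (not real system configuration) for a stand-alone run:
#   compliant  - commented default followed by an active "true"
#   commented  - only a commented-out line, so the setting is effectively unset
#   overridden - an active "true" later overridden by "False"
sample_dir=$(mktemp -d)
printf '%s\n' '[main]' '# solver.onlyRequires = false' 'solver.onlyRequires = true' > "$sample_dir/compliant.conf"
printf '%s\n' '[main]' '## solver.onlyRequires = true' 'download.use_deltarpm = true' > "$sample_dir/commented.conf"
printf '%s\n' '[main]' 'solver.onlyRequires = true' 'solver.onlyRequires = False' > "$sample_dir/overridden.conf"

for f in compliant commented overridden; do
    if zypp_only_requires_compliant "$sample_dir/$f.conf"; then
        printf '%s: PASS (%s)\n' "$f" "$(zypp_only_requires_value "$sample_dir/$f.conf")"
    else
        printf '%s: FAIL (%s)\n' "$f" "$(zypp_only_requires_value "$sample_dir/$f.conf")"
    fi
done
rm -rf "$sample_dir"
```

On a live system, run zypp_only_requires_compliant /etc/zypp/zypp.conf and treat a non-zero exit as an audit failure; the value function is what you would log, since "unset" and "false" both fail but call for different remediation (append versus in-place edit, exactly the two branches of the script above).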

Impact:

Software management on SUSE offers "patterns" to install groups of related packages (e.g. "Software Management", "GNOME Desktop Environment", etc.). These patterns are implemented via the use of Requires, Recommends and Suggests. Disabling the installation of weak dependencies can thus change which packages are installed when you install a pattern.

See Also

https://workbench.cisecurity.org/benchmarks/26236

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: 5b4b523964a675b736e97e5e285cea06348e15dfc76bcd10dc44e74e5fea2a58