From 006da8b647012e534b7436676dfeef5ecf8bbe16 Mon Sep 17 00:00:00 2001
From: David du Colombier
Date: Fri, 1 Aug 2025 10:32:36 +0200
Subject: [PATCH 1/2] [AGENTLESS] Remove previously installed kernels after security upgrades
This change adds "apt autoremove" after running unattended upgrades in deployment scripts, so it removes previously installed kernels after security upgrades. It should prevent the Agentless Scanner to report unused kernel packages in SBOM, thus preventing the vulnerability product to report vulnerabilities for them.
---
 aws_quickstart/datadog_agentless_scanning.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/aws_quickstart/datadog_agentless_scanning.yaml b/aws_quickstart/datadog_agentless_scanning.yaml
index d8c51479..b714e53c 100644
--- a/aws_quickstart/datadog_agentless_scanning.yaml
+++ b/aws_quickstart/datadog_agentless_scanning.yaml
@@ -333,6 +333,9 @@ Resources:
 # Perform unattended upgrades
 unattended-upgrade -v
+ # Remove previously installed kernels after security upgrades
+ apt autoremove -y --purge
+
 # Get IMDS metadata to fetch the API Key from SecretsManager (without having to install awscli)
 IMDS_TOKEN=$( curl -sSL -XPUT "http://169.254.169.254/latest/api/token" -H "X-AWS-EC2-Metadata-Token-TTL-Seconds: 30")
 IMDS_INSTANCE_ID=$(curl -sSL -XGET "http://169.254.169.254/latest/meta-data/instance-id" -H "X-AWS-EC2-Metadata-Token: $IMDS_TOKEN")
From 47386a31593fee18266c00580d26841f9e0915d2 Mon Sep 17 00:00:00 2001
From: Pierre Guilleminot
Date: Mon, 4 Aug 2025 13:43:03 +0200
Subject: [PATCH 2/2] configure unattended-upgrade to also autoremove
---
 aws_quickstart/datadog_agentless_scanning.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/aws_quickstart/datadog_agentless_scanning.yaml b/aws_quickstart/datadog_agentless_scanning.yaml
index b714e53c..755b94c8 100644
--- a/aws_quickstart/datadog_agentless_scanning.yaml
+++ b/aws_quickstart/datadog_agentless_scanning.yaml
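Review bot: The added `apt autoremove -y --purge` line uses the `apt` front end, which warns that its command-line interface is not stable for scripts; in a user-data script the scriptable form is `apt-get autoremove -y --purge`. The comment above it speaks of kernels only, but `autoremove --purge` removes and purges the configuration of every auto-installed package nothing depends on any more, so it should read something like `# Remove auto-installed packages no longer needed (including superseded kernels) after the upgrade`. Whether `DEBIAN_FRONTEND=noninteractive` is exported earlier in the script is not visible in the hunk; if it is not, setting it on this line avoids a dpkg prompt blocking first boot. The user-data script this hunk sits in begins and ends outside the hunk.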
@@ -25,7 +25,7 @@ Parameters:
 Type: String
 Description: Your current AWS account ID for stack deployment
 AllowedPattern: "^[0-9]{12}$"
-
+
 AgentlessHostScanning:
 Type: String
 AllowedValues:
@@ -377,6 +377,8 @@ Resources:
 Unattended-Upgrade::Automatic-Reboot "true";
 Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
 Unattended-Upgrade::Automatic-Reboot-Time "now";
+ Unattended-Upgrade::Remove-Unused-Dependencies "true";
+ Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
 EOF
 # Perform unattended upgrades 10 min after boot, then every 3 hours
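Review bot: `Unattended-Upgrade::Remove-Unused-Dependencies "true";` in the second hunk is broader than the kernel clean-up the series describes: on every scheduled run it autoremoves any auto-installed package that is no longer a dependency, not just packages orphaned by that run. If the goal is limited to superseded kernels, `Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";` alone covers it, and `Unattended-Upgrade::Remove-New-Unused-Dependencies "true";` is the narrower setting for dependencies made unused by the upgrade itself. Judging by the line numbers, this configuration appears to be written after the first-boot `unattended-upgrade -v` run in the same script, so these directives would not apply to that run and the explicit autoremove from the first patch remains the only clean-up there; worth confirming in the full file. The heredoc that writes this configuration starts outside the hunk.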