
Specify platform specific packages for xwindows_remove_packages rule #12853

Status: Open. Wants to merge 2 commits into base: master

Conversation

teacup-on-rockingchair (Contributor)

Description:

  • Specify SLE12/SLE15 platform specific packages for xwindows_remove_packages rule

Rationale:

@teacup-on-rockingchair teacup-on-rockingchair added Ansible Ansible remediation update. OVAL OVAL update. Related to the systems assessments. Bash Bash remediation update. SLES SUSE Linux Enterprise Server product related. Update Rule Issues or pull requests related to Rules updates. labels Jan 19, 2025


This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages'.
--- xccdf_org.ssgproject.content_rule_xwindows_remove_packages
+++ xccdf_org.ssgproject.content_rule_xwindows_remove_packages
@@ -3,15 +3,13 @@
 Disable graphical user interface
 
 [description]:
-By removing the following packages,  the system no longer has X Windows installed.
-
-xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
+By removing the following packages, the system no longer has X Windows installed.
+['xorg-x11-server-Xorg', 'xorg-x11-server-common', 'xorg-x11-server-utils', 'xorg-x11-server-Xwayland']
 
 If X Windows is not installed then the system cannot boot into graphical user mode.
 This prevents the system from being accidentally or maliciously booted into a graphical.target
 mode. To do so, run the following command:
-
-sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
+sudo yum remove ['xorg-x11-server-Xorg', 'xorg-x11-server-common', 'xorg-x11-server-utils', 'xorg-x11-server-Xwayland']
 
 [warning]:
 The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your
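Review bot: The rewritten description renders the package list as a Python list literal, `['xorg-x11-server-Xorg', 'xorg-x11-server-common', 'xorg-x11-server-utils', 'xorg-x11-server-Xwayland']`, and the same literal lands in the remediation command, `sudo yum remove ['xorg-x11-server-Xorg', ...]`, which is not a valid yum invocation; the old text listed the names space-separated. Join the package variable with spaces before rendering, and keep the blank line that previously set the package list and the command apart from the surrounding sentences, so the user-facing text stays copy-pasteable.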
@@ -42,8 +40,8 @@
 SV-230553r1017315_rule
 
 [rationale]:
-Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security
-vulnerabilities and should not be installed unless approved and documented.
+Unnecessary service packages must not be installed to decrease the attack surface of the system.
+X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.
 
 [ident]:
 CCE-83411-9

OVAL for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages' differs.
--- oval:ssg-xwindows_remove_packages:def:1
+++ oval:ssg-xwindows_remove_packages:def:1
@@ -1,5 +1,5 @@
 criteria AND
-criterion oval:ssg-package_xorg-x11-server-Xorg_removed:tst:1
-extend_definition oval:ssg-package_xorg-x11-server-common_removed:def:1
-criterion oval:ssg-package_xorg-x11-server-utils_removed:tst:1
-criterion oval:ssg-package_xorg-x11-server-Xwayland_removed:tst:1
+criterion oval:ssg-test_package_xorg-x11-server-Xorg_removed:tst:1
+criterion oval:ssg-test_package_xorg-x11-server-common_removed:tst:1
+criterion oval:ssg-test_package_xorg-x11-server-utils_removed:tst:1
+criterion oval:ssg-test_package_xorg-x11-server-Xwayland_removed:tst:1
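Review bot: The four criteria now point at tests named `oval:ssg-test_package_<pkg>_removed:tst:1`, whereas the old definition referenced `oval:ssg-package_<pkg>_removed:tst:1` and, for xorg-x11-server-common, an `extend_definition` instead of a criterion. The uniform shape is an improvement, but since the referenced ids changed, please confirm the generated tests actually carry the new `test_package_` prefix; otherwise the definition references tests that do not exist and the check cannot evaluate.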

OCIL for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages' differs.
--- ocil:ssg-xwindows_remove_packages_ocil:questionnaire:1
+++ ocil:ssg-xwindows_remove_packages_ocil:questionnaire:1
@@ -1,7 +1,5 @@
 To ensure the X Windows package group is removed, run the following command:
-
-$ rpm -qi xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
-
+$ rpm -qi ['xorg-x11-server-Xorg', 'xorg-x11-server-common', 'xorg-x11-server-utils', 'xorg-x11-server-Xwayland']
 For each package mentioned above you should receive following line:
 package <package> is not installed
       Is it the case that xorg related packages are not removed and run level is not correctly configured?
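Review bot: The questionnaire has the same list-literal problem as the description: `$ rpm -qi ['xorg-x11-server-Xorg', 'xorg-x11-server-common', ...]` is not a command an auditor can run, and the blank lines that set the command apart from the instruction text were dropped. Render the names space-separated as before, e.g. `$ rpm -qi xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland`.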

bash remediation for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages' differs.
--- xccdf_org.ssgproject.content_rule_xwindows_remove_packages
+++ xccdf_org.ssgproject.content_rule_xwindows_remove_packages
@@ -1,14 +1,20 @@
+
+
+
 
 
 # remove packages
+
 if rpm -q --quiet "xorg-x11-server-Xorg" ; then
 yum remove -y "xorg-x11-server-Xorg"
 fi
+
+if rpm -q --quiet "xorg-x11-server-common" ; then
+yum remove -y "xorg-x11-server-common"
+fi
+
 if rpm -q --quiet "xorg-x11-server-utils" ; then
 yum remove -y "xorg-x11-server-utils"
-fi
-if rpm -q --quiet "xorg-x11-server-common" ; then
-yum remove -y "xorg-x11-server-common"
 fi
 
 if rpm -q --quiet "xorg-x11-server-Xwayland" ; then
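Review bot: The generated script now starts with three extra empty lines and gains another before each `if rpm -q --quiet ...` block, which looks like whitespace leaking from the per-package expansion; trim it so the remediation does not open with blank lines. The reordering (xorg-x11-server-common now handled before xorg-x11-server-utils) is harmless because each `rpm -q` / `yum remove -y` block is independent.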

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages' differs.
--- xccdf_org.ssgproject.content_rule_xwindows_remove_packages
+++ xccdf_org.ssgproject.content_rule_xwindows_remove_packages
@@ -1,10 +1,6 @@
-- name: Ensure xorg packages are removed
+- name: Ensure xorg-x11-server-Xorg is removed
   package:
-    name:
-    - xorg-x11-server-Xorg
-    - xorg-x11-server-common
-    - xorg-x11-server-utils
-    - xorg-x11-server-Xwayland
+    name: xorg-x11-server-Xorg
     state: absent
   tags:
   - CCE-83411-9
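Review bot: Replacing the single `package` task that took a list under `name:` with one task per package means the nine-line `tags:` block is copied for every package (the following hunk adds it three more times), which is the duplication the review comment raises. The `package` module already accepts a list for `name`, so either keep one task with the platform-specific list rendered under `name:`, or use one task with `loop:` over the package variable; both keep the tags in one place while still letting each product supply its own packages.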
@@ -16,3 +12,48 @@
   - reboot_required
   - restrict_strategy
   - xwindows_remove_packages
+
+- name: Ensure xorg-x11-server-common is removed
+  package:
+    name: xorg-x11-server-common
+    state: absent
+  tags:
+  - CCE-83411-9
+  - DISA-STIG-RHEL-08-040320
+  - NIST-800-53-CM-6(b)
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+  - xwindows_remove_packages
+
+- name: Ensure xorg-x11-server-utils is removed
+  package:
+    name: xorg-x11-server-utils
+    state: absent
+  tags:
+  - CCE-83411-9
+  - DISA-STIG-RHEL-08-040320
+  - NIST-800-53-CM-6(b)
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+  - xwindows_remove_packages
+
+- name: Ensure xorg-x11-server-Xwayland is removed
+  package:
+    name: xorg-x11-server-Xwayland
+    state: absent
+  tags:
+  - CCE-83411-9
+  - DISA-STIG-RHEL-08-040320
+  - NIST-800-53-CM-6(b)
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+  - xwindows_remove_packages

anaconda remediation for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages' differs.
--- xccdf_org.ssgproject.content_rule_xwindows_remove_packages
+++ xccdf_org.ssgproject.content_rule_xwindows_remove_packages
@@ -1,2 +1,14 @@
 
-package --remove=xorg-x11-server-Xorg --remove=xorg-x11-server-common --remove=xorg-x11-server-utils --remove=xorg-x11-server-Xwayland
+
+
+
+
+# remove packages
+
+package --remove=package
+
+package --remove=package
+
+package --remove=package
+
+package --remove=package
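Review bot: The generated kickstart lines read `package --remove=package` four times: the per-package variable is not being substituted, so the literal string "package" replaces xorg-x11-server-Xorg, xorg-x11-server-common, xorg-x11-server-utils and xorg-x11-server-Xwayland, and the remediation would attempt to remove a package named "package" rather than the X server packages. The old single line `package --remove=xorg-x11-server-Xorg --remove=xorg-x11-server-common --remove=xorg-x11-server-utils --remove=xorg-x11-server-Xwayland` was correct; fix the variable reference in the anaconda remediation and drop the four leading blank lines.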


codeclimate bot commented Jan 19, 2025

Code Climate has analyzed commit a7c6f39 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).


@teacup-on-rockingchair teacup-on-rockingchair added this to the 0.1.76 milestone Jan 20, 2025
@jan-cerny jan-cerny (Collaborator) left a comment

I think that this is a lot of code duplication. You should centralize the definition of the xwindows_packages to a single place. That will make it easier to change or extend in future. I suggest defining it as a product property.

@jan-cerny jan-cerny self-assigned this Jan 20, 2025
Successfully merging this pull request may close these issues.

Review packages in xwindows_remove_packages rule