Specify platform specific packages for xwindows_remove_packages rule #12853

Open
wants to merge 5 commits into base: master
1 change: 0 additions & 1 deletion controls/cis_slmicro5.yml
@@ -545,7 +545,6 @@ controls:
The rule also configures correct run level to prevent unbootable system.
rules:
- package_xorg-x11-server-common_removed
- xwindows_remove_packages

- id: 2.2.3
title: Ensure Avahi Server is not installed
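Review bot: dropping xwindows_remove_packages from this control leaves the description line above ("The rule also configures correct run level to prevent unbootable system.") pointing at a rule that is no longer listed; either reword that sentence for package_xorg-x11-server-common_removed or state in the PR why slmicro5 loses the X Windows rule, since the diff adds xwindows_packages overrides for ol7, sle12 and sle15 but none for slmicro5 and returns the rule's cce@slmicro5 to the available pool.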
Original file line number Diff line number Diff line change
@@ -1,3 +1,6 @@
# platform = multi_platform_all

package --remove=xorg-x11-server-Xorg --remove=xorg-x11-server-common --remove=xorg-x11-server-utils {{{ "--remove=xorg-x11-server-Xwayland" if product not in ["ol7"] }}}
# remove packages
{{% for package in xwindows_packages %}}
package --remove={{{ package }}}
{{% endfor %}}
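Review bot: the loop emits one `package --remove=...` line per package where the old code emitted a single `package` line carrying several `--remove` options; please confirm the kickstart fix handling merges repeated `package` lines, otherwise keep the one-line form by moving the loop inside it, e.g. `package{{% for package in xwindows_packages %}} --remove={{{ package }}}{{% endfor %}}`.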
Original file line number Diff line number Diff line change
@@ -1,16 +1,12 @@
# platform = Red Hat Enterprise Linux 8,multi_platform_ol
# platform = Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_sle
# reboot = true
# strategy = restrict
# complexity = low
# disruption = low

- name: Ensure xorg packages are removed
{{% for package in xwindows_packages %}}
- name: Ensure {{{ package }}} is removed
package:
name:
- xorg-x11-server-Xorg
- xorg-x11-server-common
- xorg-x11-server-utils
{{% if product not in ["ol7"] %}}
- xorg-x11-server-Xwayland
{{% endif %}}
name: {{{ package }}}
state: absent
{{% endfor %}}
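Review bot: the task name and `name: {{{ package }}}` are rendered unquoted; the current lists are plain identifiers, but quoting both (`- name: "Ensure {{{ package }}} is removed"` and `name: "{{{ package }}}"`) keeps the generated YAML valid if a product list ever carries a value YAML treats specially. Adding multi_platform_sle to the platform line while cis_slmicro5 drops the rule is presumably intentional, but worth a sentence in the PR description.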
Original file line number Diff line number Diff line change
@@ -4,11 +4,7 @@
# complexity = low
# disruption = low


# remove packages
{{{ bash_package_remove("xorg-x11-server-Xorg") }}}
{{{ bash_package_remove("xorg-x11-server-utils") }}}
{{{ bash_package_remove("xorg-x11-server-common") }}}
{{% if product not in ["ol7"] %}}
{{{ bash_package_remove("xorg-x11-server-Xwayland") }}}
{{% endif %}}
{{% for package in xwindows_packages %}}
{{{ bash_package_remove(package) }}}
{{% endfor %}}
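Review bot: the two consecutive blank lines left between `# disruption = low` and the new `# remove packages` comment should be collapsed to one; apart from that the loop is a straight replacement of the hardcoded calls, with the former ol7 special case now coming from products/ol7/product.yml.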
Original file line number Diff line number Diff line change
@@ -1,24 +1,25 @@

{{% if product in ["sle12", "sle15"] %}}
{{% set xwindows_packages = ['xorg-x11-server', 'xorg-x11-server-extra', 'xorg-x11-server-Xvfb', 'xwayland'] %}}
{{% elif 'ol7' in product %}}
{{% set xwindows_packages = ['xorg-x11-server-Xorg', 'xorg-x11-server-common', 'xorg-x11-server-utils'] %}}
{{% else %}}
{{% set xwindows_packages = ['xorg-x11-server-Xorg', 'xorg-x11-server-common', 'xorg-x11-server-utils', 'xorg-x11-server-Xwayland'] %}}
{{% endif %}}

<def-group>
<definition class="compliance" id="xwindows_remove_packages" version="1">
{{{ oval_metadata("Ensure that the default runlevel target is set to multi-user.target.") }}}
<criteria>
<criterion comment="package xorg-x11-server-Xorg is not installed"
test_ref="package_xorg-x11-server-Xorg_removed" />
<extend_definition comment="package xorg-x11-server-common is removed"
definition_ref="package_xorg-x11-server-common_removed" />
<criterion comment="package xorg-x11-server-utils is removed"
test_ref="package_xorg-x11-server-utils_removed" />
{{% if product not in ["ol7"] %}}
<criterion comment="package xorg-x11-server-Xwayland is removed"
test_ref="package_xorg-x11-server-Xwayland_removed" />
{{% endif %}}
</criteria>
<criteria operator="AND" comment="Make sure all xwindows packages are removed">
{{% for package in xwindows_packages %}}
<criterion comment="package {{{ package }}} is removed"
test_ref="test_package_{{{ package }}}_removed" />
{{% endfor %}}
</criteria>
</definition>

{{{ oval_test_package_removed(package='xorg-x11-server-Xorg', test_id='package_xorg-x11-server-Xorg_removed') }}}
{{{ oval_test_package_removed(package='xorg-x11-server-utils', test_id='package_xorg-x11-server-utils_removed') }}}
{{% if product not in ["ol7"] %}}
{{{ oval_test_package_removed(package='xorg-x11-server-Xwayland', test_id='package_xorg-x11-server-Xwayland_removed') }}}
{{% endif %}}
{{% for package in xwindows_packages %}}
{{{ oval_test_package_removed(package=package, test_id="test_package_" + package + "_removed") }}}
{{% endfor %}}

</def-group>
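Review bot: the `{{% set xwindows_packages = ... %}}` block at the top duplicates the lists now defined in products/ol7, sle12 and sle15 product.yml and in DEFAULT_XWINDOWS_PACKAGES, and it shadows the product property that the bash, ansible, kickstart and test content rely on, so the check and the remediations can drift apart; drop the local `set` (and the `'ol7' in product` substring test) and let the OVAL read the same `xwindows_packages` property. Generating a local `test_package_<name>_removed` test for xorg-x11-server-common instead of the old `extend_definition` is fine, since the `test_` prefix keeps the ids distinct from the package_removed template ids.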
Original file line number Diff line number Diff line change
@@ -1,27 +1,27 @@
documentation_complete: true
{{% if product in ["sle12", "sle15"] %}}
{{% set xwindows_packages = ['xorg-x11-server', 'xorg-x11-server-extra', 'xorg-x11-server-Xvfb', 'xwayland'] %}}
{{% elif 'ol7' in product %}}
{{% set xwindows_packages = ['xorg-x11-server-Xorg', 'xorg-x11-server-common', 'xorg-x11-server-utils'] %}}
{{% else %}}
{{% set xwindows_packages = ['xorg-x11-server-Xorg', 'xorg-x11-server-common', 'xorg-x11-server-utils', 'xorg-x11-server-Xwayland'] %}}
{{% endif %}}

documentation_complete: true

title: 'Disable graphical user interface'

description: |-
By removing the following packages, the system no longer has X Windows installed.
{{% if product in ["ol7"] %}}
<tt>xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils</tt>
{{% else %}}
<tt>xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland</tt>
{{% endif %}}
By removing the following packages, the system no longer has X Windows installed.
<tt>{{{ xwindows_packages }}}</tt>

If X Windows is not installed then the system cannot boot into graphical user mode.
This prevents the system from being accidentally or maliciously booted into a <tt>graphical.target</tt>
mode. To do so, run the following command:
{{% if product in ["ol7"] %}}
<pre>sudo {{{ pkg_manager }}} remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils</pre>
{{% else %}}
<pre>sudo {{{ pkg_manager }}} remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland</pre>
{{% endif %}}
<pre>sudo {{{ pkg_manager }}} remove {{{ xwindows_packages }}}</pre>

rationale: |-
Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security
vulnerabilities and should not be installed unless approved and documented.
Unnecessary service packages must not be installed to decrease the attack surface of the system.
X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.

severity: medium

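Review bot: `<tt>{{{ xwindows_packages }}}</tt>` and `remove {{{ xwindows_packages }}}` render the Python list repr (`['xorg-x11-server-Xorg', ...]`, with brackets, quotes and commas) instead of the space-separated names the old text showed, so both the description and the command the reader is told to run are wrong; use `{{{ xwindows_packages | join(" ") }}}` in both places. The `{{% set %}}` block before `documentation_complete` has the same duplication problem as the one in the OVAL: the lists already live in product.yml, so it can go.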
@@ -31,7 +31,6 @@ identifiers:
cce@rhel10: CCE-88391-8
cce@sle12: CCE-92242-7
cce@sle15: CCE-91362-4
cce@slmicro5: CCE-93873-8

references:
cis@sle12: 2.2.2
@@ -48,21 +47,13 @@ ocil_clause: 'xorg related packages are not removed and run level is not correct

ocil: |-
To ensure the X Windows package group is removed, run the following command:
{{% if product in ["ol7"] %}}
<pre>$ rpm -qi xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils</pre>
{{% else %}}
<pre>$ rpm -qi xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland</pre>
{{% endif %}}
<pre>$ rpm -qi {{{ xwindows_packages }}}</pre>
For each <tt>package</tt> mentioned above you should receive following line:
<pre>package &lt;package&gt; is not installed</pre>

fixtext: |-
To ensure the X Windows package group is removed, run the following command:
{{% if product in ["ol7"] %}}
<pre>$ sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils</pre>
{{% else %}}
{{{ package_remove("xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland") }}}
{{% endif %}}
{{{ package_remove(xwindows_packages) }}}

srg_requirement: '{{{ full_name }}} Must Be Configured In Accordance With The Security Configuration Settings Based On Dod Security Configuration Or Implementation Guidance, Including Stigs, Nsa Configuration Guides, Ctos, And Dtms.'

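Review bot: `rpm -qi {{{ xwindows_packages }}}` has the same list-rendering problem as the description (brackets and quotes end up in the command), and `package_remove(xwindows_packages)` now receives a list where the previous call passed a space-separated string; join with `{{{ xwindows_packages | join(" ") }}}` in both, unless the macro is known to accept a list.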
Original file line number Diff line number Diff line change
@@ -1,8 +1,6 @@
#!/bin/bash

{{{ bash_package_install("xorg-x11-server-Xorg") }}}
{{{ bash_package_install("xorg-x11-server-utils") }}}
{{{ bash_package_install("xorg-x11-server-common") }}}
{{% if product not in ["ol7"] %}}
{{{ bash_package_install("xorg-x11-server-Xwayland") }}}
{{% endif %}}
# install packages
{{% for package in xwindows_packages %}}
{{{ bash_package_install(package) }}}
{{% endfor %}}
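Review bot: the loop is a direct replacement of the hardcoded installs, but note that the test now installs every package in the product's list unconditionally, so on sle12 and sle15 it depends on `xwayland` and `xorg-x11-server-extra` being installable from the test environment's repositories.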
Original file line number Diff line number Diff line change
@@ -1,16 +1,12 @@
#!/bin/bash
# based on shared/templates/package_removed/tests/package-installed-removed.pass.sh

{{{ bash_package_install("xorg-x11-server-Xorg") }}}
{{{ bash_package_install("xorg-x11-server-utils") }}}
{{{ bash_package_install("xorg-x11-server-common") }}}
{{% if product not in ["ol7"] %}}
{{{ bash_package_install("xorg-x11-server-Xwayland") }}}
{{% endif %}}
# install packages
{{% for package in xwindows_packages %}}
{{{ bash_package_install(package) }}}
{{% endfor %}}

{{{ bash_package_remove("xorg-x11-server-Xorg") }}}
{{{ bash_package_remove("xorg-x11-server-utils") }}}
{{{ bash_package_remove("xorg-x11-server-common") }}}
{{% if product not in ["ol7"] %}}
{{{ bash_package_remove("xorg-x11-server-Xwayland") }}}
{{% endif %}}
# remove packages
{{% for package in xwindows_packages %}}
{{{ bash_package_remove(package) }}}
{{% endfor %}}
Original file line number Diff line number Diff line change
@@ -1,8 +1,6 @@
#!/bin/bash

{{{ bash_package_remove("xorg-x11-server-Xorg") }}}
{{{ bash_package_remove("xorg-x11-server-utils") }}}
{{{ bash_package_remove("xorg-x11-server-common") }}}
{{% if product not in ["ol7"] %}}
{{{ bash_package_remove("xorg-x11-server-Xwayland") }}}
{{% endif %}}
# install packages
{{% for package in xwindows_packages %}}
{{{ bash_package_remove(package) }}}
{{% endfor %}}
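Review bot: the comment `# install packages` above the loop is wrong for this file: the loop calls `bash_package_remove`, so it should read `# remove packages`, matching the remediation and the pass test above.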
24 changes: 24 additions & 0 deletions linux_os/guide/services/xwindows/xwindows_base_packages.var
@@ -0,0 +1,24 @@
documentation_complete: true

title: 'SSH Approved ciphers by FIPS'

description: "Specify the FIPS approved ciphers that are used for data integrity protection by the SSH server."

type: string

operator: equals

interactive: false

options:
stig: aes256-ctr,aes192-ctr,aes128-ctr
stig_extended: aes256-ctr,aes192-ctr,aes128-ctr,[email protected],[email protected]
stig_rhel9: [email protected],[email protected],aes256-ctr,[email protected],aes128-ctr
default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,[email protected]
cis_rhel8: -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,[email protected]
cis_rhel9: -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,[email protected]
cis_sle12: [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
cis_sle15: [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
cis_ubuntu: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
stig_ubuntu2204: aes256-ctr,[email protected],aes192-ctr,aes128-ctr,[email protected]
stig_ol9: [email protected],aes256-ctr,[email protected],aes128-ctr
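Review bot: this new file does not match its name: linux_os/guide/services/xwindows/xwindows_base_packages.var carries the SSH approved-ciphers variable (title, description and cipher options) and nothing else in the diff references `xwindows_base_packages`; it looks like an accidental copy, so either delete it or replace its contents with the X Windows package list it is named for.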
4 changes: 4 additions & 0 deletions products/ol7/product.yml
@@ -46,3 +46,7 @@ platform_package_overrides:

reference_uris:
cis: 'https://www.cisecurity.org/benchmark/oracle_linux/'
xwindows_packages:
- xorg-x11-server-Xorg
- xorg-x11-server-common
- xorg-x11-server-utils
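Review bot: the list is appended after reference_uris at top level, which works, but placing it next to platform_package_overrides (the other package-related property in this file) would make it easier to find; the content itself matches the old `product not in ["ol7"]` branch, i.e. no Xwayland on ol7.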
5 changes: 5 additions & 0 deletions products/sle12/product.yml
@@ -44,3 +44,8 @@ reference_uris:
dconf_gdm_dir: "gdm.d"

sysctl_remediate_drop_in_file: "true"
xwindows_packages:
- xorg-x11-server
- xorg-x11-server-extra
- xorg-x11-server-Xvfb
- xwayland
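Review bot: please confirm `xwayland` and `xorg-x11-server-extra` are the package names shipped in the SLE 12 repositories; the rule's test scripts install every listed package with bash_package_install, so a name that does not exist on sle12 fails the tests rather than the check. The same list is added for sle15 below.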
5 changes: 5 additions & 0 deletions products/sle15/product.yml
@@ -50,3 +50,8 @@ dconf_gdm_dir: "gdm.d"

sysctl_remediate_drop_in_file: "true"
journald_conf_dir_path: /etc/systemd/journal.d
xwindows_packages:
- xorg-x11-server
- xorg-x11-server-extra
- xorg-x11-server-Xvfb
- xwayland
1 change: 1 addition & 0 deletions shared/references/cce-slmicro5-avail.txt
@@ -41,5 +41,6 @@ CCE-93830-8
CCE-93831-6
CCE-93832-4
CCE-93833-2
CCE-93873-8
CCE-94077-5
CCE-94079-1
5 changes: 4 additions & 1 deletion ssg/constants.py
@@ -462,7 +462,10 @@
DEFAULT_AUDISP_CONF_PATH = '/etc/audit'
DEFAULT_SYSCTL_REMEDIATE_DROP_IN_FILE = 'false'
DEFAULT_BOOTABLE_CONTAINERS_SUPPORTED = 'false'

DEFAULT_XWINDOWS_PACKAGES = [ 'xorg-x11-server-Xorg',
'xorg-x11-server-common',
'xorg-x11-server-utils',
'xorg-x11-server-Xwayland']

# Constants for OVAL object model
STR_TO_BOOL = {
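Review bot: style: `[ 'xorg-x11-server-Xorg',` has a space after the opening bracket (flake8 E201) and the continuation lines are aligned to it; write the list one item per line with a four-space hanging indent to match PEP 8 and the surrounding constants.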
4 changes: 4 additions & 0 deletions ssg/products.py
@@ -21,6 +21,7 @@
DEFAULT_FAILLOCK_PATH,
DEFAULT_SYSCTL_REMEDIATE_DROP_IN_FILE,
DEFAULT_BOOTABLE_CONTAINERS_SUPPORTED,
DEFAULT_XWINDOWS_PACKAGES,
PKG_MANAGER_TO_SYSTEM,
PKG_MANAGER_TO_CONFIG_FILE,
XCCDF_PLATFORM_TO_PACKAGE,
@@ -119,6 +120,9 @@ def _get_implied_properties(existing_properties):
if "bootable_containers_supported" not in existing_properties:
result["bootable_containers_supported"] = DEFAULT_BOOTABLE_CONTAINERS_SUPPORTED

if "xwindows_packages" not in existing_properties:
result["xwindows_packages"] = DEFAULT_XWINDOWS_PACKAGES

return result


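Review bot: `result["xwindows_packages"] = DEFAULT_XWINDOWS_PACKAGES` assigns the shared module-level list object to every product without an override, so any later in-place change (append, sort) would alter the default for all products; assign a copy, `list(DEFAULT_XWINDOWS_PACKAGES)`.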