From 0c9c768e111f71e141a599053d2d6c4d3e56d5a1 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Thu, 6 May 2021 19:43:25 +0200

Subject: [PATCH] Add rules to remove setroubleshoot packages

Added rules to remove setroubleshoot-plugins and server.

---

 controls/anssi.yml                            |  2 ++

 .../rule.yml                                  | 32 ++++++++++++++++++

 .../rule.yml                                  | 33 +++++++++++++++++++

 4 files changed, 67 insertions(+), 8 deletions(-)

 create mode 100644 linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml

 create mode 100644 linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml

diff --git a/controls/anssi.yml b/controls/anssi.yml

index 705f8e25aab..603f224ffaa 100644

--- a/controls/anssi.yml

+++ b/controls/anssi.yml

@@ -983,6 +983,8 @@ controls:

       on a machine in production.

     rules:

     - package_setroubleshoot_removed

+    - package_setroubleshoot-server_removed

+    - package_setroubleshoot-plugins_removed

   - id: R69

     level: high

diff --git a/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml

new file mode 100644

index 00000000000..d20c1116dc0

--- /dev/null

+++ b/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml

@@ -0,0 +1,32 @@

+documentation_complete: true

+

+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9

+

+title: 'Uninstall setroubleshoot-plugins Package'

+

+description: |-

+    The SETroubleshoot plugins are used to analyze SELinux AVC data. The service provides information around configuration errors,

+    unauthorized intrusions, and other potential errors.

+    {{{ describe_package_remove(package="setroubleshoot-plugins") }}}

+

+rationale: |-

+    The SETroubleshoot service is an unnecessary daemon to

+    have running on a server.

+

+severity: low

+

+identifiers:

+    cce@rhcos4: CCE-84091-8

+    cce@rhel7: CCE-84249-2

+    cce@rhel8: CCE-84250-0

+    cce@rhel9: CCE-84251-8

+

+references:

+    anssi: BP28(R68)

+

+{{{ complete_ocil_entry_package(package="setroubleshoot-plugins") }}}

+

+template:

+    name: package_removed

+    vars:

+        pkgname: setroubleshoot-plugins

diff --git a/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml

new file mode 100644

index 00000000000..c5fec06ddc5

--- /dev/null

+++ b/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml

@@ -0,0 +1,33 @@

+documentation_complete: true

+

+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9

+

+title: 'Uninstall setroubleshoot-server Package'

+

+description: |-

+    The SETroubleshoot service notifies desktop users of SELinux

+    denials. The service provides information around configuration errors,

+    unauthorized intrusions, and other potential errors.

+    {{{ describe_package_remove(package="setroubleshoot-server") }}}

+

+rationale: |-

+    The SETroubleshoot service is an unnecessary daemon to have

+    running on a server.

+

+severity: low

+

+identifiers:

+    cce@rhcos4: CCE-84093-4

+    cce@rhel7: CCE-83488-7

+    cce@rhel8: CCE-83490-3

+    cce@rhel9: CCE-84252-6

+

+references:

+    anssi: BP28(R68)

+

+{{{ complete_ocil_entry_package(package="setroubleshoot-server") }}}

+

+template:

+    name: package_removed

+    vars:

+        pkgname: setroubleshoot-server