From 0c9c768e111f71e141a599053d2d6c4d3e56d5a1 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 6 May 2021 19:43:25 +0200 Subject: [PATCH] Add rules to remove setroubleshoot packages Added rules to remove setroubleshoot-plugins and server. --- controls/anssi.yml | 2 ++ .../rule.yml | 32 ++++++++++++++++++ .../rule.yml | 33 +++++++++++++++++++ 4 files changed, 67 insertions(+), 8 deletions(-) create mode 100644 linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml create mode 100644 linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml diff --git a/controls/anssi.yml b/controls/anssi.yml index 705f8e25aab..603f224ffaa 100644 --- a/controls/anssi.yml +++ b/controls/anssi.yml @@ -983,6 +983,8 @@ controls: on a machine in production. rules: - package_setroubleshoot_removed + - package_setroubleshoot-server_removed + - package_setroubleshoot-plugins_removed - id: R69 level: high diff --git a/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml new file mode 100644 index 00000000000..d20c1116dc0 --- /dev/null +++ b/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml 
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9
+
+title: 'Uninstall setroubleshoot-plugins Package'
+
+description: |-
+ The SETroubleshoot plugins are used to analyze SELinux AVC data. The service provides information around configuration errors,
+ unauthorized intrusions, and other potential errors.
+ {{{ describe_package_remove(package="setroubleshoot-plugins") }}}
+
+rationale: |-
+ The SETroubleshoot service is an unnecessary daemon to
+ have running on a server.
+
+severity: low
+
+identifiers:
+ cce@rhcos4: CCE-84091-8
+ cce@rhel7: CCE-84249-2
+ cce@rhel8: CCE-84250-0
+ cce@rhel9: CCE-84251-8
+
+references:
+ anssi: BP28(R68)
+
+{{{ complete_ocil_entry_package(package="setroubleshoot-plugins") }}}
+
+template:
+ name: package_removed
+ vars:
+ pkgname: setroubleshoot-plugins
diff --git a/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml
new file mode 100644
index 00000000000..c5fec06ddc5
--- /dev/null
+++ b/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml
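Review bot: The `rationale` in package_setroubleshoot-plugins_removed/rule.yml describes a daemon ("The SETroubleshoot service is an unnecessary daemon to have running on a server"), but this rule removes the plugins package, which the description itself says is used to analyze SELinux AVC data. The second description sentence ("The service provides information around configuration errors, ...") looks carried over from the service rule in the same way. I would reword the rationale to match the package being checked, for example `The SETroubleshoot plugins are only used by the SETroubleshoot analysis service and are not needed on a production server.` The first description line is also much longer than its neighbours and should be wrapped.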
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9
+
+title: 'Uninstall setroubleshoot-server Package'
+
+description: |-
+ The SETroubleshoot service notifies desktop users of SELinux
+ denials. The service provides information around configuration errors,
+ unauthorized intrusions, and other potential errors.
+ {{{ describe_package_remove(package="setroubleshoot-server") }}}
+
+rationale: |-
+ The SETroubleshoot service is an unnecessary daemon to have
+ running on a server.
+
+severity: low
+
+identifiers:
+ cce@rhcos4: CCE-84093-4
+ cce@rhel7: CCE-83488-7
+ cce@rhel8: CCE-83490-3
+ cce@rhel9: CCE-84252-6
+
+references:
+ anssi: BP28(R68)
+
+{{{ complete_ocil_entry_package(package="setroubleshoot-server") }}}
+
+template:
+ name: package_removed
+ vars:
+ pkgname: setroubleshoot-server
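Review bot: The `rationale` of package_setroubleshoot-server_removed/rule.yml says only that the daemon is unnecessary and does not tell an operator what is lost: once the package is gone, the human-readable explanations of AVC denials go with it and triage falls back to the raw audit records. A sentence such as `SELinux denials are still written to the audit log and can be reviewed there (for example with ausearch -m AVC).` would make that explicit. This assumes auditd is running on the target, which the rule does not check. Separately, the diffstat lists 4 files and 8 deletions while only three files are visible here, so the removal of the eight assigned CCEs from the available pool (presumably the fourth file) cannot be confirmed from this page.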