Specify platform specific packages for xwindows_remove_packages rule #12853
base: master
Conversation
This datastream diff is auto generated by the check.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages'.
--- xccdf_org.ssgproject.content_rule_xwindows_remove_packages
+++ xccdf_org.ssgproject.content_rule_xwindows_remove_packages
@@ -3,15 +3,13 @@
Disable graphical user interface
[description]:
-By removing the following packages, the system no longer has X Windows installed.
-
-xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
+By removing the following packages, the system no longer has X Windows installed.
+['xorg-x11-server-Xorg', 'xorg-x11-server-common', 'xorg-x11-server-utils', 'xorg-x11-server-Xwayland']
If X Windows is not installed then the system cannot boot into graphical user mode.
This prevents the system from being accidentally or maliciously booted into a graphical.target
mode. To do so, run the following command:
-
-sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
+sudo yum remove ['xorg-x11-server-Xorg', 'xorg-x11-server-common', 'xorg-x11-server-utils', 'xorg-x11-server-Xwayland']
[warning]:
The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your
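Review bot: the rendered description now contains a Python list literal where a package list belongs, both on its own line (`['xorg-x11-server-Xorg', 'xorg-x11-server-common', ...]`) and inside the command (`sudo yum remove ['xorg-x11-server-Xorg', ...]`), so the command a user is told to run is not valid shell. The new product-level variable has to be joined into a space-separated string in the template (the `join(' ')` filter) before it is interpolated into the description.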
@@ -42,8 +40,8 @@
SV-230553r1017315_rule
[rationale]:
-Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security
-vulnerabilities and should not be installed unless approved and documented.
+Unnecessary service packages must not be installed to decrease the attack surface of the system.
+X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.
[ident]:
CCE-83411-9
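Review bot: this hunk only rewraps the rationale sentence onto two lines; the wording is unchanged. If the rewrap is a side effect of moving the text into the new template rather than an intended edit, keep the rationale byte-identical so the datastream does not churn for unrelated rules.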
OVAL for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages' differs.
--- oval:ssg-xwindows_remove_packages:def:1
+++ oval:ssg-xwindows_remove_packages:def:1
@@ -1,5 +1,5 @@
criteria AND
-criterion oval:ssg-package_xorg-x11-server-Xorg_removed:tst:1
-extend_definition oval:ssg-package_xorg-x11-server-common_removed:def:1
-criterion oval:ssg-package_xorg-x11-server-utils_removed:tst:1
-criterion oval:ssg-package_xorg-x11-server-Xwayland_removed:tst:1
+criterion oval:ssg-test_package_xorg-x11-server-Xorg_removed:tst:1
+criterion oval:ssg-test_package_xorg-x11-server-common_removed:tst:1
+criterion oval:ssg-test_package_xorg-x11-server-utils_removed:tst:1
+criterion oval:ssg-test_package_xorg-x11-server-Xwayland_removed:tst:1
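Review bot: the criterion for `xorg-x11-server-common` changes from `extend_definition oval:ssg-package_xorg-x11-server-common_removed:def:1` to a plain `criterion oval:ssg-test_package_xorg-x11-server-common_removed:tst:1`, and all four tests now use the `test_package_*_removed` naming. Confirm those tests are actually emitted for every package in the product-level list, including the SLE names (`xorg-x11-server-extra`, `xorg-x11-server-Xvfb`, `xwayland`); a definition that references a test which is not generated evaluates to error rather than pass/fail, which is worse than the old shared definition for `common`.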
OCIL for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages' differs.
--- ocil:ssg-xwindows_remove_packages_ocil:questionnaire:1
+++ ocil:ssg-xwindows_remove_packages_ocil:questionnaire:1
@@ -1,7 +1,5 @@
To ensure the X Windows package group is removed, run the following command:
-
-$ rpm -qi xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
-
+$ rpm -qi ['xorg-x11-server-Xorg', 'xorg-x11-server-common', 'xorg-x11-server-utils', 'xorg-x11-server-Xwayland']
For each package mentioned above you should receive following line:
package <package> is not installed
Is it the case that xorg related packages are not removed and run level is not correctly configured?
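Review bot: `$ rpm -qi ['xorg-x11-server-Xorg', ...]` is the same list-literal rendering problem as in the description; the OCIL check command must be a space-separated package list or the operator cannot paste it. The unchanged question on the last line still asks about run level although this rule only checks package removal; worth fixing while the questionnaire text is being regenerated.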
bash remediation for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages' differs.
--- xccdf_org.ssgproject.content_rule_xwindows_remove_packages
+++ xccdf_org.ssgproject.content_rule_xwindows_remove_packages
@@ -1,14 +1,16 @@
-
# remove packages
+
if rpm -q --quiet "xorg-x11-server-Xorg" ; then
yum remove -y "xorg-x11-server-Xorg"
fi
+
+if rpm -q --quiet "xorg-x11-server-common" ; then
+yum remove -y "xorg-x11-server-common"
+fi
+
if rpm -q --quiet "xorg-x11-server-utils" ; then
yum remove -y "xorg-x11-server-utils"
-fi
-if rpm -q --quiet "xorg-x11-server-common" ; then
-yum remove -y "xorg-x11-server-common"
fi
if rpm -q --quiet "xorg-x11-server-Xwayland" ; then
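Review bot: the bash remediation is functionally the same as before; the hunk only moves the `xorg-x11-server-common` block up and adds blank lines, and the diff is cut off after the Xwayland `if`. Since each package is removed in its own `yum remove -y` transaction, four runs for four packages, consider one `yum remove -y` over the joined list guarded by a single `rpm -q --quiet` loop; that halves the template noise and avoids a half-removed state if the run is interrupted between blocks.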
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages' differs.
--- xccdf_org.ssgproject.content_rule_xwindows_remove_packages
+++ xccdf_org.ssgproject.content_rule_xwindows_remove_packages
@@ -1,10 +1,6 @@
-- name: Ensure xorg packages are removed
+- name: Ensure xorg-x11-server-Xorg is removed
package:
- name:
- - xorg-x11-server-Xorg
- - xorg-x11-server-common
- - xorg-x11-server-utils
- - xorg-x11-server-Xwayland
+ name: xorg-x11-server-Xorg
state: absent
tags:
- CCE-83411-9
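Review bot: the single `package` task with a list under `name:` is replaced by one task per package. The `package` module accepts a list, so the previous form was one package-manager transaction and one tag block, while the new form is four of each. If the product-level `xwindows_packages` variable is used here, render it as the list for a single task rather than expanding the whole task once per element.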
@@ -16,3 +12,48 @@
- reboot_required
- restrict_strategy
- xwindows_remove_packages
+
+- name: Ensure xorg-x11-server-common is removed
+ package:
+ name: xorg-x11-server-common
+ state: absent
+ tags:
+ - CCE-83411-9
+ - DISA-STIG-RHEL-08-040320
+ - NIST-800-53-CM-6(b)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+ - xwindows_remove_packages
+
+- name: Ensure xorg-x11-server-utils is removed
+ package:
+ name: xorg-x11-server-utils
+ state: absent
+ tags:
+ - CCE-83411-9
+ - DISA-STIG-RHEL-08-040320
+ - NIST-800-53-CM-6(b)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+ - xwindows_remove_packages
+
+- name: Ensure xorg-x11-server-Xwayland is removed
+ package:
+ name: xorg-x11-server-Xwayland
+ state: absent
+ tags:
+ - CCE-83411-9
+ - DISA-STIG-RHEL-08-040320
+ - NIST-800-53-CM-6(b)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+ - xwindows_remove_packages
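Review bot: three near-identical tasks that differ only in the package name, each repeating the nine-line tag block. This is the duplication already noted in the discussion; one task whose `name:` carries the whole list keeps the tags in one place and makes adding a fifth package a one-line change.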
anaconda remediation for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages' differs.
--- xccdf_org.ssgproject.content_rule_xwindows_remove_packages
+++ xccdf_org.ssgproject.content_rule_xwindows_remove_packages
@@ -1,2 +1,10 @@
-package --remove=xorg-x11-server-Xorg --remove=xorg-x11-server-common --remove=xorg-x11-server-utils --remove=xorg-x11-server-Xwayland
+# remove packages
+
+package --remove=xorg-x11-server-Xorg
+
+package --remove=xorg-x11-server-common
+
+package --remove=xorg-x11-server-utils
+
+package --remove=xorg-x11-server-Xwayland |
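Review bot: `package --remove=` is now emitted once per package with a `# remove packages` header and blank lines, where the previous single line with repeated `--remove=` was equivalent. Confirm the anaconda backend accepts several `package` lines for one rule; if it does, the format change is harmless, but if it concatenates per-rule output there is no reason to deviate from the one-line form.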
I think that this is a lot of code duplication. You should centralize the definition of the xwindows_packages to a single place. That will make it easier to change or extend in future. I suggest defining it as a product property.
We don't have xorg or xwayland packages in the default repos there anyways
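The datastream diff above shows the failure mode of templating a package list: the variable is emitted as a Python list repr (`['xorg-x11-server-Xorg', ...]`) instead of a space-separated string, so the rendered `yum remove` and `rpm -qi` commands are not valid shell. The following is an added example, not code from the ComplianceAsCode project: a small lint that finds stray list literals in rendered rule text, joins them into a shell-safe package list, and rejects names that are not plausible RPM package names. The sample texts are constructed for the example; the function names and the package-name pattern are assumptions, not project conventions.

```python
import ast
import re
import shlex

# Constructed sample input (not taken from the datastream): a rule description as it
# appears when a templated package list is emitted raw, and the form the text should take.
RENDERED_BROKEN = (
    "By removing the following packages, the system no longer has X Windows installed.\n"
    "['xorg-x11-server-Xorg', 'xorg-x11-server-common']\n"
    "To do so, run the following command:\n"
    "sudo yum remove ['xorg-x11-server-Xorg', 'xorg-x11-server-common']\n"
)
RENDERED_OK = (
    "By removing the following packages, the system no longer has X Windows installed.\n"
    "xorg-x11-server-Xorg xorg-x11-server-common\n"
    "To do so, run the following command:\n"
    "sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common\n"
)

# A Python list repr: square brackets around one or more single-quoted strings.
LIST_LITERAL = re.compile(r"\[\s*'[^']*'(?:\s*,\s*'[^']*')*\s*\]")

# Assumed RPM package-name shape: letters, digits and a few punctuation characters,
# no whitespace and nothing a shell would interpret.
PACKAGE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


def find_list_literals(text):
    """Return (line_number, literal) for every stray list literal in rendered text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in LIST_LITERAL.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def join_packages(packages):
    """Render a package list the way a shell command needs it: validated names,
    shell-quoted, separated by single spaces."""
    for name in packages:
        if not PACKAGE_NAME.match(name):
            raise ValueError("not a valid package name: %r" % (name,))
    return " ".join(shlex.quote(name) for name in packages)


def fix_rendered_text(text):
    """Replace each stray list literal with the joined package names."""
    def replace(match):
        return join_packages(ast.literal_eval(match.group(0)))
    return LIST_LITERAL.sub(replace, text)


def check_rendered_text(text):
    """Lint entry point: True when no list literal is left in the rendered text."""
    return not find_list_literals(text)


if __name__ == "__main__":
    for lineno, literal in find_list_literals(RENDERED_BROKEN):
        print("line %d: stray list literal %s" % (lineno, literal))
    print(fix_rendered_text(RENDERED_BROKEN))
```

Run as a script it reports the two offending lines of the constructed sample and prints the corrected text; `check_rendered_text` is the form a CI step would call over every rendered description, OCIL questionnaire and remediation before the datastream is built.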
…s_remove_packages rule
Thanks to @jan-cerny for the hint 🙇
ba29a71 to 73fe970
Code Climate has analyzed commit 73fe970 and detected 1 issue on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.9% (0.0% change).
@@ -1,24 +1,25 @@
{{% if product in ["sle12", "sle15"] %}}
{{% set xwindows_packages = ['xorg-x11-server', 'xorg-x11-server-extra', 'xorg-x11-server-Xvfb', 'xwayland'] %}}
Now that you made this variable at product level, this is not required
@@ -0,0 +1,24 @@
documentation_complete: true
I think this file is some remains of a different approach you were trying
@@ -1,27 +1,27 @@
documentation_complete: true
{{% if product in ["sle12", "sle15"] %}}
{{% set xwindows_packages = ['xorg-x11-server', 'xorg-x11-server-extra', 'xorg-x11-server-Xvfb', 'xwayland'] %}}
Also this variable set is not needed