Specify platform specific packages for xwindows_remove_packages rule#12853
Merged
jan-cerny merged 11 commits intoMar 3, 2025
Merged
Conversation
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages'.
--- xccdf_org.ssgproject.content_rule_xwindows_remove_packages
+++ xccdf_org.ssgproject.content_rule_xwindows_remove_packages
@@ -3,14 +3,15 @@
Disable graphical user interface
[description]:
-By removing the following packages, the system no longer has X Windows installed.
-
-xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
+By removing the following packages, the system no longer has X Windows installed.
+ xorg-x11-server-Xorg
+ xorg-x11-server-common
+ xorg-x11-server-utils
+ xorg-x11-server-Xwayland
If X Windows is not installed then the system cannot boot into graphical user mode.
This prevents the system from being accidentally or maliciously booted into a graphical.target
mode. To do so, run the following command:
-
sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
[warning]:
@@ -42,8 +43,8 @@
SV-230553r1017315_rule
[rationale]:
-Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security
-vulnerabilities and should not be installed unless approved and documented.
+Unnecessary service packages must not be installed to decrease the attack surface of the system.
+X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.
[ident]:
CCE-83411-9
OVAL for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages' differs.
--- oval:ssg-xwindows_remove_packages:def:1
+++ oval:ssg-xwindows_remove_packages:def:1
@@ -1,5 +1,5 @@
criteria AND
-criterion oval:ssg-package_xorg-x11-server-Xorg_removed:tst:1
-extend_definition oval:ssg-package_xorg-x11-server-common_removed:def:1
-criterion oval:ssg-package_xorg-x11-server-utils_removed:tst:1
-criterion oval:ssg-package_xorg-x11-server-Xwayland_removed:tst:1
+criterion oval:ssg-test_package_xorg-x11-server-Xorg_removed:tst:1
+criterion oval:ssg-test_package_xorg-x11-server-common_removed:tst:1
+criterion oval:ssg-test_package_xorg-x11-server-utils_removed:tst:1
+criterion oval:ssg-test_package_xorg-x11-server-Xwayland_removed:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages' differs.
--- ocil:ssg-xwindows_remove_packages_ocil:questionnaire:1
+++ ocil:ssg-xwindows_remove_packages_ocil:questionnaire:1
@@ -1,7 +1,8 @@
To ensure the X Windows package group is removed, run the following command:
-
-$ rpm -qi xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
-
+$ rpm -qi xorg-x11-server-Xorg
+$ rpm -qi xorg-x11-server-common
+$ rpm -qi xorg-x11-server-utils
+$ rpm -qi xorg-x11-server-Xwayland
For each package mentioned above you should receive following line:
package <package> is not installed
Is it the case that xorg related packages are not removed and run level is not correctly configured?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages' differs.
--- xccdf_org.ssgproject.content_rule_xwindows_remove_packages
+++ xccdf_org.ssgproject.content_rule_xwindows_remove_packages
@@ -1,14 +1,16 @@
-
# remove packages
+
if rpm -q --quiet "xorg-x11-server-Xorg" ; then
yum remove -y "xorg-x11-server-Xorg"
fi
+
+if rpm -q --quiet "xorg-x11-server-common" ; then
+yum remove -y "xorg-x11-server-common"
+fi
+
if rpm -q --quiet "xorg-x11-server-utils" ; then
yum remove -y "xorg-x11-server-utils"
-fi
-if rpm -q --quiet "xorg-x11-server-common" ; then
-yum remove -y "xorg-x11-server-common"
fi
if rpm -q --quiet "xorg-x11-server-Xwayland" ; then
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages' differs.
--- xccdf_org.ssgproject.content_rule_xwindows_remove_packages
+++ xccdf_org.ssgproject.content_rule_xwindows_remove_packages
@@ -1,10 +1,6 @@
-- name: Ensure xorg packages are removed
+- name: Disable graphical user interface - Ensure xorg-x11-server-Xorg is removed
package:
- name:
- - xorg-x11-server-Xorg
- - xorg-x11-server-common
- - xorg-x11-server-utils
- - xorg-x11-server-Xwayland
+ name: xorg-x11-server-Xorg
state: absent
tags:
- CCE-83411-9
@@ -16,3 +12,48 @@
- reboot_required
- restrict_strategy
- xwindows_remove_packages
+
+- name: Disable graphical user interface - Ensure xorg-x11-server-common is removed
+ package:
+ name: xorg-x11-server-common
+ state: absent
+ tags:
+ - CCE-83411-9
+ - DISA-STIG-RHEL-08-040320
+ - NIST-800-53-CM-6(b)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+ - xwindows_remove_packages
+
+- name: Disable graphical user interface - Ensure xorg-x11-server-utils is removed
+ package:
+ name: xorg-x11-server-utils
+ state: absent
+ tags:
+ - CCE-83411-9
+ - DISA-STIG-RHEL-08-040320
+ - NIST-800-53-CM-6(b)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+ - xwindows_remove_packages
+
+- name: Disable graphical user interface - Ensure xorg-x11-server-Xwayland is removed
+ package:
+ name: xorg-x11-server-Xwayland
+ state: absent
+ tags:
+ - CCE-83411-9
+ - DISA-STIG-RHEL-08-040320
+ - NIST-800-53-CM-6(b)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+ - xwindows_remove_packages
anaconda remediation for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages' differs.
--- xccdf_org.ssgproject.content_rule_xwindows_remove_packages
+++ xccdf_org.ssgproject.content_rule_xwindows_remove_packages
@@ -1,2 +1,10 @@
-package --remove=xorg-x11-server-Xorg --remove=xorg-x11-server-common --remove=xorg-x11-server-utils --remove=xorg-x11-server-Xwayland
+# remove packages
+
+package --remove=xorg-x11-server-Xorg
+
+package --remove=xorg-x11-server-common
+
+package --remove=xorg-x11-server-utils
+
+package --remove=xorg-x11-server-Xwayland |
jan-cerny
requested changes
Jan 20, 2025
Collaborator
jan-cerny
left a comment
There was a problem hiding this comment.
I think that this is a lot of code duplication. You should centralize the definition of the xwindows_packages to a single place. That will make it easier to change or extend in future. I suggest defining it as a product property.
ba29a71 to
73fe970
Compare
Xeicker
suggested changes
Feb 4, 2025
| @@ -1,24 +1,25 @@ | |||
|
|
|||
| {{% if product in ["sle12", "sle15"] %}} | |||
| {{% set xwindows_packages = ['xorg-x11-server', 'xorg-x11-server-extra', 'xorg-x11-server-Xvfb', 'xwayland'] %}} | |||
Contributor
There was a problem hiding this comment.
Now that you made this variable at product level, this is not required
| @@ -0,0 +1,24 @@ | |||
| documentation_complete: true | |||
Contributor
There was a problem hiding this comment.
I think this file is some remains of a different approach you were trying
| @@ -1,27 +1,27 @@ | |||
| documentation_complete: true | |||
| {{% if product in ["sle12", "sle15"] %}} | |||
| {{% set xwindows_packages = ['xorg-x11-server', 'xorg-x11-server-extra', 'xorg-x11-server-Xvfb', 'xwayland'] %}} | |||
Contributor
There was a problem hiding this comment.
Also this variable set is not needed
jan-cerny
reviewed
Feb 5, 2025
|
|
||
| - name: Ensure xorg packages are removed | ||
| {{% for package in xwindows_packages %}} | ||
| - name: Ensure {{{ package }}} is removed |
Collaborator
There was a problem hiding this comment.
You need to add {{{ rule_title }}} - to the Ansible Task's name.
Collaborator
|
@jan-cerny Please check that the package names are correct for RHEL. |
jan-cerny
requested changes
Feb 27, 2025
Comment on lines
+100
to
+103
| - xorg-x11-server-Xorg | ||
| - xorg-x11-server-common | ||
| - xorg-x11-server-utils | ||
| - xorg-x11-server-Xwayland |
Collaborator
There was a problem hiding this comment.
I have verified that these packages exist in RHEL 9.5.0. 👍
Comment on lines
+142
to
+146
| xwindows_packages: | ||
| - xorg-x11-server-Xorg | ||
| - xorg-x11-server-common | ||
| - xorg-x11-server-utils | ||
| - xorg-x11-server-Xwayland |
Collaborator
There was a problem hiding this comment.
I have verified that these packages exist in RHEL 8.10.0. 👍
| <tt>xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland</tt> | ||
| {{% endif %}} | ||
| By removing the following packages, the system no longer has X Windows installed. | ||
| <tt>{{{ xwindows_packages }}}</tt> |
Collaborator
There was a problem hiding this comment.
This needs to be improved because the generated output contains quotes and brackets
['xorg-x11-server-Xorg', 'xorg-x11-server-common', 'xorg-x11-server-utils', 'xorg-x11-server-Xwayland']
It should be rendered as some sort of a bullet list or comma separated list instead.
| {{% else %}} | ||
| <pre>sudo {{{ pkg_manager }}} remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland</pre> | ||
| {{% endif %}} | ||
| <pre>sudo {{{ pkg_manager }}} remove {{{ xwindows_packages }}}</pre> |
Collaborator
There was a problem hiding this comment.
This needs to be improved because the generated command is invalid command because it contains brackets and also quotes:
sudo dnf remove ['xorg-x11-server-Xorg', 'xorg-x11-server-common', 'xorg-x11-server-utils', 'xorg-x11-server-Xwayland']
I expect:
sudo dnf remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
| {{% else %}} | ||
| {{{ package_remove("xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland") }}} | ||
| {{% endif %}} | ||
| {{{ package_remove(xwindows_packages) }}} |
Collaborator
There was a problem hiding this comment.
OCIL and fixtext are affected as well
We don't have xorg or xwayland packages in the default repos there anyways
…s_remove_packages rule
Thanks to @jan-cerny for the hint 🙇
aee3ac6 to
b2632c4
Compare
|
Code Climate has analyzed commit b2632c4 and detected 1 issue on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 62.1% (0.1% change). View more on Code Climate. |
jan-cerny
approved these changes
Mar 3, 2025
Collaborator
jan-cerny
left a comment
There was a problem hiding this comment.
I have reviewed the generated rule.yml and I have reviewed the product files.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description:
Rationale: