From 9475af13870ebecbb20f9a7fa3115b7757377413 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Tue, 2 Dec 2025 10:14:34 +0100
Subject: [PATCH 1/4] Create rule group_server_with_gui_removed
This commit introduces new rule `group_server_with_gui_removed` and adds it to CIS profile according to RHEL 10 CIS Benchmark v1.0.1, requirement 2.1.19. Although the requirement title suggests to remove only the GNOME Display Manager (gdm), the prose in the requirement instructs us to remove the whole `Server with GUI` dnf group. Also the remediation described in the CIS document wants us to remove the `Server with GUI` using the `dnf groupremove` command. The problem with this rule is that we aren't able to write an OVAL check for it. The rpm probes can't provide any information about dnf groups as that is a concept that doesn't exist on rpm level and is known only for dnf tools. We don't have any dnf probe or dnf query in OpenSCAP. Therefore this rule will have only an SCE check.
Resolves: https://issues.redhat.com/browse/OPENSCAP-6081
---
components/gnome.yml | 1 +
controls/cis_rhel10.yml | 1 +
.../ansible/shared.yml | 16 ++++++++
.../bash/shared.sh | 9 ++++
.../group_server_with_gui_removed/rule.yml | 41 +++++++++++++++++++
.../sce/shared.sh | 10 +++++
.../tests/installed.fail.sh | 3 ++
.../tests/removed.pass.sh | 9 ++++
shared/references/cce-redhat-avail.txt | 1 -
.../data/profile_stability/rhel10/cis.profile | 1 +
10 files changed, 91 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/software/updating/group_server_with_gui_removed/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/updating/group_server_with_gui_removed/bash/shared.sh
create mode 100644 linux_os/guide/system/software/updating/group_server_with_gui_removed/rule.yml
create mode 100644 linux_os/guide/system/software/updating/group_server_with_gui_removed/sce/shared.sh
create mode 100644 linux_os/guide/system/software/updating/group_server_with_gui_removed/tests/installed.fail.sh
create mode 100644 
linux_os/guide/system/software/updating/group_server_with_gui_removed/tests/removed.pass.sh
diff --git a/components/gnome.yml b/components/gnome.yml
index 25bccf83300..908c81d528e 100644
--- a/components/gnome.yml
+++ b/components/gnome.yml
@@ -47,6 +47,7 @@ rules:
 - gnome_gdm_disable_guest_login
 - gnome_gdm_disable_unattended_automatic_login
 - gnome_gdm_disable_xdmcp
+- group_server_with_gui_removed
 - gui_login_dod_acknowledgement
 - package_gdm_removed
 - xwayland_disabled
diff --git a/controls/cis_rhel10.yml b/controls/cis_rhel10.yml
index 980e4e12bce..9a8b0cd46bd 100644
--- a/controls/cis_rhel10.yml
+++ b/controls/cis_rhel10.yml
@@ -968,6 +968,7 @@ controls:
 status: automated
 rules:
 - package_gdm_removed
+ - group_server_with_gui_removed
 - id: 2.1.20
 title: Ensure X window server services are not in use (Automated)
diff --git a/linux_os/guide/system/software/updating/group_server_with_gui_removed/ansible/shared.yml b/linux_os/guide/system/software/updating/group_server_with_gui_removed/ansible/shared.yml
new file mode 100644
index 00000000000..2df6a6b70bb
--- /dev/null
+++ b/linux_os/guide/system/software/updating/group_server_with_gui_removed/ansible/shared.yml
@@ -0,0 +1,16 @@
+# platform = multi_platform_rhel
+# strategy = configure
+# complexity = low
+# disruption = low
+
+# Note: This is important to update dependencies to allow the removal of the Server
+# with GUI group with minimal impact to the system functionality.
+- name: "{{{ rule_title }}} - Install Minimal Install group"
+ ansible.builtin.command:
+ cmd: dnf groupinstall -y 'Minimal Install'
+- name: "{{{ rule_title }}} - Remove Server with GUI group"
+ ansible.builtin.command:
+ cmd: dnf groupremove -y 'Server with GUI'
+- name: "{{{ rule_title }}} - Install Server group"
+ ansible.builtin.command:
+ cmd: dnf groupinstall -y 'Server'
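Review bot: The three `ansible.builtin.command` tasks at the end of this hunk are neither idempotent nor check-mode aware: every run of `dnf groupinstall`/`dnf groupremove` via `command` is reported as `changed` even when the group state is already correct, and there is no `changed_when` to correct that, so the playbook can never converge cleanly. The same file is patched again in PATCH 4/4 only to skip these tasks in check mode, which is a symptom of the same choice. The `ansible.builtin.dnf` module accepts group specs with an `@` prefix and handles `state: present`/`absent` itself, which would give accurate change reporting and native check-mode support; confirm on a RHEL 10 host that the module resolves the `Server with GUI` environment group (not just ordinary groups) before switching. If `command` has to stay, add a `changed_when` based on dnf's output so repeated runs report no change.
```yaml
# … unchanged: metadata header and dependency note …
- name: "{{{ rule_title }}} - Install Minimal Install group"
  ansible.builtin.dnf:
    name: "@Minimal Install"
    state: present

- name: "{{{ rule_title }}} - Remove Server with GUI group"
  ansible.builtin.dnf:
    name: "@Server with GUI"
    state: absent

- name: "{{{ rule_title }}} - Install Server group"
  ansible.builtin.dnf:
    name: "@Server"
    state: present
```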
diff --git a/linux_os/guide/system/software/updating/group_server_with_gui_removed/bash/shared.sh b/linux_os/guide/system/software/updating/group_server_with_gui_removed/bash/shared.sh
new file mode 100644
index 00000000000..fe106d62f04
--- /dev/null
+++ b/linux_os/guide/system/software/updating/group_server_with_gui_removed/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_rhel
+
+# Note: This is important to update dependencies to allow the removal of the Server
+# with GUI group with minimal impact to the system functionality.
+dnf groupinstall -y "Minimal Install"
+
+# Remove the Server with GUI group
+dnf groupremove -y "Server with GUI"
+dnf groupinstall -y "Server"
diff --git a/linux_os/guide/system/software/updating/group_server_with_gui_removed/rule.yml b/linux_os/guide/system/software/updating/group_server_with_gui_removed/rule.yml
new file mode 100644
index 00000000000..e5616aeab9d
--- /dev/null
+++ b/linux_os/guide/system/software/updating/group_server_with_gui_removed/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+title: 'Remove the Server with GUI Package Group'
+
+description: |-
+ By removing the Server with GUI package group, the system no longer has a graphical user interface (GUI) installed.
+ If a GUI is not installed then the system cannot boot into graphical user mode.
+ This prevents the system from being accidentally or maliciously booted into a graphical.target mode.
+ To do so, run the following command:
+
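Review bot: The bash remediation runs its three dnf commands unconditionally, so when `dnf groupinstall -y "Minimal Install"` fails (no repository access, a held dnf lock) the script still proceeds to `dnf groupremove -y "Server with GUI"`, which is exactly the situation the comment above it says the first step is meant to prevent, and a failed `groupremove` is followed by a `groupinstall` that may then report success for the whole snippet. Chain the steps so a failure stops the sequence: `dnf groupinstall -y "Minimal Install" && dnf groupremove -y "Server with GUI" && dnf groupinstall -y "Server"`. The header also carries no `# reboot` metadata line even though the rule's fixtext ends with a reboot; whichever value is chosen should match the Ansible header.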
dnf groupremove -y "Server with GUI"
+
+rationale: |-
+ Unnecessary service packages must not be installed to decrease the attack surface of the system.
+ If a Graphical User Interface (GUI) is not required, it should be removed to reduce the
+ attack surface of the system.
+
+severity: medium
+
+identifiers:
+ cce@rhel10: CCE-87443-8
+
+ocil_clause: The Server with GUI package group has not been removed
+
+ocil: |-
+ Run the following command to verify the Installed Environment Group is not
+ Server with GUI:
+ # dnf grouplist | sed -n '/Installed Environment Groups:/,/Installed Groups:/p'
+ The output should not contain the Server with GUI group.
+
+fixtext: |-
+ Run the following commands to remove the Server with GUI package group:
+ # dnf groupinstall -y "Minimal Install"
+ Note: This is important to update dependencies to allow the removal of the Server
+ with GUI group with minimal impact to the system functionality.
+ # dnf groupremove -y "Server with GUI"
+ # dnf groupinstall -y "Server"
+ # reboot
+
+warnings:
+ - general: |-
+ This rule doesn't come with an OVAL check, as it is not possible to check if the Server with GUI group is installed using the OVAL rpm objects. Therefore, this rule contains only an SCE check.
diff --git a/linux_os/guide/system/software/updating/group_server_with_gui_removed/sce/shared.sh b/linux_os/guide/system/software/updating/group_server_with_gui_removed/sce/shared.sh
new file mode 100644
index 00000000000..bdd4dc54541
--- /dev/null
+++ b/linux_os/guide/system/software/updating/group_server_with_gui_removed/sce/shared.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+# platform = multi_platform_rhel
+# check-import = stdout
+
+if dnf grouplist | sed -n '/Installed Environment Groups:/,/Installed Groups:/p' | grep -q "Server with GUI"; then
+ echo "Server with GUI group is installed"
+ exit $XCCDF_RESULT_FAIL
+fi
+
+exit $XCCDF_RESULT_PASS
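Review bot: The `description` tells the reader to run only `dnf groupremove -y "Server with GUI"`, while the `fixtext` in the same file (and both remediations) require `dnf groupinstall -y "Minimal Install"` first, precisely so that dependency resolution does not strip packages the system needs, and then reinstall the Server group. A reader who follows the description alone may end up in the state the fixtext's note warns about. Replace the single command in the description with a reference to the full procedure, e.g. `To do so, install the "Minimal Install" group, remove the "Server with GUI" group and reinstall the "Server" group, as described in the fix text.` The `ocil` pipeline is a copy of the SCE check and should be kept in step with whatever that script ends up doing.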
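Review bot: The SCE check fails open: when `dnf grouplist` exits non-zero or prints nothing (metadata refresh failing on an offline host, a held dnf lock, a changed heading in a newer dnf), the `sed | grep -q` pipeline simply finds no match and the script falls through to `exit $XCCDF_RESULT_PASS`, reporting a host that still has the GUI environment as compliant. The bare `dnf grouplist` also goes through the normal metadata refresh, so a scan may touch the network, and both the section headings and the group name are subject to translation under a non-English locale. Capture the dnf output and exit status separately, return `$XCCDF_RESULT_ERROR` when the query fails, and run it under `LC_ALL=C`; with `--installed` only installed groups are listed, so the sed range is no longer needed. If `--cacheonly` proves unreliable on hosts that have never cached comps metadata, drop it but keep the exit-status check.
```bash
# … unchanged: shebang and metadata header …

# List installed groups only, from the local cache, in the C locale so the
# group name is not translated.  A failing dnf must yield ERROR, never PASS.
if ! installed_groups="$(LC_ALL=C dnf -q --cacheonly group list --installed 2>&1)"; then
    echo "Unable to list installed dnf groups: ${installed_groups}"
    exit "$XCCDF_RESULT_ERROR"
fi

if grep -q "Server with GUI" <<< "${installed_groups}"; then
    echo "Server with GUI group is installed"
    exit "$XCCDF_RESULT_FAIL"
fi

exit "$XCCDF_RESULT_PASS"
```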
diff --git a/linux_os/guide/system/software/updating/group_server_with_gui_removed/tests/installed.fail.sh b/linux_os/guide/system/software/updating/group_server_with_gui_removed/tests/installed.fail.sh
new file mode 100644
index 00000000000..5cab3ea945a
--- /dev/null
+++ b/linux_os/guide/system/software/updating/group_server_with_gui_removed/tests/installed.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+dnf groupinstall -y "Server with GUI"
diff --git a/linux_os/guide/system/software/updating/group_server_with_gui_removed/tests/removed.pass.sh b/linux_os/guide/system/software/updating/group_server_with_gui_removed/tests/removed.pass.sh
new file mode 100644
index 00000000000..5dcbf8b8b4f
--- /dev/null
+++ b/linux_os/guide/system/software/updating/group_server_with_gui_removed/tests/removed.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Note: This is important to update dependencies to allow the removal of the Server
+# with GUI group with minimal impact to the system functionality.
+dnf groupinstall -y "Minimal Install"
+
+# Remove the Server with GUI group
+dnf groupremove -y "Server with GUI"
+dnf groupinstall -y "Server"
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 10573c2feb7..bd70c57af8f 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -431,7 +431,6 @@ CCE-87438-8
 CCE-87440-4
 CCE-87441-2
 CCE-87442-0
-CCE-87443-8
 CCE-87446-1
 CCE-87450-3
 CCE-87453-7
diff --git a/tests/data/profile_stability/rhel10/cis.profile b/tests/data/profile_stability/rhel10/cis.profile
index b1ff9a39d67..37244fcf01f 100644
--- a/tests/data/profile_stability/rhel10/cis.profile
+++ b/tests/data/profile_stability/rhel10/cis.profile
@@ -256,6 +256,7 @@ file_permissions_user_cfg
 file_permissions_var_log_audit
 firewalld_loopback_traffic_trusted
 gid_passwd_group_same
+group_server_with_gui_removed
 group_unique_id
 group_unique_name
 groups_no_zero_gid_except_root
From 27cce1312ed37becf024c69ddb4fce7ebff715b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Wed, 3 Dec 2025 11:52:31 +0100
Subject: [PATCH 2/4] Add a missing reboot
---
.../updating/group_server_with_gui_removed/ansible/shared.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/software/updating/group_server_with_gui_removed/ansible/shared.yml b/linux_os/guide/system/software/updating/group_server_with_gui_removed/ansible/shared.yml
index 2df6a6b70bb..3af55c8e41d 100644
--- a/linux_os/guide/system/software/updating/group_server_with_gui_removed/ansible/shared.yml
+++ b/linux_os/guide/system/software/updating/group_server_with_gui_removed/ansible/shared.yml
@@ -2,6 +2,7 @@
 # strategy = configure
 # complexity = low
 # disruption = low
+# reboot = false
 # Note: This is important to update dependencies to allow the removal of the Server
 # with GUI group with minimal impact to the system functionality.
From d084da72440b9c7ed79cf24dc211e10e92107413 Mon Sep 17 00:00:00 2001
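Review bot: The added `# reboot = false` contradicts the rule's own fixtext, which ends the procedure with `# reboot` after the group removal, and removing the GUI environment underneath a running gdm session is unlikely to take full effect until the host is restarted. If this key carries its usual meaning in this project (whether the remediation needs a reboot to become effective), the line should read `# reboot = true` and the bash remediation should declare the same value; otherwise drop the `# reboot` step from the fixtext so the metadata and the documented procedure agree. Either way the commit title "Add a missing reboot" describes a key that, as set, says no reboot is required.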
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Thu, 4 Dec 2025 15:38:15 +0100
Subject: [PATCH 3/4] Move rule group_server_with_gui_removed to disabling_xwindows group
---
.../group_server_with_gui_removed/ansible/shared.yml | 0
.../group_server_with_gui_removed/bash/shared.sh | 0
.../disabling_xwindows}/group_server_with_gui_removed/rule.yml | 0
.../group_server_with_gui_removed/sce/shared.sh | 0
.../group_server_with_gui_removed/tests/installed.fail.sh | 0
.../group_server_with_gui_removed/tests/removed.pass.sh | 0
6 files changed, 0 insertions(+), 0 deletions(-)
rename linux_os/guide/{system/software/updating => services/xwindows/disabling_xwindows}/group_server_with_gui_removed/ansible/shared.yml (100%)
rename linux_os/guide/{system/software/updating => services/xwindows/disabling_xwindows}/group_server_with_gui_removed/bash/shared.sh (100%)
rename linux_os/guide/{system/software/updating => services/xwindows/disabling_xwindows}/group_server_with_gui_removed/rule.yml (100%)
rename linux_os/guide/{system/software/updating => services/xwindows/disabling_xwindows}/group_server_with_gui_removed/sce/shared.sh (100%)
rename linux_os/guide/{system/software/updating => services/xwindows/disabling_xwindows}/group_server_with_gui_removed/tests/installed.fail.sh (100%)
rename linux_os/guide/{system/software/updating => services/xwindows/disabling_xwindows}/group_server_with_gui_removed/tests/removed.pass.sh (100%)
diff --git a/linux_os/guide/system/software/updating/group_server_with_gui_removed/ansible/shared.yml b/linux_os/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/ansible/shared.yml
similarity index 100%
rename from linux_os/guide/system/software/updating/group_server_with_gui_removed/ansible/shared.yml
rename to linux_os/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/ansible/shared.yml
diff --git a/linux_os/guide/system/software/updating/group_server_with_gui_removed/bash/shared.sh b/linux_os/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/bash/shared.sh
similarity index 100%
rename from linux_os/guide/system/software/updating/group_server_with_gui_removed/bash/shared.sh
rename to linux_os/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/bash/shared.sh
diff --git a/linux_os/guide/system/software/updating/group_server_with_gui_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/rule.yml
similarity index 100%
rename from linux_os/guide/system/software/updating/group_server_with_gui_removed/rule.yml
rename to linux_os/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/rule.yml
diff --git a/linux_os/guide/system/software/updating/group_server_with_gui_removed/sce/shared.sh b/linux_os/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/sce/shared.sh
similarity index 100%
rename from linux_os/guide/system/software/updating/group_server_with_gui_removed/sce/shared.sh
rename to linux_os/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/sce/shared.sh
diff --git a/linux_os/guide/system/software/updating/group_server_with_gui_removed/tests/installed.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/tests/installed.fail.sh
similarity index 100%
rename from linux_os/guide/system/software/updating/group_server_with_gui_removed/tests/installed.fail.sh
rename to linux_os/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/tests/installed.fail.sh
diff --git a/linux_os/guide/system/software/updating/group_server_with_gui_removed/tests/removed.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/tests/removed.pass.sh
similarity index 100%
rename from linux_os/guide/system/software/updating/group_server_with_gui_removed/tests/removed.pass.sh
rename to linux_os/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/tests/removed.pass.sh
From 1adc743a62262833bce6fa11d947306ad2afcf6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Thu, 4 Dec 2025 15:51:12 +0100
Subject: [PATCH 4/4] Disable tasks in check mode
---
.../group_server_with_gui_removed/ansible/shared.yml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/ansible/shared.yml b/linux_os/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/ansible/shared.yml
index 3af55c8e41d..8803c9f603a 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/ansible/shared.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/ansible/shared.yml
@@ -9,9 +9,14 @@
 - name: "{{{ rule_title }}} - Install Minimal Install group"
 ansible.builtin.command:
 cmd: dnf groupinstall -y 'Minimal Install'
+ when: not ansible_check_mode
+
 - name: "{{{ rule_title }}} - Remove Server with GUI group"
 ansible.builtin.command:
 cmd: dnf groupremove -y 'Server with GUI'
+ when: not ansible_check_mode
+
 - name: "{{{ rule_title }}} - Install Server group"
 ansible.builtin.command:
 cmd: dnf groupinstall -y 'Server'
+ when: not ansible_check_mode