From 9f7a12207d136211a5906df39490104ef02e3e0c Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Thu, 19 Mar 2020 15:35:47 +0100

Subject: [PATCH 1/4] add rule

---

 .../package_openldap-clients_removed/rule.yml | 32 +++++++++++++++++++

 2 files changed, 32 insertions(+), 2 deletions(-)

 create mode 100644 linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml

diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml

new file mode 100644

index 0000000000..e8dfc04020

--- /dev/null

+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml

@@ -0,0 +1,32 @@

+documentation_complete: true

+

+title: 'Ensure LDAP client is not installed'

+

+description: |-

+    The Lightweight Directory Access Protocol (LDAP) is a service that provideso

+    a method for looking up information from a central database.

+    {{{ describe_package_remove("openldap-clients") }}}

+

+rationale:

+    If the system does not need to act as an LDAP client, it is recommended that the software is

+    removed to reduce the potential attack surface.

+

+severity: low

+

+identifiers:

+    cce@rhel7: 82884-8

+    cce@rhel8: 82885-5

+

+references:

+    cis@rhel7: 2.3.5

+    cis@rhel8: 2.3.3

+

+ocil_clause: 'the package is installed'

+

+ocil: |-

+    {{{ ocil_package("openldap-clients") }}}

+

+template:

+    name: package_removed

+    vars:

+        pkgname: openldap-clients

From b21593567c0c758710461bc7a3d59651503f84c9 Mon Sep 17 00:00:00 2001

From: vojtapolasek <krecoun@gmail.com>

Date: Thu, 19 Mar 2020 16:40:55 +0100

Subject: [PATCH 2/4] Update

 linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Co-Authored-By: Jan Černý <jcerny@redhat.com>

---

 .../openldap_client/package_openldap-clients_removed/rule.yml   | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml

index e8dfc04020..1339137fb4 100644

--- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml

+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml

@@ -3,7 +3,7 @@ documentation_complete: true

 title: 'Ensure LDAP client is not installed'

 description: |-

-    The Lightweight Directory Access Protocol (LDAP) is a service that provideso

+    The Lightweight Directory Access Protocol (LDAP) is a service that provides

     a method for looking up information from a central database.

     {{{ describe_package_remove("openldap-clients") }}}

From 82c734902f7f215286168f6aa3e3bfaff99fc336 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Thu, 19 Mar 2020 16:58:02 +0100

Subject: [PATCH 3/4] add missing prodtype

---

 .../openldap_client/package_openldap-clients_removed/rule.yml   | 2 ++

 1 file changed, 2 insertions(+)

diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml

index 1339137fb4..aee1aa315a 100644

--- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml

+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml

@@ -1,5 +1,7 @@

 documentation_complete: true

+prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,ocp4

+

 title: 'Ensure LDAP client is not installed'

 description: |-