From 9f7a12207d136211a5906df39490104ef02e3e0c Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 19 Mar 2020 15:35:47 +0100
Subject: [PATCH 1/4] add rule
---
.../package_openldap-clients_removed/rule.yml | 32 +++++++++++++++++++
2 files changed, 32 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
new file mode 100644
index 0000000000..e8dfc04020
--- /dev/null
+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+title: 'Ensure LDAP client is not installed'
+
+description: |-
+ The Lightweight Directory Access Protocol (LDAP) is a service that provideso
+ a method for looking up information from a central database.
+ {{{ describe_package_remove("openldap-clients") }}}
+
+rationale:
+ If the system does not need to act as an LDAP client, it is recommended that the software is
+ removed to reduce the potential attack surface.
+
+severity: low
+
+identifiers:
+ cce@rhel7: 82884-8
+ cce@rhel8: 82885-5
+
+references:
+ cis@rhel7: 2.3.5
+ cis@rhel8: 2.3.3
+
+ocil_clause: 'the package is installed'
+
+ocil: |-
+ {{{ ocil_package("openldap-clients") }}}
+
+template:
+ name: package_removed
+ vars:
+ pkgname: openldap-clients
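Review bot: The title states "Ensure LDAP client is not installed", but the check in this hunk is scoped to one package, `pkgname: openldap-clients` (line 46), so a pass only proves that this specific package is absent, not that no LDAP client capability remains on the host. The description already names the package via `describe_package_remove("openldap-clients")`, but it does not say that this is the whole scope; a sentence such as `This rule assesses only the openldap-clients package; LDAP client functionality provided by other packages is not covered by this check.` would keep readers from treating a pass as proof of a broader condition. It may also be worth noting in the rationale that the CIS references in `references:` (2.3.5 / 2.3.3) are the source of the single-package scope, if that is the case.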
From b21593567c0c758710461bc7a3d59651503f84c9 Mon Sep 17 00:00:00 2001
From: vojtapolasek <krecoun@gmail.com>
Date: Thu, 19 Mar 2020 16:40:55 +0100
Subject: [PATCH 2/4] Update
linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Jan Černý <jcerny@redhat.com>
---
.../openldap_client/package_openldap-clients_removed/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
index e8dfc04020..1339137fb4 100644
--- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
@@ -3,7 +3,7 @@ documentation_complete: true
title: 'Ensure LDAP client is not installed'
description: |-
- The Lightweight Directory Access Protocol (LDAP) is a service that provideso
+ The Lightweight Directory Access Protocol (LDAP) is a service that provides
a method for looking up information from a central database.
{{{ describe_package_remove("openldap-clients") }}}
From 82c734902f7f215286168f6aa3e3bfaff99fc336 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 19 Mar 2020 16:58:02 +0100
Subject: [PATCH 3/4] add missing prodtype
---
.../openldap_client/package_openldap-clients_removed/rule.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
index 1339137fb4..aee1aa315a 100644
--- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
@@ -1,5 +1,7 @@
documentation_complete: true
+prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,ocp4
+
title: 'Ensure LDAP client is not installed'
description: |-