From 9f7a12207d136211a5906df39490104ef02e3e0c Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 19 Mar 2020 15:35:47 +0100
Subject: [PATCH 1/4] add rule

---
 .../package_openldap-clients_removed/rule.yml | 32 +++++++++++++++++++
 2 files changed, 32 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml

diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
new file mode 100644
index 0000000000..e8dfc04020
--- /dev/null
+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+title: 'Ensure LDAP client is not installed'
+
+description: |-
+ The Lightweight Directory Access Protocol (LDAP) is a service that provideso
+ a method for looking up information from a central database.
+ {{{ describe_package_remove("openldap-clients") }}}
+
+rationale:
+ If the system does not need to act as an LDAP client, it is recommended that the software is
+ removed to reduce the potential attack surface.
+
+severity: low
+
+identifiers:
+ cce@rhel7: 82884-8
+ cce@rhel8: 82885-5
+
+references:
+ cis@rhel7: 2.3.5
+ cis@rhel8: 2.3.3
+
+ocil_clause: 'the package is installed'
+
+ocil: |-
+ {{{ ocil_package("openldap-clients") }}}
+
+template:
+ name: package_removed
+ vars:
+ pkgname: openldap-clients

From b21593567c0c758710461bc7a3d59651503f84c9 Mon Sep 17 00:00:00 2001
From: vojtapolasek
Date: Thu, 19 Mar 2020 16:40:55 +0100
Subject: [PATCH 2/4] Update linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Jan Černý
---
 .../openldap_client/package_openldap-clients_removed/rule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
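Review bot: `rationale:` in the new rule.yml is written as a plain multi-line scalar while `description:` and `ocil:` use `|-` block scalars; a plain scalar is folded into one line on load and will break on any `: ` or ` #` that later lands in the text, so the three fields should use the same style. Change the key line to `rationale: |-` and leave its indented lines as they are. The hunk header counts also suggest the file's block-scalar indentation did not survive this page's rendering, so confirm the `template.vars.pkgname` nesting against the committed file before relying on it.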
diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
index e8dfc04020..1339137fb4 100644
--- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
@@ -3,7 +3,7 @@ documentation_complete: true
 title: 'Ensure LDAP client is not installed'
 description: |-
- The Lightweight Directory Access Protocol (LDAP) is a service that provideso
+ The Lightweight Directory Access Protocol (LDAP) is a service that provides
 a method for looking up information from a central database.
 {{{ describe_package_remove("openldap-clients") }}}

From 82c734902f7f215286168f6aa3e3bfaff99fc336 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 19 Mar 2020 16:58:02 +0100
Subject: [PATCH 3/4] add missing prodtype

---
 .../openldap_client/package_openldap-clients_removed/rule.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
index 1339137fb4..aee1aa315a 100644
--- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
@@ -1,5 +1,7 @@
 documentation_complete: true
+prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,ocp4
+
 title: 'Ensure LDAP client is not installed'
 description: |-