From 0c9c768e111f71e141a599053d2d6c4d3e56d5a1 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 6 May 2021 19:43:25 +0200
Subject: [PATCH] Add rules to remove setroubleshoot packages
Added rules to remove setroubleshoot-plugins and server.
---
controls/anssi.yml | 2 ++
.../rule.yml | 32 ++++++++++++++++++
.../rule.yml | 33 +++++++++++++++++++
4 files changed, 67 insertions(+), 8 deletions(-)
create mode 100644 linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml
create mode 100644 linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 705f8e25aab..603f224ffaa 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -983,6 +983,8 @@ controls:
on a machine in production.
rules:
- package_setroubleshoot_removed
+ - package_setroubleshoot-server_removed
+ - package_setroubleshoot-plugins_removed
- id: R69
level: high
diff --git a/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml
new file mode 100644
index 00000000000..d20c1116dc0
--- /dev/null
+++ b/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9
+
+title: 'Uninstall setroubleshoot-plugins Package'
+
+description: |-
+ The SETroubleshoot plugins are used to analyze SELinux AVC data. The service provides information around configuration errors,
+ unauthorized intrusions, and other potential errors.
+ {{{ describe_package_remove(package="setroubleshoot-plugins") }}}
+
+rationale: |-
+ The SETroubleshoot service is an unnecessary daemon to
+ have running on a server.
+
+severity: low
+
+identifiers:
+ cce@rhcos4: CCE-84091-8
+ cce@rhel7: CCE-84249-2
+ cce@rhel8: CCE-84250-0
+ cce@rhel9: CCE-84251-8
+
+references:
+ anssi: BP28(R68)
+
+{{{ complete_ocil_entry_package(package="setroubleshoot-plugins") }}}
+
+template:
+ name: package_removed
+ vars:
+ pkgname: setroubleshoot-plugins
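Review bot: The `rationale` of this new rule calls the package "an unnecessary daemon to have running on a server", but the `description` just above says setroubleshoot-plugins is a set of plugins that analyze SELinux AVC data, so the text looks copied from the server rule. A reader checking an ANSSI R68 finding will not learn why this particular package must go. I would reword it along the lines of `The SETroubleshoot plugins are only useful together with the SETroubleshoot service, which is unnecessary on a server; removing them reduces the installed software that has to be patched.` The second sentence of the description ("The service provides information ...") has the same issue and should name the plugins. Its first line should also be wrapped like the rest of the file.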
diff --git a/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml
new file mode 100644
index 00000000000..c5fec06ddc5
--- /dev/null
+++ b/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9
+
+title: 'Uninstall setroubleshoot-server Package'
+
+description: |-
+ The SETroubleshoot service notifies desktop users of SELinux
+ denials. The service provides information around configuration errors,
+ unauthorized intrusions, and other potential errors.
+ {{{ describe_package_remove(package="setroubleshoot-server") }}}
+
+rationale: |-
+ The SETroubleshoot service is an unnecessary daemon to have
+ running on a server.
+
+severity: low
+
+identifiers:
+ cce@rhcos4: CCE-84093-4
+ cce@rhel7: CCE-83488-7
+ cce@rhel8: CCE-83490-3
+ cce@rhel9: CCE-84252-6
+
+references:
+ anssi: BP28(R68)
+
+{{{ complete_ocil_entry_package(package="setroubleshoot-server") }}}
+
+template:
+ name: package_removed
+ vars:
+ pkgname: setroubleshoot-server
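Review bot: The `description` lists "unauthorized intrusions" among the things this service reports, and the rule then asks for its removal without saying where that information remains available. An operator could read this as trading away intrusion visibility. As far as I know, AVC denials are still written by the audit subsystem whether or not setroubleshoot-server is installed, so I would add one sentence to the `rationale`, for example `SELinux denials remain recorded in the audit log after the package is removed and can be reviewed there.` Please confirm that wording against the products in `prodtype` (in particular rhcos4) before merging.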