From 6429aa7d29a6c93a6c6826d6fa99cee162ed1c22 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 20 Apr 2020 12:50:27 +0200
Subject: [PATCH 01/10] Add warning to package_xorg-x11-server-common_removed.
When this package is removed from a GUI environment system, it may end up with a black
screen after restarting it.
---
.../package_xorg-x11-server-common_removed/rule.yml | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
index 4ce51a8141..04ee90b4d5 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
@@ -9,8 +9,8 @@ description: |-
installed. If X Windows is not installed then the system cannot boot into graphical user mode.
This prevents the system from being accidentally or maliciously booted into a <tt>graphical.target</tt>
mode. To do so, run the following command:
- <pre>$ sudo yum groupremove "X Window System"</pre>
- <pre>$ sudo yum remove xorg-x11-server-common</pre>
+ <pre>$ sudo {{{ pkg_manager }}} groupremove "X Window System"</pre>
+ <pre>$ sudo {{{ pkg_manager }}} remove xorg-x11-server-common</pre>
rationale: |-
Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security
@@ -47,6 +47,14 @@ ocil: |-
The output should be:
<pre>package xorg-x11-server-common is not installed</pre>
+warnings:
+ - functionality: |-
+ The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your
+ overall security posture. Removing the package xorg-x11-server-common package can
+ potentially remove the graphical target which might bring your system to an inconsistent state requiring
+ additional configuration to access the system again. If a GUI is an operational requirement, a tailored profile
+ that removes this rule should used before continuing installation.
+
template:
name: package_removed
vars:
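Review bot: The new warning tells the administrator that "additional configuration" will be needed to get back into the system but never says what it is, so the operator who reads it before applying the profile still has no way to avoid the black screen the commit message describes. Since that condition appears to come from default.target still pointing at graphical.target once the X server is gone, the warning should name the fix, e.g. append `Before rebooting, set the default target to multi-user.target (systemctl set-default multi-user.target) so the system does not attempt to start a graphical session that is no longer installed.` Two wording fixes in the same block: `should used before continuing installation` should read `should be used before continuing installation`, and "increases your attack vector" is better phrased as "increases the attack surface".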
From 9f767c7c60e1a5b35e30cbe7f9d81288dd26ac9e Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 20 Apr 2020 12:51:48 +0200
Subject: [PATCH 02/10] SSGTS: Encode string to UTF-8 before writing into file.
---
tests/ssg_test_suite/oscap.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/ssg_test_suite/oscap.py b/tests/ssg_test_suite/oscap.py
index 301c326835..2858963373 100644
--- a/tests/ssg_test_suite/oscap.py
+++ b/tests/ssg_test_suite/oscap.py
@@ -170,7 +170,7 @@ def run_stage_remediation_ansible(run_type, formatting, verbose_path):
# Appends output of ansible-playbook to the verbose_path file.
with open(verbose_path, 'a') as f:
f.write('Stdout of "{}":'.format(command_string))
- f.write(output)
+ f.write(output.encode("utf-8"))
if returncode != 0:
msg = (
'Ansible playbook remediation run has '
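Review bot: `f.write(output.encode("utf-8"))` hands bytes to a file that `open(verbose_path, 'a')` two lines above opened in text mode, so under Python 3 this raises `TypeError: write() argument must be str, not bytes` and the verbose log is never appended; under Python 2 it only works when `output` is already `unicode`, because `str.encode("utf-8")` on a byte string first decodes it implicitly as ASCII and fails on exactly the non-ASCII playbook output this change is meant to handle. The portable fix is to keep `output` as text and put the encoding on the file instead: `with io.open(verbose_path, 'a', encoding='utf-8') as f:` (with `import io` at module top) and `f.write(output)` unchanged, decoding the subprocess result once where it is captured if it arrives as bytes. The body of run_stage_remediation_ansible starts before this hunk, so I cannot see how `output` is produced; whichever type it is, mixing a text `write` on the preceding line with a bytes `write` here cannot be right on both interpreters.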
@@ -199,7 +199,7 @@ def run_stage_remediation_bash(run_type, formatting, verbose_path):
# Appends output of script execution to the verbose_path file.
with open(verbose_path, 'a') as f:
f.write('Stdout of "{}":'.format(command_string))
- f.write(output)
+ f.write(output.encode("utf-8"))
if returncode != 0:
msg = (
'Bash script remediation run has exited with return code {} '
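Review bot: Same problem as in the Ansible stage: `f.write(output.encode("utf-8"))` writes bytes into a file opened in text mode (`open(verbose_path, 'a')`), which is a `TypeError` on Python 3 and, on Python 2, an implicit ASCII decode if `output` is a byte string, so non-ASCII script output still fails. Prefer `with io.open(verbose_path, 'a', encoding='utf-8') as f:` and `f.write(output)` with `output` kept as text, so both this hunk and the one in run_stage_remediation_ansible behave identically. The enclosing function run_stage_remediation_bash begins before this hunk.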
From 2cb9a0eac96e2dd44c2ca8e50c8460e9f220f977 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 20 Apr 2020 12:52:36 +0200
Subject: [PATCH 03/10] Add check and remediation for xwindows_runlevel_target.
Select this rule in profiles (RHEL6 profiles are not included) that select
package_xorg-x11-server-common_removed, since that rule removes a package
the graphical session depends on; on such a system the default target
must also be changed from graphical.target to multi-user.target, otherwise
the system ends up with a black screen after restarting.
---
.../ansible/shared.yml | 12 +++++
.../xwindows_runlevel_target/bash/shared.sh | 7 +++
.../xwindows_runlevel_target/oval/shared.xml | 49 +++++++++++++++++++
.../xwindows_runlevel_target/rule.yml | 3 +-
.../tests/correct_target.pass.sh | 5 ++
.../tests/wrong_target.fail.sh | 5 ++
rhel7/profiles/cis.profile | 1 +
10 files changed, 84 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml
create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/bash/shared.sh
create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh
create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml
new file mode 100644
index 0000000000..49cdaeb7aa
--- /dev/null
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: get default target
+ command: systemctl get-default
+ register: default_target
+- name: Switch to multi-user runlevel
+ command: systemctl set-default multi-user.target
+ when: default_target.stdout != "multi-user.target"
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/bash/shared.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/bash/shared.sh
new file mode 100644
index 0000000000..289a38483c
--- /dev/null
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+systemctl set-default multi-user.target
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
new file mode 100644
index 0000000000..94c372ffec
--- /dev/null
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
@@ -0,0 +1,49 @@
+{{%- if init_system == "systemd" and target_oval_version == [5, 10] -%}}
+{{# this is the only scenario this definition cannot handle, there is no good alternative for symlink_test for OVAL 5.10 #}}
+{{%- else -%}}
+<def-group>
+ <definition class="compliance" id="xwindows_runlevel_target" version="1">
+ <metadata>
+ <title>Disable X Windows Startup By Setting Default SystemD Target</title>
+ {{{- oval_affected(products) }}}
+ {{%- if init_system == "systemd" %}}
+ <description>Checks /etc/systemd/system/default.target to ensure that the default runlevel target is set to multi-user.target.</description>
+ {{%- else %}}
+ <description>Checks /etc/inittab to ensure that default runlevel is set to 3.</description>
+ {{%- endif %}}
+ </metadata>
+ {{%- if init_system == "systemd" %}}
+ <criteria>
+ <criterion comment="default.target systemd softlink exists" test_ref="test_disable_xwindows_runlevel_target" />
+ </criteria>
+ {{%- else %}}
+ <criteria>
+ <criterion comment="default runlevel is 3" test_ref="test_etc_inittab_default_runlevel_target" />
+ </criteria>
+ {{%- endif %}}
+ </definition>
+ {{%- if init_system == "systemd" %}}
+ <unix:symlink_test check="all" check_existence="all_exist" comment="default.target systemd softlink exists" id="test_disable_xwindows_runlevel_target" version="1">
+ <unix:object object_ref="object_disable_xwindows_runlevel_target" />
+ <unix:state state_ref="state_disable_xwindows_runlevel_target" />
+ </unix:symlink_test>
+ <unix:symlink_object comment="default.target systemd softlink exists" id="object_disable_xwindows_runlevel_target" version="1">
+ <unix:filepath>/etc/systemd/system/default.target</unix:filepath>
+ </unix:symlink_object>
+ <unix:symlink_state comment="default.target is linked to multi-user.target" id="state_disable_xwindows_runlevel_target" version="1">
+ <unix:filepath>/etc/systemd/system/default.target</unix:filepath>
+ <unix:canonical_path operation="pattern match">^/usr/lib/systemd/system/multi-user.target$</unix:canonical_path>
+ </unix:symlink_state>
+ {{%- else %}}
+ <ind:textfilecontent54_test check="all" comment="default runlevel is 3" id="test_etc_inittab_default_runlevel_target" version="1">
+ <ind:object object_ref="object_etc_inittab_default_runlevel_target" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_etc_inittab_default_runlevel_target" version="1">
+ <ind:filepath>/etc/inittab</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*id:3:initdefault:[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+ {{%- endif %}}
+</def-group>
+{{%- endif -%}}
+
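Review bot: The guard at the top of the file renders nothing at all when `init_system == "systemd"` and `target_oval_version == [5, 10]`, so for that combination the rule is still selected by profiles but ships without any check; depending on how the build treats an empty OVAL file, I would expect it to surface as notchecked rather than as a failure, and the new warning on package_xorg-x11-server-common_removed points operators at a rule that may not evaluate. Since the template comment says there is no symlink_test alternative in 5.10, that limitation should at least be recorded where users see it, e.g. a warning in rule.yml such as `On targets built for OVAL 5.10 this rule has no automated check; verify the default target manually with systemctl get-default.` Separately, the check is conservative by design: a host with no /etc/systemd/system/default.target symlink at all fails `check_existence="all_exist"` even if systemd's built-in default is multi-user.target, which is acceptable for a hardening rule but worth a one-line comment next to the symlink_test.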
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
index ed5882941c..cd04fcde8f 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhel7,rhel8
+prodtype: fedora,rhel7,rhel8,sle12,rhv4
title: 'Disable X Windows Startup By Setting Default Target'
@@ -24,6 +24,7 @@ severity: medium
identifiers:
cce@rhel7: 27285-6
+ cce@rhel8: 83380-6
references:
disa: "366"
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh
new file mode 100644
index 0000000000..33835c8f50
--- /dev/null
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+
+rm -f /etc/systemd/system/default.target
+ln -s /usr/lib/systemd/system/multi-user.target /etc/systemd/system/default.target
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh
new file mode 100644
index 0000000000..9313dbb5a2
--- /dev/null
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+
+rm -f /etc/systemd/system/default.target
+ln -s /usr/lib/systemd/system/graphical.target /etc/systemd/system/default.target
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 886e9a963a..0826a49547 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -226,6 +226,7 @@ selections:
### 2.2.2 Ensure X Window System is not installed (Scored)
- package_xorg-x11-server-common_removed
+ - xwindows_runlevel_target
### 2.2.3 Ensure Avahi Server is not enabled (Scored)
- service_avahi-daemon_disabled
From 3e1381a89b54591b7ca6a6b54cf56c6594cb87c0 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 20 Apr 2020 17:46:08 +0200
Subject: [PATCH 04/10] Simplify xwindows_runlevel_target artifacts.
---
.../rule.yml | 2 ++
.../ansible/shared.yml | 1 +
.../xwindows_runlevel_target/oval/shared.xml | 23 +------------------
.../tests/correct_target.pass.sh | 3 +--
.../tests/wrong_target.fail.sh | 3 +--
5 files changed, 6 insertions(+), 26 deletions(-)
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
index 04ee90b4d5..934205472b 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
@@ -9,7 +9,9 @@ description: |-
installed. If X Windows is not installed then the system cannot boot into graphical user mode.
This prevents the system from being accidentally or maliciously booted into a <tt>graphical.target</tt>
mode. To do so, run the following command:
+ {{%- if product != "rhel8" and product != "rhv4" -%}}
<pre>$ sudo {{{ pkg_manager }}} groupremove "X Window System"</pre>
+ {{%- endif %}}
<pre>$ sudo {{{ pkg_manager }}} remove xorg-x11-server-common</pre>
rationale: |-
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml
index 49cdaeb7aa..2677c96ac7 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml
@@ -7,6 +7,7 @@
- name: get default target
command: systemctl get-default
register: default_target
+
- name: Switch to multi-user runlevel
command: systemctl set-default multi-user.target
when: default_target.stdout != "multi-user.target"
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
index 94c372ffec..16e15df8e1 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
@@ -6,23 +6,12 @@
<metadata>
<title>Disable X Windows Startup By Setting Default SystemD Target</title>
{{{- oval_affected(products) }}}
- {{%- if init_system == "systemd" %}}
- <description>Checks /etc/systemd/system/default.target to ensure that the default runlevel target is set to multi-user.target.</description>
- {{%- else %}}
- <description>Checks /etc/inittab to ensure that default runlevel is set to 3.</description>
- {{%- endif %}}
+ <description>Ensure that the default runlevel target is set to multi-user.target.</description>
</metadata>
- {{%- if init_system == "systemd" %}}
<criteria>
<criterion comment="default.target systemd softlink exists" test_ref="test_disable_xwindows_runlevel_target" />
</criteria>
- {{%- else %}}
- <criteria>
- <criterion comment="default runlevel is 3" test_ref="test_etc_inittab_default_runlevel_target" />
- </criteria>
- {{%- endif %}}
</definition>
- {{%- if init_system == "systemd" %}}
<unix:symlink_test check="all" check_existence="all_exist" comment="default.target systemd softlink exists" id="test_disable_xwindows_runlevel_target" version="1">
<unix:object object_ref="object_disable_xwindows_runlevel_target" />
<unix:state state_ref="state_disable_xwindows_runlevel_target" />
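Review bot: With the inittab branch removed, the symlink_test is now emitted unconditionally in the `else` arm, yet the guard on line 1 of this file (outside the hunk) still keys on `init_system == "systemd"` only for the OVAL 5.10 case; a non-systemd product that ever gets this rule would therefore receive a systemd symlink check against a path that does not exist. Either simplify the guard to `{{%- if target_oval_version == [5, 10] -%}}` and make the rule explicitly systemd-only through its prodtype/platform, or keep the `init_system` condition and document in a template comment that non-systemd products are expected never to select this rule. The definition's opening lines are outside this hunk.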
@@ -34,16 +23,6 @@
<unix:filepath>/etc/systemd/system/default.target</unix:filepath>
<unix:canonical_path operation="pattern match">^/usr/lib/systemd/system/multi-user.target$</unix:canonical_path>
</unix:symlink_state>
- {{%- else %}}
- <ind:textfilecontent54_test check="all" comment="default runlevel is 3" id="test_etc_inittab_default_runlevel_target" version="1">
- <ind:object object_ref="object_etc_inittab_default_runlevel_target" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_etc_inittab_default_runlevel_target" version="1">
- <ind:filepath>/etc/inittab</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*id:3:initdefault:[\s]*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
- {{%- endif %}}
</def-group>
{{%- endif -%}}
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh
index 33835c8f50..f7837a25b7 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh
@@ -1,5 +1,4 @@
#!/bin/bash
# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
-rm -f /etc/systemd/system/default.target
-ln -s /usr/lib/systemd/system/multi-user.target /etc/systemd/system/default.target
+systemctl set-default multi-user.target
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh
index 9313dbb5a2..5a20e8ce3a 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh
@@ -1,5 +1,4 @@
#!/bin/bash
# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
-rm -f /etc/systemd/system/default.target
-ln -s /usr/lib/systemd/system/graphical.target /etc/systemd/system/default.target
+systemctl set-default graphical.target
From bf0a5b6760b58ae5a7927781af3f24443b732554 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 20 Apr 2020 23:23:00 +0200
Subject: [PATCH 05/10] Update list of available CCE.
---
shared/references/cce-redhat-avail.txt | 1 -
1 file changed, 1 deletion(-)
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index c10448ff8d..4debf015dd 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -71,7 +71,6 @@ CCE-83376-4
CCE-83377-2
CCE-83378-0
CCE-83379-8
-CCE-83380-6
CCE-83381-4
CCE-83382-2
CCE-83383-0
From e4ab5d8502aba4e4f55aa1d6394fe47f893e68ff Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 23 Apr 2020 16:01:06 +0200
Subject: [PATCH 06/10] Update ansible remediation for xwindows_runlevel_target
to use file module.
---
.../xwindows_runlevel_target/ansible/shared.yml | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml
index 2677c96ac7..72a3c5415a 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml
@@ -4,10 +4,9 @@
# complexity = low
# disruption = low
-- name: get default target
- command: systemctl get-default
- register: default_target
-
- name: Switch to multi-user runlevel
- command: systemctl set-default multi-user.target
- when: default_target.stdout != "multi-user.target"
+ file:
+ src: /usr/lib/systemd/system/multi-user.target
+ dest: /etc/systemd/system/default.target
+ state: link
+ force: yes
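Review bot: `force: yes` on the `file` task does more than replace the existing default.target symlink: the file module already updates a symlink that points elsewhere without force, and force additionally overwrites a regular file at `dest` and creates the link even when `src` does not exist, which would leave a dangling /etc/systemd/system/default.target on a host where multi-user.target is not at /usr/lib/systemd/system (the bash remediation in this series lets systemctl resolve the unit instead). Either drop `force: yes` so a missing `src` fails loudly rather than producing an unbootable default target, or mirror the bash remediation with `command: systemctl set-default multi-user.target` and a `changed_when` derived from `systemctl get-default` so the task stays idempotent.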
From d19185cd39abcb413351894384a8c603ee768470 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 23 Apr 2020 16:01:52 +0200
Subject: [PATCH 07/10] Update rule package_xorg-x11-server-common_removed
metadata.
For RHEL8 based products the group id that represents base Xorg packages
is called "base-x".
---
.../package_xorg-x11-server-common_removed/rule.yml | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
index 934205472b..099ef2bc7b 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
@@ -9,7 +9,9 @@ description: |-
installed. If X Windows is not installed then the system cannot boot into graphical user mode.
This prevents the system from being accidentally or maliciously booted into a <tt>graphical.target</tt>
mode. To do so, run the following command:
- {{%- if product != "rhel8" and product != "rhv4" -%}}
+ {{%- if product == "rhel8" or product == "rhv4" -%}}
+ <pre>$ sudo {{{ pkg_manager }}} groupremove base-x</pre>
+ {{%- else %}}
<pre>$ sudo {{{ pkg_manager }}} groupremove "X Window System"</pre>
{{%- endif %}}
<pre>$ sudo {{{ pkg_manager }}} remove xorg-x11-server-common</pre>
@@ -52,10 +54,10 @@ ocil: |-
warnings:
- functionality: |-
The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your
- overall security posture. Removing the package xorg-x11-server-common package can
- potentially remove the graphical target which might bring your system to an inconsistent state requiring
- additional configuration to access the system again. If a GUI is an operational requirement, a tailored profile
- that removes this rule should used before continuing installation.
+ overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target
+ which might bring your system to an inconsistent state requiring additional configuration to access the system
+ again. If a GUI is an operational requirement, a tailored profile that removes this rule should used before
+ continuing installation.
template:
name: package_removed
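Review bot: The reworded warning now states as fact that removing xorg-x11-server-common "will remove the graphical target", but graphical.target is a systemd unit rather than something this package provides, as far as I can tell; what the removal actually does is leave a default.target that still points at graphical.target with no X server to start, which is the black screen the series is working around. Suggest `Removing xorg-x11-server-common leaves the system unable to start the graphical session it is still configured to boot into, which may require console or SSH access to recover; set the default target to multi-user.target (see rule xwindows_runlevel_target) before rebooting.` The typo `should used` from the earlier revision also survives this rewrite and should become `should be used`.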
From 568ea36774cd41778c5ffcb004c11b538697f39b Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 23 Apr 2020 17:13:58 +0200
Subject: [PATCH 08/10] OVAL Check for xwindows_runlevel_target consider files
from both /usr and /lib directory prefix.
---
.../xwindows_runlevel_target/oval/shared.xml | 2 +-
.../tests/correct_target_under_lib.pass.sh | 4 ++++
.../tests/wrong_target_under_lib.fail.sh | 4 ++++
3 files changed, 9 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh
create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
index 16e15df8e1..97f51c3140 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
@@ -21,7 +21,7 @@
</unix:symlink_object>
<unix:symlink_state comment="default.target is linked to multi-user.target" id="state_disable_xwindows_runlevel_target" version="1">
<unix:filepath>/etc/systemd/system/default.target</unix:filepath>
- <unix:canonical_path operation="pattern match">^/usr/lib/systemd/system/multi-user.target$</unix:canonical_path>
+ <unix:canonical_path operation="pattern match">^(/usr)?/lib/systemd/system/multi-user.target$</unix:canonical_path>
</unix:symlink_state>
</def-group>
{{%- endif -%}}
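Review bot: The widened pattern leaves the `.` in `multi-user.target` unescaped, so as a regex it matches any character there; it is harmless in practice but the intent is a literal match, and since the state is now a deliberate regex rather than an equals comparison it is worth being exact: `<unix:canonical_path operation="pattern match">^(/usr)?/lib/systemd/system/multi-user\.target$</unix:canonical_path>`. On products where /lib is a symlink to /usr/lib the canonical path will always resolve to the /usr form, so the optional prefix only matters on hosts without a merged /usr, which is presumably the SLE case the commit message has in mind.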
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh
new file mode 100644
index 0000000000..f7837a25b7
--- /dev/null
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+
+systemctl set-default multi-user.target
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh
new file mode 100644
index 0000000000..408409b9b1
--- /dev/null
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+
+ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target
From e39030c464385251d0688ccb609ad10718b22359 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 23 Apr 2020 17:14:51 +0200
Subject: [PATCH 09/10] Update command output from instructions on how to
manually set multi-user.target.
---
.../disabling_xwindows/xwindows_runlevel_target/rule.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
index cd04fcde8f..79457b2b4f 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
@@ -11,8 +11,8 @@ description: |-
<tt>multi-user.target</tt> will prevent automatic startup of the X server. To do so, run:
<pre>$ systemctl set-default multi-user.target</pre>
You should see the following output:
- <pre>rm '/etc/systemd/system/default.target'
- ln -s '/usr/lib/systemd/system/multi-user.target' '/etc/systemd/system/default.target'</pre>
+ <pre>Removed symlink /etc/systemd/system/default.target.
+ Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.</pre>
rationale: |-
Services that are not required for system and application processes
From 2965265fcaf9b14b53866e33d18eeb89f50902c1 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 23 Apr 2020 17:32:21 +0200
Subject: [PATCH 10/10] Fix location of symlink created by test scenario for
xwindows_runlevel_target.
---
.../tests/correct_target_under_lib.pass.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh
index f7837a25b7..dc698edc50 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh
@@ -1,4 +1,4 @@
#!/bin/bash
# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
-systemctl set-default multi-user.target
+ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target