Create rule group_server_with_gui_removed #14204
Conversation
This commit introduces new rule `group_server_with_gui_removed` and adds it to CIS profile according to RHEL 10 CIS Benchmark v1.0.1, requirement 2.1.19. Although the requirement title suggests to remove only the GNOME Display Manager (gdm), the prose in the requirement instructs us to remove the whole `Server with GUI` dnf group. Also the remediation described in the CIS document wants us to remove the `Server with GUI` using the `dnf groupremove` command. The problem with this rule is that we aren't able to write an OVAL check for it. The rpm probes can't provide any information about dnf groups as that is a concept that doesn't exist on rpm level and is known only for dnf tools. We don't have any dnf probe or dnf query in OpenSCAP. Therefore this rule will have only an SCE check. Resolves: https://issues.redhat.com/browse/OPENSCAP-6081
jan-cerny
added
CIS
There was a problem hiding this comment.
I think the whole rule would fit better into the linux_os/guide/services/xwindows/disabling_xwindows group.
vojtapolasek
left a comment
vojtapolasek
left a comment
There was a problem hiding this comment.
Thank you for this rule, it looks mostly good. Please see comments for concerns.
| cmd: dnf groupinstall -y 'Minimal Install' | ||
| - name: "{{{ rule_title }}} - Remove Server with GUI group" | ||
| ansible.builtin.command: | ||
| cmd: dnf groupremove -y 'Server with GUI' |
There was a problem hiding this comment.
Please add empty lines between tasks.
| # with GUI group with minimal impact to the system functionality. | ||
| - name: "{{{ rule_title }}} - Install Minimal Install group" | ||
| ansible.builtin.command: | ||
| cmd: dnf groupinstall -y 'Minimal Install' |
There was a problem hiding this comment.
How is this going to work in "check mode"? Will it be OK? Would some tasks which would check actual presence / absence of a group make sense?
|
@jan-cerny: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/packit build |
|
|
||
| - name: "{{{ rule_title }}} - Install Server group" | ||
| ansible.builtin.command: | ||
| cmd: dnf groupinstall -y 'Server' |
There was a problem hiding this comment.
I don't like this solution. It conflicts with our approach to install and remove all packages at the very beginning of the Ansible Playbook. Now, with this change, many packages are installed or removed somewhere in the middle of the Playbook. That not only makes the task longer, but probably causes the fails of the /hardening/host-os/ansible tests in Testing farm CI jobs. Please invent a different solution.
2 participants
This commit introduces new rule
group_server_with_gui_removedand adds it to CIS profile according to RHEL 10 CIS Benchmark v1.0.1, requirement 2.1.19. Although the requirement title suggests to remove only the GNOME Display Manager (gdm), the prose in the requirement instructs us to remove the wholeServer with GUIdnf group. Also the remediation described in the CIS document wants us to remove theServer with GUIusing thednf groupremovecommand.The problem with this rule is that we aren't able to write an OVAL check for it. The rpm probes can't provide any information about dnf groups as that is a concept that doesn't exist on rpm level and is known only for dnf tools. We don't have any dnf probe or dnf query in OpenSCAP. Therefore this rule will have only an SCE check.
Resolves: https://issues.redhat.com/browse/OPENSCAP-6081