Merge pull request #10292 from marcusburghardt/cis_disabling_cyrus-imapd

Introduce rule to remove cyrus-imapd package
ComplianceAsCode · Mar 6, 2023 · a76957c · a76957c
2 parents 7f094ff + 81c9ad7
commit a76957c
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 8 deletions.
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
@@ -774,16 +774,15 @@ controls:
       - package_httpd_removed
       - package_nginx_removed
 
-  # NEEDS RULE
   - id: 2.2.11
     title: Ensure IMAP and POP3 server is not installed (Automated)
     levels:
       - l1_server
       - l1_workstation
-    status: partial
+    status: automated
     rules:
       - package_dovecot_removed
-      # Needs a rule to remove cyrus-imapd
+      - package_cyrus-imapd_removed
 
   - id: 2.2.12
     title: Ensure Samba is not installed (Automated)

diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
@@ -770,16 +770,15 @@ controls:
       - package_httpd_removed
       - package_nginx_removed
 
-  # NEEDS RULE
   - id: 2.2.9
     title: Ensure IMAP and POP3 server is not installed (Automated)
     levels:
       - l1_server
       - l1_workstation
-    status: partial
+    status: automated
     rules:
       - package_dovecot_removed
-      # Needs a rule to remove cyrus-imapd
+      - package_cyrus-imapd_removed
 
   - id: 2.2.10
     title: Ensure Samba is not installed (Automated)

diff --git a/linux_os/guide/services/imap/disabling_cyrus-imapd/group.yml b/linux_os/guide/services/imap/disabling_cyrus-imapd/group.yml
@@ -0,0 +1,7 @@
+documentation_complete: true
+
+title: 'Disable Cyrus IMAP'
+
+description: |-
+    If the system does not need to operate as an IMAP or
+    POP3 server, the Cyrus IMAP software should be removed.
diff --git a/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml b/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+prodtype: rhel8,rhel9
+
+title: 'Uninstall cyrus-imapd Package'
+
+description: |-
+    {{{ describe_package_remove(package="cyrus-imapd") }}}
+
+rationale: |-
+    If there is no need to make the cyrus-imapd software available,
+    removing it provides a safeguard against its activation.
+
+severity: unknown
+
+identifiers:
+    cce@rhel8: CCE-88119-3
+    cce@rhel9: CCE-88120-1
+
+references:
+    cis@rhel8: 2.2.11
+    cis@rhel9: 2.2.9
+
+{{{ complete_ocil_entry_package(package="cyrus-imapd") }}}
+
+template:
+    name: package_removed
+    vars:
+        pkgname: cyrus-imapd
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -1659,8 +1659,6 @@ CCE-88115-1
 CCE-88116-9
 CCE-88117-7
 CCE-88118-5
-CCE-88119-3
-CCE-88120-1
 CCE-88124-3
 CCE-88125-0
 CCE-88126-8