From acb5c93d53c099fb3882eab7a8e994a1321e9ea0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 17 Dec 2025 13:51:57 +0100 Subject: [PATCH] Add notes about RHEL 10 CIS requirement 2.1.19 Resolves: https://issues.redhat.com/browse/OPENSCAP-6081 --- products/rhel10/controls/cis_rhel10.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/products/rhel10/controls/cis_rhel10.yml b/products/rhel10/controls/cis_rhel10.yml index f74a3e6e2f3..574695500bb 100644 --- a/products/rhel10/controls/cis_rhel10.yml +++ b/products/rhel10/controls/cis_rhel10.yml @@ -963,6 +963,13 @@ controls: levels: - l2_server status: automated + notes: |- + The requirement recommends to remove the whole 'Server with GUI' dnf package group. + Unfortunately, OVAL can't check for dnf package groups. + Remediations that would remove and install large package groups are problematic and too destructive. + We decided to not have a rule for the 'Server with GUI' removal and instead just cover the most singificant package - gdm. + For more context, see https://github.com/ComplianceAsCode/content/pull/14204 where we failed to create a rule for the package group removal. + We shall recomend users who want to use the GUI to use the CIS Workstation L2 profile instead. rules: - package_gdm_removed
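Review bot: In the cis_rhel10.yml hunk, the added notes say the control covers only gdm rather than the whole 'Server with GUI' package group, yet the unchanged context line `status: automated` still presents the requirement as fully automated. Consider whether a status that signals partial coverage fits better, or say in the notes why `automated` is kept, so that anyone reading scan results does not assume the full group removal is being checked. Two typos in the added lines should be fixed before merge: "singificant" should be "significant" and "recomend" should be "recommend". The last note line ("We shall recomend users ...") reads as a to-do. Rephrase it as a statement of guidance, and say where that guidance is documented if it already exists.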