Merge pull request ComplianceAsCode#10131 from rumch-se/rules_avahi_p…

…ackage Two SLE 12/15 rules related to avahi package
mrkanon · Jan 27, 2023 · e9931a1 · e9931a1
2 parents 7eb87db + 4a76f5d
commit e9931a1
Show file tree

Hide file tree

Showing 6 changed files with 88 additions and 10 deletions.
diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml
@@ -590,11 +590,11 @@ controls:
     levels:
       - l1_server
       - l2_workstation
-    automated: partially
-    notes: >-
-      Rule for package removal is missing!
+    status: automated
     rules:
       - service_avahi-daemon_disabled
+      - package_avahi_removed
+      - package_avahi-autoipd_removed
 
   - id: 2.2.4
     title: Ensure CUPS is not installed (Automated)

diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml
@@ -571,11 +571,11 @@ controls:
     levels:
       - l1_server
       - l2_workstation
-    automated: partially
-    notes: >-
-      Rule for package removal is missing!
+    status: automated
     rules:
       - service_avahi-daemon_disabled
+      - package_avahi_removed
+      - package_avahi-autoipd_removed
 
   - id: 2.2.4
     title: Ensure CUPS is not installed (Automated)

diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: sle12,sle15
+
+title: 'Uninstall avahi-autoipd Server Package'
+
+description: |-
+    If the system does not need to have an Avahi server which implements 
+    the DNS Service Discovery and Multicast DNS protocols,
+    the avahi-autoipd and avahi packages can be uninstalled.
+
+rationale: |-
+    Automatic discovery of network services is not normally required for 
+    system functionality. It is recommended to remove this package to reduce 
+    the potential attack surface.
+
+severity: medium
+
+identifiers:
+    cce@sle12: CCE-92310-2
+    cce@sle15: CCE-92465-4
+
+references:
+    cis-csc: 11,14,3,9
+    cis@sle12: 2.2.3
+    cis@sle15: 2.2.3
+    cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
+    disa: CCI-000366
+    isa-62443-2009: 4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3
+    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 7.6'
+    iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
+    nist: CM-7(a),CM-7(b),CM-6(a)
+    nist-csf: PR.IP-1,PR.PT-3
+
+{{{ complete_ocil_entry_package(package="avahi-autoipd") }}}
+fixtext: '{{{ fixtext_package_removed("avahi-autoipd") }}}'
+
+template:
+    name: package_removed
+    vars:
+        pkgname: avahi-autoipd
diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: sle12,sle15
+
+title: 'Uninstall avahi Server Package'
+
+description: |-
+    If the system does not need to have an Avahi server which implements 
+    the DNS Service Discovery and Multicast DNS protocols,
+    the avahi-autoipd and avahi packages can be uninstalled.
+
+rationale: |-
+    Automatic discovery of network services is not normally required for 
+    system functionality. It is recommended to remove this package to reduce 
+    the potential attack surface.
+
+severity: medium
+
+identifiers:
+    cce@sle12: CCE-92314-4
+    cce@sle15: CCE-92464-7
+
+references:
+    cis-csc: 11,14,3,9
+    cis@sle12: 2.2.3
+    cis@sle15: 2.2.3
+    cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
+    disa: CCI-000366
+    isa-62443-2009: 4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3
+    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 7.6'
+    iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
+    nist: CM-7(a),CM-7(b),CM-6(a)
+    nist-csf: PR.IP-1,PR.PT-3
+
+{{{ complete_ocil_entry_package(package="avahi") }}}
+fixtext: '{{{ fixtext_package_removed("avahi") }}}'
+
+template:
+    name: package_removed
+    vars:
+        pkgname: avahi
diff --git a/shared/references/cce-sle12-avail.txt b/shared/references/cce-sle12-avail.txt
@@ -1,5 +1,3 @@
-CCE-92310-2
-CCE-92314-4
 CCE-92319-3
 CCE-92321-9
 CCE-92324-3

diff --git a/shared/references/cce-sle15-avail.txt b/shared/references/cce-sle15-avail.txt
@@ -1,5 +1,3 @@
-CCE-92464-7
-CCE-92465-4
 CCE-92477-9
 CCE-92479-5
 CCE-92481-1