Merge pull request #12699 from Mab879/new_rule_package_unbound_remove

New rule package_unbound_removed
ComplianceAsCode · Dec 11, 2024 · 949a9a1 · 949a9a1
2 parents aa76180 + 967bf35
commit 949a9a1
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 1 deletion.
diff --git a/components/bind.yml b/components/bind.yml
@@ -17,5 +17,6 @@ rules:
 - dns_server_disable_zone_transfers
 - package_bind_removed
 - package_dnsmasq_removed
+- package_unbound_removed
 - service_named_disabled
 - service_dnsmasq_disabled
diff --git a/components/unbound.yml b/components/unbound.yml
@@ -0,0 +1,5 @@
+name: unbound
+packages:
+    - unbound
+rules:
+    - package_unbound_removed
diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
@@ -82,6 +82,7 @@ controls:
             - service_firewalld_enabled
 
             # package removed
+            - package_unbound_removed
             - package_vsftpd_removed
             - package_tftp-server_removed
             - package_gssproxy_removed

diff --git a/linux_os/guide/services/dns/package_unbound_removed/rule.yml b/linux_os/guide/services/dns/package_unbound_removed/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+title: 'Uninstall unbound Package'
+
+description: |-
+    The <tt>named</tt> service is provided by the <tt>unbound</tt> package.
+    {{{ describe_package_remove(package="unbound") }}}
+
+rationale: |-
+    If there is no need to make DNS server software available,
+    removing it provides a safeguard against its activation.
+
+severity: low
+
+identifiers:
+    cce@rhel10: CCE-86181-5
+
+
+references:
+    disa: CCI-000366
+    nist: CM-7(a),CM-7(b),CM-6(a)
+    srg: SRG-OS-000480-GPOS-00227
+
+template:
+    name: package_removed
+    vars:
+        pkgname: unbound
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -1,7 +1,6 @@
 CCE-86178-1
 CCE-86179-9
 CCE-86180-7
-CCE-86181-5
 CCE-86186-4
 CCE-86187-2
 CCE-86188-0