From 43cc10df35546ceeebe629a581d6825bd34f00ee Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Mon, 6 Mar 2023 15:37:19 +0100
Subject: [PATCH 1/2] Introduce rule to remove nginx package
---
 .../services/http/disabling_nginx/group.yml | 7 ++++
 .../package_nginx_removed/rule.yml | 35 +++++++++++++++++++
 shared/references/cce-redhat-avail.txt | 2 --
 3 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/services/http/disabling_nginx/group.yml
 create mode 100644 linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml
diff --git a/linux_os/guide/services/http/disabling_nginx/group.yml b/linux_os/guide/services/http/disabling_nginx/group.yml
new file mode 100644
index 00000000000..b22aaa8ef8b
--- /dev/null
+++ b/linux_os/guide/services/http/disabling_nginx/group.yml
@@ -0,0 +1,7 @@
+documentation_complete: true
+
+title: 'Disable NGINX if Possible'
+
+description: |-
+ If NGINX was installed and activated, but the system does not need to act as a web server,
+ then it should be removed from the system.
diff --git a/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml b/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml
new file mode 100644
index 00000000000..05b573f482c
--- /dev/null
+++ b/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: rhel8,rhel9
+
+title: 'Uninstall nginx Package'
+
+description: |-
+ {{{ describe_package_remove(package="nginx") }}}
+
+rationale: |-
+ If there is no need to make the web server software available,
+ removing it provides a safeguard against its activation.
+
+severity: unknown
+
+identifiers:
+ cce@rhel8: CCE-88034-4
+ cce@rhel9: CCE-88035-1
+
+references:
+ cis@rhel8: 2.2.10
+ cis@rhel9: 2.2.8
+ cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
+ isa-62443-2009: 4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3
+ isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 7.6'
+ iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
+ nist: CM-7(a),CM-7(b),CM-6(a)
+ nist-csf: PR.IP-1,PR.PT-3
+
+{{{ complete_ocil_entry_package(package="nginx") }}}
+
+template:
+ name: package_removed
+ vars:
+ pkgname: nginx
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 9b3bb608e7a..ea8d82326bc 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1584,8 +1584,6 @@ CCE-88028-6
 CCE-88029-4
 CCE-88030-2
 CCE-88031-0
-CCE-88034-4
-CCE-88035-1
 CCE-88037-7
 CCE-88038-5
 CCE-88039-3
From 519749681630dc30cd3af0277a4cf1971f376858 Mon Sep 17 00:00:00 2001
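Review bot: `severity: unknown` on the new rule leaves it without a risk rating even though the second patch in this series flips the CIS controls that list it to `status: automated`; it should carry the same concrete severity as the sibling rule `package_httpd_removed` it sits next to in those controls (and if that one is also `unknown`, both are worth fixing together). The check is also bound to the single package name `pkgname: nginx`; on distributions where the web server is split into a core package plus a meta package (as with Fedora's `nginx-core`/`nginx`), a host that has only the core package installed would pass while still shipping the server binary, so this is worth confirming against the RHEL 8/9 packaging before treating the control as fully automated. For the record, `CCE-88034-4`/`CCE-88035-1` match the two entries retired from cce-redhat-avail.txt in this patch, and `cis@rhel8: 2.2.10`/`cis@rhel9: 2.2.8` match the control ids touched in the second patch.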
From: Marcus Burghardt
Date: Mon, 6 Mar 2023 15:38:02 +0100
Subject: [PATCH 2/2] Update CIS RHEL control files regarging nginx
The CIS requirement to remove web servers in RHEL8 and RHEL9 also asks to remove the nginx package. The respective requirements were updated to include the new templated rule.
---
 controls/cis_rhel8.yml | 5 ++---
 controls/cis_rhel9.yml | 5 ++---
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 81f9cb955ce..baa67efcc0c 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -764,16 +764,15 @@ controls:
 rules:
 - package_tftp-server_removed
 
- # NEEDS RULE
 - id: 2.2.10
 title: Ensure a web server is not installed (Automated)
 levels:
 - l1_server
 - l1_workstation
- status: partial
+ status: automated
 rules:
 - package_httpd_removed
- # Needs a rule to remove nginx
+ - package_nginx_removed
 
 # NEEDS RULE
 - id: 2.2.11
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
index 11f9995039e..773d7a006c0 100644
--- a/controls/cis_rhel9.yml
+++ b/controls/cis_rhel9.yml
@@ -760,16 +760,15 @@ controls:
 rules:
 - package_tftp-server_removed
 
- # NEEDS RULE
 - id: 2.2.8
 title: Ensure a web server is not installed (Automated)
 levels:
 - l1_server
 - l1_workstation
- status: partial
+ status: automated
 rules:
 - package_httpd_removed
- # Needs a rule to remove nginx
+ - package_nginx_removed
 
 # NEEDS RULE
 - id: 2.2.9