ComplianceAsCode · teacup-on-rockingchair · Oct 28, 2024 · Oct 3, 2024 · Oct 3, 2024 · Oct 4, 2024
diff --git a/components/dhcp.yml b/components/dhcp.yml
@@ -20,3 +20,4 @@ rules:
 - package_dhcp_removed
 - service_dhcpd_disabled
 - sysconfig_networking_bootproto_ifcfg
+- package_kea_removed
diff --git a/components/kea.yml b/components/kea.yml
@@ -0,0 +1,5 @@
+name: kea
+packages:
+- kea
+rules:
+- package_kea_removed
diff --git a/controls/anssi.yml b/controls/anssi.yml
@@ -1291,6 +1291,7 @@ controls:
       of these in this recommendation.
     rules:
     - package_dhcp_removed
+    - package_kea_removed
     - package_rsh_removed
     - package_rsh-server_removed
     - package_sendmail_removed

diff --git a/controls/cis_rhel10.yml b/controls/cis_rhel10.yml
@@ -800,7 +800,7 @@ controls:
       - l1_workstation
     status: automated
     rules:
-      - package_dhcp_removed
+      - package_kea_removed
     related_rules:
       - service_dhcpd_disabled
 

diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+
+title: 'Uninstall kea Package'
+
+description: |-
+    If the system does not need to act as a DHCP server,
+    the kea package can be uninstalled.
+
+rationale: |-
+    Removing the DHCP server ensures that it cannot be easily or
+    accidentally reactivated and disrupt network operation.
+
+severity: medium
+
+identifiers:
+    cce@rhel10: CCE-86596-4
+
+{{{ complete_ocil_entry_package(package="kea") }}}
+
+template:
+    name: package_removed
+    vars:
+        pkgname: kea
@@ -46,3 +46,4 @@ selections:
     - '!audit_sudo_log_events'
     - '!sysctl_net_core_bpf_jit_harden'
     - '!grub2_pti_argument'
+    - '!package_kea_removed'
@@ -72,3 +72,4 @@ selections:
     - '!kernel_config_strict_module_rwx'
     - '!kernel_config_modify_ldt_syscall'
     - '!grub2_pti_argument'
+    - '!package_kea_removed'
@@ -36,3 +36,4 @@ selections:
     - '!grub2_page_alloc_shuffle_argument'
     - '!sysctl_net_core_bpf_jit_harden'
     - '!grub2_pti_argument'
+    - '!package_kea_removed'
@@ -28,3 +28,4 @@ selections:
     - '!accounts_passwords_pam_tally2_unlock_time'
     - '!ensure_redhat_gpgkey_installed'
     - '!enable_authselect'
+    - '!package_kea_removed'
@@ -33,3 +33,4 @@ selections:
     - '!sysctl_fs_protected_fifos'
     - '!cracklib_accounts_password_pam_dcredit'
     - '!grub2_page_alloc_shuffle_argument'
+    - '!package_kea_removed'
@@ -34,3 +34,4 @@ selections:
     - '!sysctl_fs_protected_fifos'
     - '!cracklib_accounts_password_pam_dcredit'
     - '!grub2_page_alloc_shuffle_argument'
+    - '!package_kea_removed'
@@ -27,3 +27,4 @@ selections:
     - '!grub2_page_alloc_shuffle_argument'
     - '!accounts_passwords_pam_tally2_unlock_time'
     - '!ensure_redhat_gpgkey_installed'
+    - '!package_kea_removed'
@@ -23,3 +23,4 @@ selections:
     - '!cracklib_accounts_password_pam_ocredit'
     - '!accounts_passwords_pam_tally2_unlock_time'
     - '!ensure_redhat_gpgkey_installed'
+    - '!package_kea_removed'
@@ -41,3 +41,4 @@ selections:
     - '!cracklib_accounts_password_pam_minlen'
     - '!cracklib_accounts_password_pam_dcredit'
     - '!package_xinetd_removed'
+    - '!package_kea_removed'
@@ -42,3 +42,4 @@ selections:
     - '!cracklib_accounts_password_pam_minlen'
     - '!cracklib_accounts_password_pam_dcredit'
     - '!package_xinetd_removed'
+    - '!package_kea_removed'
@@ -33,3 +33,4 @@ selections:
     - '!sudo_add_ignore_dot'
     - '!sudo_add_env_reset'
     - '!package_xinetd_removed'
+    - '!package_kea_removed'
@@ -26,3 +26,4 @@ selections:
   - '!accounts_passwords_pam_tally2_unlock_time'
   - '!ensure_redhat_gpgkey_installed'
   - '!package_xinetd_removed'
+  - '!package_kea_removed'
@@ -33,6 +33,7 @@ selections:
 
     # these rules do not apply to RHEL 10
     - '!package_audit-audispd-plugins_installed'
+    - '!package_dhcp_removed'
     - '!package_ypserv_removed'
     - '!package_ypbind_removed'
     - '!package_talk_removed'

@@ -49,3 +49,4 @@ selections:
     - '!accounts_passwords_pam_tally2_unlock_time'
     - '!audit_rules_privileged_commands_insmod'
     - '!ensure_oracle_gpgkey_installed'
+    - '!package_kea_removed'
@@ -56,3 +56,4 @@ selections:
     - '!cracklib_accounts_password_pam_dcredit'
     - '!grub2_page_alloc_shuffle_argument'
     - '!ensure_oracle_gpgkey_installed'
+    - '!package_kea_removed'
@@ -37,3 +37,4 @@ selections:
   - '!grub2_page_alloc_shuffle_argument'
   - '!accounts_passwords_pam_tally2_unlock_time'
   - '!ensure_oracle_gpgkey_installed'
+  - '!package_kea_removed'
@@ -33,3 +33,4 @@ selections:
   - '!cracklib_accounts_password_pam_ocredit'
   - '!accounts_passwords_pam_tally2_unlock_time'
   - '!ensure_oracle_gpgkey_installed'
+  - '!package_kea_removed'
@@ -47,6 +47,7 @@ selections:
     - '!cracklib_accounts_password_pam_minlen'
     - '!cracklib_accounts_password_pam_dcredit'
     - '!ensure_oracle_gpgkey_installed'
+    - '!package_kea_removed'
     # RHEL9 unified the paths for grub2 files. These rules are selected in control file by R29.
     - '!file_groupowner_efi_grub2_cfg'
     - '!file_owner_efi_grub2_cfg'

@@ -50,6 +50,7 @@ selections:
     - '!cracklib_accounts_password_pam_minlen'
     - '!cracklib_accounts_password_pam_dcredit'
     - '!ensure_oracle_gpgkey_installed'
+    - '!package_kea_removed'
     # disable R45: Enable AppArmor security profiles
     - '!apparmor_configured'
     - '!all_apparmor_profiles_enforced'

@@ -40,3 +40,4 @@ selections:
   - '!sudo_add_ignore_dot'
   - '!sudo_add_env_reset'
   - '!ensure_oracle_gpgkey_installed'
+  - '!package_kea_removed'
@@ -33,3 +33,4 @@ selections:
   - '!cracklib_accounts_password_pam_ocredit'
   - '!accounts_passwords_pam_tally2_unlock_time'
   - '!ensure_oracle_gpgkey_installed'
+  - '!package_kea_removed'
@@ -54,3 +54,4 @@ selections:
     - '!sysctl_net_ipv6_conf_all_autoconf'
     - '!grub2_pti_argument'
     - '!ensure_oracle_gpgkey_installed'
+    - '!package_kea_removed'
@@ -80,3 +80,4 @@ selections:
     - '!sysctl_net_ipv6_conf_all_autoconf'
     - '!grub2_pti_argument'
     - '!ensure_oracle_gpgkey_installed'
+    - '!package_kea_removed'
@@ -53,3 +53,4 @@ selections:
   - '!sysctl_net_ipv6_conf_all_autoconf'
   - '!grub2_pti_argument'
   - '!ensure_oracle_gpgkey_installed'
+  - '!package_kea_removed'
@@ -42,3 +42,4 @@ selections:
   - '!accounts_password_pam_minlen'
   - '!ensure_oracle_gpgkey_installed'
   - '!enable_authselect'
+  - '!package_kea_removed'
@@ -55,3 +55,4 @@ selections:
     - '!sysctl_net_ipv6_conf_all_autoconf'
     - '!grub2_pti_argument'
     - '!ensure_oracle_gpgkey_installed'
+    - '!package_kea_removed'
@@ -82,3 +82,4 @@ selections:
     - '!sysctl_net_ipv6_conf_all_autoconf'
     - '!grub2_pti_argument'
     - '!ensure_oracle_gpgkey_installed'
+    - '!package_kea_removed'
@@ -54,3 +54,4 @@ selections:
   - '!sysctl_net_ipv6_conf_all_autoconf'
   - '!grub2_pti_argument'
   - '!ensure_oracle_gpgkey_installed'
+  - '!package_kea_removed'
@@ -42,3 +42,4 @@ selections:
   - '!accounts_password_pam_minlen'
   - '!ensure_oracle_gpgkey_installed'
   - '!enable_authselect'
+  - '!package_kea_removed'
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -95,7 +95,6 @@ CCE-86576-6
 CCE-86589-9
 CCE-86591-5
 CCE-86594-9
-CCE-86596-4
 CCE-86598-0
 CCE-86600-4
 CCE-86601-2