added compliance checks

Author: vickeybrown

components/at.yml

@@ -3,4 +3,5 @@ packages:
 - at
 rules:
 - file_at_deny_not_exist
+- package_at_removed
 - service_atd_disabled

components/dnf.yml

@@ -4,6 +4,7 @@ packages:
 - dnf-automatic
 - dnf-plugin-subscription-manager
 - libdnf-plugin-subscription-manager
+- python3-dnf
 rules:
 - clean_components_post_updating
 - disable_weak_deps
@@ -15,3 +16,4 @@ rules:
 - package_dnf-automatic_installed
 - package_dnf-plugin-subscription-manager_installed
 - package_libdnf-plugin-subscription-manager_installed
+- package_python3_dnf_removed

components/nmap-ncat.yml

@@ -0,0 +1,5 @@
+name: nmap-ncat
+packages:
+- nmap-ncat
+rules:
+- package_netcat_removed

components/socat.yml

@@ -0,0 +1,5 @@
+name: socat
+packages:
+- socat
+rules:
+- package_socat_removed

linux_os/guide/services/cron_and_at/package_at_removed/rule.yml

@@ -0,0 +1,37 @@
+documentation_complete: true
+
+title: 'Uninstall at Package'
+
+description: |-
+    The at package provides the ability to schedule one-time tasks for future execution,
+    which is not required in CoreOS environments and can introduce unnecessary risk.
+    The at package is not installed by default on CoreOS. If found, it should be uninstalled
+    to reduce the risk of unauthorized or unaccountable task execution.
+    {{{ describe_package_remove(package="at") }}}
+
+rationale: |-
+    The at package is not installed by default on CoreOS, but it is available in standard
+    repositories. With sufficient privileges, it could be installed on CoreOS, introducing
+    unnecessary risk. If present, attackers could use the at utility to schedule malicious
+    tasks for future execution, making it harder to detect and trace unauthorized activity.
+    To prevent such risks and unaccountable task execution, regularly verify that the at
+    package is not present and remove it if found.
+
+severity: high
+
+ocil_clause: 'the package is installed'
+
+ocil: |-
+    {{{ complete_ocil_entry_package_removed(package="at") }}}
+
+fixtext: |-
+    To remove the at package, run the following command:
+
+    $ rpm-ostree override remove at
+
+    A reboot is required for the changes to take effect.
+
+template:
+    name: package_removed
+    vars:
+        pkgname: at

linux_os/guide/system/software/system-tools/package_netcat_removed/rule.yml

@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Uninstall netcat Package'
+
+description: |-
+    {{{ describe_package_remove(package="nmap-ncat") }}}
+
+rationale: |-
+    Utilities such as netcat can be used for legitimate troubleshooting,
+    but they also present a significant security risk if misused by attackers
+    to create unauthorized network connections, transfer data, or establish
+    reverse shells. While netcat is not installed by default on CoreOS, it is
+    available in standard repositories and could be added with sufficient
+    privileges. Removing these tools from systems reduces the risk of
+    unauthorized access and data exfiltration.
+
+severity: high
+
+{{{ complete_ocil_entry_package_removed("nmap-ncat") }}}
+
+fixtext: |-
+    To remove the nmap-ncat package, run the following command:
+
+    $ rpm-ostree override remove nmap-ncat
+
+    A reboot is required for the changes to take effect.
+
+template:
+    name: package_removed
+    vars:
+        pkgname: nmap-ncat

linux_os/guide/system/software/system-tools/package_python3_dnf_removed/rule.yml

@@ -0,0 +1,43 @@
+documentation_complete: true
+
+title: 'Remove dnf and python3-dnf Packages'
+
+description: |-
+    The dnf and python3-dnf packages provide package management utilities and Python bindings
+    for installing, updating, and removing software on Linux systems. CoreOS is designed to be
+    an immutable operating system, where software installation and updates are managed through
+    atomic upgrades and containerization, rather than traditional package management.
+    Retaining these utilities can introduce risks by allowing direct package installation,
+    which may compromise system integrity and increase the attack surface.
+    It is recommended to remove these packages to maintain the intended security posture of CoreOS.
+
+rationale: |-
+    Retaining dnf and python3-dnf on CoreOS allows anyone with access to the system to install
+    or modify packages, potentially altering the operating system and undermining its immutability.
+    Attackers or unauthorized users could also reconfigure DNF to use untrusted repositories,
+    introducing malicious software or vulnerabilities. Removing dnf and python3-dnf prevents
+    unauthorized changes and maintains system integrity.
+
+severity: high
+
+ocil_clause: 'the packages are installed'
+
+ocil: |-
+    To verify that the <tt>dnf</tt> and <tt>python3-dnf</tt> packages are not installed,
+    run the following command:
+    <pre>$ rpm -q dnf python3-dnf</pre>
+    The output should indicate that both packages are not installed.
+
+fixtext: |-
+    To remove the dnf and python3-dnf packages, execute the following command:
+
+    $ rpm-ostree override remove dnf python3-dnf
+
+    A reboot is required for the changes to take effect.
+
+template:
+    name: package_removed
+    vars:
+        pkgname:
+            - dnf
+            - python3-dnf

linux_os/guide/system/software/system-tools/package_socat_removed/rule.yml

@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Uninstall socat Package'
+
+description: |-
+    {{{ describe_package_remove(package="socat") }}}
+
+rationale: |-
+    Utilities such as socat can be used for legitimate troubleshooting,
+    but they also present a significant security risk if misused by attackers
+    to create unauthorized network connections, transfer data, or establish
+    reverse shells. While socat is not installed by default on CoreOS, it is
+    available in standard repositories and could be added with sufficient
+    privileges. Removing these tools from systems reduces the risk of
+    unauthorized access and data exfiltration.
+
+severity: high
+
+{{{ complete_ocil_entry_package_removed("socat") }}}
+
+fixtext: |-
+    To remove the socat package, run the following command:
+
+    $ rpm-ostree override remove socat
+
+    A reboot is required for the changes to take effect.
+
+template:
+    name: package_removed
+    vars:
+        pkgname: socat

products/rhcos4/profiles/default.profile

@@ -185,7 +185,11 @@ selections:
     - grub2_ipv6_disable_argument
     - file_permissions_backup_etc_group
     - etc_system_fips_exists
+    - package_at_removed
     - package_net-snmp_removed
+    - package_netcat_removed
+    - package_python3_dnf_removed
+    - package_socat_removed
     - package_fapolicyd_installed
     - audit_rules_for_ospp
     - sshd_enable_pam

shared/macros/10-bash.jinja

@@ -485,7 +485,12 @@ zypper install -y "{{{ package }}}"
 
 #}}
 {{%- macro bash_package_remove(package) -%}}
-{{%- if pkg_manager is defined -%}}
+{{%- if product == "rhcos4" -%}}
+# RHCOS uses rpm-ostree for package management
+if rpm -q --quiet "{{{ package }}}" ; then
+    rpm-ostree override remove "{{{ package }}}"
+fi
+{{%- elif pkg_manager is defined -%}}
 {{%- if pkg_manager == "yum" or pkg_manager == "dnf" -%}}
 if rpm -q --quiet "{{{ package }}}" ; then
 {{% if SSG_TEST_SUITE_ENV %}}