New Profile for RHEL10: BSI

[sluetze]

Description:

This PR adds a new profile for RHEL10. The Profile covers the Building Blocks SYS.1.1 and SYS.1.3 of BSI Basic Protection. The BSI is the Federal Office for Security Information in Germany. This profile has manually been tested with virtual RHEL10 servers

Rationale:

This Profile mostly maps existing rules to the controls of the building blocks. It is based on the RHEL9 profile, since the requirements did not change. I just added new rules, which ensure a better coverage in RHEL10.

New rules in RHEL10: 21
  - aide_periodic_checking_systemd_timer
      SYS.1.1.A27: Host-Based Attack Detection
  - audit_rules_continue_loading
      SYS.1.1.A10: Logging
  - audit_rules_dac_modification_fchmodat2
      SYS.1.1.A10: Logging
  - directory_groupowner_sshd_config_d
      SYS.1.3.A14: Preventing Unauthorised Collection of System and User Information
  - directory_owner_sshd_config_d
      SYS.1.3.A14: Preventing Unauthorised Collection of System and User Information
  - directory_permissions_sshd_config_d
      SYS.1.3.A14: Preventing Unauthorised Collection of System and User Information
  - file_groupowner_cron_yearly
      SYS.1.3.A14: Preventing Unauthorised Collection of System and User Information
  - file_groupowner_etc_security_opasswd
      SYS.1.3.A14: Preventing Unauthorised Collection of System and User Information
  - file_groupowner_etc_security_opasswd_old
      SYS.1.3.A14: Preventing Unauthorised Collection of System and User Information
  - file_groupowner_sshd_drop_in_config
      SYS.1.3.A14: Preventing Unauthorised Collection of System and User Information
  - file_owner_cron_yearly
      SYS.1.3.A14: Preventing Unauthorised Collection of System and User Information
  - file_owner_etc_security_opasswd
      SYS.1.3.A14: Preventing Unauthorised Collection of System and User Information
  - file_owner_etc_security_opasswd_old
      SYS.1.3.A14: Preventing Unauthorised Collection of System and User Information
  - file_owner_sshd_drop_in_config
      SYS.1.3.A14: Preventing Unauthorised Collection of System and User Information
  - file_permission_user_bash_history
      SYS.1.3.A14: Preventing Unauthorised Collection of System and User Information
  - file_permissions_cron_yearly
      SYS.1.3.A14: Preventing Unauthorised Collection of System and User Information
  - file_permissions_etc_security_opasswd
      SYS.1.3.A14: Preventing Unauthorised Collection of System and User Information
  - file_permissions_etc_security_opasswd_old
      SYS.1.3.A14: Preventing Unauthorised Collection of System and User Information
  - file_permissions_sshd_drop_in_config
      SYS.1.3.A14: Preventing Unauthorised Collection of System and User Information
  - no_files_or_dirs_ungroupowned
      SYS.1.3.A14: Preventing Unauthorised Collection of System and User Information
  - no_files_or_dirs_unowned_by_user
      SYS.1.3.A14: Preventing Unauthorised Collection of System and User Information

Review Hints:

I did not find the right place for the kickstart files in RHEL10... so I would need a pointer here.

[openshift-ci]

Hi @sluetze. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[jan-cerny]

@sluetze Re kickstarts:

In RHEL 10, we don't have kickstarts that we used to have in RHEL 9 and older (eg. https://github.com/ComplianceAsCode/content/blob/master/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg). The reason is that RHEL 10 doesn't contain oscap-anaconda-addon which is the component that used to handle OpenSCAP hardening in older RHELs. The oscap-anaconda-addon was the component that handled %addon com_redhat_oscap section of the kickstart. Therefore using this section is no longer possible.

Instead, in RHEL 10 we use a new approach based on generated kickstarts and running oscap in post installation phase. This is described in https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/security_hardening/scanning-the-system-for-configuration-compliance#performing-a-hardened-installation-of-rhel-with-kickstart

This means you shouldn't create a kickstart for RHEL 10 and you don't have to submit it here.

[Mab879]

/ok-to-test

[openshift-ci]

@sluetze: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-openshift-node-compliance	57feb6f	link	true	/test e2e-aws-openshift-node-compliance

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.