CMP-4248 added compliance checks #14665

Draft
vickeybrown wants to merge 1 commit into ComplianceAsCode:master from vickeybrown:CMP-4248-rule-impls

Conversation

@vickeybrown vickeybrown commented Apr 20, 2026

Description:

New Rules:

  • file_permissions_at_binaries - Removes execute permissions from at job
    scheduling binaries (at, atq, atrm, batch)
  • file_permissions_dnf_binaries - Removes execute permissions from package
    management binaries (dnf, dnf-3, yum)
  • file_permissions_nmap_ncat_binaries - Removes execute permissions from
    netcat binaries (ncat, nc)
  • file_permissions_socat_binaries - Removes execute permissions from socat
    binary

Key Changes:

  1. Rule Implementation:
     - All rules use the file_permissions template with filemode: '0000'
     - Each rule includes missing_file_pass: 'true' to pass when binaries are
       absent
     - Platform restricted to rhcos4 only
     - CCE identifiers allocated for each rule:
       • file_permissions_at_binaries: CCE-86468-6
       • file_permissions_dnf_binaries: CCE-86482-7
       • file_permissions_nmap_ncat_binaries: CCE-86483-5
       • file_permissions_socat_binaries: CCE-86484-3
  2. Component Updates:
     - Created components/nmap-ncat.yml and components/socat.yml
     - Updated components/at.yml and components/dnf.yml
     - All components include file_permissions template
  3. Profile Integration:
     - Added all four rules to products/rhcos4/profiles/default.profile
  4. Test Coverage:
     - Each rule includes Automatus test scenarios:
       • correct.pass.sh - Validates compliant state (0000 permissions)
       • wrong_permissions.fail.sh - Validates non-compliant detection
       • missing_files.pass.sh - Validates passing when binaries don't exist

Rationale:

On RHCOS, packages in the base image cannot be removed due to the immutable OS
design. As a compensating control, this MR removes execute permissions from
security-sensitive utilities.

Setting permissions to 0000 prevents these tools from being executed while
maintaining system integrity on the immutable platform.

Review Hints:

Will fill this out once it's working

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress and needs-ok-to-test labels Apr 20, 2026

openshift-ci Bot commented Apr 20, 2026

Hi @vickeybrown. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@jan-cerny jan-cerny added the CoreOS label Apr 21, 2026
@Mab879 Mab879 added this to the 0.1.81 milestone Apr 22, 2026
@vickeybrown vickeybrown force-pushed the CMP-4248-rule-impls branch from 60686d8 to 419988d April 28, 2026 20:30
@openshift-ci openshift-ci Bot added the needs-rebase label Apr 28, 2026
@vickeybrown vickeybrown force-pushed the CMP-4248-rule-impls branch from 419988d to 0abbd32 April 28, 2026 20:53
@openshift-ci openshift-ci Bot removed the needs-rebase label Apr 28, 2026
update

# Conflicts:
#	shared/references/cce-redhat-avail.txt
@vickeybrown vickeybrown force-pushed the CMP-4248-rule-impls branch from 0abbd32 to bf565ab April 29, 2026 18:24
@github-actions

This datastream diff is auto generated by the check Compare DS/Generate Diff


@yuumasato yuumasato left a comment

I think this is going in the right direction

    RemainAfterExit=yes

    [Install]
    WantedBy=multi-user.target
Would it make sense to target basic.target, which comes up before network.target?

    filepath:
    - /usr/bin/ncat
    - /usr/bin/nc
    filemode: '0000'
I wonder if 0000 is too harsh, maybe 0644 is enough?
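The check the new rules describe (exact filemode 0000, with missing_file_pass: 'true' letting absent binaries pass) and the looser property a 0644 mode would satisfy, as an added example that is not code from the ComplianceAsCode PR or from the file_permissions template; the fixture directory and file names are constructed stand-ins for /usr/bin:

```shell
#!/bin/sh
# Added example, not the ComplianceAsCode file_permissions template itself:
# models its check for the four new rules (exact mode 0000, absent file passes
# when missing_file_pass is 'true') beside the looser "no execute bit" property
# that a 0644 mode would satisfy. The fixture paths below are constructed.

# Octal mode of a file, zero-padded to four digits (GNU stat, BSD fallback).
file_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null) || return 1
    printf '%04o' "0$m"
}

# check_files POLICY MISSING_FILE_PASS FILE...
# POLICY is an exact octal mode such as 0000, or "noexec" (no x bit for
# user, group or other). Returns 0 (pass) only when every file satisfies the
# policy; an absent file passes only when MISSING_FILE_PASS is "true".
check_files() {
    policy=$1; missing_pass=$2; shift 2
    status=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            [ "$missing_pass" = true ] || { echo "fail: $f is missing"; status=1; }
            continue
        fi
        actual=$(file_mode "$f") || { echo "fail: cannot stat $f"; status=1; continue; }
        if [ "$policy" = noexec ]; then
            # drop the special-bits digit; an odd rwx digit means its x bit is set
            case ${actual#?} in
                *[1357]*) echo "fail: $f is executable (mode $actual)"; status=1 ;;
            esac
        elif [ "$actual" != "$policy" ]; then
            echo "fail: $f has mode $actual, expected $policy"; status=1
        fi
    done
    return $status
}

# Constructed fixture: a scratch directory standing in for /usr/bin, so the
# checks run anywhere without touching real binaries.
demo() {
    dir=$(mktemp -d)
    : > "$dir/ncat"; chmod 0000 "$dir/ncat"    # compliant under both policies
    : > "$dir/nc";   chmod 0644 "$dir/nc"      # passes noexec, fails exact 0000
    : > "$dir/socat"; chmod 0755 "$dir/socat"  # fails both
    check_files 0000 true "$dir/ncat" "$dir/at"    && echo "exact 0000: pass"
    check_files noexec true "$dir/ncat" "$dir/nc"  && echo "noexec: pass"
    check_files 0000 true "$dir/nc" "$dir/socat"   || echo "exact 0000: fail"
    rm -rf "$dir"
}
demo
```

The "noexec" policy is only there to make the review question concrete: it accepts 0644 where the exact check demands 0000.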
