Move RHV4 product to be el8 based

[yuumasato]

Description:

• Update content Hypervisor CPE product
• Update profile with RHEL8 specific rules and their applicabilities
• Document that rhv4 product applies to el8 based hosts
• [ ] Update prodtype in other rules.

Rationale:

• Content for el7 based hosts is provided in rhel7 product
• Content for el8 based hosts is provided by rhv4 product

Related to: https://lists.fedoraproject.org/archives/list/scap-security-guide@lists.fedorahosted.org/thread/CSNMJJWYPAUVBCQFCRIJHJ7PHOBE6SDB/

References

• Remove rule configure_opensc_nss_db from RHEL8 product. #4779
• Unselect rules for packages dropped in RHEL8 #3742
• Updated the e8 profile for RHEL8. #5024
• Remove rules that are shadowed by crypto policies rules. #3677
• PCI-DSS profile should install audispd plugins #5124

[yuumasato]

I'd appreciate feedback on contents of rhv4/README.md. Do you think something else should be there?

I have realized now that the rhel7/profiles/rhelh-stig.profile and rhv4/profiles/rhvh-stig.profile are very identical, and that there exists a rhel8/profiles/rhelh-stig.profile.

Maybe rhv4/profiles/rhvh-stig.profile needs to be updated to be based on rhel8 profile, and the same applies to rhvh-vpp.profile. Thoughts on this?

[yuumasato]

For easy of review, I've dropped ee5ed7d, and will propose it separately.

The commit just did bulk labeling, any rule that applied to rhel8 was made applicable rhv4.
And any rule that was only applicable to rhel7 was made sure not to apply to rhv4

[yuumasato]

So, I think it makes sense to update the profile to be based on RHEL8 versions.
So in 3845826 I update VPP profile to be aligned with RHEL8 OSPP profile, based on rhel8/profiles/rhelh-vpp.profile
And in 5b2d981 I update STIG profile to be aligned with RHEL8 STIG profile, based on rhel8/profiles/rhelh-stig.profile

Unfortunately this makes 0665267 mandatory, as it now enables a few rules needed by the profile.
Reviewing commit by commit will be easier than checking whole list of changed files.

[yuumasato]

So in 3845826 I update VPP profile to be aligned with RHEL8 OSPP profile.
And in 5b2d981 I update STIG profile to be aligned with RHEL8 STIG profile.

@redhatrises, @shawndwells Would appreciate your feedback here

[openscap-ci]

Can one of the admins verify this patch?

[redhatrises]

A couple of thoughts:

1. I noticed that any rule for RHEL8 is selected and enabled for rhv. Let's not do this as we are currently in the process with the RHV team to go through the NIST controls to evaluate applicability to RHV. Once controls are identified, we then add and enable them for RHV.

2. Let's not make the OSPP and STIG rules the same. Keep them as is for now. We can open a draft PR for these changes separately. Reason being is that RHV is going through the NIAP process now and OSPP and VPP and STIG are not the same. And since we are evaluating all of NIST 800-53 and VPP, I am hestitant to make these type of changes to the profiles right now. For example, Gnome shouldn't be installed or configured at all on RHVH or RHVM.

[redhatrises]

Also don't create a separate README integrate the comments into the main README or in the docs.

[yuumasato]

Ok, dropped commits that migrate profiles and all rules to el8.
Now, the changes in rules are directly connected to migrating selected rules to el8.

Also don't create a separate README integrate the comments into the main README or in the docs.

I don't know where would be a good place for such information to be. I moved it to be in the User Guide.
@redhatrises If that is not a good place, suggest one, please.

[yuumasato]

Conflicts resolved.

[JAORMX]

/test all

ocp4 e2e test flake

[JAORMX]

/test all

[yuumasato]

I have no idea how to interpret error in ci/prow/e2e-aws-moderate.
release "release-latest" failed: could not create watcher for pod: Get https://172.30.0.1:443/api/v1/namespaces/ci-op-tgyw9i7j/pods?fieldSelector=metadata.name%3Drelease-latest&watch=true: unexpected EOF

Is it a deal breaker?

[redhatrises]

Looks good to me. As this is draft content, all these changes are fine.

[redhatrises]

/retest

[openshift-ci-robot]

@yuumasato: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/prow/e2e-aws-moderate	9f4652c	link	/test e2e-aws-moderate

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[matejak]

The PR has been approved, and those failing tests don't indicate that there is something wrong with it, so I am merging it.