Merge pull request #14531 from jan-cerny/ensure_redhat

Add ensure_redhat_gpgkey_installed to RHEL CIS

Author: Mab879

controls/cis_fedora.yml

@@ -369,9 +369,14 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: manual
-      related_rules:
+      status: partial
+      rules:
           - ensure_fedora_gpgkey_installed
+      notes: >
+        In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
+        But, add the rule ensure_fedora_gpgkey_installed to the profile because the requirement 1.2.1.2
+        adds ensure_gpgcheck_globally_activated which requires GPG key checking. If the Fedora
+        GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.
 
     - id: 1.2.1.2
       title: Ensure gpgcheck is configured (Automated)

products/rhel10/controls/cis_rhel10.yml

@@ -366,9 +366,14 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: manual
-      related_rules:
+      status: partial
+      rules:
           - ensure_redhat_gpgkey_installed
+      notes: >
+        In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
+        But, add the rule ensure_redhat_gpgkey_installed to the profile because the requirement 1.2.1.2
+        adds ensure_gpgcheck_never_disabled which requires GPG key checking. If the Red Hat
+        GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.
 
     - id: 1.2.1.2
       title: Ensure gpgcheck is configured (Automated)

products/rhel8/controls/cis_rhel8.yml

@@ -379,9 +379,14 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: manual
-      related_rules:
+      status: partial
+      rules:
           - ensure_redhat_gpgkey_installed
+      notes: >
+        In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
+        But, add the rule ensure_redhat_gpgkey_installed to the profile because the requirement 1.2.1.2
+        adds ensure_gpgcheck_never_disabled which requires GPG key checking. If the Red Hat
+        GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.
 
     - id: 1.2.1.2
       title: Ensure gpgcheck is configured (Automated)

products/rhel9/controls/cis_rhel9.yml

@@ -361,9 +361,14 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: manual
-      related_rules:
+      status: partial
+      rules:
           - ensure_redhat_gpgkey_installed
+      notes: >
+        In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
+        But, add the rule ensure_redhat_gpgkey_installed to the profile because the requirement 1.2.1.2
+        adds ensure_gpgcheck_never_disabled which requires GPG key checking. If the Red Hat
+        GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.
 
     - id: 1.2.1.2
       title: Ensure gpgcheck is globally activated (Automated)

tests/data/profile_stability/rhel10/cis.profile

@@ -153,6 +153,7 @@ disable_weak_deps
 ensure_gpgcheck_globally_activated
 ensure_journald_and_rsyslog_not_active_together
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist

tests/data/profile_stability/rhel10/cis_server_l1.profile

@@ -74,6 +74,7 @@ disable_users_coredumps
 ensure_gpgcheck_globally_activated
 ensure_journald_and_rsyslog_not_active_together
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist

tests/data/profile_stability/rhel10/cis_workstation_l1.profile

@@ -72,6 +72,7 @@ disable_users_coredumps
 ensure_gpgcheck_globally_activated
 ensure_journald_and_rsyslog_not_active_together
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist

tests/data/profile_stability/rhel10/cis_workstation_l2.profile

@@ -153,6 +153,7 @@ disable_weak_deps
 ensure_gpgcheck_globally_activated
 ensure_journald_and_rsyslog_not_active_together
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist

tests/data/profile_stability/rhel8/cis.profile

@@ -141,6 +141,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist

tests/data/profile_stability/rhel8/cis_server_l1.profile

@@ -72,6 +72,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist