ComplianceAsCode · vickeybrown · Apr 20, 2026
diff --git a/.github/workflows/ocp-test-profiles.yaml b/.github/workflows/ocp-test-profiles.yaml
@@ -1,7 +1,7 @@
 name: Trigger OCP Tests When Relevant
 on:
  pull_request:
    branches: [ master, 'stabilization*' ]
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.number || github.run_id }}
  cancel-in-progress: true
@@ -15,7 +15,7 @@
      pull-requests: write
    steps:
      - name: Install Deps
        run: dnf install -y cmake make openscap-utils python3-pyyaml python3-jinja2 git python3-deepdiff python3-requests jq python3-pip nodejs
      - name: Install deps python
        run: pip install gitpython xmldiff
      - name: Checkout
@@ -33,10 +33,10 @@
      - name: Find forking point
        env:
          BASE_BRANCH: ${{ github.base_ref }}
        run: echo "FORK_POINT=$(git merge-base origin/$BASE_BRANCH ${{ github.event.pull_request.head.sha }})" >> $GITHUB_OUTPUT
        id: fork_point
      - name: Detect content changes in the PR
        run: python3 ./ctf/content_test_filtering.py pr --base ${{ steps.fork_point.outputs.FORK_POINT }} --remote_repo ${{ github.server_url }}/${{ github.repository }}  --verbose --rule --output json ${{ github.event.pull_request.number }} > ctf-output.json
      - name: Test if there are no content changes
        run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" ctf-output.json)" >> $GITHUB_OUTPUT
        id: ctf
@@ -51,23 +51,23 @@
      - name: Get product attribute
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
        id: product
        uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0
        with:
          path: 'ctf-output.json'
          prop_path: 'product'

      - name: Build product OCP and RHCOS content
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' && (contains(steps.product.outputs.prop, 'ocp4') || contains(steps.product.outputs.prop, 'rhcos4')) }}
        run: ./build_product --datastream ocp4 rhcos4 --cel-content=ocp4

      - name: Process list of rules into a list of product-profiles to test
        if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' && (contains(steps.product.outputs.prop, 'ocp4') || contains(steps.product.outputs.prop, 'rhcos4')) }}
        id: profiles_to_test 
        run: |
          # Let's grab the profiles for which we have a CI job configured
          PROW_CONFIG=https://raw.githubusercontent.com/openshift/release/refs/heads/master/ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master.yaml
          curl -o prow_config.yaml ${PROW_CONFIG}
          readarray -t TESTED_PROFILES <<< $(grep -r PROFILE= ./prow_config.yaml | sort -u | sed 's/.*export PROFILE=\(.*\)/\1/')

          RULES=$(cat ctf-output.json | jq -r '.rules[]')

@@ -91,7 +91,10 @@
             done
 
             ALL_PROFILES+=(${ELIGIBLE_PROFILES[@]})
-            PROFILES+=(${ELIGIBLE_PROFILES[$(($RANDOM%(${#ELIGIBLE_PROFILES[@]})))]})
+            # Only add a profile if there are eligible profiles with CI jobs
+            if [ ${#ELIGIBLE_PROFILES[@]} -gt 0 ]; then
+              PROFILES+=(${ELIGIBLE_PROFILES[$(($RANDOM%(${#ELIGIBLE_PROFILES[@]})))]})
+            fi
           done
 
           # Sort and ensure that the profiles are unique

diff --git a/components/at.yml b/components/at.yml
@@ -3,4 +3,5 @@ packages:
 - at
 rules:
 - file_at_deny_not_exist
+- file_permissions_at_binaries
 - service_atd_disabled
diff --git a/components/dnf.yml b/components/dnf.yml
@@ -4,6 +4,7 @@ packages:
 - dnf-automatic
 - dnf-plugin-subscription-manager
 - libdnf-plugin-subscription-manager
+- python3-dnf
 rules:
 - clean_components_post_updating
 - disable_weak_deps
@@ -12,6 +13,7 @@ rules:
 - ensure_gpgcheck_local_packages
 - ensure_gpgcheck_never_disabled
 - ensure_gpgcheck_repo_metadata
+- file_permissions_dnf_binaries
 - package_dnf-automatic_installed
 - package_dnf-plugin-subscription-manager_installed
 - package_libdnf-plugin-subscription-manager_installed
diff --git a/components/nmap-ncat.yml b/components/nmap-ncat.yml
@@ -0,0 +1,5 @@
+name: nmap-ncat
+packages:
+- nmap-ncat
+rules:
+- file_permissions_nmap_ncat_binaries
diff --git a/components/socat.yml b/components/socat.yml
@@ -0,0 +1,5 @@
+name: socat
+packages:
+- socat
+rules:
+- file_permissions_socat_binaries
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/rule.yml
@@ -0,0 +1,44 @@
+documentation_complete: true
+
+title: 'Restrict Execution of At Job Scheduling Binaries'
+
+description: |-
+    On RHCOS, packages in the base image cannot be removed. As a compensating
+    control, job scheduling utilities such as at should have their execute
+    permissions removed to prevent unauthorized task scheduling.
+    {{{ describe_file_permissions(file="/usr/bin/at", perms="0644") }}}
+    {{{ describe_file_permissions(file="/usr/bin/atq", perms="0644") }}}
+    {{{ describe_file_permissions(file="/usr/bin/atrm", perms="0644") }}}
+    {{{ describe_file_permissions(file="/usr/bin/batch", perms="0644") }}}
+
+rationale: |-
+    The at package provides the ability to schedule one-time tasks for future
+    execution. While not installed by default on RHCOS, if present, attackers
+    could use these utilities to schedule malicious tasks, making it harder to
+    detect and trace unauthorized activity. On immutable systems like RHCOS,
+    removing execute permissions prevents these tools from being used while
+    maintaining system integrity.
+
+severity: high
+
+identifiers:
+    cce@rhcos4: CCE-86492-6
+
+platform: rhcos4
+
+ocil: |-
+    {{{ describe_file_permissions(file="/usr/bin/at", perms="0644") }}}
+    {{{ describe_file_permissions(file="/usr/bin/atq", perms="0644") }}}
+    {{{ describe_file_permissions(file="/usr/bin/atrm", perms="0644") }}}
+    {{{ describe_file_permissions(file="/usr/bin/batch", perms="0644") }}}
+
+template:
+    name: file_permissions
+    vars:
+        filepath:
+            - /usr/bin/at
+            - /usr/bin/atq
+            - /usr/bin/atrm
+            - /usr/bin/batch
+        filemode: '0644'
+        missing_file_pass: 'true'
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Create binaries with correct permissions (0000)
+touch /usr/bin/at
+touch /usr/bin/atq
+touch /usr/bin/atrm
+touch /usr/bin/batch
+chmod 0000 /usr/bin/at
+chmod 0000 /usr/bin/atq
+chmod 0000 /usr/bin/atrm
+chmod 0000 /usr/bin/batch
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Remove binaries - should pass because missing_file_pass: true
+rm -f /usr/bin/at
+rm -f /usr/bin/atq
+rm -f /usr/bin/atrm
+rm -f /usr/bin/batch
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Create binaries with wrong permissions (0755)
+touch /usr/bin/at
+touch /usr/bin/atq
+touch /usr/bin/atrm
+touch /usr/bin/batch
+chmod 0755 /usr/bin/at
+chmod 0755 /usr/bin/atq
+chmod 0755 /usr/bin/atrm
+chmod 0755 /usr/bin/batch
diff --git a/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/rule.yml b/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/rule.yml
@@ -0,0 +1,42 @@
+documentation_complete: true
+
+title: 'Restrict Execution of DNF Package Manager Binaries'
+
+description: |-
+    On RHCOS, packages in the base image cannot be removed. As a compensating
+    control, package management utilities such as dnf and yum should have their
+    execute permissions removed to prevent unauthorized package installation.
+    {{{ describe_file_permissions(file="/usr/bin/dnf", perms="0644") }}}
+    {{{ describe_file_permissions(file="/usr/bin/dnf-3", perms="0644") }}}
+    {{{ describe_file_permissions(file="/usr/bin/yum", perms="0644") }}}
+
+rationale: |-
+    The dnf and python3-dnf packages provide package management utilities for
+    installing, updating, and removing software. RHCOS is designed to be an
+    immutable operating system managed through atomic upgrades and containerization.
+    Retaining these utilities with execute permissions allows unauthorized users
+    to install or modify packages, potentially compromising system integrity.
+    On immutable systems like RHCOS, removing execute permissions prevents
+    unauthorized package management while maintaining system integrity.
+
+severity: high
+
+identifiers:
+    cce@rhcos4: CCE-86494-2
+
+platform: rhcos4
+
+ocil: |-
+    {{{ describe_file_permissions(file="/usr/bin/dnf", perms="0644") }}}
+    {{{ describe_file_permissions(file="/usr/bin/dnf-3", perms="0644") }}}
+    {{{ describe_file_permissions(file="/usr/bin/yum", perms="0644") }}}
+
+template:
+    name: file_permissions
+    vars:
+        filepath:
+            - /usr/bin/dnf
+            - /usr/bin/dnf-3
+            - /usr/bin/yum
+        filemode: '0644'
+        missing_file_pass: 'true'
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Create binaries with correct permissions (0000)
+touch /usr/bin/dnf
+touch /usr/bin/dnf-3
+touch /usr/bin/yum
+chmod 0000 /usr/bin/dnf
+chmod 0000 /usr/bin/dnf-3
+chmod 0000 /usr/bin/yum
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Remove binaries - should pass because missing_file_pass: true
+rm -f /usr/bin/dnf
+rm -f /usr/bin/dnf-3
+rm -f /usr/bin/yum
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Create binaries with wrong permissions (0755)
+touch /usr/bin/dnf
+touch /usr/bin/dnf-3
+touch /usr/bin/yum
+chmod 0755 /usr/bin/dnf
+chmod 0755 /usr/bin/dnf-3
+chmod 0755 /usr/bin/yum
diff --git a/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/rule.yml b/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/rule.yml
@@ -0,0 +1,37 @@
+documentation_complete: true
+
+title: 'Restrict Execution of Netcat Binaries'
+
+description: |-
+    On RHCOS, packages in the base image cannot be removed. As a compensating
+    control, network utilities such as netcat should have their execute permissions
+    removed to prevent unauthorized use.
+    {{{ describe_file_permissions(file="/usr/bin/ncat", perms="0644") }}}
+    {{{ describe_file_permissions(file="/usr/bin/nc", perms="0644") }}}
+
+rationale: |-
+    Utilities such as netcat can be used for legitimate troubleshooting,
+    but they also present a significant security risk if misused by attackers
+    to create unauthorized network connections, transfer data, or establish
+    reverse shells. On immutable operating systems like RHCOS, removing execute
+    permissions prevents these tools from being used while maintaining system integrity.
+
+severity: high
+
+identifiers:
+    cce@rhcos4: CCE-86483-5
+
+platform: rhcos4
+
+ocil: |-
+    {{{ describe_file_permissions(file="/usr/bin/ncat", perms="0644") }}}
+    {{{ describe_file_permissions(file="/usr/bin/nc", perms="0644") }}}
+
+template:
+    name: file_permissions
+    vars:
+        filepath:
+            - /usr/bin/ncat
+            - /usr/bin/nc
+        filemode: '0644'
+        missing_file_pass: 'true'
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Create binaries with correct permissions (0000)
+touch /usr/bin/ncat
+touch /usr/bin/nc
+chmod 0000 /usr/bin/ncat
+chmod 0000 /usr/bin/nc
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Remove binaries - should pass because missing_file_pass: true
+rm -f /usr/bin/ncat
+rm -f /usr/bin/nc
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Create binaries with wrong permissions (0755)
+touch /usr/bin/ncat
+touch /usr/bin/nc
+chmod 0755 /usr/bin/ncat
+chmod 0755 /usr/bin/nc
diff --git a/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/rule.yml b/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: 'Restrict Execution of Socat Binaries'
+
+description: |-
+    On RHCOS, packages in the base image cannot be removed. As a compensating
+    control, network utilities such as socat should have their execute permissions
+    removed to prevent unauthorized use.
+    {{{ describe_file_permissions(file="/usr/bin/socat", perms="0644") }}}
+
+rationale: |-
+    Utilities such as socat can be used for legitimate troubleshooting,
+    but they also present a significant security risk if misused by attackers
+    to create unauthorized network connections, transfer data, or establish
+    reverse shells. On immutable operating systems like RHCOS, removing execute
+    permissions prevents these tools from being used while maintaining system integrity.
+
+severity: high
+
+identifiers:
+    cce@rhcos4: CCE-86484-3
+
+platform: rhcos4
+
+ocil: |-
+    {{{ describe_file_permissions(file="/usr/bin/socat", perms="0644") }}}
+
+template:
+    name: file_permissions
+    vars:
+        filepath: /usr/bin/socat
+        filemode: '0644'
+        missing_file_pass: 'true'
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Create binary with correct permissions (0000)
+touch /usr/bin/socat
+chmod 0000 /usr/bin/socat
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Remove binary - should pass because missing_file_pass: true
+rm -f /usr/bin/socat
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Create binary with wrong permissions (0755)
+touch /usr/bin/socat
+chmod 0755 /usr/bin/socat
diff --git a/products/rhcos4/profiles/default.profile b/products/rhcos4/profiles/default.profile
@@ -186,6 +186,10 @@ selections:
     - file_permissions_backup_etc_group
     - etc_system_fips_exists
     - package_net-snmp_removed
+    - file_permissions_at_binaries
+    - file_permissions_dnf_binaries
+    - file_permissions_nmap_ncat_binaries
+    - file_permissions_socat_binaries
     - package_fapolicyd_installed
     - audit_rules_for_ospp
     - sshd_enable_pam

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -1,7 +1,3 @@
-CCE-86483-5
-CCE-86484-3
-CCE-86492-6
-CCE-86494-2
 CCE-86497-5
 CCE-86498-3
 CCE-86499-1

diff --git a/shared/templates/file_permissions/kubernetes.template b/shared/templates/file_permissions/kubernetes.template
@@ -0,0 +1,31 @@
+---
+# platform = multi_platform_rhcos
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: {{{ rule_id }}}-permissions.service
+        enabled: true
+        contents: |
+          [Unit]
+          Description=Set file permissions for {{{ rule_id }}}
+          DefaultDependencies=no
+          After=local-fs.target
+
+          [Service]
+          Type=oneshot
+{{% for path in FILEPATH %}}
+          ExecStart=/bin/bash -c 'test -e {{{ path }}} && chmod {{{ FILEMODE }}} {{{ path }}} || true'
+{{% endfor %}}
+          RemainAfterExit=yes
+
+          [Install]
+          WantedBy=basic.target
diff --git a/shared/templates/file_permissions/template.yml b/shared/templates/file_permissions/template.yml
@@ -2,3 +2,4 @@ supported_languages:
   - ansible
   - bash
   - oval
+  - kubernetes
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,3 +2,4 @@ supported_languages: @@
       - ansible
       - bash
       - oval
+      - kubernetes