Introduce Fedora and Firefox CaC profiles for common workstation users #10506

Merged
merged 46 commits into from
May 10, 2023

Conversation

j-ode
Collaborator

@j-ode j-ode commented Apr 27, 2023

Description:

  • In my bachelor's thesis, I created a new security policy for common Fedora workstation users. To implement this policy, I introduce two new Common User Security Profiles: cusp_fedora and cusp_firefox. During the implementation of the policy in CaC, many issues were encountered. Most notably, the cusp_firefox profile is a temporary measure until an issue with the CaC build system, Cannot use firefox rules in a fedora profile with additional_content_directories #10462, about inclusion of multiple products in one profile is resolved. The goal is to only have cusp_fedora in the future, which would incorporate all cusp_firefox rules.
  • I also introduce two new CaC rules, firefox_policy-content_blocker and package_gnome_software_installed, both of which are templated. The former ensures that a content blocker called uBlock Origin is installed in Firefox, while the latter ensures that the GNOME Software package is installed in Fedora.
  • The rest of the changes are just fixing prodtypes and platforms to make rules applicable to Fedora, as well as fixing issues with a Firefox OVAL template.
  • Even though many issues discovered during the implementation remain unresolved, the profiles work in the current state, and the aim is to ideally get them into the June CaC release, so that it could be presented during my thesis defense.

Rationale:

  • Currently, the Fedora profiles in CaC are largely unmaintained and not useful for common workstation users. The RHEL8/9 profiles and the standards they are based on are not practical for common users due to a variety of issues. The new profile is based on a security policy that is based on the CIS RHEL 8 - workstation level 1 benchmark, and incorporates rules from ANSSI and STIG as well. Unlike those standards however, the focus was on balancing usability with security with common users of Fedora workstation in mind.
  • The inclusion of a maintained Fedora profile in CaC would also open the door for activation of OAA in Fedora, which could lead to A) larger adoption of this profile and of CaC/OpenSCAP as a whole, and B) would enable us to test OAA in Fedora as well as in RHEL.

@j-ode j-ode requested a review from jan-cerny April 27, 2023 16:23
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Apr 27, 2023
@openshift-ci

openshift-ci bot commented Apr 27, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@j-ode
Collaborator Author

j-ode commented Apr 27, 2023

/test all

@github-actions

This datastream diff is auto generated by the check Compare DS/Generate Diff

New datastream adds bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs'.
New datastream adds bash remediation for rule 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll'.
New datastream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll'.

Mab879
Mab879 previously requested changes Apr 27, 2023
Member

@Mab879 Mab879 left a comment

Thanks for the PR! I think it will be a good addition to the project. I have a couple of nitpicks on top of the CI findings.

@marcusburghardt marcusburghardt added the Fedora Fedora product related. label Apr 28, 2023
Member

@ggbecker ggbecker left a comment

Two gating items I can already see that will need to be addressed,

  • the order in which the prodtype fedora has been put. It needs to be in alphabetical order.
  • I noticed at least one file without the newline at the end, controls/cusp_firefox.yml, but there are more. If you use vscode, I suggest enabling the option to add a newline at the end whenever a file is saved. You can press Ctrl+, (Control + Comma); it will open the preferences window, then type Insert Final Newline and make sure it is ticked.

@ggbecker
Member

Two gating items I can already see that will need to be addressed,

* the order in which the `prodtype` `fedora` has been put. It needs to be in alphabetical order.

* I noticed at least one file without the newline at the end, `controls/cusp_firefox.yml`, but there are more. If you use vscode, I suggest enabling the option to add a newline at the end whenever a file is saved. You can press `Ctrl+,` (Control + Comma); it will open the preferences window, then type `Insert Final Newline` and make sure it is ticked.

@j-ode I remember we have this: https://github.com/ComplianceAsCode/content/blob/master/utils/autoprodtyper.py please use it.

Comment on lines 433 to 434
- sysctl_net_ipv4_ip_forward
- sysctl_net_ipv6_conf_all_forwarding
Member

@yuumasato yuumasato Apr 28, 2023

Is the use of VMs a supported use case for the profiles?

Once IP forwarding is disabled on a host, the guest VMs will lose access to the external world.

Collaborator Author

Thanks for pointing this out; I suppose this profile should be VM-friendly as well. I looked at the two rules, and the ipv4 one has a jinja macro in the platform: https://github.com/ComplianceAsCode/content/blob/f31f13744364d29489e2a414a6a3fd43957ca3bd/shared/macros/01-general.jinja#LL972C1-L977C17 that disables the rule if the rhel8 product uses oVirt. I could create a new macro that would apply the machine platform for the fedora product only, but I wonder if that could have an adverse effect on other potential fedora profiles that do not consider the VM use case. What are your thoughts on such a solution @yuumasato?

Member

You may be able to use CPE applicability language here. Something like package[libvirtd] as a platform on Fedora might do it.

Collaborator Author

As I am finalizing the source code attachment for my thesis, I just removed the rules in question for now, but I like the idea of using the CPE applicability language.

Member

@yuumasato yuumasato May 4, 2023

I guess making the rules for IP forwarding not applicable when a VM hypervisor is installed makes sense.

But could there be use cases that expect VMs to not have access to the external world?
I.e. I have VMs which I don't want to access the outside networks; they only need to talk to their host and other VMs in the same virtual network.
I think this is unlikely, but I don't have any data on this.

In case of oVirt and RHV4 product, we expect that VMs have access to the external world.

Collaborator Author

The problem is that libvirt is installed by default on Fedora 38 Workstation:
[screenshot: package list showing libvirt installed on Fedora 38 Workstation]
The purpose of this profile is to increase security but at the same time maintain usability, so I believe that users should be able to run VMs on their machines without connectivity problems (most users probably want networking inside their VMs). I am not sure there is a way to include these rules in the profile.
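To make the applicability discussion above concrete, here is an added example (not code from this PR or from ComplianceAsCode) that models how a platform expression such as `package[libvirtd]` would gate the two IP-forwarding rules: a rule whose platform does not match the host is reported as notapplicable instead of fail, so a workstation running libvirt keeps NAT for its guests. The `Host` inventory, the `not package[...]` subset of the expression syntax and both sample hosts are constructed for illustration.

```python
# Added example: models rule applicability gating as discussed in the review.
# Rule ids match the controls file; the inventory and expression subset are
# constructed, not the real CaC/OpenSCAP evaluator.
from dataclasses import dataclass


@dataclass
class Host:
    packages: set        # installed package names (constructed inventory)
    sysctl: dict         # current kernel sysctl values, as strings


# The two rules under discussion and the sysctl value each one expects.
IP_FORWARDING_RULES = {
    "sysctl_net_ipv4_ip_forward": ("net.ipv4.ip_forward", "0"),
    "sysctl_net_ipv6_conf_all_forwarding": ("net.ipv6.conf.all.forwarding", "0"),
}


def platform_applies(platform, host):
    """Evaluate a minimal 'package[name]' or 'not package[name]' expression
    (hypothetical subset of the CPE applicability idea from the thread)."""
    negate = platform.startswith("not ")
    expr = platform[4:] if negate else platform
    if not (expr.startswith("package[") and expr.endswith("]")):
        raise ValueError(f"unsupported platform expression: {platform!r}")
    present = expr[len("package["):-1] in host.packages
    return not present if negate else present


def evaluate_rule(rule_id, host, platform="not package[libvirtd]"):
    """Return 'notapplicable', 'pass' or 'fail' for one sysctl rule."""
    key, expected = IP_FORWARDING_RULES[rule_id]
    if not platform_applies(platform, host):
        return "notapplicable"   # hypervisor present: rule skipped, guests keep NAT
    return "pass" if host.sysctl.get(key) == expected else "fail"


def evaluate_profile(host, platform="not package[libvirtd]"):
    """Evaluate both IP-forwarding rules against one host."""
    return {rule: evaluate_rule(rule, host, platform) for rule in IP_FORWARDING_RULES}


# Constructed hosts: a Fedora Workstation with libvirt (forwarding enabled for
# the default NAT network) and a plain laptop with forwarding disabled.
WORKSTATION_WITH_VMS = Host({"libvirtd", "firefox"},
                            {"net.ipv4.ip_forward": "1", "net.ipv6.conf.all.forwarding": "0"})
PLAIN_LAPTOP = Host({"firefox"},
                    {"net.ipv4.ip_forward": "0", "net.ipv6.conf.all.forwarding": "0"})

if __name__ == "__main__":
    for name, host in (("workstation with VMs", WORKSTATION_WITH_VMS), ("plain laptop", PLAIN_LAPTOP)):
        print(name, evaluate_profile(host))
```

Without the platform gate (for instance `platform="package[firefox]"`, which matches both hosts) the libvirt workstation is reported as failing the ipv4 rule, which is the usability problem the thread is weighing.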

@j-ode j-ode force-pushed the fedora_common_user_profile branch from 17a0028 to ffde5ac Compare April 28, 2023 16:28
@Mab879
Member

Mab879 commented Apr 28, 2023

Two gating items I can already see that will need to be addressed,

* the order in which the `prodtype` `fedora` has been put. It needs to be in alphabetical order.

* I noticed at least one file without the newline at the end, `controls/cusp_firefox.yml`, but there are more. If you use vscode, I suggest enabling the option to add a newline at the end whenever a file is saved. You can press `Ctrl+,` (Control + Comma); it will open the preferences window, then type `Insert Final Newline` and make sure it is ticked.

@j-ode I remember we have this: https://github.com/ComplianceAsCode/content/blob/master/utils/autoprodtyper.py please use it.

In this case ./utils/fix_rules.py sort_prodtypes might be more useful.

Member

@Mab879 Mab879 left a comment

Please ensure that all descriptions are in sentence case (first letter of the sentence is capitalized). The title keys should be in title case.

Also, my original comments from my first review still stand, it seems that one of the rebases must have gotten rid of your changes.

title: Disk partitioning
description: >-
Users should put the /home, /tmp, /var, /var/tmp and /var/log directories on separate partitions.
status: manual
Member

The rules from linux_os/guide/system/software/disk_partitioning might be useful here.

Collaborator Author

Yes, the issue is that the respective Anaconda remediations block the installation when the disk is not correctly partitioned, which is not ideal. I talk about this in the thesis and created an issue in OAA: OpenSCAP/oscap-anaconda-addon#236

@j-ode j-ode force-pushed the fedora_common_user_profile branch from ffde5ac to aed07b4 Compare May 3, 2023 13:55
@j-ode j-ode force-pushed the fedora_common_user_profile branch from 600ba48 to 9518bf2 Compare May 3, 2023 16:42
@j-ode
Collaborator Author

j-ode commented May 6, 2023

The Automatus CS8/CS9 CI failures are expected, as package_gnome_software_installed is a fedora-only rule and therefore cannot be present in the RHEL8/9 benchmarks, as the errors suggest.

@jan-cerny jan-cerny marked this pull request as ready for review May 9, 2023 09:35
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label May 9, 2023
@jan-cerny jan-cerny added this to the 0.1.68 milestone May 9, 2023
@jan-cerny jan-cerny added Update Profile Issues or pull requests related to Profiles updates. Highlight This PR/Issue should make it to the featured changelog. labels May 9, 2023
j-ode added 3 commits May 9, 2023 14:33
Source of the controls file will be my thesis on the Fedora Common User Profile, source will be added later
@j-ode j-ode force-pushed the fedora_common_user_profile branch from 9518bf2 to 4bd2e87 Compare May 9, 2023 12:44
@codeclimate

codeclimate bot commented May 9, 2023

Code Climate has analyzed commit 4bd2e87 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 52.4% (0.0% change).


Collaborator

@jan-cerny jan-cerny left a comment

The failure in the centos8 testing farm job is related to rule rsyslog_files_permissions and will be fixed by #10540; therefore it isn't related to the contents of this PR.

@jan-cerny jan-cerny dismissed stale reviews from ggbecker and Mab879 May 10, 2023 11:26

feedback has been addressed

@jan-cerny jan-cerny merged commit 8b2c5b9 into ComplianceAsCode:master May 10, 2023
@Mab879 Mab879 added New Profile Issues or pull requests related to new Profiles. and removed Update Profile Issues or pull requests related to Profiles updates. labels May 10, 2023