Add Hummingbird product support #14605
Introduce the new "hummingbird" product with product.yml, CMakeLists, build script entry, constants, OVAL platform check, and CIS/STIG profile skeletons. This commit adds compliance content for scanning Red Hat's Hummingbird container images and containers. Hummingbird images are based on their own special Linux distribution, also called Hummingbird, which isn't a RHEL derivative nor Fedora variant. See https://hummingbird-project.io/.
Add control files mapping CIS and STIG requirements to rules for the hummingbird product. The profiles are derived from RHEL 10 profiles, but rules that aren't applicable to containers aren't selected.
Update rule descriptions, OCIL, and Jinja2 macros to handle hummingbird as a container-based product: adjust library dir descriptions, crypto policy text, GPG key instructions, package install/remove macros, and file permission/ownership macros.
Exclude the distroless default user (UID 65532) from home directory checks for hummingbird, since distroless images have no /home directory and this user's home is set to /tmp.
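To make the exclusion in the last commit concrete, here is an added illustrative check in Python (not the project's own OVAL or Bash for the home-directory rules) that applies the usual interactive-user filter and skips UID 65532 only when the product is hummingbird. UID_MIN 1000, the 0750 home-mode limit, and the passwd lines are assumptions constructed for the example.

```python
from dataclasses import dataclass

UID_MIN = 1000          # assumption: the usual UID_MIN from /etc/login.defs
NOBODY_UID = 65534      # conventional "nobody" account, never interactive
DISTROLESS_UID = 65532  # default user of distroless images (from the commit message)
MAX_HOME_MODE = 0o750   # assumption: the usual "0750 or more restrictive" home requirement


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    home: str
    shell: str


def parse_passwd(text):
    """Parse /etc/passwd-style text: name:x:uid:gid:gecos:home:shell."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(PasswdEntry(fields[0], int(fields[2]), fields[5], fields[6]))
    return entries


def interactive_users(entries, product):
    """Users the home-directory rules apply to: regular UIDs with a login shell.

    On hummingbird the distroless default user is skipped as well, because the
    image has no /home and that account's home is deliberately /tmp.
    """
    excluded = {NOBODY_UID}
    if product == "hummingbird":
        excluded.add(DISTROLESS_UID)
    return [e for e in entries
            if e.uid >= UID_MIN and e.uid not in excluded
            and not e.shell.endswith(("nologin", "false"))]


def home_dir_findings(passwd_text, dirs, product):
    """Return (user, problem) pairs for the home directories of interactive users.

    dirs maps existing directory paths to their mode bits; it stands in for a
    filesystem walk so the example runs offline.
    """
    findings = []
    for user in interactive_users(parse_passwd(passwd_text), product):
        mode = dirs.get(user.home)
        if mode is None:
            findings.append((user.name, "home directory missing"))
        elif mode & ~MAX_HOME_MODE:  # any bit beyond 0750: group-write, other rwx, sticky
            findings.append((user.name,
                             f"home mode {mode:04o} more permissive than {MAX_HOME_MODE:04o}"))
    return findings


# Constructed sample modelled on a distroless image plus one ordinary user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
nonroot:x:65532:65532:nonroot:/tmp:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
"""
SAMPLE_DIRS = {"/root": 0o700, "/tmp": 0o1777}  # constructed: no /home in the image

if __name__ == "__main__":
    for product in ("rhel10", "hummingbird"):
        print(product, home_dir_findings(SAMPLE_PASSWD, SAMPLE_DIRS, product))
```

Run against the sample, a generic product flags the world-writable /tmp home of UID 65532, while the hummingbird product reports only the genuinely missing home directory.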
Skipping CI for Draft Pull Request.
This datastream diff is auto generated by the check.
OVAL for rule 'xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported' differs.
--- oval:ssg-installed_OS_is_vendor_supported:def:1
+++ oval:ssg-installed_OS_is_vendor_supported:def:1
@@ -3,6 +3,7 @@
extend_definition oval:ssg-installed_OS_is_rhel8:def:1
extend_definition oval:ssg-installed_OS_is_rhel9:def:1
extend_definition oval:ssg-installed_OS_is_rhel10:def:1
+extend_definition oval:ssg-installed_OS_is_hummingbird:def:1
extend_definition oval:ssg-installed_OS_is_ol7:def:1
extend_definition oval:ssg-installed_OS_is_ol8:def:1
extend_definition oval:ssg-installed_OS_is_ol9:def:1
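Review bot: `+extend_definition oval:ssg-installed_OS_is_hummingbird:def:1` makes any host that satisfies the hummingbird platform definition count as vendor supported, so the OVAL platform check added in this PR must match only Hummingbird images; the conversation does not show what that definition keys on, and a loose match would let other container bases pass this rule. Placing the new line next to the rhel entries is fine, but a sentence in the commit message on what identifies a Hummingbird image would help future reviewers.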
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_boot_grub2'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_boot_grub2
+++ xccdf_org.ssgproject.content_rule_file_groupowner_boot_grub2
@@ -6,7 +6,6 @@
The files in /boot/grub2 should
be group-owned by the root group to prevent
destruction or modification of the file.
-
To properly set the group owner of /boot/grub2, run the command:
$ sudo chgrp root /boot/grub2
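Review bot: this hunk only drops the blank line between the rationale text and "To properly set the group owner of /boot/grub2, run the command:", and the same blank-line removal repeats across the grub2, System.map, at/cron and audit rules below, so it is a side effect of the shared file permission/ownership macro change listed in the commits rather than a Hummingbird-specific edit. Worth confirming that the rendered HTML guide still separates the two paragraphs, and stating in the commit message that descriptions for all products change.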
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_boot_grub2'.
--- xccdf_org.ssgproject.content_rule_file_owner_boot_grub2
+++ xccdf_org.ssgproject.content_rule_file_owner_boot_grub2
@@ -6,7 +6,6 @@
The files in /boot/grub2 should
be owned by the root user to prevent
destruction or modification of the file.
-
To properly set the owner of /boot/grub2, run the command:
$ sudo chown root /boot/grub2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_boot_grub2'.
--- xccdf_org.ssgproject.content_rule_file_permissions_boot_grub2
+++ xccdf_org.ssgproject.content_rule_file_permissions_boot_grub2
@@ -6,7 +6,6 @@
The files in /boot/grub2 should
have mode 0600 to prevent
destruction or modification of the file.
-
To properly set the permissions of /boot/grub2, run the command:
$ sudo chmod 0600 /boot/grub2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
@@ -6,7 +6,6 @@
The file /boot/grub2/grub.cfg should
be group-owned by the root group to prevent
destruction or modification of the file.
-
To properly set the group owner of /boot/grub2/grub.cfg, run the command:
$ sudo chgrp root /boot/grub2/grub.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg
@@ -5,7 +5,6 @@
[description]:
The file /boot/grub2/user.cfg should be group-owned by the root
group to prevent reading or modification of the file.
-
To properly set the group owner of /boot/grub2/user.cfg, run the command:
$ sudo chgrp root /boot/grub2/user.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
@@ -6,7 +6,6 @@
The file /boot/grub2/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
-
To properly set the owner of /boot/grub2/grub.cfg, run the command:
$ sudo chown root /boot/grub2/grub.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_user_cfg
@@ -5,7 +5,6 @@
[description]:
The file /boot/grub2/user.cfg should be owned by the root
user to prevent reading or modification of the file.
-
To properly set the owner of /boot/grub2/user.cfg, run the command:
$ sudo chown root /boot/grub2/user.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
@@ -4,7 +4,6 @@
[description]:
File permissions for /boot/grub2/grub.cfg should be set to 600.
-
To properly set the permissions of /boot/grub2/grub.cfg, run the command:
$ sudo chmod 600 /boot/grub2/grub.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_permissions_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_user_cfg
@@ -4,7 +4,6 @@
[description]:
File permissions for /boot/grub2/user.cfg should be set to 600.
-
To properly set the permissions of /boot/grub2/user.cfg, run the command:
$ sudo chmod 600 /boot/grub2/user.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
@@ -6,7 +6,6 @@
The file /boot/grub2/grub.cfg should
be group-owned by the root group to prevent
destruction or modification of the file.
-
To properly set the group owner of /boot/grub2/grub.cfg, run the command:
$ sudo chgrp root /boot/grub2/grub.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
@@ -5,7 +5,6 @@
[description]:
The file /boot/grub2/user.cfg should be group-owned by the
root group to prevent reading or modification of the file.
-
To properly set the group owner of /boot/grub2/user.cfg, run the command:
$ sudo chgrp root /boot/grub2/user.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
@@ -6,7 +6,6 @@
The file /boot/grub2/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
-
To properly set the owner of /boot/grub2/grub.cfg, run the command:
$ sudo chown root /boot/grub2/grub.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
@@ -5,7 +5,6 @@
[description]:
The file /boot/grub2/user.cfg should be owned by the root
user to prevent reading or modification of the file.
-
To properly set the owner of /boot/grub2/user.cfg, run the command:
$ sudo chown root /boot/grub2/user.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
@@ -4,7 +4,6 @@
[description]:
File permissions for /boot/grub2/grub.cfg should be set to 700.
-
To properly set the permissions of /boot/grub2/grub.cfg, run the command:
$ sudo chmod 700 /boot/grub2/grub.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
@@ -4,7 +4,6 @@
[description]:
File permissions for /boot/grub2/user.cfg should be set to 600.
-
To properly set the permissions of /boot/grub2/user.cfg, run the command:
$ sudo chmod 600 /boot/grub2/user.cfg
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_systemmap'.
--- xccdf_org.ssgproject.content_rule_file_permissions_systemmap
+++ xccdf_org.ssgproject.content_rule_file_permissions_systemmap
@@ -6,7 +6,6 @@
The System.map files are symbol map files generated during the compilation of the Linux
kernel. They contain the mapping between kernel symbols and their corresponding memory
addresses. In general, there is no need for non-root users to read these files.
-
To properly set the permissions of /boot/System.map*, run the command:
$ sudo chmod 0600 /boot/System.map*
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs'.
--- xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs
+++ xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs
@@ -11,11 +11,14 @@
/usr/lib
/usr/lib64
+
Kernel modules, which can be added to the kernel during runtime, are also
-stored in /lib/modules. All files in these directories should be
-group-owned by the root user. If the directories, is found to be owned
-by a user other than root correct its
-ownership with the following command:
+stored in /lib/modules.
+
+All files in these directories should be group-owned by the root group.
+
+If the directories are found to be owned by a group other than root correct
+its ownership with the following command:
$ sudo chgrp root DIR
[reference]:
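Review bot: the rewritten sentence `+If the directories are found to be owned by a group other than root correct` / `+its ownership with the following command:` still pairs plural "directories" with singular "its" and is missing a comma before "correct"; suggest "If any of these directories is found to be group-owned by a group other than root, correct its ownership with the following command:". Replacing "group-owned by the root user" with "root group" is the right fix, and the same missing comma appears in the sibling ownership hunks below.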
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs'.
--- xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs
+++ xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs
@@ -11,11 +11,14 @@
/usr/lib
/usr/lib64
+
Kernel modules, which can be added to the kernel during runtime, are also
-stored in /lib/modules. All files in these directories should be
-owned by the root user. If the directories, is found to be owned
-by a user other than root correct its
-ownership with the following command:
+stored in /lib/modules.
+
+All files in these directories should be owned by the root user.
+
+If the directories are found to be owned by a user other than root correct
+its ownership with the following command:
$ sudo chown root DIR
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dir_permissions_library_dirs'.
--- xccdf_org.ssgproject.content_rule_dir_permissions_library_dirs
+++ xccdf_org.ssgproject.content_rule_dir_permissions_library_dirs
@@ -11,10 +11,13 @@
/usr/lib
/usr/lib64
+
Kernel modules, which can be added to the kernel during runtime, are
-stored in /lib/modules. All sub-directories in these directories
-should not be group-writable or world-writable. If any file in these
-directories is found to be group-writable or world-writable, correct
+stored in /lib/modules.
+
+All sub-directories in these directories should not be group-writable or world-writable.
+
+If any file in these directories is found to be group-writable or world-writable, correct
its permission with the following command:
$ sudo chmod go-w DIR
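Review bot: the remediation sentence `+If any file in these directories is found to be group-writable or world-writable, correct` does not match the requirement on the line above it, which is about sub-directories, nor the command `$ sudo chmod go-w DIR`; suggest "If any sub-directory in these directories is found to be group-writable or world-writable, correct its permissions with the following command:". The file-level wording belongs to file_permissions_library_dirs further down.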
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_library_dirs'.
--- xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
+++ xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
@@ -11,11 +11,14 @@
/usr/lib
/usr/lib64
+
Kernel modules, which can be added to the kernel during runtime, are also
-stored in /lib/modules. All files in these directories should be
-owned by the root user. If the directory, or any file in these
-directories, is found to be owned by a user other than root correct its
-ownership with the following command:
+stored in /lib/modules.
+
+All files in these directories should be owned by the root user.
+
+If the directory, or any file in these directories, is found to be owned
+by a user other than root correct its ownership with the following command:
$ sudo chown root FILE
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_library_dirs'.
--- xccdf_org.ssgproject.content_rule_file_permissions_library_dirs
+++ xccdf_org.ssgproject.content_rule_file_permissions_library_dirs
@@ -11,11 +11,14 @@
/usr/lib
/usr/lib64
+
Kernel modules, which can be added to the kernel during runtime, are
-stored in /lib/modules. All files in these directories
-should not be group-writable or world-writable. If any file in these
-directories is found to be group-writable or world-writable, correct
-its permission with the following command:
+stored in /lib/modules.
+
+All files in these directories should not be group-writable or world-writable.
+
+If any file in these directories is found to be group-writable
+or world-writable, correct its permission with the following command:
$ sudo chmod go-w FILE
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_at_allow'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_at_allow
+++ xccdf_org.ssgproject.content_rule_file_groupowner_at_allow
@@ -4,7 +4,6 @@
[description]:
If /etc/at.allow exists, it must be group-owned by root.
-
To properly set the group owner of /etc/at.allow, run the command:
$ sudo chgrp root /etc/at.allow
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow
+++ xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow
@@ -4,7 +4,6 @@
[description]:
If /etc/cron.allow exists, it must be group-owned by root.
-
To properly set the group owner of /etc/cron.allow, run the command:
$ sudo chgrp root /etc/cron.allow
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_at_allow'.
--- xccdf_org.ssgproject.content_rule_file_owner_at_allow
+++ xccdf_org.ssgproject.content_rule_file_owner_at_allow
@@ -4,7 +4,6 @@
[description]:
If /etc/at.allow exists, it must be owned by root.
-
To properly set the owner of /etc/at.allow, run the command:
$ sudo chown root /etc/at.allow
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_allow'.
--- xccdf_org.ssgproject.content_rule_file_owner_cron_allow
+++ xccdf_org.ssgproject.content_rule_file_owner_cron_allow
@@ -4,7 +4,6 @@
[description]:
If /etc/cron.allow exists, it must be owned by root.
-
To properly set the owner of /etc/cron.allow, run the command:
$ sudo chown root /etc/cron.allow
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_at_allow'.
--- xccdf_org.ssgproject.content_rule_file_permissions_at_allow
+++ xccdf_org.ssgproject.content_rule_file_permissions_at_allow
@@ -5,7 +5,6 @@
[description]:
If /etc/at.allow exists, it must have permissions 0640
or more restrictive.
-
To properly set the permissions of /etc/at.allow, run the command:
$ sudo chmod 0640 /etc/at.allow
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_allow'.
--- xccdf_org.ssgproject.content_rule_file_permissions_cron_allow
+++ xccdf_org.ssgproject.content_rule_file_permissions_cron_allow
@@ -5,7 +5,6 @@
[description]:
If /etc/cron.allow exists, it must have permissions 0640
or more restrictive.
-
To properly set the permissions of /etc/cron.allow, run the command:
$ sudo chmod 0640 /etc/cron.allow
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit'.
--- xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit
+++ xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit
@@ -6,7 +6,6 @@
All audit logs must be group owned by root user. The path for audit log can
be configured via log_file parameter in /etc/audit/auditd.conf
or, by default, the path for audit log is /var/log/audit/.
-
To properly set the group owner of /var/log/audit/*, run the command:
$ sudo chgrp root /var/log/audit/*
OCIL for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration' differs.
--- ocil:ssg-file_groupownership_audit_configuration_ocil:questionnaire:1
+++ ocil:ssg-file_groupownership_audit_configuration_ocil:questionnaire:1
@@ -1,9 +1,7 @@
-
To properly set the group owner of /etc/audit/, run the command:
$ sudo chgrp root /etc/audit/
-
To properly set the group owner of /etc/audit/rules.d/, run the command:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration'.
--- xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration
+++ xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration
@@ -4,12 +4,10 @@
[description]:
All audit configuration files must be owned by root user.
-
To properly set the owner of /etc/audit/, run the command:
$ sudo chown root /etc/audit/
-
To properly set the owner of /etc/audit/rules.d/, run the command:
OCIL for rule 'xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration' differs.
--- ocil:ssg-file_ownership_audit_configuration_ocil:questionnaire:1
+++ ocil:ssg-file_ownership_audit_configuration_ocil:questionnaire:1
@@ -1,9 +1,7 @@
-
To properly set the owner of /etc/audit/, run the command:
$ sudo chown root /etc/audit/
-
To properly set the owner of /etc/audit/rules.d/, run the command:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit'.
--- xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit
+++ xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit
@@ -4,12 +4,10 @@
[description]:
All audit logs must be owned by root user and group. By default, the path for audit log is /var/log/audit/.
-
To properly set the owner of /var/log/audit, run the command:
$ sudo chown root /var/log/audit
-
To properly set the owner of /var/log/audit/*, run the command:
OCIL for rule 'xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit' differs.
--- ocil:ssg-file_ownership_var_log_audit_ocil:questionnaire:1
+++ ocil:ssg-file_ownership_var_log_audit_ocil:questionnaire:1
@@ -1,9 +1,7 @@
-
To properly set the owner of /var/log/audit, run the command:
$ sudo chown root /var/log/audit
-
To properly set the owner of /var/log/audit/*, run the command:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig'.
--- xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig
+++ xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig
@@ -6,7 +6,6 @@
All audit logs must be owned by root user. The path for audit log can be
configured via log_file parameter in /etc/audit/auditd.conf
or by default, the path for audit log is /var/log/audit/.
-
To properly set the owner of /var/log/audit/*, run the command:
$ sudo chown root /var/log/audit/*
OCIL for rule 'xccdf_org.ssgproject.content_rule_file_permissions_audit_configuration' differs.
--- ocil:ssg-file_permissions_audit_configuration_ocil:questionnaire:1
+++ ocil:ssg-file_permissions_audit_configuration_ocil:questionnaire:1
@@ -1,7 +1,5 @@
-
To properly set the permissions of /etc/audit/, run the command:
$ sudo chmod 0640 /etc/audit/
-
To properly set the permissions of /etc/audit/rules.d/, run the command:
$ sudo chmod 0640 /etc/audit/rules.d/
Is it the case that ? |
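Review bot: not introduced by this hunk, but the unchanged context `$ sudo chmod 0640 /etc/audit/` and `$ sudo chmod 0640 /etc/audit/rules.d/` shows a file mode being applied to directory paths; if the rule actually checks the files inside those directories, as its name suggests, the generated OCIL text is misleading, and if it really targets the directories, 0640 removes the search bit and makes them untraversable for the group. Worth checking whether the permission macro distinguishes files from directories, also because the closing "Is it the case that ?" is rendered with an empty condition.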
vojtapolasek
left a comment
Great PR, very clear and concise. See my comments for questions.
Also I have one generic remark: I think it might be worth removing some notes from the cis_hummingbird control for not applicable rules. It just makes things confusing. For example, there are some notes which talk about libvirt, and libvirt is not relevant for hummingbird.
linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml (outdated review thread, resolved)
If any OVAL file in `shared/checks/oval` doesn't contain platforms of all products, it causes a warning when building the product that isn't listed there: `WARNING:root:Missing OVAL component: sysctl_kernel_ipv6_disable`. That's probably caused by an inefficiency of our build system, which first loads all OVALs from the shared directory and then drops those that aren't needed by the product. So the OVALs in shared need to be defined in a way that makes them applicable to all products. That being said, I have discovered that all other OVALs in the shared directory don't enumerate all possible platforms; they simply contain a single platform element containing multi_platform_all. I will do the same change here.
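Added example, not part of the ComplianceAsCode build system: a small lint that reproduces the coverage problem described in the comment above, flagging shared OVAL definitions whose platform list does not cover every product, and showing why a single multi_platform_all element fixes it. The def-group wrapper, the product-to-family naming rule and the product list are assumptions modelled on the project's shared OVAL layout.

```python
import re
import xml.etree.ElementTree as ET


def _local(tag):
    """Drop an XML namespace prefix: '{ns}platform' -> 'platform'."""
    return tag.rsplit("}", 1)[-1]


def definition_platforms(xml_text):
    """Map each OVAL definition id to the set of <platform> values it declares."""
    result = {}
    for defn in ET.fromstring(xml_text).iter():
        if _local(defn.tag) != "definition":
            continue
        result[defn.get("id")] = {p.text.strip() for p in defn.iter()
                                  if _local(p.tag) == "platform" and p.text}
    return result


def product_family(product):
    """Assumed naming rule: 'rhel10' -> 'rhel', 'ol9' -> 'ol', 'hummingbird' unchanged."""
    return re.sub(r"\d+$", "", product)


def covers(platforms, product):
    """A definition applies to a product via multi_platform_all, its family, or its own name."""
    return ("multi_platform_all" in platforms
            or f"multi_platform_{product_family(product)}" in platforms
            or product in platforms)


def platform_gaps(xml_text, products):
    """Return {definition_id: [products it does not apply to]}; {} means all are covered."""
    gaps = {}
    for def_id, platforms in definition_platforms(xml_text).items():
        missing = sorted(p for p in products if not covers(platforms, p))
        if missing:
            gaps[def_id] = missing
    return gaps


PRODUCTS = {"rhel9", "rhel10", "ol9", "fedora", "hummingbird"}  # constructed subset

# Constructed: an enumerating <affected> block, the style that leaves a new product uncovered.
BEFORE = """<def-group>
  <definition class="compliance" id="sysctl_kernel_ipv6_disable" version="1">
    <metadata>
      <title>Disable IPv6 via sysctl</title>
      <affected family="unix">
        <platform>multi_platform_fedora</platform>
        <platform>multi_platform_ol</platform>
        <platform>multi_platform_rhel</platform>
      </affected>
    </metadata>
  </definition>
</def-group>"""

# Constructed: the fix the comment describes, a single multi_platform_all element.
AFTER = """<def-group>
  <definition class="compliance" id="sysctl_kernel_ipv6_disable" version="1">
    <metadata>
      <title>Disable IPv6 via sysctl</title>
      <affected family="unix">
        <platform>multi_platform_all</platform>
      </affected>
    </metadata>
  </definition>
</def-group>"""

if __name__ == "__main__":
    print("before:", platform_gaps(BEFORE, PRODUCTS))  # flags hummingbird
    print("after: ", platform_gaps(AFTER, PRODUCTS))
```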
I have changed platforms in sysctl_kernel_ipv6_disabled
We will set the package platform only on the hummingbird product to avoid having a weird syntax with jinja substitution in the platform specifier.
I have limited the dnf platform in ensure_gpgcheck_never_disabled
The control files in the hummingbird project have been reviewed and status and notes keys have been updated. Most importantly, some notes copied from the RHEL 10 product have been removed because they aren't relevant in Hummingbird images.
I have updated notes and statuses in control files
vojtapolasek
left a comment
Looks good now, thank you.
Description:
This PR adds compliance content for scanning Red Hat's Hummingbird container images and containers.
Hummingbird container images are minimal, distro-less container images. They are hardened and aim for zero CVEs. Hummingbird images are based on their own special Linux distribution, also called Hummingbird, which isn't a RHEL derivative nor Fedora variant. See https://hummingbird-project.io/.
The PR adds control files mapping CIS and STIG requirements to rules for the hummingbird product. The CIS and STIG profiles are derived from RHEL 10 profiles, but rules that aren't applicable to containers aren't selected.
Selected rules are updated to better describe Hummingbird container images.
For more details please read commit messages of each commit.
Rationale:
This way ComplianceAsCode will have a specialized selection of rules, profiles and applicability checks tailored to Hummingbird. Having a specialized product folder allows us to refine rule descriptions and rationales, tailor the texts to give more specialized advice focused on container images, and remove misleading text from HTML guides and reports. (For example, we shouldn't confuse readers of the reports by having texts there about kernel and dnf.)
Review Hints:
build the Hummingbird product using
./build_product hummingbird
scan the latest variant of some Hummingbird container images with the CIS profile: quay.io/hummingbird-hatchling/nginx:latest, quay.io/hummingbird-hatchling/openjdk:latest or any other image you like
podman pull quay.io/hummingbird-hatchling/nginx:latest
podman unshare
oscap-podman quay.io/hummingbird-hatchling/nginx:latest xccdf eval --profile cis --results-arf /tmp/arf.xml --report /tmp/report.html /home/jcerny/work/git/scap-security-guide/build/ssg-hummingbird-ds.xml
in a similar way, scan the FIPS images with the STIG profile - they end with :latest-fips, for example: quay.io/hummingbird-hatchling/nginx:latest-fips
review the HTML reports from the scan