
Check for PQC GPG key only on RHEL 10.1 and newer#14462

Merged
vojtapolasek merged 1 commit intoComplianceAsCode:masterfrom
jan-cerny:rhel10_pqc
Feb 27, 2026

Conversation

@jan-cerny
Collaborator

@jan-cerny jan-cerny commented Feb 26, 2026

Description:

The redhat-release RPM package in RHEL 10.0 won't contain the postquantum OpenGPG key. This key will be present in RHEL 10.1 and newer.

Addressing:
Failing rule ensure_redhat_gpgkey_installed in multiple contest tests /hardening/host-os/oscap on RHEL 10.0.

Rationale:

Fixes https://issues.redhat.com/browse/OPENSCAP-6613

Review Hints:

Run contest test /hardening/host-os/oscap on RHEL 10.0 and 10.1.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Feb 26, 2026
@openshift-ci

openshift-ci bot commented Feb 26, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@github-actions

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed' differs.
--- xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
+++ xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
@@ -20,11 +20,9 @@
   # No CRC error, safe to proceed
   if [ "${GPG_RESULT}" -eq "0" ]
   then
+  # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
 
-    echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || {
+    echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || rpm --import "${REDHAT_RELEASE_KEY}"
 
-      # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
-      rpm --import "${REDHAT_RELEASE_KEY}"
-    }
   fi
 fi
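Review bot: The added comment line ("If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it") now sits above a blank line instead of directly above the `echo "${GPG_OUT[*]}" | grep -vE ... || rpm --import "${REDHAT_RELEASE_KEY}"` command it describes, and it is indented two spaces shallower than the rest of the `if` body; move it to the line immediately before that command at the body's indentation. Behaviour of the import gate is unchanged by collapsing the `|| { ... }` block to a one-line `||`: `grep -vE` still exits non-zero only when every reported fingerprint matches `${REDHAT_RELEASE_FINGERPRINT}` or `${REDHAT_AUXILIARY_FINGERPRINT}`, and only then does the import run. Note that this hunk contains no PQC-specific line (the grep pattern on the `-` and `+` lines is identical), so the RHEL 10.1-only gating named in the title is not visible in this part of the generated remediation.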

@jan-cerny jan-cerny added this to the 0.1.80 milestone Feb 26, 2026
@jan-cerny jan-cerny added the productization-issue Issue found in upstream stabilization process. label Feb 26, 2026
@jan-cerny jan-cerny marked this pull request as ready for review February 26, 2026 14:24
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Feb 26, 2026
@jan-cerny
Collaborator Author

@ggbecker has raised a concern that this check was only for RHEL 10 (as a major release), but the PQC GPG key is in both RHEL 9 and RHEL 10.

I think we shall extend this PR and make the check for RHEL 9.7 and newer as well.

@jan-cerny jan-cerny marked this pull request as draft February 26, 2026 15:48
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Feb 26, 2026
@vojtapolasek vojtapolasek self-assigned this Feb 27, 2026
The redhat-release RPM package in RHEL 10.0 won't contain the
postquantum OpenGPG key. This key will be present in RHEL 10.1
and newer.

Addressing:
Failing rule `ensure_redhat_gpgkey_installed` in multiple contest
tests `/hardening/host-os/oscap` on RHEL 10.0.
@jan-cerny
Collaborator Author

@ggbecker I have tried to extend the check to RHEL 9. That has revealed that there are some differences between RHEL 9 and RHEL 10 in how the postquantum GPG key is implemented.

Specifically:

  • PQC signing is available in both RHEL 9.7 and RHEL 10.1
  • both RHEL 9.7 and RHEL 10.1 ship the PQC GPG key in the redhat-release RPM package
  • but: on RHEL 9.7 the key is shipped in a separate file /etc/pki/rpm-gpg/RPM-GPG-KEY-PQC-redhat-release whereas on RHEL 10.1 the key is a part of the common file /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
  • on RHEL 9.7 using the PQC signatures is optional and there is an entirely separate copy of RPM with PQ support that is not installed by default. IOW the users need to opt-in to use the key.
  • on RHEL 9.7 the sq command that we use in our RHEL 10 remediation to get the fingerprint isn't available

That means we can't do the same check and remediation on RHEL 9 as we have on RHEL 10.

Also, the release stabilization tests fail on RHEL 10.0, not on RHEL 9. The reason is that in the current CaC code the rule contains checks and remediations for the postquantum GPG key only on RHEL 10.

Therefore, I have removed the RHEL 9 related changes from this PR and I have submitted them as a separate PR in #14475. We will modify that PR later.

This PR splitting will help us to fix the failing stabilization tests on RHEL 10.0 and proceed further with the release.
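The version-dependent expectations listed in the comment above, as an added POSIX shell example that is not part of this PR or of the ComplianceAsCode remediation: it derives from `/etc/os-release` content whether a system should carry the post-quantum release key and in which file, and it reproduces the remediation's import gate (the `grep -vE` on reported fingerprints) over constructed input. The `version_ge`, `pqc_key_expectation` and `all_fingerprints_known` names, the sample os-release strings and the fingerprint values are all constructed here; real Red Hat key fingerprints are not on the page and are not used.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode code. Expectations follow the PR discussion:
#   RHEL 10.1+ : PQC key is part of /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release   -> "combined"
#   RHEL 10.0  : redhat-release does not ship the PQC key                         -> "none"
#   RHEL 9.7+  : PQC key is a separate file RPM-GPG-KEY-PQC-redhat-release (opt-in) -> "separate"
#   older/other: no PQC key expected, the check must not fire                     -> "none"
# The os-release text is passed in as a string so the functions run offline.

# Numeric major.minor comparison: returns 0 when $1 >= $2, 1 otherwise.
version_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}; [ "$a_minor" = "$1" ] && a_minor=0
    b_major=${2%%.*}; b_minor=${2#*.}; [ "$b_minor" = "$2" ] && b_minor=0
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -lt "$b_major" ] && return 1
    [ "$a_minor" -ge "$b_minor" ]
}

# Read one KEY=value field from os-release text ($1), stripping quotes.
os_release_field() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | tr -d '"'
}

# Print where the PQC key is expected for the system described by $1.
pqc_key_expectation() {
    id=$(os_release_field "$1" ID)
    ver=$(os_release_field "$1" VERSION_ID)
    [ "$id" = "rhel" ] || { echo none; return; }
    if version_ge "$ver" 10.1; then echo combined
    elif version_ge "$ver" 10.0; then echo none      # 10.0 ships no PQC key
    elif version_ge "$ver" 9.7; then echo separate
    else echo none
    fi
}

# Same gate as the remediation: $1 = fingerprints reported for the key file
# (one per line), $2 = known fingerprints as an ERE alternation. Succeeds only
# when no reported fingerprint is unknown, i.e. when importing the file is safe.
all_fingerprints_known() {
    ! printf '%s\n' "$1" | grep -vE "$2" >/dev/null
}

# Constructed sample inputs (not real systems, not real key fingerprints).
SAMPLE_RHEL_10_1='NAME="Red Hat Enterprise Linux"
ID="rhel"
VERSION_ID="10.1"'
SAMPLE_RHEL_10_0='ID="rhel"
VERSION_ID="10.0"'
SAMPLE_RHEL_9_7='ID="rhel"
VERSION_ID="9.7"'
SAMPLE_RHEL_9_6='ID="rhel"
VERSION_ID="9.6"'
SAMPLE_FEDORA='ID=fedora
VERSION_ID=43'
KNOWN_PATTERN='AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000|BBBB1111BBBB1111BBBB1111BBBB1111BBBB1111'
KNOWN_TWO='AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000
BBBB1111BBBB1111BBBB1111BBBB1111BBBB1111'
WITH_UNKNOWN='AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000
CCCC2222CCCC2222CCCC2222CCCC2222CCCC2222'

# Stand-alone use: report the expectation for the running host, if readable.
[ -r /etc/os-release ] && pqc_key_expectation "$(cat /etc/os-release)"
```

The RHEL 9.7 branch goes one step beyond what this PR implements (the RHEL 9 handling was split out into #14475) and only encodes the file location the comment gives; because the 9.7 key is opt-in and `sq` is absent there, a real check for that branch would also need a different fingerprint source than the RHEL 10 remediation uses.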

@jan-cerny jan-cerny marked this pull request as ready for review February 27, 2026 09:04
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Feb 27, 2026
Collaborator

@vojtapolasek vojtapolasek left a comment


Looks good. I tested with Automatus on RHEL 9, 10.0 and 10.2.
Ansible remediation aborts on 10.2, but unfortunately this is not something we can fix. Relevant PR: ansible/ansible#86157

@vojtapolasek vojtapolasek merged commit 37188e2 into ComplianceAsCode:master Feb 27, 2026
58 of 64 checks passed
@jan-cerny jan-cerny added the backported-into-stabilization PRs which were cherry-picked during stabilization process. label Feb 27, 2026