Add AlmaLinux 9 support #12757

@0intro 0intro commented Dec 20, 2024

Description:

This PR adds AlmaLinux 9 support.

The AlmaLinux 9 support has been implemented as a derivative of RHEL 9, since AlmaLinux 9 is a clone of RHEL 9 and the CIS Benchmarks are pretty much identical.

Rationale:

AlmaLinux is a community-supported clone of Red Hat Enterprise Linux. The CIS Benchmark for AlmaLinux was first published in November 2021.

The AlmaLinux 9 support has been implemented as a derivative
of RHEL 9, since AlmaLinux 9 is a clone of RHEL 9 and the
CIS Benchmarks are pretty much identical.
@0intro 0intro requested a review from a team as a code owner December 20, 2024 09:07
@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Dec 20, 2024
openshift-ci bot commented Dec 20, 2024

Hi @0intro. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

codeclimate bot commented Dec 20, 2024

Code Climate has analyzed commit a9564e7 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.6% (0.0% change).

@Mab879 Mab879 self-assigned this Dec 20, 2024
Mab879 commented Dec 20, 2024

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels Dec 20, 2024
@Mab879 Mab879 added this to the 0.1.76 milestone Dec 20, 2024
Mab879 commented Dec 20, 2024

The static test failures are due to a waiver needing to be added. I can propose a PR to Contest later today.

RHSecurityCompliance/contest#296 should fix it.

@Mab879 Mab879 left a comment

I think these changes are looking fairly good overall.

Due to the Contest PR needed for the tests to pass, this PR will most likely get merged in January once the team gets back from the holiday break. Once those are merged we can move this PR forward.

sej7278 commented Dec 20, 2024

CIS is a great start, as we develop the F34-based benchmarks together it would be great to see AlmaLinux added to CaC.

I've got some automation for the AlmaLinux OS 9 STIG that needs updating now the STIG is final, but maybe we should concentrate on adding it to CaC instead?
https://github.com/sej7278/virt-installs/tree/master/alma9_stig_ansible

"<i>AlmaLinux</i> does not inherit " \
"certifications or evaluations from <i>Red Hat Enterprise Linux</i>. As " \
"such, some configuration rules (such as those requiring " \
"<i>FIPS 140-2</i> encryption) will continue to fail on <i>AlmaLinux</i>.</li>\n" \
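Review bot: In the last two lines of this notice string, "will continue to fail" is stated unconditionally and "FIPS 140-2" pins the text to one revision of the standard. Consider wording along the lines of "rules that depend on FIPS validation may fail on AlmaLinux" so the notice does not go stale, and check that the closing </li> has a matching <li> at the start of the notice, since the opening tag is not visible in this excerpt.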
I wonder if we should add a note about the FIPS 140-3 modules from https://docs.tuxcare.com/enterprise-support-for-almalinux/fips/ ?

Mab879 commented Dec 20, 2024

> CIS is a great start, as we develop the F34-based benchmarks together it would be great to see AlmaLinux added to CaC.
>
> I've got some automation for the AlmaLinux OS 9 STIG that needs updating now the STIG is final, but maybe we should concentrate on adding it to CaC instead? https://github.com/sej7278/virt-installs/tree/master/alma9_stig_ansible

If you are looking to add different profiles than what is in RHEL, I would suggest creating a new product that isn't a derivative of RHEL. By merging this pull request, all of the profiles will be what is in RHEL.

See #12611 as a recent example of how. We also have some docs as well. As always, if you need any help, please let us know.

sej7278 commented Dec 20, 2024

That's where I've always got stuck before. The CIS benchmarks are largely the same, but the STIG is more different - requires a license, different repos, specific FIPS packages, certain minor versions aren't supported etc.
