
Add service_kdump_disabled to RHEL 9 CCN profiles#14697

Merged
Mab879 merged 2 commits into ComplianceAsCode:master from vojtapolasek:rhel9_ccn_disable_kdump
May 7, 2026

Conversation

@vojtapolasek
Collaborator

Description:

  • Add rule service_kdump_disabled to the CCN RHEL 9 control file under requirement A.8.SEC-RHEL4 ("Unnecessary Services are Disabled, Reducing the Attack Surface").
  • Update profile stability tests for ccn_advanced and ccn_intermediate profiles to reflect the new rule selection.

Rationale:

  • Disabling kdump reduces the attack surface by removing an unnecessary service. Kernel core dumps may contain the full contents of system memory and can exhaust disk space, causing denial of service. Additionally, leaving kdump enabled produces confusing errors during boot after remediation.

  • The rule uses the service_disabled template with medium severity and is already available for RHEL 9 (CCE-84232-8).

  • Fixes Systemd-tmpfiles errors on RHEL 9 boot #14582

Review Hints:

  • Only 3 files changed, all straightforward additions of a single rule ID — review all commits together.
  • Affected product: RHEL 9. Build with: ./build_product --datastream-only rhel9
  • The rule service_kdump_disabled is templated (service_disabled), so no rule-specific test scenarios are needed.
  • Key files to review:
    • products/rhel9/controls/ccn_rhel9.yml — rule added under A.8.SEC-RHEL4
    • tests/data/profile_stability/rhel9/ccn_advanced.profile — stability test updated
    • tests/data/profile_stability/rhel9/ccn_intermediate.profile — stability test updated
  • The rule is already used in other profiles/products (STIG for OL7, OL8, SLES), so it is well-established.

It decreases vulnerability surfaces, and disabling it removes confusing errors while booting after remediation.
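As an added example, not code from this PR or from the service_disabled template: a small audit helper that evaluates the condition the new rule enforces, kdump.service neither enabled nor running, from `systemctl show` output. The property set queried and the assumption that only the service unit matters for kdump are mine, as is the constructed sample output used offline.

```python
import subprocess

# Units the rule covers. Assumption: the service_disabled template requires the
# service unit (and any socket unit) to be disabled; kdump has no socket unit.
KDUMP_UNITS = ("kdump.service",)
PROPS = "LoadState,UnitFileState,ActiveState"
RUNNING_STATES = {"active", "activating", "reloading"}
DISABLED_FILE_STATES = {"disabled", "masked", "masked-runtime", ""}
# Constructed sample (not captured from a real host): disabled, but still running.
SAMPLE_OUTPUT = "LoadState=loaded\nUnitFileState=disabled\nActiveState=active\n"

def parse_systemctl_show(text: str) -> dict:
    """Parse `systemctl show UNIT -p LoadState,UnitFileState,ActiveState` output."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def unit_compliant(name: str, props: dict) -> tuple[bool, str]:
    """Pass only when the unit is not installed, or is neither enabled nor running."""
    if props.get("LoadState") == "not-found":
        return True, f"{name}: unit not installed"
    problems = []
    file_state = props.get("UnitFileState", "")
    if file_state not in DISABLED_FILE_STATES:
        problems.append(f"unit file state is '{file_state}'")
    active = props.get("ActiveState", "")
    if active in RUNNING_STATES:  # disabled but not yet stopped still fails
        problems.append(f"unit is {active}")
    if problems:
        return False, f"{name}: " + "; ".join(problems)
    return True, f"{name}: disabled and inactive"

def query_systemctl(name: str) -> str:
    """Live query; check=False because systemctl may exit non-zero for unknown units."""
    cmd = ["systemctl", "show", name, "-p", PROPS]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout

def audit_kdump(fetch=query_systemctl) -> list[tuple[bool, str]]:
    """Evaluate every kdump unit; fetch is injectable so captured output can be audited offline."""
    return [unit_compliant(u, parse_systemctl_show(fetch(u))) for u in KDUMP_UNITS]

if __name__ == "__main__":
    # Runs against the constructed sample; use audit_kdump() on a live systemd host.
    for ok, msg in audit_kdump(lambda unit: SAMPLE_OUTPUT):
        print("PASS" if ok else "FAIL", msg)
```

The sample deliberately exercises the remediation edge case: a unit that has been disabled but not stopped still fails until it is inactive or the host reboots.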
@vojtapolasek vojtapolasek added this to the 0.1.81 milestone May 7, 2026
@vojtapolasek vojtapolasek added the RHEL9 Red Hat Enterprise Linux 9 product related. label May 7, 2026
@vojtapolasek vojtapolasek requested review from a team and matusmarhefka as code owners May 7, 2026 07:46
@vojtapolasek vojtapolasek added the Update Profile Issues or pull requests related to Profiles updates. label May 7, 2026
@vojtapolasek vojtapolasek added the CCN CCN Benchmark related. label May 7, 2026
@Arden97 Arden97 self-assigned this May 7, 2026
Contributor

@Arden97 Arden97 left a comment


Custom pipeline run shows that /scanning/boot-errors/ccn_advanced no longer triggers the systemd-tmpfiles errors mentioned in the issue.

@openshift-ci

openshift-ci Bot commented May 7, 2026

@vojtapolasek: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-openshift-platform-compliance dde4d8e link true /test e2e-aws-openshift-platform-compliance
ci/prow/e2e-aws-openshift-node-compliance dde4d8e link true /test e2e-aws-openshift-node-compliance


@Mab879 Mab879 merged commit a78ca75 into ComplianceAsCode:master May 7, 2026
66 of 68 checks passed