Merge pull request #14193 from vojtapolasek/add_sq_to_rhel10

Use Sequoia in RHEL 10 instead of GPG

Author: jan-cerny

components/sequoia.yml

@@ -0,0 +1,5 @@
+name: sequoia
+packages:
+- sequoia-sq
+rules:
+- package_sequoia-sq_installed

controls/anssi.yml

@@ -1255,6 +1255,8 @@ controls:
           - ensure_gpgcheck_globally_activated
           - ensure_gpgcheck_local_packages
           - ensure_redhat_gpgkey_installed
+          # this is relevant for RHEL only
+          - package_sequoia-sq_installed
           - ensure_oracle_gpgkey_installed
           - ensure_almalinux_gpgkey_installed
 

controls/e8.yml

@@ -25,6 +25,8 @@ controls:
           - package_squid_removed
           - service_squid_disabled
           - ensure_redhat_gpgkey_installed
+          # the rule ensure_redhat_gpgkey_installed needs a special package on RHEL 10 which is not installed by default
+          - package_sequoia-sq_installed
           - ensure_gpgcheck_never_disabled
           - ensure_gpgcheck_local_packages
           - ensure_gpgcheck_globally_activated

controls/hipaa.yml

@@ -171,6 +171,8 @@ controls:
           - ensure_gpgcheck_never_disabled
           - ensure_gpgcheck_repo_metadata
           - ensure_redhat_gpgkey_installed
+          # This is needed for RHEL 10
+          - package_sequoia-sq_installed
           - ensure_suse_gpgkey_installed
           - ensure_almalinux_gpgkey_installed
       status: automated

controls/ism_o.yml

@@ -604,6 +604,7 @@ controls:
           - ensure_gpgcheck_local_packages
           - ensure_gpgcheck_never_disabled
           - ensure_redhat_gpgkey_installed
+          - package_sequoia-sq_installed
           - ensure_oracle_gpgkey_installed
           - dnf-automatic_security_updates_only
       status: automated

controls/ospp.yml

@@ -448,6 +448,8 @@ controls:
           - ensure_gpgcheck_local_packages
           - ensure_gpgcheck_never_disabled
           - ensure_redhat_gpgkey_installed
+          # This package is needed for RHEL 10
+          - package_sequoia-sq_installed
       status: automated
 
     - id: FPT_TUD_EXT.2
@@ -462,6 +464,8 @@ controls:
           - ensure_gpgcheck_local_packages
           - ensure_gpgcheck_never_disabled
           - ensure_redhat_gpgkey_installed
+          # This package is needed for RHEL 10
+          - package_sequoia-sq_installed
       status: automated
 
     - id: FPT_TST_EXT.1

controls/pcidss_4.yml

@@ -1556,6 +1556,8 @@ controls:
             status: automated
             rules:
                 - ensure_redhat_gpgkey_installed
+                # This package is needed for RHEL 10
+                - package_sequoia-sq_installed
                 - ensure_suse_gpgkey_installed
                 - ensure_almalinux_gpgkey_installed
                 - ensure_gpgcheck_globally_activated

controls/srg_gpos/SRG-OS-000366-GPOS-00153.yml

@@ -17,6 +17,7 @@ controls:
             {{% endif %}}
             {{% if 'rhel' in product %}}
             - ensure_redhat_gpgkey_installed
+            - package_sequoia-sq_installed
             {{% endif %}}
             {{% if 'ol' in families %}}
             - ensure_oracle_gpgkey_installed

linux_os/guide/system/software/system-tools/package_sequoia-sq_installed/rule.yml

@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Install sequoia-sq Package'
+
+description: |-
+    {{{ describe_package_install(package="sequoia-sq") }}}
+
+rationale: |-
+    The <tt>sequoia-sq</tt> package provides the <tt>sq</tt> command-line tool,
+    which is used for OpenPGP operations including verification of GPG signatures.
+    This tool is required for cryptographic verification of software packages and
+    GPG keys using modern OpenPGP implementations.
+
+severity: low
+
+identifiers:
+    cce@rhel10: CCE-86458-7
+
+references:
+    hipaa: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i)
+    ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2
+    srg: SRG-OS-000366-GPOS-00153
+
+ocil_clause: 'the package is not installed'
+
+ocil: '{{{ ocil_package(package="sequoia-sq") }}}'
+
+template:
+    name: package_installed
+    vars:
+        pkgname: sequoia-sq

linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml

@@ -3,33 +3,53 @@
 # strategy = restrict
 # complexity = medium
 # disruption = medium
-- name: "Read permission of GPG key directory"
+- name: "{{{ rule_title }}}: Read permission of GPG key directory"
   ansible.builtin.stat:
     path: /etc/pki/rpm-gpg/
   register: gpg_key_directory_permission
   check_mode: no
 
 # It should fail if it doesn't find any fingerprints in file - maybe file was not parsed well.
 
-- name: Read signatures in GPG key
+{{% if "rhel" in families  and major_version_ordinal >= 10 %}}
+# RHEL >= 10: Use sq command from sequoia-sq package
+- name: "{{{ rule_title }}}:  Read signatures in GPG key using sq"
+  ansible.builtin.command: sq inspect /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+  changed_when: false
+  failed_when: False
+  check_mode: no
+  register: gpg_fingerprints
+
+- name: "{{{ rule_title }}}: Set Fact - Installed GPG Fingerprints (sq format)"
+  ansible.builtin.set_fact:
+    gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('Fingerprint:\\s*([0-9A-Fa-f]+)', '\\1') | list }}"
+{{% else %}}
+# RHEL 8, 9 and other versions: Use gpg command
+
+- name: "{{{ rule_title }}}: Read signatures in GPG key"
   # According to /usr/share/doc/gnupg2/DETAILS fingerprints are in "fpr" record in field 10
   ansible.builtin.command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
   changed_when: False
   register: gpg_fingerprints
   failed_when: False
   check_mode: no
 
-- name: Set Fact - Installed GPG Fingerprints
+- name: "{{{ rule_title }}}: Set Fact - Installed GPG Fingerprints"
   ansible.builtin.set_fact:
-    gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('^pub.*\n(?:^fpr[:]*)([0-9A-Fa-f]*)', '\\1') | list }}"
+    gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('^pub.*\\n(?:^fpr[:]*)([0-9A-Fa-f]*)', '\\1') | list }}"
+
+{{% endif %}}
 
-- name: Set Fact - Valid fingerprints
+- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints"
   ansible.builtin.set_fact:
     gpg_valid_fingerprints:
     - "{{{ release_key_fingerprint }}}"
     - "{{{ auxiliary_key_fingerprint }}}"
+{{% if "rhel" in families  and major_version_ordinal >= 10 %}}
+    - "{{{ pqc_key_fingerprint }}}"
+{{% endif %}}
 
-- name: Import RedHat GPG key
+- name: "{{{ rule_title }}}: Import RedHat GPG key"
   ansible.builtin.rpm_key:
     state: present
     key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release