Add kickstart remediation to service_kdump_disabled

[jan-cerny]

This change will cause that the kickstart file generated by OpenSCAP will contain %addon com_redhat_kdump --disable section.

This PR partially addresses #12832 but it doesn't fix it completely.

Adding the section %addon com_redhat_kdump --disable to kickstart causes that kdump doesn't work in the installed system. Adding the section is equivalent to clicking on "Disable kdump" in the GUI installation. Both makes the kdump.service fail to start.

However, disabling kdump this way will not make our rule service_kdump_disabled pass. This rule will still fail because it requires the kdump.service to be masked.

The %addon com_redhat_kdump --disable doesn't mask the kdump.service. And unfortunately, the service --disable command in kickstart also doesn't mask the kdump.service.

In other words, we have hit one of the current issues of the Liteweight Anaconda hardening feature, that it doesn't mask the services. This has already been reported in #12282 (second part of the description section).

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

[codeclimate]

Code Climate has analyzed commit bb719a4 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

View more on Code Climate.

[jan-cerny]

/packit build

[comps]

I can verify that this PR does add the section to the kickstart:

# Disable the kdump kernel crash dumping mechanism (required for security compliance)
%addon com_redhat_kdump --disable
%end

However, as mentioned, services has no --mask, so the test continues failing: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/automatically_installing_rhel/kickstart-commands-and-options-reference_rhel-installer#services_kickstart-commands-for-system-configuration

Something would need to generate an extra %post section with systemctl masking the service (or generally any services that should be disabled), if services --disabled=... does only soft-disable and not mask (meaning they can be started by a dependency).