Add initial C2S Docker Profile #2422

Merged: 1 commit merged Mar 2, 2018

Conversation

redhatrises (Contributor)

Description:

  • Add initial C2S Docker Profile

Rationale:

  • Currently, there is no security profile for hardening docker.

@redhatrises redhatrises added the enhancement General enhancements to the project. label Oct 18, 2017
@redhatrises redhatrises added this to the 0.1.36 milestone Oct 18, 2017
@mpreisler (Member)

As it is this profile brings no value to users, I propose we implement at least some of the rules before we merge it.

@redhatrises (Contributor, Author)

That's correct. I would like to get this in so people can start helping to contribute towards it.

@mpreisler (Member)

Hmm. Could we perhaps start a branch that we will merge after the profiles have rules in them? We have an SSG release scheduled for end of the month, I don't want it to contain empty profiles.

@redhatrises (Contributor, Author)

> We have an SSG release scheduled for end of the month, I don't want it to contain empty profiles.

@mpreisler I selected at least one rule; otherwise, it would not have built. ;-P

@jan-cerny (Collaborator)

We already started a Docker profile for RHEL7. It's here https://github.com/OpenSCAP/scap-security-guide/blob/master/rhel7/profiles/docker-host.xml . The profile was also meant to follow the CIS Docker Community Edition Benchmark. I remember I studied the document that time.

However, soon we didn't see value in implementing a profile for Docker. What has changed? And why have 2 profiles that are going to implement the same baseline?

@redhatrises (Contributor, Author)

> However, soon we didn't see value in implementing a profile for Docker. What has changed? And why have 2 profiles that are going to implement the same baseline?

Not sure where this confusion is coming from, but it is valuable to implement a Docker profile.
I thought that the docker-host profile was some sort of standard Docker profile, not based on any standards body (CIS) but just on what we thought should be in it. Anything CIS-based should be standardized to C2S-something, as was already done with the existing C2S profile. I can remove one or the other, unless we should have a standard docker profile like we do with the RHEL profiles, in which case I would say keep the docker-host profile for that.

@mpreisler (Member)

> However, soon we didn't see value in implementing a profile for Docker. What has changed? And why have 2 profiles that are going to implement the same baseline?

AFAIK we definitely saw value in it; we just prioritized content for containers and container images over content for the docker host. There is value in docker host content for sure.

@redhatrises redhatrises modified the milestones: 0.1.36, 0.1.37 Oct 30, 2017
@yuumasato yuumasato modified the milestones: 0.1.37, 0.1.38 Jan 3, 2018
@yuumasato (Member)

I think we can merge and introduce this Profile to SSG.
And docker-host can be the Profile for standard checks; not sure if there would be much difference between the Profiles.

@yuumasato (Member)

Merging, let the Profile grow and bloom!

@yuumasato yuumasato self-assigned this Mar 2, 2018
@yuumasato yuumasato merged commit 09cc61b into ComplianceAsCode:master Mar 2, 2018
@redhatrises redhatrises deleted the add_c2_docker branch March 2, 2018 13:58
@mpreisler (Member)

> As it is this profile brings no value to users, I propose we implement at least some of the rules before we merge it.

> Hmm. Could we perhaps start a branch that we will merge after the profiles have rules in them? We have an SSG release scheduled for end of the month, I don't want it to contain empty profiles.

I will reiterate that IMO this shouldn't have been merged. There is nothing in this profile, no value for users. Now it's in a release and will show up in installers, SCAP Workbench, guides, ...

CC @yuumasato @redhatrises

@yuumasato (Member)

@mpreisler Sorry for overlooking your review. With #2422 (comment) I thought your comment was addressed. Maybe it was a joke and I didn't get it.

I get your point. This Profile may be an extreme example, with just one rule selected. But Profiles like ANSSI or HIPAA were also in a very initial state (though, thanks to #2650, HIPAA has much more content).
Besides the number of selected rules, what is the difference between them?
Maybe the expectation that there will be content for C2S is lower?
