Remove rhel7 product #12093
Skipping CI for Draft Pull Request.
This datastream diff is auto generated by the check
OVAL for rule 'xccdf_org.ssgproject.content_rule_installed_OS_is_FIPS_certified' differs.
--- oval:ssg-installed_OS_is_FIPS_certified:def:1
+++ oval:ssg-installed_OS_is_FIPS_certified:def:1
@@ -1,5 +1,4 @@
criteria OR
-extend_definition oval:ssg-installed_OS_is_rhel7:def:1
extend_definition oval:ssg-installed_OS_is_rhel8:def:1
extend_definition oval:ssg-installed_OS_is_rhcos4:def:1
extend_definition oval:ssg-installed_OS_is_ol7:def:1
OVAL for rule 'xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported' differs.
--- oval:ssg-installed_OS_is_vendor_supported:def:1
+++ oval:ssg-installed_OS_is_vendor_supported:def:1
@@ -1,5 +1,4 @@
criteria OR
-extend_definition oval:ssg-installed_OS_is_rhel7:def:1
extend_definition oval:ssg-installed_OS_is_rhel8:def:1
extend_definition oval:ssg-installed_OS_is_rhel9:def:1
extend_definition oval:ssg-installed_OS_is_ol7:def:1
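Review bot: The removal of extend_definition oval:ssg-installed_OS_is_rhel7:def:1 on the second line of this criteria list is a user-visible result change, not only cleanup. A host that still identifies as RHEL 7 and is evaluated against this content will no longer match any of the branches visible in this hunk (rhel8, rhel9, ol7), so installed_OS_is_vendor_supported will stop passing for it. Call this out in the release notes together with the product removal.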
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
@@ -7,12 +7,10 @@
using pam_faillock.so.
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected.
-
Ensure that the file /etc/security/faillock.conf contains the following entry:
deny = <count>
Where count should be less than or equal to
'xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny' and greater than 0.
-
In order to avoid errors when manually editing these files, it is
recommended to use the appropriate tools, such as authselect or authconfig,
OCIL for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs.
--- ocil:ssg-accounts_passwords_pam_faillock_deny_ocil:questionnaire:1
+++ ocil:ssg-accounts_passwords_pam_faillock_deny_ocil:questionnaire:1
@@ -1,6 +1,5 @@
Verify Red Hat Enterprise Linux 8 is configured to lock an account after
unsuccessful logon attempts with the command:
-
$ grep 'deny =' /etc/security/faillock.conf
deny = .
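Review bot: The expected output on the last line reads "deny = ." with no value, so someone following this OCIL check has nothing to compare the grep result against. The rule text for the same setting says the count must be greater than 0 and less than or equal to var_accounts_passwords_pam_faillock_deny; state that bound in the expected output or in the sentence before the command.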
OCIL for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs.
--- ocil:ssg-accounts_passwords_pam_faillock_deny_root_ocil:questionnaire:1
+++ ocil:ssg-accounts_passwords_pam_faillock_deny_root_ocil:questionnaire:1
@@ -1,6 +1,5 @@
Verify Red Hat Enterprise Linux 8 is configured to lock the root account after
unsuccessful logon attempts with the command:
-
$ grep even_deny_root /etc/security/faillock.conf
even_deny_root
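Review bot: The check command grep even_deny_root /etc/security/faillock.conf also matches a commented-out line such as "# even_deny_root", so the expected output can appear while the option is inactive. Anchor the pattern to an uncommented line, for example grep '^[[:space:]]*even_deny_root' /etc/security/faillock.conf, so the manual check agrees with what pam_faillock actually reads.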
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time'.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
@@ -6,11 +6,9 @@
This rule configures the system to lock out accounts during a specified time period after a
number of incorrect login attempts using pam_faillock.so.
-
Ensure that the file /etc/security/faillock.conf contains the following entry:
unlock_time=<interval-in-seconds> where
interval-in-seconds is 'xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time' or greater.
-
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected. In order to avoid any errors when manually editing these files,
OCIL for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' differs.
--- ocil:ssg-accounts_passwords_pam_faillock_unlock_time_ocil:questionnaire:1
+++ ocil:ssg-accounts_passwords_pam_faillock_unlock_time_ocil:questionnaire:1
@@ -1,7 +1,6 @@
Verify Red Hat Enterprise Linux 8 is configured to lock an account until released by an administrator
after unsuccessful logon
attempts with the command:
-
$ grep 'unlock_time =' /etc/security/faillock.conf
unlock_time =
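Review bot: The grep pattern 'unlock_time =' requires a space before the equals sign, while the rule description for the same setting gives the entry as unlock_time=<interval-in-seconds> with no spaces, so a file written the way the description shows would return nothing here. Use a pattern that tolerates optional whitespace around "=", and give the expected value, since the last line shows "unlock_time =" with nothing after it.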
New content has different text for rule 'xccdf_org.ssgproject.content_rule_disable_anacron'.
--- xccdf_org.ssgproject.content_rule_disable_anacron
+++ xccdf_org.ssgproject.content_rule_disable_anacron
@@ -4,7 +4,7 @@
[description]:
The cronie-anacron package, which provides anacron
-functionality, is installed by default.
+functionality, is installed by default.
The cronie-anacron package can be removed with the following command:
$ sudo yum erase cronie-anacron
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ftp_configure_firewall'.
--- xccdf_org.ssgproject.content_rule_ftp_configure_firewall
+++ xccdf_org.ssgproject.content_rule_ftp_configure_firewall
@@ -17,10 +17,3 @@
[rationale]:
These settings configure the firewall to allow connections to an FTP server.
-
-
-The first line allows initial connections to the FTP server port.
-FTP is an older protocol which is not very compatible with firewalls. During the initial FTP dialogue, the client
-and server negotiate an arbitrary port to be used for data transfer. The ip_conntrack_ftp module is used by
-iptables to listen to that dialogue and allow connections to the data ports which FTP negotiates. This allows an
-FTP server to operate on a system which is running a firewall. |
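Review bot: With the removed paragraph gone, the [rationale] is the single sentence "These settings configure the firewall to allow connections to an FTP server.", which restates what the rule does and no longer says why FTP needs special firewall handling (the data port negotiated during the initial dialogue). Keep a short, product-neutral sentence on that point instead of dropping the explanation entirely.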
🤖 A k8s content image for this PR is available at:
If you already have Compliance Operator deployed:
Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
SL7 also EOLs at the end of June 2024.
Once this is ready to merge we will need to make RHEL 7 no longer required as a test.
Code Climate has analyzed commit 24c4b85 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change).
The changes I have seen are great. But, I can still grep some occurrences of RHEL 7, rhel7 and similar strings. It isn't necessary to remove all of them, sometimes they can't be removed, but I think some of them should be removed, for example, the directory tests/data/profile_stability/rhel7 should be removed.
you plan to clean up the tests in a separate PR, so please disregard the comment about tests/data/profile_stability/rhel7
It makes sense to me to remove the RHEL 7 product because this old product is end of maintenance now, as of 2024-06-30, see https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux/rhel-7-end-of-maintenance
Description:
There still might be some remaining references to RHEL 7 in the testing and those will be cleaned up in a separate PR.
Rationale:
Fixes #12044
Review Hints:
Review the commits as they have details on the why.