Change crypto policy requirement for Hummingbird images #14683

Open
jan-cerny wants to merge 1 commit into ComplianceAsCode:master from jan-cerny:fips_cis_hummingbird

Conversation


@jan-cerny jan-cerny commented Apr 28, 2026

This commit changes the expected crypto policy settings in the CIS profile for Hummingbird container images.

Hummingbird provides images in 2 basic variants:

  1. normal (e.g. :latest) - has the crypto policy set to DEFAULT
  2. FIPS (e.g. :latest-fips) - has the crypto policy set to FIPS.

CIS Benchmarks typically require that the crypto policy isn't set to LEGACY. Following these requirements, both variants of Hummingbird images are compliant with CIS. Both DEFAULT and FIPS crypto policy satisfy the requirement.

This commit makes both variants of images pass the CIS profile by selecting the new rule crypto_policy_not_legacy in the profile instead of the usual rule configure_crypto_policy. The new rule is created in this commit as well.

Review Hints:

  1. ./build_product -d hummingbird
  2. mkdir -p /tmp/ssg/
  3. cp build/ssg-hummingbird-ds.xml /tmp/ssg
  4. podman run --rm --cap-add SYS_CHROOT --mount type=image,source=quay.io/hummingbird/nginx:latest,destination=/target -e OSCAP_PROBE_ROOT=/target -v /tmp/ssg:/ssg:z,U quay.io/hummingbird/openscap:latest xccdf eval --profile cis --results-arf /ssg/results.xml --report /ssg/report.html /ssg/ssg-hummingbird-ds.xml
  5. podman run --rm --cap-add SYS_CHROOT --mount type=image,source=quay.io/hummingbird/nginx:latest-fips,destination=/target -e OSCAP_PROBE_ROOT=/target -v /tmp/ssg:/ssg:z,U quay.io/hummingbird/openscap:latest xccdf eval --profile cis --results-arf /ssg/results-fips.xml --report /ssg/report-fips.html /ssg/ssg-hummingbird-ds.xml
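An added example, not code from this PR or from ComplianceAsCode: a POSIX shell script that contrasts the old expectation (policy exactly DEFAULT) with the new crypto_policy_not_legacy expectation (anything except LEGACY) against constructed crypto-policies config files standing in for a :latest root, a :latest-fips root and a LEGACY root. It assumes the standard /etc/crypto-policies/config location, and it reduces a subpolicy suffix such as DEFAULT:SHA1 to its base name, which goes beyond what the PR text describes.

```shell
#!/bin/sh
# Added example, not code from this PR or from ComplianceAsCode: contrast
# the old expectation (policy must be exactly DEFAULT) with the new one
# (policy must not be LEGACY, as crypto_policy_not_legacy is described).
# /etc/crypto-policies/config is the standard crypto-policies location;
# the roots built by make_root are constructed for this demo and play the
# role of the mounted OSCAP_PROBE_ROOT target from the review hints.

# Print the active policy name read from <root>/etc/crypto-policies/config.
# Comments and blank lines are skipped; a subpolicy suffix such as
# DEFAULT:SHA1 is reduced to its base name (an assumption beyond the PR).
crypto_policy_name() {
    cfg="$1/etc/crypto-policies/config"
    [ -r "$cfg" ] || return 1
    grep -v '^[[:space:]]*#' "$cfg" | grep -v '^[[:space:]]*$' \
        | head -n 1 | tr -d ' \t' | cut -d: -f1
}

# Old check: pass only for DEFAULT, so a :latest-fips image (FIPS) fails.
check_policy_is_default() {
    name=$(crypto_policy_name "$1") || return 1
    [ "$name" = "DEFAULT" ]
}

# New check: pass for anything except LEGACY (DEFAULT, FIPS, FUTURE, ...).
# A missing or empty config is treated as a failure rather than a pass.
check_policy_not_legacy() {
    name=$(crypto_policy_name "$1") || return 1
    [ -n "$name" ] && [ "$name" != "LEGACY" ]
}

# Build a throwaway root directory with the given policy name in its config.
make_root() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/crypto-policies"
    printf '# constructed for the demo\n%s\n' "$1" > "$dir/etc/crypto-policies/config"
    echo "$dir"
}

# Demo: the :latest-like root passes both checks, the :latest-fips-like root
# passes only the new one, and a LEGACY root fails the new check.
for policy in DEFAULT FIPS LEGACY; do
    root=$(make_root "$policy")
    if check_policy_is_default "$root"; then old=pass; else old=fail; fi
    if check_policy_not_legacy "$root"; then new=pass; else new=fail; fi
    echo "$policy: is_default=$old not_legacy=$new"
    rm -rf "$root"
done
```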

@jan-cerny jan-cerny added this to the 0.1.81 milestone Apr 28, 2026
@jan-cerny jan-cerny added the Hummingbird Hummingbird project or container images related label Apr 28, 2026
@Mab879 Mab879 self-assigned this Apr 29, 2026
Member

@Mab879 Mab879 left a comment

One concern I have is that in order to use default_or_fips you have to modify the OVAL. Some non-obvious coupling. This feels like a common source of bugs in the future. Should we just make this regex for everyone?

This commit changes the expected crypto policy settings in the CIS
profile for Hummingbird container images.

Hummingbird provides images in 2 basic variants:
1. normal (e.g. `:latest`) - has the crypto policy set to `DEFAULT`
2. FIPS (e.g. `:latest-fips`) - has the crypto policy set to `FIPS`.

CIS Benchmarks typically require that the crypto policy isn't set to
`LEGACY`. Following these requirements, both variants of Hummingbird
images are compliant with CIS. Both `DEFAULT` and `FIPS` crypto
policy satisfy the requirement.

This commit makes both variants of images pass the CIS profile
by selecting the new rule `crypto_policy_not_legacy` in the profile
instead of the usual rule `configure_crypto_policy`. The new rule
is created in this commit as well.
@jan-cerny jan-cerny force-pushed the fips_cis_hummingbird branch from ced08c9 to b4c041e on April 30, 2026 08:53
@jan-cerny jan-cerny (Collaborator, Author)

Good point. I have decided to do it differently. I have created a new rule and used it in the CIS profile in Hummingbird instead of modifying the existing rule.
