CMP-4248 added compliance checks#14665

Draft
vickeybrown wants to merge 1 commit into ComplianceAsCode:master from vickeybrown:CMP-4248-rule-impls

Conversation

@vickeybrown

Description:

New Rules:

  • package_netcat_removed - Removes nmap-ncat package
  • package_socat_removed - Removes socat package
  • package_python3_dnf_removed - Removes dnf and python3-dnf packages
  • package_at_removed - Removes at package

Key Changes:

  • Added rpm-ostree support to bash_package_remove macro in
    shared/macros/10-bash.jinja
    • All RHCOS4 package removal remediations now use rpm-ostree override remove instead
      of dnf remove
  • Created component files for nmap-ncat and socat
  • Updated component files for at and dnf to include new rules
  • Added all four rules to products/rhcos4/profiles/default.profile

Rationale:

These utilities (netcat, socat, dnf) can be used for legitimate troubleshooting but
present security risks if misused by attackers. RHCOS is designed as an immutable
operating system, and these packages are not installed by default but could be added with
sufficient privileges. Removing them reduces attack surface.

The at package allows scheduling tasks for future execution, which is not needed in
RHCOS environments and could be used by attackers to schedule malicious tasks.

Review Hints:

Will fill this out once it's working
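The "Key Changes" above describe switching the RHCOS4 package-removal remediation from dnf remove to rpm-ostree override remove. The script below is an added example of that dispatch logic written as plain POSIX shell; it is not the project's bash_package_remove macro or any code from this PR. Its check function (is the package absent?) and remediation function (pick the right removal command for the host) are assumptions about how such a rule could be expressed, and OSTREE_OVERRIDE and DRY_RUN are variables invented here so the decision can be exercised without a real rpm-ostree host.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode code: a package-removal check and
# remediation that uses rpm-ostree on image-based hosts (RHCOS) and dnf
# on conventional RPM hosts.

# Decide whether this host is managed by rpm-ostree. /run/ostree-booted is the
# marker an ostree-booted system exposes; OSTREE_OVERRIDE (our own variable,
# an assumption for testing) forces the answer: 1 = ostree host, 0 = dnf host.
is_rpm_ostree_host() {
    if [ -n "${OSTREE_OVERRIDE:-}" ]; then
        [ "$OSTREE_OVERRIDE" = "1" ]
        return
    fi
    [ -f /run/ostree-booted ] && command -v rpm-ostree >/dev/null 2>&1
}

# Print the removal command for the given packages without running it, so the
# choice of tool can be reviewed (or asserted on) separately from execution.
package_remove_cmd() {
    if is_rpm_ostree_host; then
        echo "rpm-ostree override remove $*"
    else
        echo "dnf remove -y $*"
    fi
}

# True when the RPM database reports the package as installed. If rpm itself
# is missing (non-RPM host), treat the package as not installed.
pkg_installed() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q "$1" >/dev/null 2>&1
}

# Check side of a *_removed rule: succeed (0) only if none of the packages
# named on the command line is installed.
package_absent() {
    for pkg in "$@"; do
        if pkg_installed "$pkg"; then
            return 1
        fi
    done
    return 0
}

# Remediation side: remove only the packages that are actually present.
# DRY_RUN=1 (our own variable) prints the command instead of running it.
package_remove() {
    present=""
    for pkg in "$@"; do
        pkg_installed "$pkg" && present="$present $pkg"
    done
    [ -z "$present" ] && return 0
    # shellcheck disable=SC2086  # word-splitting $present is intended
    cmd=$(package_remove_cmd $present)
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "would run: $cmd"
    else
        $cmd
    fi
}

# Stand-alone usage: dry-run the four packages from this PR.
if [ "${0##*/}" = "package_remove_example.sh" ]; then
    DRY_RUN=1 package_remove nmap-ncat socat python3-dnf at
fi
```

Two points a reviewer of the real macro would care about are visible here: the tool is chosen per host rather than per product, so the same remediation is safe on a dnf-managed RHEL node and an rpm-ostree RHCOS node, and rpm-ostree override remove stages a new deployment that only takes effect after the node reboots, so a compliance scan run immediately after remediation will still see the package until then.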

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress and needs-ok-to-test labels Apr 20, 2026
@openshift-ci

openshift-ci Bot commented Apr 20, 2026

Hi @vickeybrown. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@jan-cerny jan-cerny added the CoreOS label Apr 21, 2026