chainguard-security-guide: update to CG stig 3.2.2, add tests #54602

Merge pull request #54602 from stevebeattie/chainguard-security-guide-stig-3.2.2

Author: stevebeattie

chainguard-security-guide.yaml

@@ -35,7 +35,21 @@ test:
     contents:
       packages:
         - openscap
+        - python-3.12
+        - ca-certificates-bundle
   pipeline:
     - name: Verify gpos content is recognized by oscap
       runs: |
         oscap info /usr/share/xml/scap/ssg/content/ssg-chainguard-gpos-ds.xml
+    - name: Verify that the trust anchor check passes
+      runs: |
+        if ! oscap xccdf eval --verbose WARNING --rule xccdf_._rule_V_263659 /usr/share/xml/scap/ssg/content/ssg-chainguard-gpos-ds.xml ; then
+            # if we failed, then re-run more verbosely to help make diagnosing easier
+            oscap xccdf eval --verbose INFO --rule xccdf_._rule_V_263659 /usr/share/xml/scap/ssg/content/ssg-chainguard-gpos-ds.xml
+        fi
+    - name: Verify that the remote service check passes, even with python-3.12 (telnetlib.py) installed
+      runs: |
+        if ! oscap xccdf eval --verbose WARNING --rule xccdf_._rule_V_203736 /usr/share/xml/scap/ssg/content/ssg-chainguard-gpos-ds.xml ; then
+            # if we failed, then re-run more verbosely to help make diagnosing easier
+            oscap xccdf eval --verbose INFO --rule xccdf_._rule_V_203736 /usr/share/xml/scap/ssg/content/ssg-chainguard-gpos-ds.xml
+        fi