Add ACSC Essential Eight and ISM Official profiles for Ubuntu 22.04 and 24.04 #14821

Draft

ndfivegn wants to merge 2 commits into ComplianceAsCode:master from ndfivegn:feat/ubuntu_acsc

Conversation

@ndfivegn


Description:

Adds e8 (ACSC Essential Eight) and ism_o (ACSC ISM OFFICIAL) profiles to the ubuntu2204 and ubuntu2404 products. The shared control files controls/e8.yml and controls/ism_o.yml were previously consumed only by RHEL-family products (rhel8/9/10, ol8/9/10); this is the first non-RHEL product to use them.

The control files are unchanged. Each profile selects e8:all / ism_o:all, unselects the rules that target RHEL-only mechanisms, and re-covers the same control areas with the Ubuntu equivalents that already exist as rules:

| Control area | RHEL mechanism (unselected) | Ubuntu equivalent (selected) |
| --- | --- | --- |
| Application control (ISM-1657) | fapolicyd | package_apparmor_installed, all_apparmor_profiles_enforced |
| Software firewall (ISM-1416) | firewalld | package_ufw_installed, service_ufw_enabled, ufw_default_incoming_rule |
| Package authenticity (ISM-1493) | dnf/yum gpgcheck, GPG keys | apt_conf_disallow_unauthenticated, apt_sources_list_official |
| Cryptography (ISM-1446) | system-wide crypto-policies, FIPS | sshd_use_strong_ciphers, sshd_use_strong_macs, sshd_use_strong_kex |
| Automatic patching (ISM-1467/1483) | dnf-automatic, subscription-manager | package_unattended-upgrades_installed |
| SELinux / RPM verify / authselect / pam_tally2 (RHEL-only) | unselected | no Ubuntu equivalent |

This also adds one new rule, package_unattended-upgrades_installed (first commit), as the Debian/Ubuntu analogue of package_dnf-automatic_installed. It uses the package_installed template and is mapped to the apt component.

Commits:

  1. Add package_unattended-upgrades_installed rule (+ apt component mapping).
  2. Add the four Ubuntu e8/ism_o profiles (+ profile-stability fixtures).

Rationale:

Provides ACSC Essential Eight and ISM OFFICIAL compliance scanning for Ubuntu LTS, matching the existing RHEL/OL coverage. This is a frequent request for Australian-government Ubuntu fleets that currently only have CIS/STIG profiles.

Control-coverage parity with the OL9 profiles was verified rule-by-rule: every e8/ism_o control that is covered on OL9 is also covered on Ubuntu via a mapped rule or its Ubuntu equivalent (0 unhandled gaps). The only controls not covered on Ubuntu are ones not covered on OL9 either (ISM-1277/1552, whose sole rule openssl_use_strong_entropy has platform: RHEL8/OL8). Each Ubuntu adaptation is documented in the profile with the relevant ISM control text.

Fixes: none / N/A

Review Hints:

  • Build: ./build_product ubuntu2204 ubuntu2404 succeeds; both profiles appear in oscap info build/ssg-ubuntu2404-ds.xml.
  • Resolved sizes: e8 = 78 rules, ism_o = 160 rules; no RHEL-only rules leak through :all.
  • Local checks passing: tests/test_profile_stability.py (fixtures included) and build-scripts/verify_references.py for both products.
  • The RHEL-only unselections are driven by Ubuntu applicability (cross-checked against the existing Ubuntu CIS/STIG profiles), not copied from the RHEL profiles whose unselect lists reflect RHEL-specific tuning.
  • Most-important files: the four products/ubuntu*/profiles/{e8,ism_o}.profile, and the new linux_os/guide/system/software/updating/package_unattended-upgrades_installed/rule.yml.
  • Opened as draft: full upstream CI (per-profile ansible-lint, shellcheck, schematron) has not been run locally.
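The two review hints above that a reviewer would most want to re-derive are "no RHEL-only rules leak through :all" and "every control covered on OL9 is covered on Ubuntu via a mapped rule or its Ubuntu equivalent". The script below is an added example, not code from this PR or from the ComplianceAsCode build (which resolves profiles in ssg/build_yaml.py against the real controls/e8.yml and each rule.yml's platform). It models the selection semantics the description relies on: `e8:all` expands to every rule of every control in the control file, `!rule` entries unselect, and a rule only counts as covering a control on a product whose platform it applies to. The control file, rule-to-platform map, equivalents table and profile selections are constructed and trimmed to the rows of the table above; control ISM-0974 and the product-id platform sets are assumptions for illustration.

```python
"""Added example: a miniature model of ComplianceAsCode profile resolution,
used to check that a profile pulling `e8:all` on Ubuntu neither leaks
RHEL-only rules nor leaves a control uncovered that OL9 covers.
Everything below is constructed; it is not the project's resolver."""

# Constructed, trimmed stand-in for controls/e8.yml: control id -> rule ids.
E8_CONTROLS = {
    "ISM-1657": ["package_fapolicyd_installed", "service_fapolicyd_enabled"],
    "ISM-1416": ["package_firewalld_installed", "service_firewalld_enabled"],
    "ISM-1493": ["ensure_gpgcheck_globally_activated"],
    "ISM-1467": ["package_dnf-automatic_installed"],
    "ISM-1277": ["openssl_use_strong_entropy"],
    "ISM-0974": ["sshd_disable_root_login"],   # hypothetical cross-platform control
}
CONTROL_FILES = {"e8": E8_CONTROLS}

# Constructed applicability, standing in for each rule.yml's `platform:`.
# "all" plays the role of multi_platform_all; otherwise a set of product ids.
RULE_PLATFORMS = {
    "package_fapolicyd_installed": {"rhel9", "ol9"},
    "service_fapolicyd_enabled": {"rhel9", "ol9"},
    "package_firewalld_installed": {"rhel9", "ol9"},
    "service_firewalld_enabled": {"rhel9", "ol9"},
    "ensure_gpgcheck_globally_activated": {"rhel9", "ol9"},
    "package_dnf-automatic_installed": {"rhel9", "ol9"},
    "openssl_use_strong_entropy": {"rhel8", "ol8"},   # RHEL8/OL8 only, per the PR text
    "sshd_disable_root_login": "all",
    "package_apparmor_installed": {"ubuntu2204", "ubuntu2404"},
    "all_apparmor_profiles_enforced": {"ubuntu2204", "ubuntu2404"},
    "package_ufw_installed": {"ubuntu2204", "ubuntu2404"},
    "service_ufw_enabled": {"ubuntu2204", "ubuntu2404"},
    "apt_conf_disallow_unauthenticated": {"ubuntu2204", "ubuntu2404"},
    "package_unattended-upgrades_installed": {"ubuntu2204", "ubuntu2404"},
}

# Ubuntu re-coverage of the RHEL-only control areas, as in the PR's table.
UBUNTU_EQUIVALENTS = {
    "ISM-1657": ["package_apparmor_installed", "all_apparmor_profiles_enforced"],
    "ISM-1416": ["package_ufw_installed", "service_ufw_enabled"],
    "ISM-1493": ["apt_conf_disallow_unauthenticated"],
    "ISM-1467": ["package_unattended-upgrades_installed"],
}

# Constructed `selections:` list in the shape of products/*/profiles/e8.profile.
UBUNTU_E8_SELECTIONS = [
    "e8:all",
    "!package_fapolicyd_installed", "!service_fapolicyd_enabled",
    "!package_firewalld_installed", "!service_firewalld_enabled",
    "!ensure_gpgcheck_globally_activated",
    "!package_dnf-automatic_installed",
    "!openssl_use_strong_entropy",   # RHEL8/OL8-only; leaves ISM-1277 uncovered, as on OL9
] + [r for rules in UBUNTU_EQUIVALENTS.values() for r in rules]


def resolve(selections, control_files=CONTROL_FILES):
    """Expand `<policy>:all` to every rule of every control, then drop `!rule`
    entries. The upstream resolver also handles levels and variables; this
    model does not need them."""
    picked, dropped = [], set()
    for sel in selections:
        if sel.startswith("!"):
            dropped.add(sel[1:])
            continue
        policy, sep, level = sel.partition(":")
        if sep and level == "all":
            for rules in control_files[policy].values():
                picked.extend(r for r in rules if r not in picked)
        elif sel not in picked:
            picked.append(sel)
    return [r for r in picked if r not in dropped]


def applies(rule, product):
    plat = RULE_PLATFORMS[rule]
    return plat == "all" or product in plat


def leaked_rules(selections, product):
    """Rules that survive resolution but have no platform for `product`:
    the reviewer wants this list empty."""
    return sorted(r for r in resolve(selections) if not applies(r, product))


def uncovered_controls(selections, product):
    """Controls left with no applicable rule, native or equivalent."""
    resolved = set(resolve(selections))
    missing = []
    for ctl, rules in E8_CONTROLS.items():
        candidates = rules + UBUNTU_EQUIVALENTS.get(ctl, [])
        if not any(r in resolved and applies(r, product) for r in candidates):
            missing.append(ctl)
    return missing


if __name__ == "__main__":
    print("leaks on ubuntu2404:", leaked_rules(UBUNTU_E8_SELECTIONS, "ubuntu2404"))
    print("uncovered on ubuntu2404:", uncovered_controls(UBUNTU_E8_SELECTIONS, "ubuntu2404"))
    print("uncovered on ol9 with plain e8:all:", uncovered_controls(["e8:all"], "ol9"))
```

Removing any one `!` line from `UBUNTU_E8_SELECTIONS` makes the dropped rule reappear in `leaked_rules`, which is the failure mode the "no RHEL-only rules leak through :all" hint guards against; the parity claim shows up as both products reporting the same single uncovered control, ISM-1277.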

unattended-upgrades is the Debian/Ubuntu equivalent of dnf-automatic. This
rule provides the automatic-patching capability needed by the ACSC e8 and ISM
Official profiles on Ubuntu (where the dnf-automatic rules are not applicable).
Uses the package_installed template; mapped to the apt component.
openshift-ci bot added labels do-not-merge/work-in-progress and needs-ok-to-test on Jun 24, 2026

openshift-ci bot commented Jun 24, 2026

Hi @ndfivegn. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

…nd 24.04

Brings the shared e8 and ism_o control files to the Ubuntu products (the first
non-RHEL consumer). Each profile pulls e8:all / ism_o:all, unselects rules that
target RHEL-only mechanisms (SELinux, RPM verify, dnf/yum gpgcheck, authselect,
firewalld, system-wide crypto-policies, FIPS), and re-covers the same control
areas with the Ubuntu equivalents that already exist as rules: AppArmor (ISM
application control), ufw (ISM-1416 software firewall), apt authentication
(ISM-1493 software register), sshd strong ciphers/macs/kex (ISM-1446
cryptography) and unattended-upgrades (ISM-1467/1483 latest release used).

The ism_o profile is self-contained (selects e8:all and ism_o:all directly)
rather than extending the e8 profile. Every e8/ism_o control covered on the
RHEL/OL profiles is covered here. Profile comments cite the relevant ISM control
text. Includes profile-stability fixtures for all four profiles.