move bsi os checks into os profile

Author: sluetze

controls/bsi_app_4_4.yml

@@ -81,16 +81,9 @@ controls:
       minimum, this isolation MUST include process IDs, inter-process communication, user IDs,
       the file system, and the network (including the hostname).
     notes: >-
-      TBD
+      Since these are OS based requirements, they are included in the rhcos4 bsi profile
     status: pending
-    rules:
-      - coreos_enable_selinux_kernel_argument
-      # the following var is in repo, but unknown to build scripts
-      # - var_selinux_policy_name=targeted
-      - selinux_policytype
-      # the following var is in repo, but unknown to build scripts
-      # - var_selinux_state=enforcing
-      - selinux_state
+    # rules:
 
   - id: APP.4.4.A5
     title: Backup in the Cluster

products/rhcos4/profiles/bsi.profile

@@ -0,0 +1,23 @@
+documentation_complete: true
+
+title: 'DRAFT - BSI APP.4.4. and SYS.1.6'
+
+description: |-
+    This profile defines a baseline that aligns to the BSI (Federal Office for Security Information) IT-Grundschutz
+    Basic-Protection.
+
+    This baseline implements OS-Level configuration requirements from the following
+    sources:
+
+    - Building-Block SYS.1.6 Containerisation
+    - Building-Block APP.4.4 Kubernetes
+
+    THIS DOES NOT INCLUDE REQUIREMENTS FOR A HARDENED LINUX FROM SYS.1.3 LINUX
+
+selections:
+    # BSI APP.4.4.A4
+    - coreos_enable_selinux_kernel_argument
+    - var_selinux_policy_name=targeted
+    - selinux_policytype
+    - var_selinux_state=enforcing
+    - selinux_state