[Release-1.26] Support generic "cis" profile (#4798)

* Support generic "cis" profile

Signed-off-by: Derek Nola <[email protected]>
Co-authored-by: Brad Davidson <[email protected]>

pkg/cli/cmds/profile_linux.go

@@ -105,7 +105,7 @@ func setCISFlags(clx *cli.Context) error {
 
 func validateProfile(clx *cli.Context, role CLIRole) {
 	switch clx.String("profile") {
-	case rke2.CISProfile123:
+	case rke2.CISProfile123, rke2.CISProfile:
 		if err := validateCISReqs(role); err != nil {
 			logrus.Fatal(err)
 		}

pkg/cli/cmds/root.go

@@ -84,7 +84,7 @@ var (
 		},
 		&cli.StringFlag{
 			Name:   "profile",
-			Usage:  "(security) Validate system configuration against the selected benchmark (valid items: " + rke2.CISProfile123 + " )",
+			Usage:  "(security) Validate system configuration against the selected benchmark (valid items: cis, cis-1.23 (deprecated))",
 			EnvVar: "RKE2_CIS_PROFILE",
 		},
 		&cli.StringFlag{

pkg/rke2/rke2.go

@@ -64,6 +64,7 @@ type ExtraEnv struct {
 // Valid CIS Profile versions
 const (
 	CISProfile123          = "cis-1.23"
+	CISProfile             = "cis"
 	defaultAuditPolicyFile = "/etc/rancher/rke2/audit-policy.yaml"
 	containerdSock         = "/run/k3s/containerd/containerd.sock"
 	KubeAPIServer          = "kube-apiserver"
@@ -269,7 +270,10 @@ func removeDisabledPods(dataDir, containerRuntimeEndpoint string, disabledItems
 
 func isCISMode(clx *cli.Context) bool {
 	profile := clx.String("profile")
-	return profile == CISProfile123
+	if profile == CISProfile123 {
+		logrus.Warn("cis-1.23 profile is deprecated and will be removed in v1.29. Please use cis instead.")
+	}
+	return profile == CISProfile123 || profile == CISProfile
 }
 
 // TODO: move this into the podexecutor package, this logic is specific to that executor and should be there instead of here.