Cloud Infrastructure Security & Compliance / CMP-1918

Need CIS RHCOS profile in Compliance Operator


      1. Proposed title of this feature request:
      Need CIS RHCOS profile in Compliance Operator

      2. What is the nature and description of the request?
      As per the discussion [1], we found that we don't have a CIS profile for RHCOS, which is why some of the rules are not generating a CCR. Here is an example of such a rule: rhcos4-auditd-overflow-action

      During lab testing, I found that no CCR is generated for the rule rhcos4-auditd-overflow-action.

      Version-Release number of selected component (if applicable)
      OCP version 4.10.28
      ComplianceOperator 0.1.53

      How reproducible:

      Steps to Reproduce:
      1. Scan the cluster; you find that no CCR exists for the rule rhcos4-auditd-overflow-action.
      2. Although when I checked, I found the setting is present on the node as per the rule:
      ~~~
      $ sudo grep -i overflow_action /etc/audit/auditd.conf
      overflow_action = SYSLOG
      ~~~
      3. Still no CCR with Pass, Fail or Manual.

      I tried to find which profile this rule was coming from, but I only found the ProfileBundle name, not the profile name. Here is the rule definition as per the Compliance Operator:
      ~~~
      $ oc get rule rhcos4-auditd-overflow-action -o yaml
      apiVersion: compliance.openshift.io/v1alpha1
      checkType: Node
      description: 'The audit system should have an action setup in the event the internal
        event queue becomes full. To setup an overflow action edit /etc/audit/auditd.conf.
        Set overflow_action to one of the following values: syslog , single , halt.'
      id: xccdf_org.ssgproject.content_rule_auditd_overflow_action
      instructions: |-
        Verify the audit system is configured to take an appropriate action when the internal event queue is full:
        $ sudo grep -i overflow_action /etc/audit/auditd.conf

        The output should contain overflow_action = syslog

        If the value of the "overflow_action" option is not set to syslog,
        single, halt or the line is commented out, ask the System Administrator
        to indicate how the audit logs are off-loaded to a different system or media.
      kind: Rule
      metadata:
        annotations:
          compliance.openshift.io/image-digest: pb-rhcos4slg52
          compliance.openshift.io/rule: auditd-overflow-action
          control.compliance.openshift.io/NIST-800-53: AU-4(1)
          policies.open-cluster-management.io/controls: AU-4(1)
          policies.open-cluster-management.io/standards: NIST-800-53
        creationTimestamp: "2022-09-08T12:02:49Z"
        generation: 1
        labels:
          compliance.openshift.io/profile-bundle: rhcos4
        name: rhcos4-auditd-overflow-action
        namespace: openshift-compliance
        ownerReferences:
        - apiVersion: compliance.openshift.io/v1alpha1
          blockOwnerDeletion: true
          controller: true
          kind: ProfileBundle
          name: rhcos4
          uid: 8fd40142-c3cc-480c-ae2c-9d3a35977398
        resourceVersion: "105209"
        uid: af413747-e7f7-4065-b55f-e33de3861f28
      rationale: The audit system should have an action setup in the event the internal
        event queue becomes full so that no data is lost.
      severity: medium
      title: Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
      ~~~

      discussion[1]: https://coreos.slack.com/archives/CHCRR73PF/p1662970359089589

      3. Why does the customer need this? (List the business requirements here)
      >> Tested in the lab environment and found that some of the profiles are required.

      4. List any affected packages or components.
      Openshift Compliance Operator
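The lookup the reporter attempted by hand in section 2 (which Profile, if any, selects a given Rule) can be automated. The script below is an added example, not part of this issue or of the Compliance Operator code base. It works on the JSON shape returned by `oc get profiles.compliance.openshift.io -o json` and `oc get rules.compliance.openshift.io -o json` (a Profile carries a `rules` list of Rule names and both kinds carry the `compliance.openshift.io/profile-bundle` label); the inline objects are constructed sample data, not a dump from the reporter's cluster, and the function names are the example's own.

```python
"""Find Compliance Operator Rules that no Profile in their bundle selects.

A Rule only yields a ComplianceCheckResult when a scanned Profile (or a
TailoredProfile) selects it, so a Rule that exists in a ProfileBundle but is
listed by no Profile never produces a PASS/FAIL/MANUAL result as shipped.
"""
import json
from collections import defaultdict

BUNDLE_LABEL = "compliance.openshift.io/profile-bundle"

# Constructed sample data (not a real cluster dump), trimmed to the fields used.
SAMPLE_RULES = json.loads("""
{"items": [
  {"metadata": {"name": "rhcos4-auditd-overflow-action",
                "labels": {"compliance.openshift.io/profile-bundle": "rhcos4"}}},
  {"metadata": {"name": "rhcos4-audit-rules-login-events",
                "labels": {"compliance.openshift.io/profile-bundle": "rhcos4"}}},
  {"metadata": {"name": "rhcos4-accounts-no-uid-except-zero",
                "labels": {"compliance.openshift.io/profile-bundle": "rhcos4"}}}
]}
""")

SAMPLE_PROFILES = json.loads("""
{"items": [
  {"metadata": {"name": "rhcos4-e8",
                "labels": {"compliance.openshift.io/profile-bundle": "rhcos4"}},
   "rules": ["rhcos4-accounts-no-uid-except-zero",
             "rhcos4-audit-rules-login-events"]},
  {"metadata": {"name": "rhcos4-moderate",
                "labels": {"compliance.openshift.io/profile-bundle": "rhcos4"}},
   "rules": ["rhcos4-accounts-no-uid-except-zero"]}
]}
""")


def _bundle(obj):
    """ProfileBundle name from the object's label, or None if unlabeled."""
    return obj["metadata"].get("labels", {}).get(BUNDLE_LABEL)


def profiles_selecting(rule_name, profiles):
    """Sorted names of Profiles whose `rules` list contains rule_name."""
    return sorted(p["metadata"]["name"] for p in profiles["items"]
                  if rule_name in p.get("rules", []))


def rules_without_profile(rules, profiles):
    """Map bundle name -> sorted Rule names selected by no Profile of that bundle."""
    selected = defaultdict(set)
    for p in profiles["items"]:
        selected[_bundle(p)].update(p.get("rules", []))
    orphans = defaultdict(list)
    for r in rules["items"]:
        name = r["metadata"]["name"]
        if name not in selected[_bundle(r)]:
            orphans[_bundle(r)].append(name)
    return {b: sorted(names) for b, names in orphans.items()}


if __name__ == "__main__":
    for bundle, names in rules_without_profile(SAMPLE_RULES, SAMPLE_PROFILES).items():
        for name in names:
            print(f"{bundle}: {name} is selected by no Profile")
    print("login-events selected by:",
          profiles_selecting("rhcos4-audit-rules-login-events", SAMPLE_PROFILES))
```

To run it against a live cluster, replace the two constructed objects with `json.load` of the output of `oc get profiles.compliance.openshift.io -n openshift-compliance -o json` and `oc get rules.compliance.openshift.io -n openshift-compliance -o json`. Until a profile that selects the rule ships, a TailoredProfile that extends an existing rhcos4 profile and lists the rule under `enableRules` is the way to get a CCR for it.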

            dcaspin@redhat.com Doron Caspin
            rhn-support-mbagga Mithilesh Bagga (Inactive)