Merge pull request #21 from omok314159/issue20

Changed several files for fixing issue20

Author: atomicturtle

ComplianceAsCode/content_for_supporting_rocky8/files/diff_content_for_supporting_rocky8

@@ -1,41 +1,41 @@
 diff -Nru content.org/CMakeLists.txt content/CMakeLists.txt
---- content.org/CMakeLists.txt	2021-05-03 07:27:49.961754374 +0900
-+++ content/CMakeLists.txt	2021-05-03 07:29:29.739430343 +0900
-@@ -92,6 +92,7 @@
+--- content.org/CMakeLists.txt  2021-08-21 18:13:55.050097584 +0900
++++ content/CMakeLists.txt      2021-08-21 18:21:16.258038611 +0900
+@@ -93,6 +93,7 @@
  option(SSG_PRODUCT_VSEL "If enabled, the McAfee VSEL SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
  option(SSG_PRODUCT_WRLINUX8 "If enabled, the WRLinux8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
  option(SSG_PRODUCT_WRLINUX1019 "If enabled, the WRLinux1019 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 +option(SSG_PRODUCT_ROCKY8 "If enabled, the ROCKY8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
- 
+
  option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
  option(SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED "If enabled, Scientific Linux derivative content will be built from the RHEL content" TRUE)
-@@ -285,6 +286,7 @@
+@@ -288,6 +289,7 @@
  message(STATUS "McAfee VSEL: ${SSG_PRODUCT_VSEL}")
  message(STATUS "WRLinux 8: ${SSG_PRODUCT_WRLINUX8}")
  message(STATUS "WRLinux 1019: ${SSG_PRODUCT_WRLINUX1019}")
 +message(STATUS "ROCKY 8: ${SSG_PRODUCT_ROCKY8}")
- 
- 
- 
-@@ -407,6 +409,10 @@
+
+
+
+@@ -410,6 +412,10 @@
  if (SSG_PRODUCT_WRLINUX1019)
      add_subdirectory("products/wrlinux1019" "wrlinux1019")
  endif()
 +if (SSG_PRODUCT_ROCKY8)
 +    add_subdirectory("products/rocky8" "rocky8")
 +endif()
 +
- 
+
  # ZIP only contains source datastreams and kickstarts, people who
  # want sources to build from should get the tarball instead.
 
 diff -Nru content.org/build_product content/build_product
---- content.org/build_product	2021-05-03 07:27:50.029755540 +0900
-+++ content/build_product	2021-05-03 07:29:29.739430343 +0900
-@@ -309,6 +309,7 @@
- 	VSEL
+--- content.org/build_product   2021-08-21 18:13:55.110097683 +0900
++++ content/build_product       2021-08-21 18:22:19.417937147 +0900
+@@ -310,6 +310,7 @@
  	WRLINUX8
  	WRLINUX1019
+ 	MACOS1015
 +	ROCKY8
  )
 
@@ -52,9 +52,15 @@ diff -Nru content.org/shared/checks/oval/install_mcafee_hbss.xml content/shared/
        <description>McAfee Host-Based Intrusion Detection Software (HBSS) software
        should be installed.</description>
 diff -Nru content.org/shared/checks/oval/sysctl_kernel_ipv6_disable.xml content/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
---- content.org/shared/checks/oval/sysctl_kernel_ipv6_disable.xml	2021-05-03 07:27:50.325760613 +0900
-+++ content/shared/checks/oval/sysctl_kernel_ipv6_disable.xml	2021-05-03 07:30:19.808247714 +0900
-@@ -14,6 +14,7 @@
+--- content.org/shared/checks/oval/sysctl_kernel_ipv6_disable.xml       2021-08-21 18:13:55.326098038 +0900
++++ content/shared/checks/oval/sysctl_kernel_ipv6_disable.xml   2021-08-21 18:21:37.030007098 +0900
+@@ -9,11 +9,12 @@
+ 	<platform>multi_platform_opensuse</platform>
+ 	<platform>multi_platform_ol</platform>
+ 	<platform>multi_platform_rhcos</platform>
+-	<platform>multi_platform_rhel</platform>
++	<platform>multi_platform_rhel,multi_platform_rocky</platform>
+ 	<platform>multi_platform_rhv</platform>
  	<platform>multi_platform_sle</platform>
  	<platform>multi_platform_ubuntu</platform>
  	<platform>multi_platform_wrlinux</platform>
@@ -63,8 +69,8 @@ diff -Nru content.org/shared/checks/oval/sysctl_kernel_ipv6_disable.xml content/
        <description>Disables IPv6 for all network interfaces.</description>
      </metadata>
 diff -Nru content.org/ssg/constants.py content/ssg/constants.py
---- content.org/ssg/constants.py	2021-05-03 07:27:50.369761368 +0900
-+++ content/ssg/constants.py	2021-05-03 07:29:29.739430343 +0900
+--- content.org/ssg/constants.py        2021-08-21 18:13:55.362098097 +0900
++++ content/ssg/constants.py    2021-08-21 18:21:16.258038611 +0900
 @@ -24,7 +24,8 @@
      'sle12', 'sle15',
      'ubuntu1604', 'ubuntu1804', 'ubuntu2004',
@@ -73,38 +79,36 @@ diff -Nru content.org/ssg/constants.py content/ssg/constants.py
 +    'wrlinux8', 'wrlinux1019',
 +    'rocky8'
  ]
- 
+
  JINJA_MACROS_BASE_DEFINITIONS = os.path.join(os.path.dirname(os.path.dirname(
-@@ -181,6 +182,7 @@
+@@ -182,6 +183,7 @@
      "Ubuntu 20.04": "ubuntu2004",
      "WRLinux 8": "wrlinux8",
      "WRLinux 1019": "wrlinux1019",
 +    "Rocky Linux 8": "rocky8",
  }
- 
- 
-@@ -195,7 +197,7 @@
+
+
+@@ -196,7 +198,7 @@
  }
- 
+
  MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhosp", "rhv", "debian", "ubuntu",
 -                       "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "example"]
 +                       "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "rocky", "example"]
- 
+
  MULTI_PLATFORM_MAPPING = {
      "multi_platform_debian": ["debian9", "debian10"],
-@@ -211,6 +213,7 @@
+@@ -212,6 +214,7 @@
      "multi_platform_sle": ["sle12", "sle15"],
      "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004"],
      "multi_platform_wrlinux": ["wrlinux8", "wrlinux1019"],
-+    "multi_platform_wrlinux": ["rocky8"],
++    "multi_platform_rocky": ["rocky8"],
  }
- 
+
  RHEL_CENTOS_CPE_MAPPING = {
-@@ -376,6 +379,7 @@
+@@ -377,6 +380,7 @@
      'ol': 'Oracle Linux',
      'ocp': 'Red Hat OpenShift Container Platform',
      'rhcos': 'Red Hat Enterprise Linux CoreOS',
 +    'rocky': 'Rocky Linux',
  }
- 
- 

ComplianceAsCode/content_for_supporting_rocky8/files/disa-stig-rocky8-v1r3-xccdf-manual.xml

@@ -27,7 +27,9 @@ ssg_build_html_cce_table(${PRODUCT})
 
 ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
 
-ssg_build_html_stig_tables(${PRODUCT} "stig")
+ssg_build_html_stig_tables(${PRODUCT})
+ssg_build_html_stig_tables_per_profile( ${PRODUCT} "stig")
+ssg_build_html_stig_tables_per_profile( ${PRODUCT} "stig_gui")
 
 #ssg_build_html_stig_tables(${PRODUCT} "ospp")
 

ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/CMakeLists.txt

@@ -1,14 +1,11 @@
-# SCAP Security Guide CIS profile kickstart for Red Hat Enterprise Linux 8 Server
+# SCAP Security Guide CIS profile (Level 2 - Server) kickstart for Red Hat Enterprise Linux 8 Server
 # Version: 0.0.1
-# Date: 2020-03-30
+# Date: 2021-08-12
 #
 # Based on:
 # https://pykickstart.readthedocs.io/en/latest/
 # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
 
-# Install a fresh new system (optional)
-install
-
 # Specify installation method to use for installation
 # To use a different one comment out the 'url' one below, update
 # the selected choice with proper options & un-comment it

ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cis-ks.cfg

@@ -0,0 +1,133 @@
+# SCAP Security Guide CIS profile (Level 1 - Server) kickstart for Red Hat Enterprise Linux 8 Server
+# Version: 0.0.1
+# Date: 2021-08-12
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url		the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot	enable device at a boot time
+# --device	device to be activated and / or configured with the network command
+# --bootproto	method to obtain networking configuration for device (default dhcp)
+# --noipv6	disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+#       "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled	reject incoming connections that are not in response to outbound requests
+# --ssh		allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux	erase all Linux partitions
+# --initlabel	initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+# Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
+logvol swap --name=lv_swap --vgname=VolGroup --size=2016
+
+
+# Harden installation with CIS profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon org_fedora_oscap
+        content-type = scap-security-guide
+        profile = xccdf_org.ssgproject.content_profile_cis_server_l1
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject	attempt to eject CD or DVD media before rebooting
+reboot --eject