Merge pull request #22 from atomicturtle/spec

Init base 0.1.54 package

Author: atomicturtle

package/0.1.54/SOURCES/0001-Add-Rocky-Linux-content.patch

@@ -0,0 +1,109 @@
+From 48e959ebf2b892fefa642f19bc8cc1d2d639fb29 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 3 Dec 2020 14:35:47 +0100
+Subject: [PATCH] Disable profiles that are not in good shape for RHEL8
+
+---
+ rhel8/CMakeLists.txt                           | 6 ------
+ rhel8/profiles/anssi_bp28_high.profile         | 2 +-
+ rhel8/profiles/cjis.profile                    | 2 +-
+ rhel8/profiles/ism_o.profile                   | 2 +-
+ rhel8/profiles/rhelh-stig.profile              | 2 +-
+ rhel8/profiles/rhelh-vpp.profile               | 2 +-
+ rhel8/profiles/rht-ccp.profile                 | 2 +-
+ rhel8/profiles/standard.profile                | 2 +-
+ 11 files changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
+index d61689c97..5e444a101 100644
+--- a/rhel8/CMakeLists.txt
++++ b/rhel8/CMakeLists.txt
+@@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
+ ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
+ ssg_build_html_table_by_ref(${PRODUCT} "anssi")
+ 
+-ssg_build_html_nistrefs_table(${PRODUCT} "standard")
+ ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
+ ssg_build_html_nistrefs_table(${PRODUCT} "stig")
+ 
+-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal")
+-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary")
+-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced")
+-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high")
+-
+ ssg_build_html_cce_table(${PRODUCT})
+ 
+ ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
+diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
+index ccad93d67..6a854378c 100644
+--- a/rhel8/profiles/anssi_bp28_high.profile
++++ b/rhel8/profiles/anssi_bp28_high.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+ 
+ title: 'ANSSI BP-028 (high)'
+ 
+diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
+index 035d2705b..c6475f33e 100644
+--- a/rhel8/profiles/cjis.profile
++++ b/rhel8/profiles/cjis.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+ 
+ metadata:
+     version: 5.4
+diff --git a/rhel8/profiles/ism_o.profile b/rhel8/profiles/ism_o.profile
+index a3c427c01..4605dea3b 100644
+--- a/rhel8/profiles/ism_o.profile
++++ b/rhel8/profiles/ism_o.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+ 
+ metadata:
+     SMEs:
+diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile
+index 1efca5f44..c3d0b0964 100644
+--- a/rhel8/profiles/rhelh-stig.profile
++++ b/rhel8/profiles/rhelh-stig.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+ 
+ title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)'
+ 
+diff --git a/rhel8/profiles/rhelh-vpp.profile b/rhel8/profiles/rhelh-vpp.profile
+index 2baee6d66..8592d7aaf 100644
+--- a/rhel8/profiles/rhelh-vpp.profile
++++ b/rhel8/profiles/rhelh-vpp.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+ 
+ title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)'
+ 
+diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
+index c84579592..164ec98c4 100644
+--- a/rhel8/profiles/rht-ccp.profile
++++ b/rhel8/profiles/rht-ccp.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+ 
+ title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
+ 
+diff --git a/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile
+index a63ae2cf3..da669bb84 100644
+--- a/rhel8/profiles/standard.profile
++++ b/rhel8/profiles/standard.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+ 
+ title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
+ 
+-- 
+2.26.2
+

package/0.1.54/SOURCES/disable-not-in-good-shape-profiles.patch

@@ -0,0 +1,187 @@
+From 8e43a6a6432a8cbeb5742771ddbd0856669a7878 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 17 Feb 2021 15:36:59 +0100
+Subject: [PATCH] Remove kickstart for profile not shipped
+
+RHEL-8 ANSSI high is not shipped at the momment
+---
+ .../ssg-rhel8-anssi_bp28_high-ks.cfg          | 167 ------------------
+ 1 file changed, 167 deletions(-)
+ delete mode 100644 rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+deleted file mode 100644
+index b5c09253a..000000000
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
++++ /dev/null
+@@ -1,167 +0,0 @@
+-# SCAP Security Guide ANSSI BP-028 (high) profile kickstart for Red Hat Enterprise Linux 8
+-# Version: 0.0.1
+-# Date: 2020-12-10
+-#
+-# Based on:
+-# https://pykickstart.readthedocs.io/en/latest/
+-# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+-
+-# Specify installation method to use for installation
+-# To use a different one comment out the 'url' one below, update
+-# the selected choice with proper options & un-comment it
+-#
+-# Install from an installation tree on a remote server via FTP or HTTP:
+-# --url		the URL to install from
+-#
+-# Example:
+-#
+-# url --url=http://192.168.122.1/image
+-#
+-# Modify concrete URL in the above example appropriately to reflect the actual
+-# environment machine is to be installed in
+-#
+-# Other possible / supported installation methods:
+-# * install from the first CD-ROM/DVD drive on the system:
+-#
+-# cdrom
+-#
+-# * install from a directory of ISO images on a local drive:
+-#
+-# harddrive --partition=hdb2 --dir=/tmp/install-tree
+-#
+-# * install from provided NFS server:
+-#
+-# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+-#
+-# Set language to use during installation and the default language to use on the installed system (required)
+-lang en_US.UTF-8
+-
+-# Set system keyboard type / layout (required)
+-keyboard us
+-
+-# Configure network information for target system and activate network devices in the installer environment (optional)
+-# --onboot	enable device at a boot time
+-# --device	device to be activated and / or configured with the network command
+-# --bootproto	method to obtain networking configuration for device (default dhcp)
+-# --noipv6	disable IPv6 on this device
+-#
+-# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+-#       "--bootproto=static" must be used. For example:
+-# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+-#
+-network --onboot yes --bootproto dhcp --noipv6
+-
+-# Set the system's root password (required)
+-# Plaintext password is: server
+-# Refer to e.g.
+-#   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+-# to see how to create encrypted password form for different plaintext password
+-rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+-
+-# The selected profile will restrict root login
+-# Add a user that can login and escalate privileges
+-# Plaintext password is: admin123
+-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+-
+-# Configure firewall settings for the system (optional)
+-# --enabled	reject incoming connections that are not in response to outbound requests
+-# --ssh		allow sshd service through the firewall
+-firewall --enabled --ssh
+-
+-# State of SELinux on the installed system (optional)
+-# Defaults to enforcing
+-selinux --enforcing
+-
+-# Set the system time zone (required)
+-timezone --utc America/New_York
+-
+-# Specify how the bootloader should be installed (required)
+-# Plaintext password is: password
+-# Refer to e.g.
+-#   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+-# to see how to create encrypted password form for different plaintext password
+-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+-
+-# Initialize (format) all disks (optional)
+-zerombr
+-
+-# The following partition layout scheme assumes disk of size 20GB or larger
+-# Modify size of partitions appropriately to reflect actual machine's hardware
+-# 
+-# Remove Linux partitions from the system prior to creating new ones (optional)
+-# --linux	erase all Linux partitions
+-# --initlabel	initialize the disk label to the default based on the underlying architecture
+-clearpart --linux --initlabel
+-
+-# Create primary system partitions (required for installs)
+-part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
+-part pv.01 --grow --size=1
+-
+-# Create a Logical Volume Management (LVM) group (optional)
+-volgroup VolGroup --pesize=4096 pv.01
+-
+-# Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
+-# Ensure /usr Located On Separate Partition
+-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+-# Ensure /opt Located On Separate Partition
+-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+-# Ensure /srv Located On Separate Partition
+-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+-# Ensure /home Located On Separate Partition
+-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+-# Ensure /tmp Located On Separate Partition
+-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+-# Ensure /var/tmp Located On Separate Partition
+-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+-# Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+-# Ensure /var/log Located On Separate Partition
+-logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+-# Ensure /var/log/audit Located On Separate Partition
+-logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+-logvol swap --name=swap --vgname=VolGroup --size=2016
+-
+-# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+-# content - security policies - on the installed system.This add-on has been enabled by default
+-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
+-# functionality will automatically be installed. However, by default, no policies are enforced,
+-# meaning that no checks are performed during or after installation unless specifically configured.
+-#  
+-#  Important
+-#   Applying a security policy is not necessary on all systems. This screen should only be used
+-#   when a specific policy is mandated by your organization rules or government regulations.
+-#   Unlike most other commands, this add-on does not accept regular options, but uses key-value
+-#   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+-#   Values can be optionally enclosed in single quotes (') or double quotes (").
+-#   
+-#  The following keys are recognized by the add-on:
+-#    content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
+-#      - If the content-type is scap-security-guide, the add-on will use content provided by the
+-#        scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
+-#    content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
+-#    datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
+-#    xccdf-id - ID of the benchmark you want to use.
+-#    xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
+-#    profile - ID of the profile to be applied. Use default to apply the default profile.
+-#    fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
+-#    tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
+-#
+-#  The following is an example %addon org_fedora_oscap section which uses content from the
+-#  scap-security-guide on the installation media: 
+-%addon org_fedora_oscap
+-	content-type = scap-security-guide
+-	profile = xccdf_org.ssgproject.content_profile_anssi_bp28_high
+-%end
+-
+-# Packages selection (%packages section is required)
+-%packages
+-
+-# Require @Base
+-@Base
+-
+-%end # End of %packages section
+-
+-# Reboot after the installation is complete (optional)
+-# --eject	attempt to eject CD or DVD media before rebooting
+-reboot --eject
+-- 
+2.26.2
+