diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/diff_content_for_supporting_rocky8 b/ComplianceAsCode/content_for_supporting_rocky8/files/diff_content_for_supporting_rocky8
index 097ac1d8..5da63a85 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/diff_content_for_supporting_rocky8
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/diff_content_for_supporting_rocky8
@@ -1,114 +1,77 @@
diff -Nru content.org/CMakeLists.txt content/CMakeLists.txt
---- content.org/CMakeLists.txt 2021-08-21 18:13:55.050097584 +0900
-+++ content/CMakeLists.txt 2021-08-21 18:21:16.258038611 +0900
-@@ -93,6 +93,7 @@
+--- content.org/CMakeLists.txt 2020-12-25 08:21:12.953946957 +0900
++++ content/CMakeLists.txt 2020-12-25 08:30:03.918555175 +0900
+@@ -87,6 +87,7 @@
option(SSG_PRODUCT_VSEL "If enabled, the McAfee VSEL SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_WRLINUX8 "If enabled, the WRLinux8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_WRLINUX1019 "If enabled, the WRLinux1019 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_ROCKY8 "If enabled, the ROCKY8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
-
+
option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
option(SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED "If enabled, Scientific Linux derivative content will be built from the RHEL content" TRUE)
-@@ -288,6 +289,7 @@
+@@ -267,6 +268,8 @@
message(STATUS "McAfee VSEL: ${SSG_PRODUCT_VSEL}")
message(STATUS "WRLinux 8: ${SSG_PRODUCT_WRLINUX8}")
message(STATUS "WRLinux 1019: ${SSG_PRODUCT_WRLINUX1019}")
+message(STATUS "ROCKY 8: ${SSG_PRODUCT_ROCKY8}")
-
-
-
-@@ -410,6 +412,10 @@
++
+
+
+
+@@ -386,6 +389,10 @@
if (SSG_PRODUCT_WRLINUX1019)
- add_subdirectory("products/wrlinux1019" "wrlinux1019")
+ add_subdirectory("wrlinux1019")
endif()
+if (SSG_PRODUCT_ROCKY8)
-+ add_subdirectory("products/rl8" "rl8")
++ add_subdirectory("rocky8")
+endif()
+
-
+
# ZIP only contains source datastreams and kickstarts, people who
# want sources to build from should get the tarball instead.
-
diff -Nru content.org/build_product content/build_product
---- content.org/build_product 2021-08-21 18:13:55.110097683 +0900
-+++ content/build_product 2021-08-21 18:22:19.417937147 +0900
-@@ -310,6 +310,7 @@
+--- content.org/build_product 2020-12-25 08:21:13.001947373 +0900
++++ content/build_product 2020-12-25 08:31:11.339141097 +0900
+@@ -294,6 +294,7 @@
+ VSEL
WRLINUX8
WRLINUX1019
- MACOS1015
+ ROCKY8
)
DEFAULT_OVAL_MAJOR_VERSION=5
-diff -Nru content.org/shared/checks/oval/install_mcafee_hbss.xml content/shared/checks/oval/install_mcafee_hbss.xml
---- content.org/shared/checks/oval/install_mcafee_hbss.xml 2021-05-03 07:27:50.321760545 +0900
-+++ content/shared/checks/oval/install_mcafee_hbss.xml 2021-05-03 07:29:57.423884084 +0900
-@@ -14,6 +14,7 @@
- multi_platform_sle
- multi_platform_ubuntu
- multi_platform_wrlinux
-+ multi_platform_rl
-
- McAfee Host-Based Intrusion Detection Software (HBSS) software
- should be installed.
-diff -Nru content.org/shared/checks/oval/sysctl_kernel_ipv6_disable.xml content/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
---- content.org/shared/checks/oval/sysctl_kernel_ipv6_disable.xml 2021-08-21 18:13:55.326098038 +0900
-+++ content/shared/checks/oval/sysctl_kernel_ipv6_disable.xml 2021-08-21 18:21:37.030007098 +0900
-@@ -9,11 +9,12 @@
- multi_platform_opensuse
- multi_platform_ol
- multi_platform_rhcos
-- multi_platform_rhel
-+ multi_platform_rhel,multi_platform_rl
- multi_platform_rhv
- multi_platform_sle
- multi_platform_ubuntu
- multi_platform_wrlinux
-+ multi_platform_rl
-
- Disables IPv6 for all network interfaces.
-
diff -Nru content.org/ssg/constants.py content/ssg/constants.py
---- content.org/ssg/constants.py 2021-08-21 18:13:55.362098097 +0900
-+++ content/ssg/constants.py 2021-08-21 18:21:16.258038611 +0900
-@@ -24,7 +24,8 @@
- 'sle12', 'sle15',
+--- content.org/ssg/constants.py 2020-12-25 08:21:13.281949799 +0900
++++ content/ssg/constants.py 2020-12-25 08:43:05.253350090 +0900
+@@ -24,6 +24,7 @@
'ubuntu1604', 'ubuntu1804', 'ubuntu2004',
'vsel',
-- 'wrlinux8', 'wrlinux1019'
-+ 'wrlinux8', 'wrlinux1019',
-+ 'rl8'
+ 'wrlinux8', 'wrlinux1019'
++ 'rocky8'
]
-
+
JINJA_MACROS_BASE_DEFINITIONS = os.path.join(os.path.dirname(os.path.dirname(
-@@ -182,6 +183,7 @@
+@@ -167,6 +168,7 @@
"Ubuntu 20.04": "ubuntu2004",
"WRLinux 8": "wrlinux8",
"WRLinux 1019": "wrlinux1019",
-+ "Rocky Linux 8": "rl8",
++ "Rocky Linux 8": "rocky8",
}
-
-
-@@ -196,7 +198,7 @@
- }
-
- MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhosp", "rhv", "debian", "ubuntu",
-- "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "example"]
-+ "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "rl", "example"]
-
- MULTI_PLATFORM_MAPPING = {
- "multi_platform_debian": ["debian9", "debian10"],
-@@ -212,6 +214,7 @@
+
+
+@@ -197,6 +199,7 @@
"multi_platform_sle": ["sle12", "sle15"],
"multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004"],
"multi_platform_wrlinux": ["wrlinux8", "wrlinux1019"],
-+ "multi_platform_rl": ["rl8"],
++ "multi_platform_rocky": ["rocky8"],
}
-
+
RHEL_CENTOS_CPE_MAPPING = {
-@@ -377,6 +380,7 @@
+@@ -362,6 +365,7 @@
'ol': 'Oracle Linux',
'ocp': 'Red Hat OpenShift Container Platform',
'rhcos': 'Red Hat Enterprise Linux CoreOS',
-+ 'rl': 'Rocky Linux',
++ 'rocky': 'Rocky Linux',
}
+
+
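Review bot: The new side of the ssg/constants.py hunk (`@@ -24,6 +24,7 @@`) inserts `+ 'rocky8'` directly after the context line `'wrlinux8', 'wrlinux1019'`, which has no trailing comma, so Python's implicit string-literal concatenation collapses the two entries into a single element `'wrlinux1019rocky8'` and the product never appears in the list; the removed lines show the earlier version of the patch avoided this by rewriting that line first. Restore the two-line form (`-    'wrlinux8', 'wrlinux1019'` / `+    'wrlinux8', 'wrlinux1019',` / `+    'rocky8'`) and bump the hunk counts back to `@@ -24,7 +24,8 @@`. Separately, the new side drops the hunk that added the platform to MULTI_PLATFORM_LIST and the two OVAL hunks (install_mcafee_hbss.xml, sysctl_kernel_ipv6_disable.xml) that tagged those checks for the new platform; if that list or those platform tags gate applicability for `multi_platform_rocky`, the affected checks will be built as not applicable to rocky8 and the scan will report nothing for them, which is worth confirming before relying on the results.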
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/installed_OS_is_rocky8.xml b/ComplianceAsCode/content_for_supporting_rocky8/files/installed_OS_is_rocky8.xml
new file mode 100644
index 00000000..cd3f9ca8
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/installed_OS_is_rocky8.xml
@@ -0,0 +1,59 @@
+
+
+
+ Rocky Linux 8
+
+ multi_platform_all
+
+
+ The operating system installed on the system is
+ Rocky Linux 8
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ unix
+
+
+
+
+
+
+
+
+ ^8.*$
+
+
+ redhat-release
+
+
+
+
+
+
+
+ /etc/redhat-release
+ ^Rocky Linux release (\d)\.\d+$
+ 1
+
+
+ 8
+
+
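Review bot: The package test built from `redhat-release` and `^8.*$` looks like an rpminfo object keyed on package name (element tags are stripped in this view, so this is inferred); as far as I know Rocky Linux 8 ships its release metadata as the rocky-release package, which only Provides redhat-release, and OVAL rpminfo matching is by package name, so that test would likely evaluate false on a real Rocky 8 host. If the platform definition ANDs it with the `/etc/redhat-release` textfilecontent test, the whole rocky8 benchmark is evaluated as not applicable and every rule is silently skipped instead of failing, so confirm the package name on a Rocky 8 host or rely on the `/etc/redhat-release` regex alone. A short comment on the `^Rocky Linux release (\d)\.\d+$` pattern stating that only the captured major version is compared against `8` would also help the next reader, since the rpm-version pattern `^8.*$` appears to encode the same intent.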
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/CMakeLists.txt b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/CMakeLists.txt
index 658eb1ed..08dc5124 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/CMakeLists.txt
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Sometimes our users will try to do: "cd rocky8; cmake ." That needs to error in a nice way.
+# Sometimes our users will try to do: "cd rl8; cmake ." That needs to error in a nice way.
if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
endif()
@@ -8,20 +8,16 @@ set(DISA_SRG_TYPE "os")
ssg_build_product(${PRODUCT})
-ssg_build_html_table_by_ref(${PRODUCT} "nist")
-ssg_build_html_table_by_ref(${PRODUCT} "cui")
-ssg_build_html_table_by_ref(${PRODUCT} "cis")
-ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
-ssg_build_html_table_by_ref(${PRODUCT} "anssi")
+ssg_build_html_ref_tables("${PRODUCT}" "table-${PRODUCT}-{ref_id}refs" "anssi;cis;cui;nist;pcidss")
-ssg_build_html_nistrefs_table(${PRODUCT} "standard")
-ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
-ssg_build_html_nistrefs_table(${PRODUCT} "stig")
+ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-ospp" "${PRODUCT}" "ospp" "nist")
+ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-standard" "${PRODUCT}" "standard" "nist")
+ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-stig" "${PRODUCT}" "stig" "nist")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high")
+ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_minimal" "${PRODUCT}" "anssi_bp28_minimal" "anssi")
+ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_enhanced" "${PRODUCT}" "anssi_bp28_enhanced" "anssi")
+ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_intermediary" "${PRODUCT}" "anssi_bp28_intermediary" "anssi")
+ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_high" "${PRODUCT}" "anssi_bp28_high" "anssi")
ssg_build_html_cce_table(${PRODUCT})
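Review bot: The new `ssg_build_html_ref_tables` and `ssg_build_html_profile_table` calls quote `"${PRODUCT}"`, while the calls that remain in the file (`ssg_build_product(${PRODUCT})`, `ssg_build_html_cce_table(${PRODUCT})`, the `ssg_build_html_stig_tables_per_profile` lines) pass it unquoted; pick one form for the file. Quoting is the safer convention, since an empty or list-valued variable would otherwise change the argument count, but with PRODUCT set to a fixed string this is a point of style only.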
@@ -32,7 +28,3 @@ ssg_build_html_stig_tables_per_profile( ${PRODUCT} "stig")
ssg_build_html_stig_tables_per_profile( ${PRODUCT} "stig_gui")
#ssg_build_html_stig_tables(${PRODUCT} "ospp")
-
-#if (SSG_CENTOS_DERIVATIVES_ENABLED)
-# ssg_build_derivative_product(${PRODUCT} "centos" "centos8")
-#endif()
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/kickstart/ssg-rhel8-cis_server_l1-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/kickstart/ssg-rhel8-cis_server_l1-ks.cfg
index b73d5c12..48c5873a 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/kickstart/ssg-rhel8-cis_server_l1-ks.cfg
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/kickstart/ssg-rhel8-cis_server_l1-ks.cfg
@@ -106,7 +106,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=16896 --grow
# Ensure /tmp Located On Separate Partition
logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
logvol swap --name=lv_swap --vgname=VolGroup --size=2016
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/kickstart/ssg-rhel8-cis_workstation_l1-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/kickstart/ssg-rhel8-cis_workstation_l1-ks.cfg
index 33bd9dd2..9d7c70d6 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/kickstart/ssg-rhel8-cis_workstation_l1-ks.cfg
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/kickstart/ssg-rhel8-cis_workstation_l1-ks.cfg
@@ -106,7 +106,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=16896 --grow
# Ensure /tmp Located On Separate Partition
logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
logvol swap --name=lv_swap --vgname=VolGroup --size=2016
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/product.yml b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/product.yml
index f289ab6b..53fb28a1 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/product.yml
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/product.yml
@@ -2,6 +2,7 @@ product: rl8
full_name: Rocky Linux 8
type: platform
+benchmark_id: RL-8
benchmark_root: "../../linux_os/guide"
profiles_root: "./profiles"
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/e8.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/e8.profile
index 37ceeff7..30eb9c59 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/e8.profile
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/e8.profile
@@ -37,7 +37,7 @@ selections:
- service_squid_disabled
### Software update
-# - ensure_redhat_gpgkey_installed
+ - ensure_redhat_gpgkey_installed
- ensure_gpgcheck_never_disabled
- ensure_gpgcheck_local_packages
- ensure_gpgcheck_globally_activated
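Review bot: Un-commenting `- ensure_redhat_gpgkey_installed` in an rl8 (Rocky Linux) profile selects a rule whose name, and upstream implementation, checks for Red Hat's release signing key in the RPM database, which a Rocky Linux 8 installation does not carry; unless the rl8 product overrides the rule's key fingerprint, the rule will fail on every host, and applying its remediation would import a key that does not sign this distribution's packages, giving the impression that `gpgcheck` is backed by the right key when it is not. The same line is enabled in hipaa.profile, ospp.profile, pci-dss.profile, rht-ccp.profile and standard.profile in this commit. Either keep the line commented with a note explaining why (e.g. `# ensure_redhat_gpgkey_installed checks the Red Hat key; Rocky packages are signed with the Rocky release key`) or point the selection at a product-specific key check.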
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/hipaa.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/hipaa.profile
index c42e6982..edfba53e 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/hipaa.profile
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/hipaa.profile
@@ -86,7 +86,7 @@ selections:
- sysctl_kernel_randomize_va_space
- rpm_verify_hashes
- rpm_verify_permissions
-# - ensure_redhat_gpgkey_installed
+ - ensure_redhat_gpgkey_installed
- ensure_gpgcheck_globally_activated
- ensure_gpgcheck_never_disabled
- ensure_gpgcheck_local_packages
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/ism_o.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/ism_o.profile
index 95cdfc4e..2e78dc87 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/ism_o.profile
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/ism_o.profile
@@ -52,6 +52,7 @@ selections:
## Identifiers 1418
- package_usbguard_installed
- service_usbguard_enabled
+ - usbguard_allow_hid_and_hub
## Authentication hardening
## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/ospp.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/ospp.profile
index 25991d1c..8936c4d5 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/ospp.profile
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/ospp.profile
@@ -113,7 +113,7 @@ selections:
- accounts_umask_etc_csh_cshrc
### Software update
-# - ensure_redhat_gpgkey_installed
+ - ensure_redhat_gpgkey_installed
- ensure_gpgcheck_globally_activated
- ensure_gpgcheck_local_packages
- ensure_gpgcheck_never_disabled
@@ -205,7 +205,7 @@ selections:
- package_nfs-utils_removed
- package_krb5-workstation_removed
- package_abrt-addon-kerneloops_removed
- - package_abrt-addon-python_removed
+ - package_python3-abrt-addon_removed
- package_abrt-addon-ccpp_removed
- package_abrt-plugin-rhtsupport_removed
- package_abrt-plugin-logger_removed
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/pci-dss.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/pci-dss.profile
index b558a8b9..fed33640 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/pci-dss.profile
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/pci-dss.profile
@@ -114,7 +114,7 @@ selections:
- accounts_password_pam_lcredit
- accounts_password_pam_unix_remember
- accounts_maximum_age_login_defs
-# - ensure_redhat_gpgkey_installed
+ - ensure_redhat_gpgkey_installed
- ensure_gpgcheck_globally_activated
- ensure_gpgcheck_never_disabled
- security_patches_up_to_date
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/rht-ccp.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/rht-ccp.profile
index ed2b7612..15abd98a 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/rht-ccp.profile
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/rht-ccp.profile
@@ -33,7 +33,7 @@ selections:
- partition_for_var_log_audit
- selinux_state
- selinux_policytype
-# - ensure_redhat_gpgkey_installed
+ - ensure_redhat_gpgkey_installed
- security_patches_up_to_date
- ensure_gpgcheck_globally_activated
- ensure_gpgcheck_never_disabled
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/standard.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/standard.profile
index 5905056e..a63ae2cf 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/standard.profile
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/standard.profile
@@ -8,7 +8,7 @@ description: |-
all of these checks should pass.
selections:
-# - ensure_redhat_gpgkey_installed
+ - ensure_redhat_gpgkey_installed
- ensure_gpgcheck_globally_activated
- rpm_verify_permissions
- rpm_verify_hashes
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/stig.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/stig.profile
index 10dbc150..7fb81894 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/stig.profile
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/stig.profile
@@ -1,7 +1,7 @@
documentation_complete: true
metadata:
- version: V1R3
+ version: V1R4
SMEs:
- ggbecker
@@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8'
description: |-
This profile contains configuration checks that align to the
- DISA STIG for Red Hat Enterprise Linux 8 V1R3.
+ DISA STIG for Red Hat Enterprise Linux 8 V1R4.
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
configuration baseline as applicable to the operating system tier of
@@ -70,6 +70,8 @@ selections:
- var_auditd_disk_error_action=halt
- var_auditd_max_log_file_action=syslog
- var_auditd_disk_full_action=halt
+ - var_sssd_certificate_verification_digest_function=sha1
+ - login_banner_text=dod_banners
### Enable / Configure FIPS
- enable_fips_mode
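Review bot: `- var_sssd_certificate_verification_digest_function=sha1` reads as a deliberate downgrade of a certificate-verification digest and deserves a comment next to it, because anyone auditing the profile will otherwise flag it; presumably it mirrors the STIG's `ocsp_dgst` value for RHEL-08-010400 (the `sssd_certificate_verification` rule that this commit adds further down the file), and that is worth stating. Suggested comment: `# sha1 follows the ocsp_dgst value in the STIG text for RHEL-08-010400 — re-check when the STIG revision changes`. The selections list continues outside this hunk.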
@@ -161,8 +163,6 @@ selections:
# RHEL-08-010171
- package_policycoreutils_installed
- # RHEL-08-010180
-
# RHEL-08-010190
- dir_perms_world_writable_sticky_bits
@@ -279,6 +279,7 @@ selections:
- install_smartcard_packages
# RHEL-08-010400
+ - sssd_certificate_verification
# RHEL-08-010410
- package_opensc_installed
@@ -350,7 +351,6 @@ selections:
- partition_for_tmp
# RHEL-08-010544
- ### NOTE: Will probably show up in V1R3 - Q3 of 21'
- partition_for_var_tmp
# RHEL-08-010550
@@ -619,6 +619,8 @@ selections:
# RHEL-08-020353
- accounts_umask_etc_bashrc
+ - accounts_umask_etc_csh_cshrc
+ - accounts_umask_etc_profile
# RHEL-08-030000
- audit_rules_suid_privilege_function
@@ -944,7 +946,7 @@ selections:
- package_abrt_removed
- package_abrt-addon-ccpp_removed
- package_abrt-addon-kerneloops_removed
- - package_abrt-addon-python_removed
+ - package_python3-abrt-addon_removed
- package_abrt-cli_removed
- package_abrt-plugin-logger_removed
- package_abrt-plugin-rhtsupport_removed
@@ -1158,9 +1160,7 @@ selections:
- sysctl_net_core_bpf_jit_harden
# RHEL-08-040290
- # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation
- # there needs to be a new platform check to identify when postfix is installed or not
- # - postfix_prevent_unrestricted_relay
+ - postfix_prevent_unrestricted_relay
# RHEL-08-040300
- aide_verify_ext_attributes
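Review bot: Enabling `- postfix_prevent_unrestricted_relay` while deleting the two comment lines that explained why it was disabled (remediation errors when `/etc/postfix/main.cf` is absent on a default install, pending a platform check for postfix) removes the rationale without showing that the prerequisite was met. If the rule now carries a postfix applicability check upstream, say so in a one-line comment in place of the removed ones, e.g. `# postfix_prevent_unrestricted_relay is gated on a postfix platform check upstream`; if it does not, hosts without postfix will go back to producing remediation errors under this STIG profile. The selections list continues outside this hunk.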
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/stig_gui.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/stig_gui.profile
index 0fdd7556..e1f0f715 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/stig_gui.profile
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/stig_gui.profile
@@ -1,7 +1,7 @@
documentation_complete: true
metadata:
- version: V1R3
+ version: V1R4
SMEs:
- ggbecker
@@ -11,7 +11,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8'
description: |-
This profile contains configuration checks that align to the
- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R3.
+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R4.
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
configuration baseline as applicable to the operating system tier of
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/constants.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/constants.xslt
index dc73976b..b9400aff 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/constants.xslt
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/constants.xslt
@@ -8,14 +8,6 @@
rhel8
https://www.cisecurity.org/benchmark/red_hat_linux/
-RHEL-8
-
-
-
-
-
-
-
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8-0.1.57.patch b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8-0.1.57.patch
index 3617559a..add2beeb 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8-0.1.57.patch
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8-0.1.57.patch
@@ -1,7 +1,7 @@
diff -ruN scap-security-guide-0.1.57/build_product b/build_product
--- scap-security-guide-0.1.57/build_product 2021-07-27 10:51:15.000000000 -0400
+++ b/build_product 2021-10-16 14:14:27.167238394 -0400
-@@ -297,6 +297,7 @@
+@@ -299,6 +299,7 @@
OPENSUSE
RHEL7
RHEL8
@@ -12,7 +12,7 @@ diff -ruN scap-security-guide-0.1.57/build_product b/build_product
diff -ruN scap-security-guide-0.1.57/CMakeLists.txt b/CMakeLists.txt
--- scap-security-guide-0.1.57/CMakeLists.txt 2021-10-16 13:57:11.850990039 -0400
+++ b/CMakeLists.txt 2021-10-16 14:14:00.232789690 -0400
-@@ -92,6 +92,7 @@
+@@ -97,6 +97,7 @@
option(SSG_PRODUCT_VSEL "If enabled, the McAfee VSEL SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_WRLINUX8 "If enabled, the WRLinux8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_WRLINUX1019 "If enabled, the WRLinux1019 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -20,7 +20,7 @@ diff -ruN scap-security-guide-0.1.57/CMakeLists.txt b/CMakeLists.txt
option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
option(SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED "If enabled, Scientific Linux derivative content will be built from the RHEL content" TRUE)
-@@ -287,6 +288,7 @@
+@@ -302,6 +303,7 @@
message(STATUS "McAfee VSEL: ${SSG_PRODUCT_VSEL}")
message(STATUS "WRLinux 8: ${SSG_PRODUCT_WRLINUX8}")
message(STATUS "WRLinux 1019: ${SSG_PRODUCT_WRLINUX1019}")
@@ -28,7 +28,7 @@ diff -ruN scap-security-guide-0.1.57/CMakeLists.txt b/CMakeLists.txt
-@@ -409,6 +411,10 @@
+@@ -428,6 +430,10 @@
if (SSG_PRODUCT_WRLINUX1019)
add_subdirectory("products/wrlinux1019" "wrlinux1019")
endif()
@@ -70,7 +70,7 @@ diff -ruN scap-security-guide-0.1.57/shared/checks/oval/sysctl_kernel_ipv6_disab
diff -ruN scap-security-guide-0.1.57/ssg/constants.py b/ssg/constants.py
--- scap-security-guide-0.1.57/ssg/constants.py 2021-07-27 10:51:15.000000000 -0400
+++ b/ssg/constants.py 2021-10-16 14:14:00.233789707 -0400
-@@ -24,7 +24,8 @@
+@@ -57,7 +57,8 @@
'sle12', 'sle15',
'ubuntu1604', 'ubuntu1804', 'ubuntu2004',
'vsel',
@@ -80,7 +80,7 @@ diff -ruN scap-security-guide-0.1.57/ssg/constants.py b/ssg/constants.py
]
JINJA_MACROS_BASE_DEFINITIONS = os.path.join(os.path.dirname(os.path.dirname(
-@@ -181,6 +182,7 @@
+@@ -224,6 +225,7 @@
"Ubuntu 20.04": "ubuntu2004",
"WRLinux 8": "wrlinux8",
"WRLinux 1019": "wrlinux1019",
@@ -88,16 +88,16 @@ diff -ruN scap-security-guide-0.1.57/ssg/constants.py b/ssg/constants.py
}
-@@ -195,7 +197,7 @@
- }
+@@ -262,7 +264,7 @@
+
MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhosp", "rhv", "debian", "ubuntu",
-- "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "example"]
-+ "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "rl", "example"]
+- "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos",
++ "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "rl",
+ "example", "eks"]
MULTI_PLATFORM_MAPPING = {
- "multi_platform_debian": ["debian9", "debian10"],
-@@ -211,6 +213,7 @@
+@@ -280,6 +282,7 @@
"multi_platform_sle": ["sle12", "sle15"],
"multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004"],
"multi_platform_wrlinux": ["wrlinux8", "wrlinux1019"],
@@ -105,11 +105,9 @@ diff -ruN scap-security-guide-0.1.57/ssg/constants.py b/ssg/constants.py
}
RHEL_CENTOS_CPE_MAPPING = {
-@@ -376,6 +379,7 @@
- 'ol': 'Oracle Linux',
+@@ -447,6 +450,7 @@
'ocp': 'Red Hat OpenShift Container Platform',
'rhcos': 'Red Hat Enterprise Linux CoreOS',
+ 'eks': 'Amazon Elastic Kubernetes Service',
+ 'rl': 'Rocky Linux',
}
-
-
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/CMakeLists.txt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/CMakeLists.txt
new file mode 100644
index 00000000..ea8ac38b
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/CMakeLists.txt
@@ -0,0 +1,34 @@
+# Sometimes our users will try to do: "cd rocky8; cmake ." That needs to error in a nice way.
+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+set(PRODUCT "rocky8")
+set(DISA_SRG_TYPE "os")
+
+ssg_build_product(${PRODUCT})
+
+ssg_build_html_table_by_ref(${PRODUCT} "nist")
+ssg_build_html_table_by_ref(${PRODUCT} "cui")
+ssg_build_html_table_by_ref(${PRODUCT} "cis")
+ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
+ssg_build_html_table_by_ref(${PRODUCT} "anssi")
+
+ssg_build_html_nistrefs_table(${PRODUCT} "standard")
+ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
+ssg_build_html_nistrefs_table(${PRODUCT} "stig")
+
+ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal")
+ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary")
+ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced")
+ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high")
+
+ssg_build_html_cce_table(${PRODUCT})
+
+ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
+
+#ssg_build_html_stig_tables(${PRODUCT} "ospp")
+
+#if (SSG_CENTOS_DERIVATIVES_ENABLED)
+# ssg_build_derivative_product(${PRODUCT} "centos" "centos8")
+#endif()
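Review bot: The commented-out `#if (SSG_CENTOS_DERIVATIVES_ENABLED)` block at the end of the new file and the commented `#ssg_build_html_stig_tables(${PRODUCT} "ospp")` line are dead code; the same commit removes the identical block from rl8/CMakeLists.txt, so drop it here too rather than reintroducing it. This file also duplicates rl8/CMakeLists.txt using the older per-reference helpers (`ssg_build_html_table_by_ref`, `ssg_build_html_nistrefs_table`, `ssg_build_html_anssirefs_table`) that the rl8 version is being migrated away from in this very commit; if both product directories are meant to coexist, a header comment stating which upstream content release each targets would help, otherwise this looks like a stale copy. Style is otherwise consistent with the rl8 file (`${PRODUCT}` unquoted throughout).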
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/convert_script.sh b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/convert_script.sh
new file mode 100644
index 00000000..077a6444
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/convert_script.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+sed s/
+
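Review bot: `sed s/` is an unterminated `s` command, so this script fails immediately with a sed syntax error and, having no input file, would otherwise read stdin; the file looks like an unfinished placeholder and should either be completed or not be committed. If it is meant to rename between the rl8 and rocky8 layouts, the intended expression, the files it operates on and a `set -eu` line belong in it, together with a header comment stating its purpose.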
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
new file mode 100644
index 00000000..cf2f392a
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
@@ -0,0 +1,176 @@
+# SCAP Security Guide ANSSI BP-028 (high) profile kickstart for Red Hat Enterprise Linux 8
+# Version: 0.0.1
+# Date: 2020-12-10
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+
+# Install a fresh new system (optional)
+install
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server= --dir= [--opts=]
+#
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --bootproto dhcp
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# --enableshadow enable shadowed passwords by default
+# --passalgo hash / crypt algorithm for new passwords
+# See the manual page for authconfig for a complete list of possible options.
+authconfig --enableshadow --passalgo=sha512
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512 --fsoptions="noauto"
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
+# Ensure /usr Located On Separate Partition
+logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+# Ensure /opt Located On Separate Partition
+logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+# Ensure /srv Located On Separate Partition
+logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+# Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/log/audit Located On Separate Partition
+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+logvol swap --name=swap --vgname=VolGroup --size=2016
+
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+# content - security policies - on the installed system.This add-on has been enabled by default
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
+# functionality will automatically be installed. However, by default, no policies are enforced,
+# meaning that no checks are performed during or after installation unless specifically configured.
+#
+# Important
+# Applying a security policy is not necessary on all systems. This screen should only be used
+# when a specific policy is mandated by your organization rules or government regulations.
+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+# Values can be optionally enclosed in single quotes (') or double quotes (").
+#
+# The following keys are recognized by the add-on:
+# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
+# - If the content-type is scap-security-guide, the add-on will use content provided by the
+# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
+# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
+# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
+# xccdf-id - ID of the benchmark you want to use.
+# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
+# profile - ID of the profile to be applied. Use default to apply the default profile.
+# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
+# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
+#
+# The following is an example %addon org_fedora_oscap section which uses content from the
+# scap-security-guide on the installation media:
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_anssi_bp28_high
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
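Review bot: The `rootpw --iscrypted ...`, `user --name=admin ... --password=...` and `bootloader --password=...` lines ship hashes whose plaintexts are spelled out in the comments above them (`server`, `admin123`, `password`), so any host installed from this file unchanged ends up with publicly known root, wheel-user and bootloader credentials. This is inherited from the upstream sample kickstarts, but the header should say so and tell operators to regenerate all three before use, e.g. `# NOTE: the password hashes below are public sample values; replace every one before deploying`. Since the file now lives under rocky8/, the first line `# SCAP Security Guide ANSSI BP-028 (high) profile kickstart for Red Hat Enterprise Linux 8` should name Rocky Linux 8, and the `%addon org_fedora_oscap` block with `content-type = scap-security-guide` assumes the installation media carries a scap-security-guide package containing a rocky8 datastream, which is worth stating next to it.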
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cis-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cis-ks.cfg
new file mode 100644
index 00000000..bf3804b3
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cis-ks.cfg
@@ -0,0 +1,146 @@
+# SCAP Security Guide CIS profile kickstart for Red Hat Enterprise Linux 8 Server
+# Version: 0.0.1
+# Date: 2020-03-30
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Install a fresh new system (optional)
+install
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server= --dir= [--opts=]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
+# Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024
+# Ensure /var/log/audit Located On Separate Partition
+logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512
+logvol swap --name=lv_swap --vgname=VolGroup --size=2016
+
+
+# Harden installation with CIS profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_cis
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
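Review bot: The `rootpw --iscrypted`, `user --password` and `bootloader --password` lines ship fixed SHA-512 hashes whose plaintexts are spelled out in the comments directly above them ("server", "admin123", "password"), so any host installed from this file unchanged has root, admin and GRUB credentials that are public in this repository; the same hashes and comments recur in the cui, e8, hipaa and ospp kickstarts of this commit and in the pci-dss one, whose hunk continues past this view. Replace them with a clearly marked placeholder such as `rootpw --iscrypted <HASH-GENERATED-PER-DEPLOYMENT>` (or `rootpw --lock` plus a locked-down admin account) and state in the header comment that the hashes must be regenerated before use. Separately, this CIS layout sets no `--fsoptions` on `/var`, `/var/log` and `/var/log/audit`, while the cui and ospp kickstarts in the same commit mount them `nodev,nosuid,noexec`; if the CIS profile checks those mount options the post-install scan will flag them, so aligning the three `logvol` lines (e.g. `logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"`) is worth a look. The volume name `LogVol7` also breaks the `LogVol0N` pattern used on the neighbouring lines.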
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cui-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cui-ks.cfg
new file mode 100644
index 00000000..6e0f83eb
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cui-ks.cfg
@@ -0,0 +1,167 @@
+# SCAP Security Guide CUI profile kickstart for Red Hat Enterprise Linux 8
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+
+# Install a fresh new system (optional)
+install
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server= --dir= [--opts=]
+#
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --bootproto dhcp
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# --enableshadow enable shadowed passwords by default
+# --passalgo hash / crypt algorithm for new passwords
+# See the manual page for authconfig for a complete list of possible options.
+authconfig --enableshadow --passalgo=sha512
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
+# Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/log/audit Located On Separate Partition
+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+logvol swap --name=swap --vgname=VolGroup --size=2016
+
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+# content - security policies - on the installed system.This add-on has been enabled by default
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
+# functionality will automatically be installed. However, by default, no policies are enforced,
+# meaning that no checks are performed during or after installation unless specifically configured.
+#
+# Important
+# Applying a security policy is not necessary on all systems. This screen should only be used
+# when a specific policy is mandated by your organization rules or government regulations.
+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+# Values can be optionally enclosed in single quotes (') or double quotes (").
+#
+# The following keys are recognized by the add-on:
+# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
+# - If the content-type is scap-security-guide, the add-on will use content provided by the
+# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
+# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
+# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
+# xccdf-id - ID of the benchmark you want to use.
+# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
+# profile - ID of the profile to be applied. Use default to apply the default profile.
+# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
+# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
+#
+# The following is an example %addon org_fedora_oscap section which uses content from the
+# scap-security-guide on the installation media:
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_cui
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
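Review bot: `authconfig --enableshadow --passalgo=sha512` is the RHEL 7 form of the authentication setup; on RHEL 8-based installs (which Rocky 8 is) the `authconfig` kickstart command is deprecated in favour of `authselect`, and the cis, e8 and hipaa kickstarts in this commit already use `authselect select sssd`, so this file and the ospp one (identical in this respect) should be brought in line: `authselect select sssd`. The three comment lines above `bootloader` describe how to create an encrypted password form, but the line itself sets no `--password`, unlike the cis, e8 and hipaa files; either add a per-deployment `--password` hash or drop the comment so a reader does not assume the boot loader is password-protected. The same mismatch is present in the ospp kickstart.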
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-e8-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-e8-ks.cfg
new file mode 100644
index 00000000..591d3026
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-e8-ks.cfg
@@ -0,0 +1,125 @@
+# SCAP Security Guide Essential Eight profile kickstart for Red Hat Enterprise Linux 8 Server
+# Version: 0.0.1
+# Date: 2019-11-13
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Install a fresh new system (optional)
+install
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server= --dir= [--opts=]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# Harden installation with Essential Eight profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_e8
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
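Review bot: With `content-type = scap-security-guide` the add-on uses whatever scap-security-guide package is on the boot media and, as the add-on comment in the cui file states, honours only `profile`; since this file lives under `rocky8/kickstart/` yet is named `ssg-rhel8-*` and headed "Red Hat Enterprise Linux 8 Server", it is not clear from the commit that `xccdf_org.ssgproject.content_profile_e8` exists in the datastream that package ships for Rocky 8 — presumably the one built by this commit's CMake changes, but a header line naming the expected package or datastream would make that checkable. This applies to all kickstarts in the commit. The `network` line also pins `--device eth0`; on hosts using predictable interface names that device will not exist and the installer's network configuration may not apply, so a comment such as `# Replace eth0 with the target's interface name, or drop --device to configure all devices` would help; the cis and hipaa kickstarts pin the same device.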
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-hipaa-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-hipaa-ks.cfg
new file mode 100644
index 00000000..dc4a44c8
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-hipaa-ks.cfg
@@ -0,0 +1,125 @@
+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 8 Server
+# Version: 0.0.1
+# Date: 2020-05-25
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Install a fresh new system (optional)
+install
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server= --dir= [--opts=]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# Harden installation with HIPAA profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_hipaa
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
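Review bot: The DHCP note above the `network` line cites `CCE-27021-5 (DISA FSO RHEL-06-000292)`, which are RHEL 6 identifiers, in a kickstart targeting RHEL 8 / Rocky 8 and the HIPAA profile; whether that rule is part of this profile cannot be verified from here, so the identifiers should be re-checked against the RHEL 8 content or the line reworded to a neutral `# NOTE: some profiles require static addressing; a DHCP-configured interface may be flagged by the post-install scan`. The same stale note is carried by the cis, cui, e8 and ospp kickstarts. As far as I recall the bare `install` command is also deprecated in RHEL 8's pykickstart and only emits a warning; it is harmless but could be dropped from all files for consistency with current syntax.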
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-ospp-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-ospp-ks.cfg
new file mode 100644
index 00000000..119e9836
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-ospp-ks.cfg
@@ -0,0 +1,167 @@
+# SCAP Security Guide OSPP profile kickstart for Red Hat Enterprise Linux 8
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+
+# Install a fresh new system (optional)
+install
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server= --dir= [--opts=]
+#
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --bootproto dhcp
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# --enableshadow enable shadowed passwords by default
+# --passalgo hash / crypt algorithm for new passwords
+# See the manual page for authconfig for a complete list of possible options.
+authconfig --enableshadow --passalgo=sha512
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
+# Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/log/audit Located On Separate Partition
+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+logvol swap --name=swap --vgname=VolGroup --size=2016
+
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+# content - security policies - on the installed system.This add-on has been enabled by default
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
+# functionality will automatically be installed. However, by default, no policies are enforced,
+# meaning that no checks are performed during or after installation unless specifically configured.
+#
+# Important
+# Applying a security policy is not necessary on all systems. This screen should only be used
+# when a specific policy is mandated by your organization rules or government regulations.
+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+# Values can be optionally enclosed in single quotes (') or double quotes (").
+#
+# The following keys are recognized by the add-on:
+# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
+# - If the content-type is scap-security-guide, the add-on will use content provided by the
+# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
+# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
+# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
+# xccdf-id - ID of the benchmark you want to use.
+# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
+# profile - ID of the profile to be applied. Use default to apply the default profile.
+# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
+# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
+#
+# The following is an example %addon org_fedora_oscap section which uses content from the
+# scap-security-guide on the installation media:
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_ospp
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
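Review bot: The comment introducing the `%addon org_fedora_oscap` section says "The following is an example ... section", but in this file the section is the live hardening step that applies the OSPP profile, so a reader skimming the file may take it for documentation that can be deleted; the cui kickstart carries the same wording. Replace the two lines with something like `# Harden installation with the OSPP profile using the scap-security-guide content on the installation media` and keep the key reference above it, which is useful. The long add-on description also has a missing space in "system.This add-on" and is duplicated verbatim in the cui file; a single shared README or a shorter pointer to the documentation URL would be easier to keep in sync.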
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-pci-dss-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-pci-dss-ks.cfg
new file mode 100644
index 00000000..21a50f52
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-pci-dss-ks.cfg
@@ -0,0 +1,157 @@
+# SCAP Security Guide PCI-DSS profile kickstart for Red Hat Enterprise Linux 8
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+
+# Install a fresh new system (optional)
+install
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server= --dir= [--opts=]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+network --onboot yes --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# --enableshadow enable shadowed passwords by default
+# --passalgo hash / crypt algorithm for new passwords
+# See the manual page for authconfig for a complete list of possible options.
+authconfig --enableshadow --passalgo=sha512
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+#
+# PASSWORD TEMPORARILY DISABLED
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"
+#bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=12288 --grow
+# CCE-26557-9: Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# CCE-26435-8: Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
+# CCE-26639-5: Ensure /var Located On Separate Partition
+logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev"
+# CCE-26215-4: Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
+logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev"
+logvol swap --name=lv_swap --vgname=VolGroup --size=2016
+
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+# content - security policies - on the installed system.This add-on has been enabled by default
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
+# functionality will automatically be installed. However, by default, no policies are enforced,
+# meaning that no checks are performed during or after installation unless specifically configured.
+#
+# Important
+# Applying a security policy is not necessary on all systems. This screen should only be used
+# when a specific policy is mandated by your organization rules or government regulations.
+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+# Values can be optionally enclosed in single quotes (') or double quotes (").
+#
+# The following keys are recognized by the add-on:
+# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
+# - If the content-type is scap-security-guide, the add-on will use content provided by the
+# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
+# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
+# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
+# xccdf-id - ID of the benchmark you want to use.
+# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
+# profile - ID of the profile to be applied. Use default to apply the default profile.
+# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
+# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
+#
+# The following is an example %addon org_fedora_oscap section which uses content from the
+# scap-security-guide on the installation media:
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_pci-dss
+%end
+
+# Packages selection (%packages section is required)
+%packages
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
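Review bot: The `rootpw --iscrypted` line ships a hash whose plaintext is spelled out two lines above it ("server"), so any system installed from this file as-is has a publicly documented root credential; the same hash and comment appear in the ssg-rhel8-stig-ks.cfg hunk of this commit, which additionally adds an `admin` wheel user with the documented plaintext "admin123". I would add a comment directly above `rootpw`: `# WARNING: example credential only - replace this hash before using this kickstart`, and the same above the `user` line in the STIG file. Separately, the bootloader line here drops `--password` with the remark "PASSWORD TEMPORARILY DISABLED" while the commented-out variant below still carries the old hash; if the omission is deliberate for this baseline the comment should say why, otherwise the disabled line is dead configuration. The `%packages` section of this file is also empty, whereas the OSPP and STIG variants in this commit select `@Base`; it is unclear from the diff whether that difference is intended.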
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-stig-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-stig-ks.cfg
new file mode 100644
index 00000000..a3e5e5fe
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-stig-ks.cfg
@@ -0,0 +1,167 @@
+# SCAP Security Guide STIG profile kickstart for Red Hat Enterprise Linux 8
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+
+# Install a fresh new system (optional)
+install
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server= --dir= [--opts=]
+#
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --bootproto dhcp
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# --enableshadow enable shadowed passwords by default
+# --passalgo hash / crypt algorithm for new passwords
+# See the manual page for authconfig for a complete list of possible options.
+authconfig --enableshadow --passalgo=sha512
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
+# Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/log/audit Located On Separate Partition
+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+logvol swap --name=swap --vgname=VolGroup --size=2016
+
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+# content - security policies - on the installed system.This add-on has been enabled by default
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
+# functionality will automatically be installed. However, by default, no policies are enforced,
+# meaning that no checks are performed during or after installation unless specifically configured.
+#
+# Important
+# Applying a security policy is not necessary on all systems. This screen should only be used
+# when a specific policy is mandated by your organization rules or government regulations.
+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+# Values can be optionally enclosed in single quotes (') or double quotes (").
+#
+# The following keys are recognized by the add-on:
+# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
+# - If the content-type is scap-security-guide, the add-on will use content provided by the
+# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
+# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
+# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
+# xccdf-id - ID of the benchmark you want to use.
+# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
+# profile - ID of the profile to be applied. Use default to apply the default profile.
+# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
+# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
+#
+# The following is an example %addon org_fedora_oscap section which uses content from the
+# scap-security-guide on the installation media:
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_stig
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
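Review bot: The comment block above `bootloader --location=mbr ...` points to the pykickstart `rootpw` documentation and talks about creating an encrypted password, but the command it documents sets no `--password` at all, so the comment is stale and misleading. Either add the intended `--password=<hash>` option or reduce the comment to what the line actually does, e.g. `# Specify how the bootloader should be installed (required); no bootloader password is set here`. The file header still calls this a kickstart "for Red Hat Enterprise Linux 8" even though it is added under the rocky8 product tree; a one-word update to the title would avoid confusion. As far as I recall, `install` and `authconfig` are deprecated kickstart commands in the RHEL 8 generation of pykickstart (`authselect` is the replacement), so it may be worth confirming that Anaconda on Rocky 8 still accepts them.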
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/overlays/srg_support.xml b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/overlays/srg_support.xml
new file mode 100644
index 00000000..7c89f520
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/overlays/srg_support.xml
@@ -0,0 +1,173 @@
+
+Documentation to Support DISA OS SRG Mapping
+These groups exist to document how the Red Hat Enterprise Linux
+product meets (or does not meet) requirements listed in the DISA OS SRG, for
+those cases where Groups or Rules elsewhere in scap-security-guide do
+not clearly relate.
+
+
+
+
+
+Product Meets this Requirement
+
+Red Hat Enterprise Linux meets this requirement through design and implementation.
+
+RHEL8 supports this requirement and cannot be configured to be out of
+compliance. This is a permanent not a finding.
+
+
+This requirement is a permanent not a finding. No fix is required.
+
+
+
+
+
+
+
+
+Product Meets this Requirement
+
+The Red Hat Enterprise Linux audit system meets this requirement through design and implementation.
+
+The RHEL8 auditing system supports this requirement and cannot be configured to be out of
+compliance. Every audit record in RHEL includes a timestamp, the operation attempted,
+success or failure of the operation, the subject involved (executable/process),
+the object involved (file/path), and security labels for the subject and object.
+It also includes the ability to label events with custom key labels. The auditing system
+centralizes the recording of audit events for the entire system and includes
+reduction (ausearch), reporting (aureport), and real-time
+response (audispd) facilities.
+This is a permanent not a finding.
+
+
+This requirement is a permanent not a finding. No fix is required.
+
+
+
+
+
+
+
+
+Product Meets this Requirement
+
+Red Hat Enterprise Linux meets this requirement through design and implementation.
+
+RHEL8 supports this requirement and cannot be configured to be out of
+compliance. This is a permanent not a finding.
+
+
+This requirement is a permanent not a finding. No fix is required.
+
+
+
+
+
+
+
+
+
+
+
+
+Guidance Does Not Meet this Requirement Due to Impracticality or Scope
+
+The guidance does not meet this requirement.
+The requirement is impractical or out of scope.
+
+
+RHEL8 cannot support this requirement without assistance from an external
+application, policy, or service. This requirement is NA.
+
+
+This requirement is NA. No fix is required.
+
+
+
+
+
+
+
+
+Implementation of the Requirement is Not Supported
+
+RHEL8 does not support this requirement.
+
+
+This is a permanent finding.
+
+
+This requirement is a permanent finding and cannot be fixed. An appropriate
+mitigation for the system must be implemented but this finding cannot be
+considered fixed.
+
+
+
+
+
+
+
+
+Guidance Does Not Meet this Requirement Due to Impracticality or Scope
+
+The guidance does not meet this requirement.
+The requirement is impractical or out of scope.
+
+
+RHEL8 cannot support this requirement without assistance from an external
+application, policy, or service. This requirement is NA.
+
+
+This requirement is NA. No fix is required.
+
+
+
+
+
+
+A process for prompt installation of OS updates must exist.
+
+This is a manual inquiry about update procedure.
+
+
+Ask an administrator if a process exists to promptly and automatically apply OS
+software updates. If such a process does not exist, this is a finding.
+
+If the OS update process limits automatic updates of software packages, where
+such updates would impede normal system operation, to scheduled maintenance
+windows, but still within IAVM-dictated timeframes, this is not a finding.
+
+
+Procedures to promptly apply software updates must be established and
+executed. The Red Hat operating system provides support for automating such a
+process, by running the yum program through a cron job or by managing the
+system and its packages through the Red Hat Network or a Satellite Server.
+
+
+
+
+
+
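Review bot: The SRG support overlay added for the rocky8 product describes "Red Hat Enterprise Linux" and "RHEL8" throughout (for example "RHEL8 supports this requirement and cannot be configured to be out of compliance"), so the generated mapping documentation for Rocky Linux 8 will name the wrong product. If this is a verbatim copy of the RHEL 8 overlay, the product name should be templated or replaced, or a comment at the top of the file should record that the text is inherited from the RHEL 8 overlay unchanged. The XML element markup does not survive in this rendering of the diff, so I cannot check the group and rule identifiers themselves.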
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/product.yml b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/product.yml
new file mode 100644
index 00000000..b0bfc444
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/product.yml
@@ -0,0 +1,32 @@
+product: rocky8
+full_name: Rocky Linux 8
+type: platform
+
+benchmark_root: "../linux_os/guide"
+
+profiles_root: "./profiles"
+
+pkg_manager: "yum"
+
+init_system: "systemd"
+
+# The fingerprints below are retrieved from https://access.redhat.com/security/team/key
+pkg_release: "PKG_RELASE"
+pkg_version: "PKG_VERSION"
+aux_pkg_release: "AUX_PKG_RELEASE"
+aux_pkg_version: "AUX_PKG_VERSION"
+
+release_key_fingerprint: "RELEASE_KEY_FINGERPRINT"
+auxiliary_key_fingerprint: "AUXILIARY_KEY_FINGERPRINT"
+oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml"
+
+cpes_root: "../shared/applicability"
+cpes:
+ - rhel8:
+ name: "cpe:/o:rocky:rocky_linux:8"
+ title: "Rocky Linux 8"
+ check_id: installed_OS_is_rocky8
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+ login_defs: "shadow-utils"
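Review bot: The signing-key and package-version fields in product.yml are left as literal placeholder strings (`release_key_fingerprint: "RELEASE_KEY_FINGERPRINT"`, `auxiliary_key_fingerprint: "AUXILIARY_KEY_FINGERPRINT"`, `pkg_release: "PKG_RELASE"`, the last one also misspelled), so any rule that compares an installed GPG key against these values cannot succeed on a real Rocky Linux 8 host. The comment above them still says the fingerprints come from the Red Hat key page, which is the wrong source for this product; it should name the Rocky Linux release key as the source once the values are filled in. `oval_feed_url` likewise points at the Red Hat RHSA OVAL feed, which describes RHEL advisories rather than Rocky updates, so the patch-level check driven by it may not reflect the Rocky package set. The `cpes` entry is keyed `rhel8` while its name and check are Rocky-specific; if that key is what platform expressions in the content reference, a comment should say so, otherwise `rocky8` would be the consistent choice.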
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_enhanced.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_enhanced.profile
new file mode 100644
index 00000000..e7e2f287
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_enhanced.profile
@@ -0,0 +1,59 @@
+documentation_complete: true
+
+title: 'ANSSI BP-028 (enhanced)'
+
+description:
+ ANSSI BP-028 compliance at the enhanced level. ANSSI stands for
+ Agence nationale de la sécurité des systèmes d'information. Based on
+ https://www.ssi.gouv.fr/.
+
+extends: anssi_bp28_intermediary
+
+selections:
+ # Principle of least privilege
+
+ # Network services partitioning
+
+ # Logging of service activity
+
+ # Access Restrictions on /boot directory
+ - file_permissions_systemmap
+
+ # Hardened package repositories
+
+ # Boot loader password
+ - grub2_password
+ - grub2_uefi_password
+
+ # Installation of secret or trusted elements
+
+ # Disabling the loading of kernel modules
+ # kernel.modules_disabled = 1
+
+ # Yama module sysctl configuration
+ - sysctl_kernel_yama_ptrace_scope
+
+ # Uniqueness and exclusivity of system service accounts
+
+ # User session timeout
+ - accounts_tmout
+ - sshd_set_idle_timeout
+ - sshd_idle_timeout_value=5_minutes
+ - sshd_set_keepalive
+
+ # umask value
+ - var_accounts_user_umask=077
+ - accounts_umask_etc_login_defs
+ - accounts_umask_etc_profile
+
+ # Executable setuid root
+ - file_permissions_unauthorized_suid
+ - file_permissions_unauthorized_sgid
+
+ # Logging activity by auditd
+
+ # Restricting access of deployed services
+
+ # Virtualization components hardening
+
+ # Limiting the number of commands requiring the use of the EXEC option
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_high.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_high.profile
new file mode 100644
index 00000000..ccad93d6
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_high.profile
@@ -0,0 +1,49 @@
+documentation_complete: true
+
+title: 'ANSSI BP-028 (high)'
+
+description:
+ ANSSI BP-028 compliance at the high level. ANSSI stands for
+ Agence nationale de la sécurité des systèmes d'information. Based on
+ https://www.ssi.gouv.fr/.
+
+extends: anssi_bp28_enhanced
+
+selections:
+ # Using access control features
+ - selinux_state
+ - var_selinux_state=enforcing
+
+ # IOMMU Configuration Guidelines
+
+ # Partitioning the syslog service by container
+
+ # Sealing and integrity of files
+ - package_aide_installed
+ - aide_build_database
+ - aide_periodic_cron_checking
+ - aide_scan_notification
+ - aide_verify_acls
+ - aide_verify_ext_attributes
+
+ # Enabling SELinux Targeted Policy
+ - selinux_policytype
+ - var_selinux_policy_name=targeted
+
+ # Setting SELinux booleans
+ - sebool_selinuxuser_execheap
+ - sebool_cups_execmem
+ - sebool_httpd_execmem
+ - sebool_boinc_execmem
+ - sebool_xserver_execmem
+ - sebool_deny_execmem
+ - sebool_cluster_use_execmem
+ - sebool_glance_use_execmem
+ - sebool_virt_use_execmem
+ - sebool_selinuxuser_execstack
+ - sebool_secure_mode_insmod
+ - sebool_ssh_sysadm_login
+
+ # Uninstalling SELinux Policy Debugging Tools
+ - package_setroubleshoot_removed
+
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_intermediary.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_intermediary.profile
new file mode 100644
index 00000000..638e60e0
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_intermediary.profile
@@ -0,0 +1,144 @@
+documentation_complete: true
+
+title: 'ANSSI BP-028 (intermediary)'
+
+description:
+ ANSSI BP-028 compliance at the intermediary level. ANSSI stands for
+ Agence nationale de la sécurité des systèmes d''information. Based on
+ https://www.ssi.gouv.fr/.
+
+extends: anssi_bp28_minimal
+
+selections:
+ # Minimization of configuration
+
+ # 32 and 64 bit architecture
+
+ # Partitioning type
+ - partition_for_tmp
+ - mount_option_tmp_nosuid
+ - mount_option_tmp_nodev
+ - mount_option_tmp_noexec
+ - partition_for_home
+ - mount_option_home_nosuid
+ - mount_option_home_nodev
+ - partition_for_var
+ - partition_for_var_log
+ - partition_for_var_tmp
+ - mount_option_var_tmp_nosuid
+ - mount_option_var_tmp_nodev
+ - mount_option_var_tmp_noexec
+
+ # Installation of packages reduced to the bare necessities
+
+ # Accountability of administration
+ - no_direct_root_logins
+ - sshd_disable_root_login
+
+ # Hardening and monitoring of services subject to arbitrary flows
+
+ # Setting up network sysctl
+ - sysctl_net_ipv4_ip_forward
+ - sysctl_net_ipv4_conf_all_rp_filter
+ - sysctl_net_ipv4_conf_default_rp_filter
+ - sysctl_net_ipv4_conf_all_send_redirects
+ - sysctl_net_ipv4_conf_default_send_redirects
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv4_conf_all_secure_redirects
+ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ - sysctl_net_ipv4_conf_default_secure_redirects
+ - sysctl_net_ipv4_conf_all_log_martians
+ # net.ipv4.tcp_rfc1337 = 1
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+ # net.ipv4.ip_local_port_ranges = 32768 65535
+ - sysctl_net_ipv4_tcp_syncookies
+ # net.ipv6.conf.all.router_solicitations = 0
+ # net.ipv6.conf.default.router_solicitations = 0
+ # net.ipv6.conf.all.accept_ra_rtr_pref = 0
+ # net.ipv6.conf.default.accept_ra_rtr_pref = 0
+ # net.ipv6.conf.all.accept_ra_pinfo = 0
+ # net.ipv6.conf.default.accept_ra_pinfo = 0
+ # net.ipv6.conf.all.accept_ra_defrtr = 0
+ # net.ipv6.conf.default.accept_ra_defrtr = 0
+ # net.ipv6.conf.all.autoconf = 0
+ # net.ipv6.conf.default.autoconf = 0
+ # net.ipv6.conf.all_accept_redirects = 0
+ - sysctl_net_ipv6_conf_all_accept_redirects
+ - sysctl_net_ipv6_conf_default_accept_redirects
+ - sysctl_net_ipv6_conf_all_accept_source_route
+ - sysctl_net_ipv6_conf_default_accept_source_route
+ # net.ipv6.conf.all.max_addresses = 1
+ # net.ipv6.conf.default.max_addresses = 1
+
+ # Setting system sysctl
+ - sysctl_fs_suid_dumpable
+ - sysctl_fs_protected_symlinks
+ - sysctl_fs_protected_hardlinks
+ - sysctl_kernel_randomize_va_space
+ # vm.mmap_min_addr = 65536
+ # kernel.pid_max = 65536
+ - sysctl_kernel_kptr_restrict
+ - sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_perf_event_paranoid
+ # kernel.perf_event_paranoid = 2
+ # kernel.perf_event_max_sample_rate = 1
+ # kernel.perf_cpu_time_max_percent = 1
+
+ # Disabling service accounts
+
+ # Securing PAM Authentication Network Services
+
+ # Securing access to remote user databases
+
+ # Rights to access sensitive content files
+ # Sensitive content files should only be readable by users with strict need to know.
+ - file_owner_etc_shadow
+ - file_permissions_etc_shadow
+ - file_owner_etc_gshadow
+ - file_permissions_etc_gshadow
+ - file_permissions_etc_passwd
+ - file_permissions_etc_group
+
+ # Temporary directories dedicated to accounts
+
+ # Sticky bit and write access rights
+
+ # All writable directories must have all the sticky bit armed.
+
+
+ # Securing access for named sockets and pipes
+
+ # Hardening and configuring the syslog
+ - rsyslog_files_ownership
+ - rsyslog_files_groupownership
+ - rsyslog_files_permissions
+ - ensure_logrotate_activated
+ - rsyslog_remote_loghost
+
+ # Partitioning the syslog service by chroot
+
+ # Service Activity Logs
+
+ # Dedicated partition for logs
+
+ # Configuring the local messaging service
+
+ # Messaging Aliases for Service Accounts
+
+ # chroot jail and access right for partitioned service
+
+ # Enablement and usage of chroot by a service
+
+ # Group dedicated to the use of sudo
+
+ # Sudo configuration guidelines
+
+ # Privileges of target sudo users
+
+ # Good use of negation in a sudoers file
+
+ # Explicit arguments in sudo specifications
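Review bot: The description of the intermediary profile contains `d''information`, a doubled apostrophe, while the minimal, enhanced and high profiles in this commit write `d'information`. The description here is a plain (unquoted) YAML scalar, so the doubling is not an escape and will be rendered literally as two apostrophes in the generated guide. Change the line to `Agence nationale de la sécurité des systèmes d'information. Based on`.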
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_minimal.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_minimal.profile
new file mode 100644
index 00000000..45cbba8f
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_minimal.profile
@@ -0,0 +1,49 @@
+documentation_complete: true
+
+title: 'ANSSI BP-028 (minimal)'
+
+description:
+ ANSSI BP-028 compliance at the minimal level. ANSSI stands for
+ Agence nationale de la sécurité des systèmes d'information. Based on
+ https://www.ssi.gouv.fr/.
+
+selections:
+ # Minimization of installed services
+ - package_dhcp_removed
+ - package_sendmail_removed
+ - package_telnetd_removed
+
+ # In-depth defense principle
+ - sudo_remove_no_authenticate
+
+ # * centralized logging of events at the systems and services level
+ - package_rsyslog_installed
+ - service_rsyslog_enabled
+
+ # Regular updates
+ - security_patches_up_to_date
+
+ # Package repositories selection
+ # Only up-to-date official repositories of the distribution must be used.
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_never_disabled
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_local_packages
+
+ # Administrator password robustness
+
+ # Applications using PAM
+
+ # Protecting stored passwords
+ # In the file /etc/login.defs:
+ # ENCRYPT_METHOD SHA512
+ - set_password_hashing_algorithm_logindefs
+ # SHA_CRYPT_MIN_ROUNDS 65536
+
+ # Executables with setuid and/or setgid bits
+
+ # In memory services and daemons
+
+ # User authentication running sudo
+ - sudo_remove_nopasswd
+
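Review bot: The minimal profile selects `ensure_redhat_gpgkey_installed` for the rocky8 product, but the product.yml added in this commit leaves `release_key_fingerprint` as the placeholder `"RELEASE_KEY_FINGERPRINT"`, so if this rule checks the product's declared fingerprint, as its name and the product.yml comment suggest, it cannot pass on a Rocky Linux 8 system and the GPG-check rules that follow it lose their anchor. Either fill in the Rocky release key fingerprint in product.yml before enabling this selection, or add a comment above it such as `# requires release_key_fingerprint in product.yml to be set to the Rocky Linux 8 key`. This is the place the dependency on the placeholder becomes visible in the profile, so a note here would save the next reader a trip to product.yml.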
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cis.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cis.profile
new file mode 100644
index 00000000..9ceeb74f
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cis.profile
@@ -0,0 +1,1089 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0.0
+ SMEs:
+ - vojtapolasek
+ - yuumasato
+
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+title: 'CIS Red Hat Enterprise Linux 8 Benchmark'
+
+description: |-
+ This profile defines a baseline that aligns to the Center for Internet Security®
+ Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019.
+
+ This profile includes Center for Internet Security®
+ Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
+
+selections:
+ # Necessary for dconf rules
+ - dconf_db_up_to_date
+
+ ### Partitioning
+ - mount_option_home_nodev
+
+ ## 1.1 Filesystem Configuration
+
+ ### 1.1.1 Disable unused filesystems
+
+ #### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored)
+ - kernel_module_cramfs_disabled
+
+ #### 1.1.1.2 Ensure mounting of vFAT flesystems is limited (Not Scored)
+ - kernel_module_vfat_disabled
+
+ #### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored)
+ - kernel_module_squashfs_disabled
+
+ #### 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored)
+ - kernel_module_udf_disabled
+
+ ### 1.1.2 Ensure /tmp is configured (Scored)
+ - partition_for_tmp
+
+ ### 1.1.3 Ensure nodev option set on /tmp partition (Scored)
+ - mount_option_tmp_nodev
+
+ ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored)
+ - mount_option_tmp_nosuid
+
+ ### 1.1.5 Ensure noexec option set on /tmp partition (Scored)
+ - mount_option_tmp_noexec
+
+ ### 1.1.6 Ensure separate partition exists for /var (Scored)
+ - partition_for_var
+
+ ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored)
+ - partition_for_var_tmp
+
+ ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored)
+ - mount_option_var_tmp_nodev
+
+ ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored)
+ - mount_option_var_tmp_nosuid
+
+ ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored)
+ - mount_option_var_tmp_noexec
+
+ ### 1.1.11 Ensure separate partition exists for /var/log (Scored)
+ - partition_for_var_log
+
+ ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
+ - partition_for_var_log_audit
+
+ ### 1.1.13 Ensure separate partition exists for /home (Scored)
+ - partition_for_home
+
+ ### 1.1.14 Ensure nodev option set on /home partition (Scored)
+ - mount_option_home_nodev
+
+ ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored)
+ - mount_option_dev_shm_nodev
+
+ ### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored)
+ - mount_option_dev_shm_nosuid
+
+ ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored)
+ - mount_option_dev_shm_noexec
+
+ ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored)
+ - mount_option_nodev_removable_partitions
+
+ ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
+ - mount_option_nosuid_removable_partitions
+
+ ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored)
+ - mount_option_noexec_removable_partitions
+
+ ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
+ - dir_perms_world_writable_sticky_bits
+
+ ### 1.1.22 Disable Automounting (Scored)
+ - service_autofs_disabled
+
+ ### 1.1.23 Disable USB Storage (Scored)
+ - kernel_module_usb-storage_disabled
+
+ ## 1.2 Configure Software Updates
+
+ ### 1.2.1 Ensure Red Hat Subscription Manager connection is configured (Not Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5218
+
+ ### 1.2.2 Disable the rhnsd Daemon (Not Scored)
+ - service_rhnsd_disabled
+
+ ### 1.2.3 Ensure GPG keys are configured (Not Scored)
+ - ensure_redhat_gpgkey_installed
+
+ ### 1.2.4 Ensure gpgcheck is globally activated (Scored)
+ - ensure_gpgcheck_globally_activated
+
+ ### 1.2.5 Ensure package manager repositories are configured (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5219
+
+ ## 1.3 Configure sudo
+
+ ### 1.3.1 Ensure sudo is installed (Scored)
+ - package_sudo_installed
+
+ ### 1.3.2 Ensure sudo commands use pty (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5220
+
+ ### 1.3.3 Ensure sudo log file exists (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5221
+
+ ## 1.4 Filesystem Integrity Checking
+
+ ### 1.4.1 Ensure AIDE is installed (Scored)
+ - package_aide_installed
+
+ ### 1.4.2 Ensure filesystem integrity is regularly checked (Scored)
+ - aide_periodic_cron_checking
+
+ ## Secure Boot Settings
+
+ ### 1.5.1 Ensure permissions on bootloader config are configured (Scored)
+ #### chown root:root /boot/grub2/grub.cfg
+ - file_owner_grub2_cfg
+ - file_groupowner_grub2_cfg
+
+ #### chmod og-rwx /boot/grub2/grub.cfg
+ - file_permissions_grub2_cfg
+
+ #### chown root:root /boot/grub2/grubenv
+ # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
+
+ #### chmod og-rwx /boot/grub2/grubenv
+ # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
+
+ ### 1.5.2 Ensure bootloader password is set (Scored)
+ - grub2_password
+
+ ### 1.5.3 Ensure authentication required for single user mode (Scored)
+ #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
+ - require_singleuser_auth
+
+ #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
+ - require_emergency_target_auth
+
+ ## 1.6 Additional Process Hardening
+
+ ### 1.6.1 Ensure core dumps are restricted (Scored)
+ #### * hard core 0
+ - disable_users_coredumps
+
+ #### fs.suid_dumpable = 0
+ - sysctl_fs_suid_dumpable
+
+ #### ProcessSizeMax=0
+ - coredump_disable_backtraces
+
+ #### Storage=none
+ - coredump_disable_storage
+
+ ### 1.6.2 Ensure address space layout randomization (ASLR) is enabled
+ - sysctl_kernel_randomize_va_space
+
+ ## 1.7 Mandatory Access Control
+
+ ### 1.7.1 Configure SELinux
+
+ #### 1.7.1.1 Ensure SELinux is installed (Scored)
+ - package_libselinux_installed
+
+ #### 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration (Scored)
+ - grub2_enable_selinux
+
+ #### 1.7.1.3 Ensure SELinux policy is configured (Scored)
+ - var_selinux_policy_name=targeted
+ - selinux_policytype
+
+ #### 1.7.1.4 Ensure the SELinux state is enforcing (Scored)
+ - var_selinux_state=enforcing
+ - selinux_state
+
+ #### 1.7.1.5 Ensure no unconfied services exist (Scored)
+ - selinux_confinement_of_daemons
+
+ #### 1.7.1.6 Ensure SETroubleshoot is not installed (Scored)
+ - package_setroubleshoot_removed
+
+ #### 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored)
+ - package_mcstrans_removed
+
+ ## Warning Banners
+
+ ### 1.8.1 Command Line Warning Baners
+
+ #### 1.8.1.1 Ensure message of the day is configured properly (Scored)
+ - banner_etc_motd
+
+ #### 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
+ - banner_etc_issue
+
+ #### 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5225
+
+ #### 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
+ # chmod u-x,go-wx /etc/motd
+ - file_permissions_etc_motd
+
+ #### 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
+ # chmod u-x,go-wx /etc/issue
+ - file_permissions_etc_issue
+
+ #### 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
+ # Previously addressed via 'rpm_verify_permissions' rule
+
+ ### 1.8.2 Ensure GDM login banner is configured (Scored)
+ #### banner-message-enable=true
+ - dconf_gnome_banner_enabled
+
+ #### banner-message-text=''
+ - dconf_gnome_login_banner_text
+
+ ## 1.9 Ensure updates, patches, and additional security software are installed (Scored)
+ - security_patches_up_to_date
+
+ ## 1.10 Ensure system-wide crypto policy is not legacy (Scored)
+ #- var_system_crypto_policy
+ - configure_crypto_policy
+
+ ## 1.11 Ensure system-wide crytpo policy is FUTURE or FIPS (Scored)
+ # Previously addressed via 'configure_crypto_policy' rule
+
+ # Services
+
+ ## 2.1 inetd Services
+
+ ### 2.1.1 Ensure xinetd is not installed (Scored)
+ - package_xinetd_removed
+
+ ## 2.2 Special Purpose Services
+
+ ### 2.2.1 Time Synchronization
+
+ #### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
+ - package_chrony_installed
+
+ #### 2.2.1.2 Ensure chrony is configured (Scored)
+ - service_chronyd_enabled
+ - chronyd_specify_remote_server
+ - chronyd_run_as_chrony_user
+
+ ### 2.2.2 Ensure X Window System is not installed (Scored)
+ - package_xorg-x11-server-common_removed
+ - xwindows_runlevel_target
+
+ ### 2.2.3 Ensure rsync service is not enabled (Scored)
+ - service_rsyncd_disabled
+
+ ### 2.2.4 Ensure Avahi Server is not enabled (Scored)
+ - service_avahi-daemon_disabled
+
+ ### 2.2.5 Ensure SNMP Server is not enabled (Scored)
+ - service_snmpd_disabled
+
+ ### 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored)
+ - package_squid_removed
+
+ ### 2.2.7 Ensure Samba is not enabled (Scored)
+ - service_smb_disabled
+
+ ### 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored)
+ - service_dovecot_disabled
+
+ ### 2.2.9 Ensure HTTP server is not enabled (Scored)
+ - service_httpd_disabled
+
+ ### 2.2.10 Ensure FTP Server is not enabled (Scored)
+ - service_vsftpd_disabled
+
+ ### 2.2.11 Ensure DNS Server is not enabled (Scored)
+ - service_named_disabled
+
+ ### 2.2.12 Ensure NFS is not enabled (Scored)
+ - service_nfs_disabled
+
+ ### 2.2.13 Ensure RPC is not enabled (Scored)
+ - service_rpcbind_disabled
+
+ ### 2.2.14 Ensure LDAP service is not enabled (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5231
+
+ ### 2.2.15 Ensure DHCP Server is not enabled (Scored)
+ - service_dhcpd_disabled
+
+ ### 2.2.16 Ensure CUPS is not enabled (Scored)
+ - service_cups_disabled
+
+ ### 2.2.17 Ensure NIS Server is not enabled (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5232
+
+ ### 2.2.18 Ensure mail transfer agent is configured for
+ ### local-only mode (Scored)
+ - postfix_network_listening_disabled
+
+ ## 2.3 Service Clients
+
+ ### 2.3.1 Ensure NIS Client is not installed (Scored)
+ - package_ypbind_removed
+
+ ### 2.3.2 Ensure telnet client is not installed (Scored)
+ - package_telnet_removed
+
+ ### Ensure LDAP client is not installed
+ - package_openldap-clients_removed
+
+ # 3 Network Configuration
+
+ ## 3.1 Network Parameters (Host Only)
+
+ ### 3.1.1 Ensure IP forwarding is disabled (Scored)
+ #### net.ipv4.ip_forward = 0
+ - sysctl_net_ipv4_ip_forward
+
+ #### net.ipv6.conf.all.forwarding = 0
+ - sysctl_net_ipv6_conf_all_forwarding
+
+ ### 3.1.2 Ensure packet redirect sending is disabled (Scored)
+ #### net.ipv4.conf.all.send_redirects = 0
+ - sysctl_net_ipv4_conf_all_send_redirects
+
+ #### net.ipv4.conf.default.send_redirects = 0
+ - sysctl_net_ipv4_conf_default_send_redirects
+
+ ## 3.2 Network Parameters (Host and Router)
+
+ ### 3.2.1 Ensure source routed packets are not accepted (Scored)
+ #### net.ipv4.conf.all.accept_source_route = 0
+ - sysctl_net_ipv4_conf_all_accept_source_route
+
+ #### net.ipv4.conf.default.accept_source_route = 0
+ - sysctl_net_ipv4_conf_default_accept_source_route
+
+ #### net.ipv6.conf.all.accept_source_route = 0
+ - sysctl_net_ipv6_conf_all_accept_source_route
+
+ #### net.ipv6.conf.default.accept_source_route = 0
+ - sysctl_net_ipv6_conf_default_accept_source_route
+
+ ### 3.2.2 Ensure ICMP redirects are not accepted (Scored)
+ #### net.ipv4.conf.all.accept_redirects = 0
+ - sysctl_net_ipv4_conf_all_accept_redirects
+
+ #### net.ipv4.conf.default.accept_redirects
+ - sysctl_net_ipv4_conf_default_accept_redirects
+
+ #### net.ipv6.conf.all.accept_redirects = 0
+ - sysctl_net_ipv6_conf_all_accept_redirects
+
+ #### net.ipv6.conf.defaults.accept_redirects = 0
+ - sysctl_net_ipv6_conf_default_accept_redirects
+
+ ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
+ #### net.ipv4.conf.all.secure_redirects = 0
+ - sysctl_net_ipv4_conf_all_secure_redirects
+
+ #### net.ipv4.cof.default.secure_redirects = 0
+ - sysctl_net_ipv4_conf_default_secure_redirects
+
+ ### 3.2.4 Ensure suspicious packets are logged (Scored)
+ #### net.ipv4.conf.all.log_martians = 1
+ - sysctl_net_ipv4_conf_all_log_martians
+
+ #### net.ipv4.conf.default.log_martians = 1
+ - sysctl_net_ipv4_conf_default_log_martians
+
+ ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+
+ ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+
+ ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
+ #### net.ipv4.conf.all.rp_filter = 1
+ - sysctl_net_ipv4_conf_all_rp_filter
+
+ #### net.ipv4.conf.default.rp_filter = 1
+ - sysctl_net_ipv4_conf_default_rp_filter
+
+ ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
+ - sysctl_net_ipv4_tcp_syncookies
+
+ ### 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
+ #### net.ipv6.conf.all.accept_ra = 0
+ - sysctl_net_ipv6_conf_all_accept_ra
+
+ #### net.ipv6.conf.default.accept_ra = 0
+ - sysctl_net_ipv6_conf_default_accept_ra
+
+ ## 3.3 Uncommon Network Protocols
+
+ ### 3.3.1 Ensure DCCP is disabled (Scored)
+ - kernel_module_dccp_disabled
+
+ ### Ensure SCTP is disabled (Scored)
+ - kernel_module_sctp_disabled
+
+ ### 3.3.3 Ensure RDS is disabled (Scored)
+ - kernel_module_rds_disabled
+
+ ### 3.3.4 Ensure TIPC is disabled (Scored)
+ - kernel_module_tipc_disabled
+
+ ## 3.4 Firewall Configuration
+
+ ### 3.4.1 Ensure Firewall software is installed
+
+ #### 3.4.1.1 Ensure a Firewall package is installed (Scored)
+ ##### firewalld
+ - package_firewalld_installed
+
+ ##### nftables
+ #NEED RULE - https://github.com/ComplianceAsCode/content/issues/5237
+
+ ##### iptables
+ #- package_iptables_installed
+
+ ### 3.4.2 Configure firewalld
+
+ #### 3.4.2.1 Ensure firewalld service is enabled and running (Scored)
+ - service_firewalld_enabled
+
+ #### 3.4.2.2 Ensure iptables is not enabled (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5238
+
+ #### 3.4.2.3 Ensure nftables is not enabled (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5239
+
+ #### 3.4.2.4 Ensure default zone is set (Scored)
+ - set_firewalld_default_zone
+
+ #### 3.4.2.5 Ensure network interfaces are assigned to
+ #### appropriate zone (Not Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5240
+
+ #### 3.4.2.6 Ensure unnecessary services and ports are not
+ #### accepted (Not Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5241
+
+ ### 3.4.3 Configure nftables
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5242
+
+ #### 3.4.3.1 Ensure iptables are flushed (Not Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5243
+
+ #### 3.4.3.2 Ensure a table exists (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5244
+
+ #### 3.4.3.3 Ensure base chains exist (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5245
+
+ #### 3.4.3.4 Ensure loopback traffic is configured (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5246
+
+ #### 3.4.3.5 Ensure outbound and established connections are
+ #### configured (Not Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5247
+
+ #### 3.4.3.6 Ensure default deny firewall policy (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5248
+
+ #### 3.4.3.7 Ensure nftables service is enabled (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5249
+
+ #### 3.4.3.8 Ensure nftables rules are permanent (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5250
+
+ ### 3.4.4 Configure iptables
+
+ #### 3.4.4.1 Configure IPv4 iptables
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5251
+
+ ##### 3.4.4.1.1 Ensure default deny firewall policy (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5252
+
+ ##### 3.4.4.1.2 Ensure loopback traffic is configured (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5253
+
+ ##### 3.4.4.1.3 Ensure outbound and established connections are
+ ##### configured (Not Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5254
+
+ ##### 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5255
+
+ #### 3.4.4.2 Configure IPv6 ip6tables
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5256
+
+ ##### 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5257
+
+ ##### 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5258
+
+ ##### 3.4.4.2.3 Ensure IPv6 outbound and established connections are
+ ##### configured (Not Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5260
+
+ ## 3.5 Ensure wireless interfaces are disabled (Scored)
+ - wireless_disable_interfaces
+
+ ## 3.6 Disable IPv6 (Not Scored)
+ - kernel_module_ipv6_option_disabled
+
+ # Logging and Auditing
+
+ ## 4.1 Configure System Accounting (auditd)
+
+ ### 4.1.1 Ensure auditing is enabled
+
+ #### 4.1.1.1 Ensure auditd is installed (Scored)
+ - package_audit_installed
+
+ #### 4.1.1.2 Ensure auditd service is enabled (Scored)
+ - service_auditd_enabled
+
+ #### 4.1.1.3 Ensure auditing for processes that start prior to audit
+ #### is enabled (Scored)
+ - grub2_audit_argument
+
+ #### 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
+ - grub2_audit_backlog_limit_argument
+
+ ### 4.1.2 Configure Data Retention
+
+ #### 4.1.2.1 Ensure audit log storage size is configured (Scored)
+ - auditd_data_retention_max_log_file
+
+ #### 4.1.2.2 Ensure audit logs are not automatically deleted (Scored)
+ - auditd_data_retention_max_log_file_action
+
+ #### 4.1.2.3 Ensure system is disabled when audit logs are full (Scored)
+ - var_auditd_space_left_action=email
+ - auditd_data_retention_space_left_action
+
+ ##### action_mail_acct = root
+ - var_auditd_action_mail_acct=root
+ - auditd_data_retention_action_mail_acct
+
+ ##### admin_space_left_action = halt
+ - var_auditd_admin_space_left_action=halt
+ - auditd_data_retention_admin_space_left_action
+
+ ### 4.1.3 Ensure changes to system administration scope
+ ### (sudoers) is collected (Scored)
+ - audit_rules_sysadmin_actions
+
+ ### 4.1.4 Ensure login and logout events are collected (Scored)
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+
+ ### 4.1.5 Ensure session initiation information is collected (Scored)
+ - audit_rules_session_events
+
+ ### 4.1.6 Ensure events that modify date and time information
+ ### are collected (Scored)
+ #### adjtimex
+ - audit_rules_time_adjtimex
+
+ #### settimeofday
+ - audit_rules_time_settimeofday
+
+ #### stime
+ - audit_rules_time_stime
+
+ #### clock_settime
+ - audit_rules_time_clock_settime
+
+ #### -w /etc/localtime -p wa
+ - audit_rules_time_watch_localtime
+
+ ### 4.1.7 Ensure events that modify the system's Mandatory
+ ### Access Control are collected (Scored)
+ #### -w /etc/selinux/ -p wa
+ - audit_rules_mac_modification
+
+ #### -w /usr/share/selinux/ -p wa
+ # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264
+
+ ### 4.1.8 Ensure events that modify the system's network
+ ### enironment are collected (Scored)
+ - audit_rules_networkconfig_modification
+
+ ### 4.1.9 Ensure discretionary access control permission modification
+ ### events are collected (Scored)
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_fremovexattr
+
+ ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
+ ### collected (Scored)
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ # Opinionated selection
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+
+ ### 4.1.11 Ensure events that modify user/group information are
+ ### collected (Scored)
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_shadow
+ - audit_rules_usergroup_modification_opasswd
+
+ ### 4.1.12 Ensure successful file system mounts are collected (Scored)
+ - audit_rules_media_export
+
+ ### 4.1.13 Ensure use of privileged commands is collected (Scored)
+ - audit_rules_privileged_commands
+
+ ### 4.1.14 Ensure file deletion events by users are collected
+ ### (Scored)
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ # Opinionated selection
+ - audit_rules_file_deletion_events_rmdir
+
+ ### 4.1.15 Ensure kernel module loading and unloading is collected
+ ### (Scored)
+ - audit_rules_kernel_module_loading
+
+ ### 4.1.16 Ensure system administrator actions (sudolog) are
+ ### collected (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
+
+ ### 4.1.17 Ensure the audit configuration is immutable (Scored)
+ - audit_rules_immutable
+
+ ## 4.2 Configure Logging
+
+ ### 4.2.1 Configure rsyslog
+
+ #### 4.2.1.1 Ensure rsyslog is installed (Scored)
+ - package_rsyslog_installed
+
+ #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored)
+ - service_rsyslog_enabled
+
+ #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
+ - rsyslog_files_permissions
+
+ #### 4.2.1.4 Ensure logging is configured (Not Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519
+
+ #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote
+ #### log host (Scored)
+ - rsyslog_remote_loghost
+
+ #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on
+ #### designated log hosts (Not Scored)
+ - rsyslog_nolisten
+
+ ### 4.2.2 Configure journald
+
+ #### 4.2.2.1 Ensure journald is configured to send logs to
+ #### rsyslog (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520
+
+ #### 4.2.2.2 Ensure journald is configured to compress large
+ #### log files (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521
+
+
+ #### 4.2.2.3 Ensure journald is configured to write logfiles to
+ #### persistent disk (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522
+
+ ### 4.2.3 Ensure permissions on all logfiles are configured (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523
+
+ ## 4.3 Ensure logrotate is conifgured (Not Scored)
+ - ensure_logrotate_activated
+
+ # 5 Access, Authentication and Authorization
+
+ ## 5.1 Configure cron
+
+ ### 5.1.1 Ensure cron daemon is enabled (Scored)
+ - service_crond_enabled
+
+
+ ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
+ # chown root:root /etc/crontab
+ - file_owner_crontab
+ - file_groupowner_crontab
+ # chmod og-rwx /etc/crontab
+ - file_permissions_crontab
+
+ ### 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
+ # chown root:root /etc/cron.hourly
+ - file_owner_cron_hourly
+ - file_groupowner_cron_hourly
+ # chmod og-rwx /etc/cron.hourly
+ - file_permissions_cron_hourly
+
+ ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
+ # chown root:root /etc/cron.daily
+ - file_owner_cron_daily
+ - file_groupowner_cron_daily
+ # chmod og-rwx /etc/cron.daily
+ - file_permissions_cron_daily
+
+ ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
+ # chown root:root /etc/cron.weekly
+ - file_owner_cron_weekly
+ - file_groupowner_cron_weekly
+ # chmod og-rwx /etc/cron.weekly
+ - file_permissions_cron_weekly
+
+ ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
+ # chown root:root /etc/cron.monthly
+ - file_owner_cron_monthly
+ - file_groupowner_cron_monthly
+ # chmod og-rwx /etc/cron.monthly
+ - file_permissions_cron_monthly
+
+ ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
+ # chown root:root /etc/cron.d
+ - file_owner_cron_d
+ - file_groupowner_cron_d
+ # chmod og-rwx /etc/cron.d
+ - file_permissions_cron_d
+
+ ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
+
+
+ ## 5.2 SSH Server Configuration
+
+ ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
+ # chown root:root /etc/ssh/sshd_config
+ - file_owner_sshd_config
+ - file_groupowner_sshd_config
+
+ # chmod og-rwx /etc/ssh/sshd_config
+ - file_permissions_sshd_config
+
+ ### 5.2.2 Ensure SSH access is limited (Scored)
+
+
+ ### 5.2.3 Ensure permissions on SSH private host key files are
+ ### configured (Scored)
+ # TO DO: The rule sets to 640, but benchmark wants 600
+ - file_permissions_sshd_private_key
+ # TO DO: check owner of private keys in /etc/ssh is root:root
+
+ ### 5.2.4 Ensure permissions on SSH public host key files are configured
+ ### (Scored)
+ - file_permissions_sshd_pub_key
+ # TO DO: check owner of pub keys in /etc/ssh is root:root
+
+ ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
+ - sshd_set_loglevel_info
+
+ ### 5.2.6 Ensure SSH X11 forward is disabled (Scored)
+ - sshd_disable_x11_forwarding
+
+ ### 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
+ - sshd_max_auth_tries_value=4
+ - sshd_set_max_auth_tries
+
+ ### 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored)
+ - sshd_disable_rhosts
+
+ ### 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored)
+ - disable_host_auth
+
+ ### 5.2.10 Ensure SSH root login is disabled (Scored)
+ - sshd_disable_root_login
+
+ ### 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored)
+ - sshd_disable_empty_passwords
+
+ ### 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored)
+ - sshd_do_not_permit_user_env
+
+ ### 5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored)
+ # ClientAliveInterval 300
+ - sshd_idle_timeout_value=5_minutes
+ - sshd_set_idle_timeout
+
+ # ClientAliveCountMax 0
+ - sshd_set_keepalive
+
+ ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
+ ### or less (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525
+
+ ### 5.2.15 Ensure SSH warning banner is configured (Scored)
+ - sshd_enable_warning_banner
+
+ ### 5.2.16 Ensure SSH PAM is enabled (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526
+
+ ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored)
+ - sshd_disable_tcp_forwarding
+
+ ### 5.2.18 Ensure SSH MaxStarups is configured (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5528
+
+ ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
+ - sshd_set_max_sessions
+ - var_sshd_max_sessions=4
+
+ ### 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored)
+ - configure_ssh_crypto_policy
+
+ ## 5.3 Configure authselect
+
+
+ ### 5.3.1 Create custom authselectet profile (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530
+
+ ### 5.3.2 Select authselect profile (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531
+
+ ### 5.3.3 Ensure authselect includes with-faillock (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532
+
+ ## 5.4 Configure PAM
+
+ ### 5.4.1 Ensure password creation requirements are configured (Scored)
+ # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533
+ - accounts_password_pam_retry
+ - var_password_pam_minlen=14
+ - accounts_password_pam_minlen
+ - var_password_pam_minclass=4
+ - accounts_password_pam_minclass
+
+ ### 5.4.2 Ensure lockout for failed password attempts is
+ ### configured (Scored)
+ - var_accounts_passwords_pam_faillock_unlock_time=900
+ - var_accounts_passwords_pam_faillock_deny=5
+ - accounts_passwords_pam_faillock_unlock_time
+ - accounts_passwords_pam_faillock_deny
+
+ ### 5.4.3 Ensure password reuse is limited (Scored)
+ - var_password_pam_unix_remember=5
+ - accounts_password_pam_unix_remember
+
+ ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
+ - set_password_hashing_algorithm_systemauth
+
+ ## 5.5 User Accounts and Environment
+
+ ### 5.5.1 Set Shadow Password Suite Parameters
+
+ #### 5.5.1 Ensure password expiration is 365 days or less (Scored)
+ - var_accounts_maximum_age_login_defs=365
+ - accounts_maximum_age_login_defs
+
+ #### 5.5.1.2 Ensure minimum days between password changes is 7
+ #### or more (Scored)
+ - var_accounts_minimum_age_login_defs=7
+ - accounts_minimum_age_login_defs
+
+ #### 5.5.1.3 Ensure password expiration warning days is
+ #### 7 or more (Scored)
+ - var_accounts_password_warn_age_login_defs=7
+ - accounts_password_warn_age_login_defs
+
+ #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
+ # TODO: Rule doesn't check list of users
+ # https://github.com/ComplianceAsCode/content/issues/5536
+ - var_account_disable_post_pw_expiration=30
+ - account_disable_post_pw_expiration
+
+ #### 5.5.1.5 Ensure all users last password change date is
+ #### in the past (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
+
+ ### 5.5.2 Ensure system accounts are secured (Scored)
+ - no_shelllogin_for_systemaccounts
+
+ ### 5.5.3 Ensure default user shell timeout is 900 seconds
+ ### or less (Scored)
+ - var_accounts_tmout=15_min
+ - accounts_tmout
+
+ ### 5.5.4 Ensure default group for the root account is
+ ### GID 0 (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
+
+ ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
+ - var_accounts_user_umask=027
+ - accounts_umask_etc_bashrc
+ - accounts_umask_etc_profile
+
+ ## 5.6 Ensure root login is restricted to system console (Not Scored)
+ - securetty_root_login_console_only
+ - no_direct_root_logins
+
+ ## 5.7 Ensure access to the su command is restricted (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541
+
+ # System Maintenance
+
+ ## 6.1 System File Permissions
+
+ ### 6.1.1 Audit system file permissions (Not Scored)
+ - rpm_verify_permissions
+ - rpm_verify_ownership
+
+ ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
+ # chown root:root /etc/passwd
+ - file_owner_etc_passwd
+ - file_groupowner_etc_passwd
+
+ # chmod 644 /etc/passwd
+ - file_permissions_etc_passwd
+
+ ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
+ # chown root:root /etc/shadow
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+
+ # chmod o-rwx,g-wx /etc/shadow
+ - file_permissions_etc_shadow
+
+ ### 6.1.4 Ensure permissions on /etc/group are configured (Scored)
+ # chown root:root /etc/group
+ - file_owner_etc_group
+ - file_groupowner_etc_group
+
+ # chmod 644 /etc/group
+ - file_permissions_etc_group
+
+ ### 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
+ # chown root:root /etc/gshadow
+ - file_owner_etc_gshadow
+ - file_groupowner_etc_gshadow
+
+ # chmod o-rwx,g-rw /etc/gshadow
+ - file_permissions_etc_gshadow
+
+ ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
+ # chown root:root /etc/passwd-
+ - file_owner_backup_etc_passwd
+ - file_groupowner_backup_etc_passwd
+
+ # chmod 644 /etc/passwd-
+ - file_permissions_backup_etc_passwd
+
+ ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
+ # chown root:root /etc/shadow-
+ - file_owner_backup_etc_shadow
+ - file_groupowner_backup_etc_shadow
+
+ # chmod 0000 /etc/shadow-
+ - file_permissions_backup_etc_shadow
+
+ ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
+ # chown root:root /etc/group-
+ - file_owner_backup_etc_group
+ - file_groupowner_backup_etc_group
+
+ # chmod 644 /etc/group-
+ - file_permissions_backup_etc_group
+
+ ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
+ # chown root:root /etc/gshadow-
+ - file_owner_backup_etc_gshadow
+ - file_groupowner_backup_etc_gshadow
+
+ # chmod 0000 /etc/gshadow-
+ - file_permissions_backup_etc_gshadow
+
+ ### 6.1.10 Ensure no world writable files exist (Scored)
+ - file_permissions_unauthorized_world_writable
+
+ ### 6.1.11 Ensure no unowned files or directories exist (Scored)
+ - no_files_unowned_by_user
+
+ ### 6.1.12 Ensure no ungrouped files or directories exist (Scored)
+ - file_permissions_ungroupowned
+
+ ### 6.1.13 Audit SUID executables (Not Scored)
+ - file_permissions_unauthorized_suid
+
+ ### 6.1.14 Audit SGID executables (Not Scored)
+ - file_permissions_unauthorized_sgid
+
+ ## 6.2 User and Group Settings
+
+ ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
+ - no_legacy_plus_entries_etc_passwd
+
+ ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
+ - no_legacy_plus_entries_etc_shadow
+
+ ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
+ - no_legacy_plus_entries_etc_group
+
+ ### 6.2.6 Ensure root is the only UID 0 account (Scored)
+ - accounts_no_uid_except_zero
+
+ ### 6.2.7 Ensure users' home directories permissions are 750
+ ### or more restrictive (Scored)
+ - file_permissions_home_dirs
+
+ ### 6.2.8 Ensure users own their home directories (Scored)
+ # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507
+ - file_groupownership_home_directories
+
+ ### 6.2.9 Ensure users' dot files are not group or world
+ ### writable (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506
+
+ ### 6.2.10 Ensure no users have .forward files (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505
+
+ ### 6.2.11 Ensure no users have .netrc files (Scored)
+ - no_netrc_files
+
+ ### 6.2.12 Ensure users' .netrc Files are not group or
+ ### world accessible (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504
+
+ ### 6.2.13 Ensure no users have .rhosts files (Scored)
+ - no_rsh_trust_files
+
+ ### 6.2.14 Ensure all groups in /etc/passwd exist in
+ ### /etc/group (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503
+
+ ### 6.2.15 Ensure no duplicate UIDs exist (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5502
+
+ ### 6.2.16 Ensure no duplicate GIDs exist (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5501
+
+ ### 6.2.17 Ensure no duplicate user names exist (Scored)
+ - account_unique_name
+
+ ### 6.2.18 Ensure no duplicate group names exist (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500
+
+ ### 6.2.19 Ensure shadow group is empty (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499
+
+ ### 6.2.20 Ensure all users' home directories exist (Scored)
+ - accounts_user_interactive_home_directory_exists
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cjis.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cjis.profile
new file mode 100644
index 00000000..56fdc398
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cjis.profile
@@ -0,0 +1,139 @@
+documentation_complete: true
+
+metadata:
+ version: 5.4
+ SMEs:
+ - carlosmmatos
+
+reference: https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
+
+title: 'Criminal Justice Information Services (CJIS) Security Policy'
+
+description: |-
+ This profile is derived from FBI's CJIS v5.4
+ Security Policy. A copy of this policy can be found at the CJIS Security
+ Policy Resource Center:
+
+ https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
+
+selections:
+ - service_auditd_enabled
+ - grub2_audit_argument
+ - auditd_data_retention_num_logs
+ - auditd_data_retention_max_log_file
+ - auditd_data_retention_max_log_file_action
+ - auditd_data_retention_space_left_action
+ - auditd_data_retention_admin_space_left_action
+ - auditd_data_retention_action_mail_acct
+ - auditd_audispd_syslog_plugin_activated
+ - audit_rules_time_adjtimex
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_clock_settime
+ - audit_rules_time_watch_localtime
+ - audit_rules_usergroup_modification
+ - audit_rules_networkconfig_modification
+ - file_permissions_var_log_audit
+ - file_ownership_var_log_audit
+ - audit_rules_mac_modification
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_login_events
+ - audit_rules_session_events
+ - audit_rules_unsuccessful_file_modification
+ - audit_rules_privileged_commands
+ - audit_rules_media_export
+ - audit_rules_file_deletion_events
+ - audit_rules_sysadmin_actions
+ - audit_rules_kernel_module_loading
+ - audit_rules_immutable
+ - account_unique_name
+ - gid_passwd_group_same
+ - accounts_password_all_shadowed
+ - no_empty_passwords
+ - display_login_attempts
+ - var_accounts_password_minlen_login_defs=12
+ - var_accounts_maximum_age_login_defs=90
+ - var_password_pam_unix_remember=10
+ - var_account_disable_post_pw_expiration=0
+ - var_password_pam_minlen=12
+ - var_accounts_minimum_age_login_defs=1
+ - var_password_pam_difok=6
+ - var_accounts_max_concurrent_login_sessions=3
+ - account_disable_post_pw_expiration
+ - accounts_password_pam_minlen
+ - accounts_minimum_age_login_defs
+ - accounts_password_pam_difok
+ - accounts_max_concurrent_login_sessions
+ - set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_logindefs
+ - set_password_hashing_algorithm_libuserconf
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+ - file_permissions_etc_shadow
+ - file_owner_etc_group
+ - file_groupowner_etc_group
+ - file_permissions_etc_group
+ - file_owner_etc_passwd
+ - file_groupowner_etc_passwd
+ - file_permissions_etc_passwd
+ - file_owner_grub2_cfg
+ - file_groupowner_grub2_cfg
+ - var_password_pam_retry=5
+ - var_accounts_passwords_pam_faillock_deny=5
+ - var_accounts_passwords_pam_faillock_unlock_time=600
+ - dconf_db_up_to_date
+ - dconf_gnome_screensaver_idle_delay
+ - dconf_gnome_screensaver_idle_activation_enabled
+ - dconf_gnome_screensaver_lock_enabled
+ - dconf_gnome_screensaver_mode_blank
+ - sshd_allow_only_protocol2
+ - sshd_set_idle_timeout
+ - sshd_set_keepalive
+ - disable_host_auth
+ - sshd_disable_root_login
+ - sshd_disable_empty_passwords
+ - sshd_enable_warning_banner
+ - sshd_do_not_permit_user_env
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
+ - kernel_module_dccp_disabled
+ - kernel_module_sctp_disabled
+ - service_firewalld_enabled
+ - set_firewalld_default_zone
+ - firewalld_sshd_port_enabled
+ - sshd_idle_timeout_value=30_minutes
+ - inactivity_timeout_value=30_minutes
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv4_tcp_syncookies
+ - sysctl_net_ipv4_conf_all_send_redirects
+ - sysctl_net_ipv4_conf_default_send_redirects
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+ - var_password_pam_ocredit=1
+ - var_password_pam_dcredit=1
+ - var_password_pam_ucredit=1
+ - var_password_pam_lcredit=1
+ - package_aide_installed
+ - aide_build_database
+ - aide_periodic_cron_checking
+ - rpm_verify_permissions
+ - rpm_verify_hashes
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_never_disabled
+ - security_patches_up_to_date
+ - kernel_module_bluetooth_disabled
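Review bot: The `ensure_redhat_gpgkey_installed` selection near the end of this list is carried unchanged into a rocky8 product profile; if the rule still looks for the Red Hat release signing key it will either fail on every Rocky host or pass without ever verifying the key that Rocky packages are actually signed with, which hollows out the neighbouring `ensure_gpgcheck_globally_activated` and `ensure_gpgcheck_never_disabled` selections. The same selection is added by this commit in e8.profile and hipaa.profile. Confirm the rule is product-aware for rocky8 or point it at the Rocky Linux release key, and until then mark the line with `# TODO(rocky8): confirm this rule checks the Rocky signing key, not the Red Hat one`.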
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cui.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cui.profile
new file mode 100644
index 00000000..bf6d9511
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cui.profile
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+metadata:
+ version: TBD
+ SMEs:
+ - carlosmmatos
+
+title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
+
+description: |-
+ From NIST 800-171, Section 2.2:
+ Security requirements for protecting the confidentiality of CUI in nonfederal
+ information systems and organizations have a well-defined structure that
+ consists of:
+
+ (i) a basic security requirements section;
+ (ii) a derived security requirements section.
+
+ The basic security requirements are obtained from FIPS Publication 200, which
+ provides the high-level and fundamental security requirements for federal
+ information and information systems. The derived security requirements, which
+ supplement the basic security requirements, are taken from the security controls
+ in NIST Special Publication 800-53.
+
+ This profile configures Red Hat Enterprise Linux 8 to the NIST Special
+ Publication 800-53 controls identified for securing Controlled Unclassified
+ Information (CUI)."
+
+extends: ospp
+
+selections:
+ - inactivity_timeout_value=10_minutes
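Review bot: The description ends with a stray double quote (`Information (CUI)."`) and still says the profile configures Red Hat Enterprise Linux 8, although the file is placed under the rocky8 product; both strings are rendered verbatim into the generated guide and data stream. Suggest `Information (CUI).` and `This profile configures Rocky Linux 8 to the NIST Special`. The e8, hipaa and ism_o profiles added in this commit carry the same Red Hat Enterprise Linux 8 wording in their descriptions. `version: TBD` under metadata is also a placeholder; if no policy version applies, dropping the key is cleaner than shipping a placeholder value.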
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/e8.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/e8.profile
new file mode 100644
index 00000000..552da779
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/e8.profile
@@ -0,0 +1,149 @@
+documentation_complete: true
+
+metadata:
+ SMEs:
+ - shaneboulden
+
+reference: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-linux-environments
+
+title: 'Australian Cyber Security Centre (ACSC) Essential Eight'
+
+description: |-
+ This profile contains configuration checks for Red Hat Enterprise Linux 8
+ that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
+
+ A copy of the Essential Eight in Linux Environments guide can be found at the
+ ACSC website:
+
+ https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
+
+selections:
+
+ ### Remove obsolete packages
+ - package_talk_removed
+ - package_talk-server_removed
+ - package_xinetd_removed
+ - service_xinetd_disabled
+ - package_ypbind_removed
+ - package_telnet_removed
+ - service_telnet_disabled
+ - package_telnet-server_removed
+ - package_rsh_removed
+ - package_rsh-server_removed
+ - service_zebra_disabled
+ - package_quagga_removed
+ - service_avahi-daemon_disabled
+ - package_squid_removed
+ - service_squid_disabled
+
+ ### Software update
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_never_disabled
+ - ensure_gpgcheck_local_packages
+ - ensure_gpgcheck_globally_activated
+ - security_patches_up_to_date
+ - dnf-automatic_security_updates_only
+
+ ### System security settings
+ - sysctl_kernel_randomize_va_space
+ - sysctl_kernel_exec_shield
+ - sysctl_kernel_kptr_restrict
+ - sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_kexec_load_disabled
+ - sysctl_kernel_yama_ptrace_scope
+ - sysctl_kernel_unprivileged_bpf_disabled
+ - sysctl_net_core_bpf_jit_harden
+
+ ### SELinux
+ - var_selinux_state=enforcing
+ - selinux_state
+ - var_selinux_policy_name=targeted
+ - selinux_policytype
+
+ ### Filesystem integrity
+ - rpm_verify_hashes
+ - rpm_verify_permissions
+ - rpm_verify_ownership
+ - file_permissions_unauthorized_sgid
+ - file_permissions_unauthorized_suid
+ - file_permissions_unauthorized_world_writable
+ - dir_perms_world_writable_sticky_bits
+ - file_permissions_library_dirs
+ - file_ownership_binary_dirs
+ - file_permissions_binary_dirs
+ - file_ownership_library_dirs
+
+ ### Passwords
+ - no_empty_passwords
+
+ ### Partitioning
+ - mount_option_dev_shm_nodev
+ - mount_option_dev_shm_nosuid
+ - mount_option_dev_shm_noexec
+
+ ### Network
+ - package_firewalld_installed
+ - service_firewalld_enabled
+ - network_sniffer_disabled
+
+ ### Admin privileges
+ - accounts_no_uid_except_zero
+ - sudo_remove_nopasswd
+ - sudo_remove_no_authenticate
+ - sudo_require_authentication
+
+ ### Audit
+ - package_rsyslog_installed
+ - service_rsyslog_enabled
+ - service_auditd_enabled
+ - var_auditd_flush=incremental_async
+ - auditd_data_retention_flush
+ - auditd_local_events
+ - auditd_write_logs
+ - auditd_log_format
+ - auditd_freq
+ - auditd_name_format
+ - audit_rules_login_events_tallylog
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events
+ - audit_rules_time_adjtimex
+ - audit_rules_time_clock_settime
+ - audit_rules_time_watch_localtime
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_execution_restorecon
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setsebool
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_seunshare
+ - audit_rules_sysadmin_actions
+ - audit_rules_networkconfig_modification
+ - audit_rules_usergroup_modification
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_kernel_module_loading
+
+ ### Secure access
+ - sshd_disable_root_login
+ - sshd_disable_gssapi_auth
+ - sshd_print_last_log
+ - sshd_do_not_permit_user_env
+ - sshd_disable_rhosts
+ - sshd_set_loglevel_info
+ - sshd_disable_empty_passwords
+ - sshd_disable_user_known_hosts
+ - sshd_enable_strictmodes
+
+ # See also: https://www.cyber.gov.au/ism/guidelines-using-cryptography
+ - var_system_crypto_policy=default_nosha1
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
+
+ ### Application whitelisting
+ - package_fapolicyd_installed
+ - service_fapolicyd_enabled
+
+ ### Backup
+ - package_rear_installed
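Review bot: The `reference:` key points to the essential-eight-linux-environments publication, while the description says "A copy of the Essential Eight in Linux Environments guide can be found at" and then links the hardening-linux-workstations-and-servers publication; one of the two URLs is not the document being described. Align them, or reword the description so each link is named for what it actually is. The description's "Red Hat Enterprise Linux 8" wording also needs the rocky8 adjustment noted on cui.profile.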
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/hipaa.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/hipaa.profile
new file mode 100644
index 00000000..01f1cb75
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/hipaa.profile
@@ -0,0 +1,164 @@
+documentation_complete: True
+
+metadata:
+ SMEs:
+ - jjaswanson4
+ - carlosmmatos
+
+reference: https://www.hhs.gov/hipaa/for-professionals/index.html
+
+title: 'Health Insurance Portability and Accountability Act (HIPAA)'
+
+description: |-
+ The HIPAA Security Rule establishes U.S. national standards to protect individuals’
+ electronic personal health information that is created, received, used, or
+ maintained by a covered entity. The Security Rule requires appropriate
+ administrative, physical and technical safeguards to ensure the
+ confidentiality, integrity, and security of electronic protected health
+ information.
+
+ This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security
+ Rule identified for securing of electronic protected health information.
+ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
+
+selections:
+ - grub2_password
+ - grub2_uefi_password
+ - file_groupowner_grub2_cfg
+ - file_permissions_grub2_cfg
+ - file_owner_grub2_cfg
+ - grub2_disable_interactive_boot
+ - no_direct_root_logins
+ - no_empty_passwords
+ - require_singleuser_auth
+ - restrict_serial_port_logins
+ - securetty_root_login_console_only
+ - service_debug-shell_disabled
+ - disable_ctrlaltdel_reboot
+ - disable_ctrlaltdel_burstaction
+ - dconf_db_up_to_date
+ - dconf_gnome_remote_access_credential_prompt
+ - dconf_gnome_remote_access_encryption
+ - sshd_disable_empty_passwords
+ - sshd_disable_root_login
+ - libreswan_approved_tunnels
+ - no_rsh_trust_files
+ - package_rsh-server_removed
+ - package_talk_removed
+ - package_talk-server_removed
+ - package_telnet_removed
+ - package_telnet-server_removed
+ - package_xinetd_removed
+ - service_crond_enabled
+ - service_rexec_disabled
+ - service_rlogin_disabled
+ - service_telnet_disabled
+ - service_xinetd_disabled
+ - service_zebra_disabled
+ - use_kerberos_security_all_exports
+ - disable_host_auth
+ - sshd_allow_only_protocol2
+ - sshd_disable_compression
+ - sshd_disable_gssapi_auth
+ - sshd_disable_kerb_auth
+ - sshd_do_not_permit_user_env
+ - sshd_enable_strictmodes
+ - sshd_enable_warning_banner
+ - sshd_set_keepalive
+ - encrypt_partitions
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
+ - var_selinux_policy_name=targeted
+ - var_selinux_state=enforcing
+ - grub2_enable_selinux
+ - sebool_selinuxuser_execheap
+ - sebool_selinuxuser_execmod
+ - sebool_selinuxuser_execstack
+ - selinux_confinement_of_daemons
+ - selinux_policytype
+ - selinux_state
+ - service_kdump_disabled
+ - sysctl_fs_suid_dumpable
+ - sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_exec_shield
+ - sysctl_kernel_randomize_va_space
+ - rpm_verify_hashes
+ - rpm_verify_permissions
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_never_disabled
+ - ensure_gpgcheck_local_packages
+ - grub2_audit_argument
+ - service_auditd_enabled
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_su
+ - audit_rules_immutable
+ - kernel_module_usb-storage_disabled
+ - service_autofs_disabled
+ - auditd_audispd_syslog_plugin_activated
+ - rsyslog_remote_loghost
+ - auditd_data_retention_flush
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_execution_chcon
+ - audit_rules_execution_restorecon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_mac_modification
+ - audit_rules_media_export
+ - audit_rules_networkconfig_modification
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_session_events
+ - audit_rules_sysadmin_actions
+ - audit_rules_system_shutdown
+ - audit_rules_time_adjtimex
+ - audit_rules_time_clock_settime
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_watch_localtime
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
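Review bot: `rsyslog_remote_loghost` is selected without the companion `rsyslog_remote_tls` and `rsyslog_remote_tls_cacert` rules that ism_o.profile in this same commit pairs with it, so a host configured from this profile forwards its logs — which for a HIPAA system will include access events tied to ePHI — to the loghost in cleartext. Consider adding `- rsyslog_remote_tls` and `- rsyslog_remote_tls_cacert` next to the loghost selection. Separately, `documentation_complete: True` uses a capitalised boolean where every sibling profile writes `true`; YAML accepts both, but the file should match the others.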
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ism_o.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ism_o.profile
new file mode 100644
index 00000000..a3c427c0
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ism_o.profile
@@ -0,0 +1,158 @@
+documentation_complete: true
+
+metadata:
+ SMEs:
+ - shaneboulden
+ - wcushen
+ - ahamilto156
+
+reference: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-linux-environments
+
+title: 'Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) Official'
+
+description: |-
+ This profile contains configuration checks for Red Hat Enterprise Linux 8
+ that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM)
+ with the Attorney-General’s Department (AGD)’s applicability marking of OFFICIAL.
+
+ A overview and list of Cyber security guidelines of the
+ Information Security Manual can be found at the ACSC website:
+
+ https://www.cyber.gov.au/ism
+
+extends: e8
+
+selections:
+
+ ## Operating system configuration
+ ## Identifiers 1491
+ - no_shelllogin_for_systemaccounts
+
+ ## Local administrator accounts
+ ## Identifiers 1410
+ - accounts_password_all_shadowed
+
+ ## Content filtering & Anti virus
+ ## Identifiers 1341 / 1034 / 1417 / 1288
+ - package_aide_installed
+
+ ## Software firewall
+ ## Identifiers 1416
+ - configure_firewalld_ports
+ ## Removing due to build error
+ ## - configure_firewalld_rate_limiting
+ - firewalld_sshd_port_enabled
+ - set_firewalld_default_zone
+
+ ## Endpoint device control software
+ ## Identifiers 1418
+ - package_usbguard_installed
+ - service_usbguard_enabled
+
+ ## Authentication hardening
+ ## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560
+ ## 1561 / 0421 / 1557 / 0422 / 1558 / 1403 / 0431
+ - disable_host_auth
+ - require_emergency_target_auth
+ - require_singleuser_auth
+ - sebool_authlogin_nsswitch_use_ldap
+ - sebool_authlogin_radius
+ - sshd_disable_kerb_auth
+ - sshd_set_max_auth_tries
+ - sssd_enable_smartcards
+ - accounts_password_minlen_login_defs
+ - var_password_pam_minlen=14
+ - accounts_password_pam_minlen
+ - accounts_password_pam_minclass
+ - accounts_password_pam_dcredit
+ - accounts_password_pam_lcredit
+ - accounts_password_pam_ocredit
+ - accounts_password_pam_ucredit
+ - accounts_password_pam_maxrepeat
+ - accounts_passwords_pam_faillock_deny
+ - accounts_passwords_pam_faillock_deny_root
+ - accounts_passwords_pam_faillock_interval
+ - accounts_passwords_pam_faillock_unlock_time
+
+ ## Password authentication & Protecting credentials
+ ## Identifiers 1055 / 0418 / 1402
+ - network_nmcli_permissions
+ - configure_kerberos_crypto_policy
+ - kerberos_disable_no_keytab
+ - sebool_kerberos_enabled
+ - sshd_disable_gssapi_auth
+ - enable_ldap_client
+ - set_password_hashing_algorithm_libuserconf
+ - set_password_hashing_algorithm_logindefs
+ - set_password_hashing_algorithm_systemauth
+ - accounts_password_warn_age_login_defs
+ - accounts_maximum_age_login_defs
+ - accounts_minimum_age_login_defs
+
+ ## System administration & MFA
+ ## Identifiers 1382 / 1384 / 1386
+ - package_sudo_installed
+ - package_opensc_installed
+ - var_smartcard_drivers=cac
+ - configure_opensc_card_drivers
+ - force_opensc_card_drivers
+ - package_pcsc-lite_installed
+ - service_pcscd_enabled
+ - sssd_enable_smartcards
+
+ ## System patching & Applicatoin versions
+ ## Identifiers 1493 / 1144 / 0940 / 1472 / 1494 / 1495 / 1467 / 1483
+ - dnf-automatic_apply_updates
+ - package_dnf-plugin-subscription-manager_installed
+ - package_subscription-manager_installed
+
+ ## Centralised logging facility
+ ## Identifiers 1405 / 0988
+ - rsyslog_cron_logging
+ - rsyslog_files_groupownership
+ - rsyslog_files_ownership
+ - rsyslog_files_permissions
+ - rsyslog_nolisten
+ - rsyslog_remote_loghost
+ - rsyslog_remote_tls
+ - rsyslog_remote_tls_cacert
+ - package_chrony_installed
+ - service_chronyd_enabled
+ - chronyd_or_ntpd_specify_multiple_servers
+ - chronyd_specify_remote_server
+ - service_chronyd_or_ntpd_enabled
+
+ ## Events to be logged
+ ## Identifiers 0584 / 0582 / 0585 / 0586 / 0846 / 0957
+ - display_login_attempts
+ - sebool_auditadm_exec_content
+ - audit_rules_privileged_commands
+ - audit_rules_session_events
+ - audit_rules_unsuccessful_file_modification
+ - audit_access_failed
+ - audit_access_success
+
+ ## Web application & Database servers
+ ## Identifiers 1552 / 1277
+ - openssl_use_strong_entropy
+
+ ## Network design and configuration
+ ## Identifiers 1311
+ - service_snmpd_disabled
+ - snmpd_use_newer_protocol
+
+ ## Wireless networks
+ ## Identifiers 1315 / 1319
+ - wireless_disable_interfaces
+ - network_ipv6_static_address
+
+ ## ASD Approved Cryptopgraphic Algorithims
+ ## Identifiers 1446
+ - enable_dracut_fips_module
+ - enable_fips_mode
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+
+ ## Secure Shell access
+ ## Identifiers 1506 / 1449 / 0487
+ - sshd_allow_only_protocol2
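Review bot: `sssd_enable_smartcards` is selected twice, once under "Authentication hardening" and again under "System administration & MFA"; the second occurrence is redundant and should be dropped so the list reflects one selection per rule. The commented-out `configure_firewalld_rate_limiting` with "Removing due to build error" is dead configuration — either fix the build error or remove the pair of lines and track the gap in an issue comment such as `# TODO: configure_firewalld_rate_limiting not selected, see <issue reference>`. The section comments also contain typos that will be read by maintainers: "Applicatoin" → "Application", "Cryptopgraphic Algorithims" → "Cryptographic Algorithms", and "A overview" → "An overview" in the description.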
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ospp-mls.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ospp-mls.profile
new file mode 100644
index 00000000..d1d1b8af
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ospp-mls.profile
@@ -0,0 +1,25 @@
+documentation_complete: false
+
+title: 'Protection Profile for General Purpose Operating Systems - MLS Mode'
+
+description: |-
+ Placeholder to put MLS specific rules
+
+extends: ospp
+
+selections:
+
+ ################################################
+ ## MUST INSTALL PACKAGES IN MLS MODE
+ #cups
+ #foomatic
+ #ghostscript
+ #ghostscript-fonts
+ #checkpolicy
+ #mcstrans
+ #policycoreutils-newrole
+ #selinux-policy-devel
+ ##xinetd
+ #iproute
+ #iputils
+ #netlabel_tools
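Review bot: Every entry under `selections:` is commented out, so this profile contributes no rules of its own and, via `extends: ospp`, builds into a data stream that is an exact copy of the ospp profile under a different MLS title. Shipping it for rocky8 risks users choosing it expecting MLS-specific hardening that is not there; either keep it out of the product until the package list is turned into real selections, or state plainly in the description that the profile currently adds nothing beyond ospp, e.g. `Placeholder to put MLS specific rules; currently identical to the ospp profile.`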
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ospp.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ospp.profile
new file mode 100644
index 00000000..88cb0edd
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ospp.profile
@@ -0,0 +1,443 @@
+documentation_complete: true
+
+metadata:
+ version: 4.2.1
+ SMEs:
+ - comps
+ - carlosmmatos
+ - stevegrubb
+
+reference: https://www.niap-ccevs.org/Profile/PP.cfm
+
+title: 'Protection Profile for General Purpose Operating Systems'
+
+description: |-
+ This profile reflects mandatory configuration controls identified in the
+ NIAP Configuration Annex to the Protection Profile for General Purpose
+ Operating Systems (Protection Profile Version 4.2.1).
+
+ This configuration profile is consistent with CNSSI-1253, which requires
+ U.S. National Security Systems to adhere to certain configuration
+ parameters. Accordingly, this configuration profile is suitable for
+ use in U.S. National Security Systems.
+
+selections:
+
+ #######################################################
+ ### GENERAL REQUIREMENTS
+ ### Things needed to meet OSPP functional requirements.
+ #######################################################
+
+ ### Partitioning
+ - mount_option_home_nodev
+ - mount_option_home_nosuid
+ - mount_option_tmp_nodev
+ - mount_option_tmp_noexec
+ - mount_option_tmp_nosuid
+ - mount_option_var_tmp_nodev
+ - mount_option_var_tmp_noexec
+ - mount_option_var_tmp_nosuid
+ - mount_option_dev_shm_nodev
+ - mount_option_dev_shm_noexec
+ - mount_option_dev_shm_nosuid
+ - mount_option_nodev_nonroot_local_partitions
+ - mount_option_boot_nodev
+ - mount_option_boot_nosuid
+ - partition_for_home
+ - partition_for_var
+ - mount_option_var_nodev
+ - partition_for_var_log
+ - mount_option_var_log_nodev
+ - mount_option_var_log_nosuid
+ - mount_option_var_log_noexec
+ - partition_for_var_log_audit
+ - mount_option_var_log_audit_nodev
+ - mount_option_var_log_audit_nosuid
+ - mount_option_var_log_audit_noexec
+
+ ### Services
+ # sshd
+ - sshd_disable_root_login
+ - sshd_enable_strictmodes
+ - disable_host_auth
+ - sshd_disable_empty_passwords
+ - sshd_disable_kerb_auth
+ - sshd_disable_gssapi_auth
+ - sshd_set_keepalive
+ - sshd_enable_warning_banner
+ - sshd_rekey_limit
+ - var_rekey_limit_size=1G
+ - var_rekey_limit_time=1hour
+ - sshd_use_strong_rng
+ - openssl_use_strong_entropy
+
+ # Time Server
+ - chronyd_client_only
+ - chronyd_no_chronyc_network
+
+ ### Network Settings
+ - sysctl_net_ipv6_conf_all_accept_ra
+ - sysctl_net_ipv6_conf_default_accept_ra
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ - sysctl_net_ipv6_conf_all_accept_redirects
+ - sysctl_net_ipv6_conf_default_accept_redirects
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv6_conf_all_accept_source_route
+ - sysctl_net_ipv6_conf_default_accept_source_route
+ - sysctl_net_ipv4_conf_all_secure_redirects
+ - sysctl_net_ipv4_conf_default_secure_redirects
+ - sysctl_net_ipv4_conf_all_send_redirects
+ - sysctl_net_ipv4_conf_default_send_redirects
+ - sysctl_net_ipv4_conf_all_log_martians
+ - sysctl_net_ipv4_conf_default_log_martians
+ - sysctl_net_ipv4_conf_all_rp_filter
+ - sysctl_net_ipv4_conf_default_rp_filter
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+ - sysctl_net_ipv4_ip_forward
+ - sysctl_net_ipv4_tcp_syncookies
+
+ ### systemd
+ - disable_ctrlaltdel_reboot
+ - disable_ctrlaltdel_burstaction
+ - service_debug-shell_disabled
+
+ ### umask
+ - var_accounts_user_umask=027
+ - accounts_umask_etc_profile
+ - accounts_umask_etc_bashrc
+ - accounts_umask_etc_csh_cshrc
+
+ ### Software update
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_local_packages
+ - ensure_gpgcheck_never_disabled
+
+ ### Passwords
+ - var_password_pam_difok=4
+ - accounts_password_pam_difok
+ - var_password_pam_maxrepeat=3
+ - accounts_password_pam_maxrepeat
+ - var_password_pam_maxclassrepeat=4
+ - accounts_password_pam_maxclassrepeat
+
+ ### Kernel Config
+ ## Boot prompt
+ - grub2_audit_argument
+ - grub2_audit_backlog_limit_argument
+ - grub2_slub_debug_argument
+ - grub2_page_poison_argument
+ - grub2_vsyscall_argument
+ - grub2_vsyscall_argument.role=unscored
+ - grub2_vsyscall_argument.severity=info
+ - grub2_pti_argument
+ - grub2_kernel_trust_cpu_rng
+
+ ## Security Settings
+ - sysctl_kernel_kptr_restrict
+ - sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_kexec_load_disabled
+ - sysctl_kernel_yama_ptrace_scope
+ - sysctl_kernel_perf_event_paranoid
+ - sysctl_user_max_user_namespaces
+ - sysctl_user_max_user_namespaces.role=unscored
+ - sysctl_user_max_user_namespaces.severity=info
+ - sysctl_kernel_unprivileged_bpf_disabled
+ - sysctl_net_core_bpf_jit_harden
+ - service_kdump_disabled
+
+ ## File System Settings
+ - sysctl_fs_protected_hardlinks
+ - sysctl_fs_protected_symlinks
+
+ ### Audit
+ - service_auditd_enabled
+ - var_auditd_flush=incremental_async
+ - auditd_data_retention_flush
+ - auditd_local_events
+ - auditd_write_logs
+ - auditd_log_format
+ - auditd_freq
+ - auditd_name_format
+
+ ### Module Blacklist
+ - kernel_module_cramfs_disabled
+ - kernel_module_bluetooth_disabled
+ - kernel_module_sctp_disabled
+ - kernel_module_firewire-core_disabled
+ - kernel_module_atm_disabled
+ - kernel_module_can_disabled
+ - kernel_module_tipc_disabled
+
+ ### rpcbind
+
+ ### Install Required Packages
+ - package_aide_installed
+ - package_dnf-automatic_installed
+ - package_subscription-manager_installed
+ - package_dnf-plugin-subscription-manager_installed
+ - package_firewalld_installed
+ - package_openscap-scanner_installed
+ - package_policycoreutils_installed
+ - package_sudo_installed
+ - package_usbguard_installed
+ - package_scap-security-guide_installed
+ - package_audit_installed
+ - package_crypto-policies_installed
+ - package_openssh-server_installed
+ - package_openssh-clients_installed
+ - package_policycoreutils-python-utils_installed
+ - package_rsyslog_installed
+ - package_rsyslog-gnutls_installed
+ - package_audispd-plugins_installed
+ - package_chrony_installed
+ - package_gnutls-utils_installed
+
+ ### Remove Prohibited Packages
+ - package_sendmail_removed
+ - package_iprutils_removed
+ - package_gssproxy_removed
+ - package_nfs-utils_removed
+ - package_krb5-workstation_removed
+ - package_abrt-addon-kerneloops_removed
+ - package_abrt-addon-python_removed
+ - package_abrt-addon-ccpp_removed
+ - package_abrt-plugin-rhtsupport_removed
+ - package_abrt-plugin-logger_removed
+ - package_abrt-plugin-sosreport_removed
+ - package_abrt-cli_removed
+ - package_abrt_removed
+
+ ### Login
+ - disable_users_coredumps
+ - sysctl_kernel_core_pattern
+ - coredump_disable_storage
+ - coredump_disable_backtraces
+ - service_systemd-coredump_disabled
+ - var_accounts_max_concurrent_login_sessions=10
+ - accounts_max_concurrent_login_sessions
+ - securetty_root_login_console_only
+ - var_password_pam_unix_remember=5
+ - accounts_password_pam_unix_remember
+ - use_pam_wheel_for_su
+
+ ### SELinux Configuration
+ - var_selinux_state=enforcing
+ - selinux_state
+ - var_selinux_policy_name=targeted
+ - selinux_policytype
+
+ ### Application Whitelisting (RHEL 8)
+ - package_fapolicyd_installed
+ - service_fapolicyd_enabled
+
+ ### Configure USBGuard
+ - service_usbguard_enabled
+ - configure_usbguard_auditbackend
+ - usbguard_allow_hid_and_hub
+
+
+ ### Enable / Configure FIPS
+ - enable_fips_mode
+ - var_system_crypto_policy=fips_ospp
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
+ - configure_bind_crypto_policy
+ - configure_openssl_crypto_policy
+ - configure_libreswan_crypto_policy
+ - configure_kerberos_crypto_policy
+ - enable_dracut_fips_module
+
+ #######################################################
+ ### CONFIGURATION ANNEX TO THE PROTECTION PROFILE
+ ### FOR GENERAL PURPOSE OPERATING SYSTEMS
+ ### ANNEX RELEASE 1
+ ### FOR PROTECTION PROFILE VERSIONS 4.2
+ ###
+ ### https://www.niap-ccevs.org/MMO/PP/-442ConfigAnnex-/
+ #######################################################
+
+ ## Configure Minimum Password Length to 12 Characters
+ ## IA-5 (1)(a) / FMT_MOF_EXT.1
+ - var_accounts_password_minlen_login_defs=12
+ - accounts_password_minlen_login_defs
+ - var_password_pam_minlen=12
+ - accounts_password_pam_minlen
+
+ ## Require at Least 1 Special Character in Password
+ ## IA-5(1)(a) / FMT_MOF_EXT.1
+ - var_password_pam_ocredit=1
+ - accounts_password_pam_ocredit
+
+ ## Require at Least 1 Numeric Character in Password
+ ## IA-5(1)(a) / FMT_MOF_EXT.1
+ - var_password_pam_dcredit=1
+ - accounts_password_pam_dcredit
+
+ ## Require at Least 1 Uppercase Character in Password
+ ## IA-5(1)(a) / FMT_MOF_EXT.1
+ - var_password_pam_ucredit=1
+ - accounts_password_pam_ucredit
+
+ ## Require at Least 1 Lowercase Character in Password
+ ## IA-5(1)(a) / FMT_MOF_EXT.1
+ - var_password_pam_lcredit=1
+ - accounts_password_pam_lcredit
+
+ ## Enable Screen Lock
+ ## FMT_MOF_EXT.1
+ - package_tmux_installed
+ - configure_bashrc_exec_tmux
+ - no_tmux_in_shells
+ - configure_tmux_lock_command
+ - configure_tmux_lock_after_time
+
+ ## Set Screen Lock Timeout Period to 30 Minutes or Less
+ ## AC-11(a) / FMT_MOF_EXT.1
+ ## We deliberately set sshd timeout to 1 minute before tmux lock timeout
+ - sshd_idle_timeout_value=14_minutes
+ - sshd_set_idle_timeout
+
+ ## Disable Unauthenticated Login (such as Guest Accounts)
+ ## FIA_UAU.1
+ - require_singleuser_auth
+ - grub2_disable_interactive_boot
+ - grub2_uefi_password
+ - no_empty_passwords
+
+ ## Set Maximum Number of Authentication Failures to 3 Within 15 Minutes
+ ## AC-7 / FIA_AFL.1
+ - var_accounts_passwords_pam_faillock_deny=3
+ - accounts_passwords_pam_faillock_deny
+ - var_accounts_passwords_pam_faillock_fail_interval=900
+ - accounts_passwords_pam_faillock_interval
+ - var_accounts_passwords_pam_faillock_unlock_time=never
+ - accounts_passwords_pam_faillock_unlock_time
+
+ ## Enable Host-Based Firewall
+ ## SC-7(12) / FMT_MOF_EXT.1
+ - service_firewalld_enabled
+
+ ## Configure Name/Addres of Remote Management Server
+ ## From Which to Receive Config Settings
+ ## CM-3(3) / FMT_MOF_EXT.1
+
+ ## Configure the System to Offload Audit Records to a Log
+ ## Server
+ ## AU-4(1) / FAU_GEN.1.1.c
+ # temporarily dropped
+
+ ## Set Logon Warning Banner
+ ## AC-8(a) / FMT_MOF_EXT.1
+
+ ## Audit All Logons (Success/Failure) and Logoffs (Success)
+ ## CNSSI 1253 Value or DoD-Specific Values:
+ ## (1) Logons (Success/Failure)
+ ## (2) Logoffs (Success)
+ ## AU-2(a) / FAU_GEN.1.1.c
+
+ ## Audit File and Object Events (Unsuccessful)
+ ## CNSSI 1253 Value or DoD-specific Values:
+ ## (1) Create (Success/Failure)
+ ## (2) Access (Success/Failure)
+ ## (3) Delete (Sucess/Failure)
+ ## (4) Modify (Success/Failure)
+ ## (5) Permission Modification (Sucess/Failure)
+ ## (6) Ownership Modification (Success/Failure)
+ ## AU-2(a) / FAU_GEN.1.1.c
+ ##
+ ##
+ ## (1) Create (Success/Failure)
+ ## (open with O_CREAT)
+ ## (2) Access (Success/Failure)
+ ## (3) Delete (Success/Failure)
+ ## (4) Modify (Success/Failure)
+ ## (5) Permission Modification (Success/Failure)
+ ## (6) Ownership Modification (Success/Failure)
+
+ ## Audit User and Group Management Events (Success/Failure)
+ ## CNSSI 1253 Value or DoD-specific Values:
+ ## (1) User add, delete, modify, disable, enable (Success/Failure)
+ ## (2) Group/Role add, delete, modify (Success/Failure)
+ ## AU-2(a) / FAU_GEN.1.1.c
+ ##
+ ## Generic User and Group Management Events (Success/Failure)
+ ## Selection of setuid programs that relate to
+ ## user accounts.
+ ##
+ ## CNSSI 1253: (1) User add, delete, modify, disable, enable (Success/Failure)
+ ##
+ ## CNSSI 1252: (2) Group/Role add, delete, modify (Success/Failure)
+ ##
+ ## Audit Privilege or Role Escalation Events (Success/Failure)
+ ## CNSSI 1253 Value or DoD-specific Values:
+ ## - Privilege/Role escalation (Success/Failure)
+ ## AU-2(a) / FAU_GEN.1.1.c
+ ## Audit All Audit and Log Data Accesses (Success/Failure)
+ ## CNSSI 1253 Value or DoD-specific Values:
+ ## - Audit and log data access (Success/Failure)
+ ## AU-2(a) / FAU_GEN.1.1.c
+ ## Audit Cryptographic Verification of Software (Success/Failure)
+ ## CNSSI 1253 Value or DoD-specific Values:
+ ## - Applications (e.g. Firefox, Internet Explorer, MS Office Suite,
+ ## etc) initialization (Success/Failure)
+ ## AU-2(a) / FAU_GEN.1.1.c
+ ## Audit Kernel Module Loading and Unloading Events (Success/Failure)
+ ## AU-2(a) / FAU_GEN.1.1.c
+ - audit_basic_configuration
+ - audit_immutable_login_uids
+ - audit_create_failed
+ - audit_create_success
+ - audit_modify_failed
+ - audit_modify_success
+ - audit_access_failed
+ - audit_access_success
+ - audit_delete_failed
+ - audit_delete_success
+ - audit_perm_change_failed
+ - audit_perm_change_success
+ - audit_owner_change_failed
+ - audit_owner_change_success
+ - audit_ospp_general
+ - audit_module_load
+
+ ## Enable Automatic Software Updates
+ ## SI-2 / FMT_MOF_EXT.1
+ # Configure dnf-automatic to Install Only Security Updates
+ - dnf-automatic_security_updates_only
+
+ # Configure dnf-automatic to Install Available Updates Automatically
+ - dnf-automatic_apply_updates
+
+ # Enable dnf-automatic Timer
+ - timer_dnf-automatic_enabled
+
+ # Configure TLS for remote logging
+ - rsyslog_remote_tls
+ - rsyslog_remote_tls_cacert
+
+ # Prevent Kerberos use by system daemons
+ - kerberos_disable_no_keytab
+
+ # set ssh client rekey limit
+ - ssh_client_rekey_limit
+ - var_ssh_client_rekey_limit_size=1G
+ - var_ssh_client_rekey_limit_time=1hour
+
+# configure ssh client to use strong entropy
+ - ssh_client_use_strong_rng_sh
+ - ssh_client_use_strong_rng_csh
+
+ # zIPl specific rules
+ - zipl_bls_entries_only
+ - zipl_bootmap_is_up_to_date
+ - zipl_audit_argument
+ - zipl_audit_backlog_limit_argument
+ - zipl_slub_debug_argument
+ - zipl_page_poison_argument
+ - zipl_vsyscall_argument
+ - zipl_vsyscall_argument.role=unscored
+ - zipl_vsyscall_argument.severity=info
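Review bot: The "Software update" and "Install Required Packages" sections select RHEL-specific rules — `ensure_redhat_gpgkey_installed`, `package_subscription-manager_installed` and `package_dnf-plugin-subscription-manager_installed` — inside what is now the rocky8 product. Rocky Linux 8 signs its packages with its own key and has no subscription-manager entitlement flow, so unless these rules were re-templated for Rocky in this product's own content (not visible in this patch) the GPG-key check will look for the wrong key and the subscription-manager requirements will be unsatisfiable on a stock Rocky install, which makes every profile built on this file fail by default. The same `ensure_redhat_gpgkey_installed` selection recurs in pci-dss.profile, rht-ccp.profile and standard.profile in this commit, and stig.profile inherits it through `extends: ospp`. Two smaller points of style: the section heading `### Application Whitelisting (RHEL 8)` should name the product this file is for, and the comment `# configure ssh client to use strong entropy` sits at column 0 unlike every sibling comment in the selections list and should be indented to match.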
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/pci-dss.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/pci-dss.profile
new file mode 100644
index 00000000..d817de88
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/pci-dss.profile
@@ -0,0 +1,147 @@
+documentation_complete: true
+
+metadata:
+ SMEs:
+ - carlosmmatos
+
+reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+
+title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8'
+
+description: |-
+ Ensures PCI-DSS v3.2.1 security configuration settings are applied.
+
+selections:
+ - var_password_pam_unix_remember=4
+ - var_account_disable_post_pw_expiration=90
+ - var_accounts_passwords_pam_faillock_deny=6
+ - var_accounts_passwords_pam_faillock_unlock_time=1800
+ - sshd_idle_timeout_value=15_minutes
+ - var_password_pam_minlen=7
+ - var_password_pam_minclass=2
+ - var_accounts_maximum_age_login_defs=90
+ - var_auditd_num_logs=5
+ - service_auditd_enabled
+ - grub2_audit_argument
+ - auditd_data_retention_num_logs
+ - auditd_data_retention_max_log_file
+ - auditd_data_retention_max_log_file_action
+ - auditd_data_retention_space_left_action
+ - auditd_data_retention_admin_space_left_action
+ - auditd_data_retention_action_mail_acct
+ - package_audispd-plugins_installed
+ - auditd_audispd_syslog_plugin_activated
+ - audit_rules_time_adjtimex
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_clock_settime
+ - audit_rules_time_watch_localtime
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - audit_rules_networkconfig_modification
+ - file_permissions_var_log_audit
+ - file_ownership_var_log_audit
+ - audit_rules_mac_modification
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_login_events
+ - audit_rules_session_events
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_privileged_commands
+ - audit_rules_media_export
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_sysadmin_actions
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_immutable
+ - var_multiple_time_servers=rhel
+ - service_chronyd_or_ntpd_enabled
+ - chronyd_or_ntpd_specify_remote_server
+ - chronyd_or_ntpd_specify_multiple_servers
+ - rpm_verify_permissions
+ - rpm_verify_hashes
+ - install_hids
+ - rsyslog_files_permissions
+ - rsyslog_files_ownership
+ - rsyslog_files_groupownership
+ - ensure_logrotate_activated
+ - package_aide_installed
+ - aide_build_database
+ - aide_periodic_cron_checking
+ - account_unique_name
+ - gid_passwd_group_same
+ - accounts_password_all_shadowed
+ - no_empty_passwords
+ - display_login_attempts
+ - account_disable_post_pw_expiration
+ - accounts_passwords_pam_faillock_deny
+ - accounts_passwords_pam_faillock_unlock_time
+ - dconf_db_up_to_date
+ - dconf_gnome_screensaver_idle_delay
+ - dconf_gnome_screensaver_idle_activation_enabled
+ - dconf_gnome_screensaver_lock_enabled
+ - dconf_gnome_screensaver_mode_blank
+ - sshd_set_idle_timeout
+ - sshd_set_keepalive
+ - accounts_password_pam_minlen
+ - accounts_password_pam_dcredit
+ - accounts_password_pam_ucredit
+ - accounts_password_pam_lcredit
+ - accounts_password_pam_unix_remember
+ - accounts_maximum_age_login_defs
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_never_disabled
+ - security_patches_up_to_date
+ - package_opensc_installed
+ - var_smartcard_drivers=cac
+ - configure_opensc_card_drivers
+ - force_opensc_card_drivers
+ - package_pcsc-lite_installed
+ - service_pcscd_enabled
+ - sssd_enable_smartcards
+ - set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_logindefs
+ - set_password_hashing_algorithm_libuserconf
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+ - file_permissions_etc_shadow
+ - file_owner_etc_group
+ - file_groupowner_etc_group
+ - file_permissions_etc_group
+ - file_owner_etc_passwd
+ - file_groupowner_etc_passwd
+ - file_permissions_etc_passwd
+ - file_owner_grub2_cfg
+ - file_groupowner_grub2_cfg
+ - package_libreswan_installed
+ - configure_crypto_policy
+ - configure_bind_crypto_policy
+ - configure_openssl_crypto_policy
+ - configure_libreswan_crypto_policy
+ - configure_ssh_crypto_policy
+ - configure_kerberos_crypto_policy
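Review bot: The title still reads `'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8'` although the file lives under the rocky8 product, so the generated benchmark will advertise the wrong operating system. The same copied RHEL wording appears in the title of standard.profile, the description of rht-ccp.profile, and the title and description of stig.profile (which additionally claims DISA recognition for "Red Hat technologies", a statement that does not transfer to a rebuild), so those should be updated in the same pass, e.g. `title: 'PCI-DSS v3.2.1 Control Baseline for Rocky Linux 8'`. `var_multiple_time_servers=rhel` also selects a RHEL-named option set; if that variable has no option for this product, a short comment saying the RHEL value is intentionally reused would stop the next reader from flagging it.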
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rhelh-stig.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rhelh-stig.profile
new file mode 100644
index 00000000..1efca5f4
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rhelh-stig.profile
@@ -0,0 +1,13 @@
+documentation_complete: true
+
+title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)'
+
+description: |-
+ This *draft* profile contains configuration checks that align to the
+ DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH).
+
+extends: stig
+
+selections:
+ - sudo_vdsm_nopasswd
+ - package_gdm_removed
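Review bot: This profile targets Red Hat Enterprise Linux Virtualization Host, and its one distinctive selection, `sudo_vdsm_nopasswd`, concerns the sudo NOPASSWD entry for the vdsm service account, which as far as I can tell only exists on RHV/oVirt hypervisor hosts. On a general-purpose Rocky 8 product the profile is therefore most likely inapplicable, and shipping it suggests an evaluated STIG baseline that does not exist for this platform. The sibling rhelh-vpp.profile has the same problem and still describes itself as covering "RHELH 7.x" with an empty `selections: []`, so it adds nothing beyond `extends: ospp`. Either drop both profiles from the rocky8 product or state in their descriptions why a virtualization-host baseline is being carried here.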
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rhelh-vpp.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rhelh-vpp.profile
new file mode 100644
index 00000000..2baee6d6
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rhelh-vpp.profile
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)'
+
+description: |-
+ This compliance profile reflects the core set of security
+ related configuration settings for deployment of Red Hat Enterprise
+ Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelligence, and Civilian agencies.
+ Development partners and sponsors include the U.S. National Institute
+ of Standards and Technology (NIST), U.S. Department of Defense,
+ the National Security Agency, and Red Hat.
+
+ This baseline implements configuration requirements from the following
+ sources:
+
+ - Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
+ - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
+ - U.S. Government Configuration Baseline (USGCB)
+ - NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)
+
+ For any differing configuration requirements, e.g. password lengths, the stricter
+ security setting was chosen. Security Requirement Traceability Guides (RTMs) and
+ sample System Security Configuration Guides are provided via the
+ scap-security-guide-docs package.
+
+ This profile reflects U.S. Government consensus content and is developed through
+ the ComplianceAsCode project, championed by the National
+ Security Agency. Except for differences in formatting to accommodate
+ publishing processes, this profile mirrors ComplianceAsCode
+ content as minor divergences, such as bugfixes, work through the
+ consensus and release processes.
+
+extends: ospp
+
+selections: []
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rht-ccp.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rht-ccp.profile
new file mode 100644
index 00000000..c8457959
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rht-ccp.profile
@@ -0,0 +1,100 @@
+documentation_complete: true
+
+title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
+
+description: |-
+ This profile contains the minimum security relevant
+ configuration settings recommended by Red Hat, Inc for
+ Red Hat Enterprise Linux 8 instances deployed by Red Hat Certified
+ Cloud Providers.
+
+selections:
+ - var_selinux_state=enforcing
+ - var_selinux_policy_name=targeted
+ - file_owner_logfiles_value=root
+ - file_groupowner_logfiles_value=root
+ - sshd_idle_timeout_value=5_minutes
+ - var_accounts_password_minlen_login_defs=6
+ - var_accounts_minimum_age_login_defs=7
+ - var_accounts_passwords_pam_faillock_deny=5
+ - var_accounts_password_warn_age_login_defs=7
+ - var_password_pam_retry=3
+ - var_password_pam_dcredit=1
+ - var_password_pam_ucredit=2
+ - var_password_pam_ocredit=2
+ - var_password_pam_lcredit=2
+ - var_password_pam_difok=3
+ - var_password_pam_unix_remember=5
+ - var_accounts_user_umask=077
+ - login_banner_text=usgcb_default
+ - partition_for_tmp
+ - partition_for_var
+ - partition_for_var_log
+ - partition_for_var_log_audit
+ - selinux_state
+ - selinux_policytype
+ - ensure_redhat_gpgkey_installed
+ - security_patches_up_to_date
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_never_disabled
+ - package_aide_installed
+ - accounts_password_pam_unix_remember
+ - no_shelllogin_for_systemaccounts
+ - no_empty_passwords
+ - accounts_password_all_shadowed
+ - accounts_no_uid_except_zero
+ - accounts_password_minlen_login_defs
+ - accounts_minimum_age_login_defs
+ - accounts_password_warn_age_login_defs
+ - accounts_password_pam_retry
+ - accounts_password_pam_dcredit
+ - accounts_password_pam_ucredit
+ - accounts_password_pam_ocredit
+ - accounts_password_pam_lcredit
+ - accounts_password_pam_difok
+ - accounts_passwords_pam_faillock_deny
+ - set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_logindefs
+ - set_password_hashing_algorithm_libuserconf
+ - require_singleuser_auth
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+ - file_permissions_etc_shadow
+ - file_owner_etc_gshadow
+ - file_groupowner_etc_gshadow
+ - file_permissions_etc_gshadow
+ - file_owner_etc_passwd
+ - file_groupowner_etc_passwd
+ - file_permissions_etc_passwd
+ - file_owner_etc_group
+ - file_groupowner_etc_group
+ - file_permissions_etc_group
+ - file_permissions_library_dirs
+ - file_ownership_library_dirs
+ - file_permissions_binary_dirs
+ - file_ownership_binary_dirs
+ - file_permissions_var_log_audit
+ - file_owner_grub2_cfg
+ - file_groupowner_grub2_cfg
+ - file_permissions_grub2_cfg
+ - grub2_password
+ - kernel_module_dccp_disabled
+ - kernel_module_sctp_disabled
+ - service_firewalld_enabled
+ - set_firewalld_default_zone
+ - firewalld_sshd_port_enabled
+ - service_abrtd_disabled
+ - service_telnet_disabled
+ - package_telnet-server_removed
+ - package_telnet_removed
+ - sshd_allow_only_protocol2
+ - sshd_set_idle_timeout
+ - sshd_set_keepalive
+ - disable_host_auth
+ - sshd_disable_root_login
+ - sshd_disable_empty_passwords
+ - sshd_enable_warning_banner
+ - sshd_do_not_permit_user_env
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
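Review bot: `sshd_allow_only_protocol2` in the sshd section is, to my knowledge, a no-op on this platform, since the OpenSSH shipped with EL8 no longer supports protocol 1 and only accepts the `Protocol` directive for backward compatibility, so the rule can only produce a spurious finding or a remediation that rewrites a dead option. Upstream dropped this rule from its EL8 profiles for that reason, if I recall correctly, so consider removing the line here (it also appears in the first hunk's "Secure Shell access" list, whose start lies outside this excerpt). The rest of the sshd block — `sshd_disable_root_login`, `sshd_disable_empty_passwords`, `disable_host_auth`, `sshd_do_not_permit_user_env` — is still meaningful and can stay as written.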
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/standard.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/standard.profile
new file mode 100644
index 00000000..a63ae2cf
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/standard.profile
@@ -0,0 +1,67 @@
+documentation_complete: true
+
+title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
+
+description: |-
+ This profile contains rules to ensure standard security baseline
+ of a Red Hat Enterprise Linux 8 system. Regardless of your system's workload
+ all of these checks should pass.
+
+selections:
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - rpm_verify_permissions
+ - rpm_verify_hashes
+ - security_patches_up_to_date
+ - no_empty_passwords
+ - file_permissions_unauthorized_sgid
+ - file_permissions_unauthorized_suid
+ - file_permissions_unauthorized_world_writable
+ - accounts_root_path_dirs_no_write
+ - dir_perms_world_writable_sticky_bits
+ - mount_option_dev_shm_nodev
+ - mount_option_dev_shm_nosuid
+ - partition_for_var_log
+ - partition_for_var_log_audit
+ - package_rsyslog_installed
+ - service_rsyslog_enabled
+ - audit_rules_time_adjtimex
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_clock_settime
+ - audit_rules_time_watch_localtime
+ - audit_rules_usergroup_modification
+ - audit_rules_networkconfig_modification
+ - audit_rules_mac_modification
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_unsuccessful_file_modification
+ - audit_rules_privileged_commands
+ - audit_rules_media_export
+ - audit_rules_file_deletion_events
+ - audit_rules_sysadmin_actions
+ - audit_rules_kernel_module_loading
+ - service_abrtd_disabled
+ - service_atd_disabled
+ - service_autofs_disabled
+ - service_ntpdate_disabled
+ - service_oddjobd_disabled
+ - service_qpidd_disabled
+ - service_rdisc_disabled
+ - configure_crypto_policy
+ - configure_bind_crypto_policy
+ - configure_openssl_crypto_policy
+ - configure_libreswan_crypto_policy
+ - configure_ssh_crypto_policy
+ - configure_kerberos_crypto_policy
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/stig.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/stig.profile
new file mode 100644
index 00000000..db1b7127
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/stig.profile
@@ -0,0 +1,67 @@
+documentation_complete: true
+
+metadata:
+ version: V1R0.1-Draft
+ SMEs:
+ - carlosmmatos
+
+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
+
+description: |-
+ This profile contains configuration checks that align to the
+ [DRAFT] DISA STIG for Red Hat Enterprise Linux 8.
+
+ In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
+ configuration baseline as applicable to the operating system tier of
+ Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:
+
+ - Red Hat Enterprise Linux Server
+ - Red Hat Enterprise Linux Workstation and Desktop
+ - Red Hat Enterprise Linux for HPC
+ - Red Hat Storage
+ - Red Hat Containers with a Red Hat Enterprise Linux 8 image
+
+extends: ospp
+
+selections:
+ - login_banner_text=dod_banners
+ - dconf_db_up_to_date
+ - dconf_gnome_banner_enabled
+ - dconf_gnome_login_banner_text
+ - banner_etc_issue
+ - accounts_password_set_min_life_existing
+ - accounts_password_set_max_life_existing
+ - account_disable_post_pw_expiration
+ - account_temp_expire_date
+ - audit_rules_usergroup_modification_passwd
+ - sssd_enable_smartcards
+ - sssd_offline_cred_expiration
+ - smartcard_configure_cert_checking
+ - encrypt_partitions
+ - sysctl_net_ipv4_tcp_syncookies
+ - clean_components_post_updating
+ - package_audispd-plugins_installed
+ - package_libcap-ng-utils_installed
+ - auditd_audispd_syslog_plugin_activated
+ - accounts_passwords_pam_faillock_enforce_local
+ - accounts_password_pam_enforce_local
+ - accounts_password_pam_enforce_root
+
+ # Configure TLS for remote logging
+ - package_rsyslog_installed
+ - package_rsyslog-gnutls_installed
+ - rsyslog_remote_tls
+ - rsyslog_remote_tls_cacert
+
+ # Unselect zIPL rules from OSPP
+ - "!zipl_bls_entries_only"
+ - "!zipl_bootmap_is_up_to_date"
+ - "!zipl_audit_argument"
+ - "!zipl_audit_backlog_limit_argument"
+ - "!zipl_page_poison_argument"
+ - "!zipl_slub_debug_argument"
+ - "!zipl_vsyscall_argument"
+ - "!zipl_vsyscall_argument.role=unscored"
+ - "!zipl_vsyscall_argument.severity=info"
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/cci2html.xsl b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/cci2html.xsl
new file mode 100644
index 00000000..59d708ad
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/cci2html.xsl
@@ -0,0 +1,6 @@
+
+
+
+
+
+
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/constants.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/constants.xslt
new file mode 100644
index 00000000..0df9c540
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/constants.xslt
@@ -0,0 +1,21 @@
+
+
+
+
+Red Hat Enterprise Linux 8
+RHEL 8
+RHEL_8_STIG
+rhel8
+
+https://www.cisecurity.org/benchmark/red_hat_linux/
+RHEL-8
+
+
+
+
+
+
+
+
+
+
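Review bot: The product constants added under the rocky8 transforms directory still carry the RHEL values — `Red Hat Enterprise Linux 8`, `RHEL 8`, `RHEL_8_STIG`, `rhel8`, `RHEL-8` and the CIS benchmark URL for `red_hat_linux` — so the XCCDF and tables generated for this product will be labelled as RHEL rather than as the `rocky8` product this directory and the CMake `add_subdirectory("rocky8")` call name. The XML markup appears to have been stripped in this rendering, so I cannot confirm the element names, but each of those literal values should be reviewed against the product id; the STIG identifier in particular may be intentional if the product consumes the RHEL STIG overlay, and if so a comment saying that would help. The other new transforms in this commit render as blank lines here and could not be reviewed.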
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/shorthand2xccdf.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/shorthand2xccdf.xslt
similarity index 71%
rename from ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/shorthand2xccdf.xslt
rename to ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/shorthand2xccdf.xslt
index 4b191e90..e017cf6f 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/shorthand2xccdf.xslt
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/shorthand2xccdf.xslt
@@ -1,6 +1,6 @@
-
+
unknown
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-add-srgitems.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-add-srgitems.xslt
new file mode 100644
index 00000000..e741fb89
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-add-srgitems.xslt
@@ -0,0 +1,7 @@
+
+
+
+
+
+
+
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-sortbyref.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-sortbyref.xslt
new file mode 100644
index 00000000..bd97ee1c
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-sortbyref.xslt
@@ -0,0 +1,6 @@
+
+
+
+
+
+
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-srgmap.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-srgmap.xslt
new file mode 100644
index 00000000..23c2f60a
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-srgmap.xslt
@@ -0,0 +1,11 @@
+
+
+
+
+
+
+
+
+
+
+
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-style.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-style.xslt
new file mode 100644
index 00000000..218d0f75
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-style.xslt
@@ -0,0 +1,5 @@
+
+
+
+
+
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf-apply-overlay-stig.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf-apply-overlay-stig.xslt
new file mode 100644
index 00000000..38b354af
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf-apply-overlay-stig.xslt
@@ -0,0 +1,8 @@
+
+
+
+
+
+
+
+
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2stigformat.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2stigformat.xslt
new file mode 100644
index 00000000..5421604f
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2stigformat.xslt
@@ -0,0 +1,7 @@
+
+
+
+
+
+
+
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/xccdf2table-byref.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-byref.xslt
similarity index 82%
rename from ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/xccdf2table-byref.xslt
rename to ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-byref.xslt
index 1cdb679c..88a53f50 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/xccdf2table-byref.xslt
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-byref.xslt
@@ -1,7 +1,7 @@
-
+
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-cce.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-cce.xslt
new file mode 100644
index 00000000..1ffb2221
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-cce.xslt
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/xccdf2table-profileanssirefs.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profileanssirefs.xslt
similarity index 80%
rename from ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/xccdf2table-profileanssirefs.xslt
rename to ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profileanssirefs.xslt
index 6fff5e71..b790974c 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/xccdf2table-profileanssirefs.xslt
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profileanssirefs.xslt
@@ -1,7 +1,7 @@
-
+
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profileccirefs.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profileccirefs.xslt
new file mode 100644
index 00000000..5a104d95
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profileccirefs.xslt
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilecisrefs.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilecisrefs.xslt
new file mode 100644
index 00000000..92cbdf9b
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilecisrefs.xslt
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilenistrefs-cui.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilenistrefs-cui.xslt
new file mode 100644
index 00000000..7596f8b4
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilenistrefs-cui.xslt
@@ -0,0 +1,8 @@
+
+
+
+
+
+
+
+
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilenistrefs.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilenistrefs.xslt
new file mode 100644
index 00000000..8e97c333
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilenistrefs.xslt
@@ -0,0 +1,8 @@
+
+
+
+
+
+
+
+
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-stig.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-stig.xslt
new file mode 100644
index 00000000..2fb56fa7
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-stig.xslt
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/tools/.add_product_rocky8.sh.swp b/ComplianceAsCode/content_for_supporting_rocky8/tools/.add_product_rocky8.sh.swp
new file mode 100644
index 00000000..108f6d3f
Binary files /dev/null and b/ComplianceAsCode/content_for_supporting_rocky8/tools/.add_product_rocky8.sh.swp differ
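Review bot: `tools/.add_product_rocky8.sh.swp` is a Vim swap file and should not be committed; a swap file holds the editor's unsaved buffer of the script being edited and carries no build value, so it only adds an opaque binary to the history and can leak work-in-progress content of `add_product_rocky8.sh`. Drop the file from the commit and add `*.swp` (or `.*.sw?`) to the repository's `.gitignore` so editor artifacts do not reappear. Whether the script it belongs to is itself part of this commit cannot be seen from here.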