For fixing issue#26, updating contents for supporting CaC 0.1.59.

ComplianceAsCode/content_for_supporting_rocky8/files/diff_content_for_supporting_rocky8

@@ -1,114 +1,77 @@
 diff -Nru content.org/CMakeLists.txt content/CMakeLists.txt
---- content.org/CMakeLists.txt  2021-08-21 18:13:55.050097584 +0900
-+++ content/CMakeLists.txt      2021-08-21 18:21:16.258038611 +0900
-@@ -93,6 +93,7 @@
+--- content.org/CMakeLists.txt	2020-12-25 08:21:12.953946957 +0900
++++ content/CMakeLists.txt	2020-12-25 08:30:03.918555175 +0900
+@@ -87,6 +87,7 @@
  option(SSG_PRODUCT_VSEL "If enabled, the McAfee VSEL SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
  option(SSG_PRODUCT_WRLINUX8 "If enabled, the WRLinux8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
  option(SSG_PRODUCT_WRLINUX1019 "If enabled, the WRLinux1019 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 +option(SSG_PRODUCT_ROCKY8 "If enabled, the ROCKY8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
-
+ 
  option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
  option(SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED "If enabled, Scientific Linux derivative content will be built from the RHEL content" TRUE)
-@@ -288,6 +289,7 @@
+@@ -267,6 +268,8 @@
  message(STATUS "McAfee VSEL: ${SSG_PRODUCT_VSEL}")
  message(STATUS "WRLinux 8: ${SSG_PRODUCT_WRLINUX8}")
  message(STATUS "WRLinux 1019: ${SSG_PRODUCT_WRLINUX1019}")
 +message(STATUS "ROCKY 8: ${SSG_PRODUCT_ROCKY8}")
-
-
-
-@@ -410,6 +412,10 @@
++
+
+
+
+@@ -386,6 +389,10 @@
  if (SSG_PRODUCT_WRLINUX1019)
-     add_subdirectory("products/wrlinux1019" "wrlinux1019")
+     add_subdirectory("wrlinux1019")
  endif()
 +if (SSG_PRODUCT_ROCKY8)
-+    add_subdirectory("products/rl8" "rl8")
++    add_subdirectory("rocky8")
 +endif()
 +
-
+ 
  # ZIP only contains source datastreams and kickstarts, people who
  # want sources to build from should get the tarball instead.
-
 diff -Nru content.org/build_product content/build_product
---- content.org/build_product   2021-08-21 18:13:55.110097683 +0900
-+++ content/build_product       2021-08-21 18:22:19.417937147 +0900
-@@ -310,6 +310,7 @@
+--- content.org/build_product	2020-12-25 08:21:13.001947373 +0900
++++ content/build_product	2020-12-25 08:31:11.339141097 +0900
+@@ -294,6 +294,7 @@
+ 	VSEL
  	WRLINUX8
  	WRLINUX1019
- 	MACOS1015
 +	ROCKY8
  )
 
  DEFAULT_OVAL_MAJOR_VERSION=5
-diff -Nru content.org/shared/checks/oval/install_mcafee_hbss.xml content/shared/checks/oval/install_mcafee_hbss.xml
---- content.org/shared/checks/oval/install_mcafee_hbss.xml	2021-05-03 07:27:50.321760545 +0900
-+++ content/shared/checks/oval/install_mcafee_hbss.xml	2021-05-03 07:29:57.423884084 +0900
-@@ -14,6 +14,7 @@
- 	<platform>multi_platform_sle</platform>
- 	<platform>multi_platform_ubuntu</platform>
- 	<platform>multi_platform_wrlinux</platform>
-+	<platform>multi_platform_rl</platform>
-       </affected>
-       <description>McAfee Host-Based Intrusion Detection Software (HBSS) software
-       should be installed.</description>
-diff -Nru content.org/shared/checks/oval/sysctl_kernel_ipv6_disable.xml content/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
---- content.org/shared/checks/oval/sysctl_kernel_ipv6_disable.xml       2021-08-21 18:13:55.326098038 +0900
-+++ content/shared/checks/oval/sysctl_kernel_ipv6_disable.xml   2021-08-21 18:21:37.030007098 +0900
-@@ -9,11 +9,12 @@
- 	<platform>multi_platform_opensuse</platform>
- 	<platform>multi_platform_ol</platform>
- 	<platform>multi_platform_rhcos</platform>
--	<platform>multi_platform_rhel</platform>
-+	<platform>multi_platform_rhel,multi_platform_rl</platform>
- 	<platform>multi_platform_rhv</platform>
- 	<platform>multi_platform_sle</platform>
- 	<platform>multi_platform_ubuntu</platform>
- 	<platform>multi_platform_wrlinux</platform>
-+	<platform>multi_platform_rl</platform>
-       </affected>
-       <description>Disables IPv6 for all network interfaces.</description>
-     </metadata>
 diff -Nru content.org/ssg/constants.py content/ssg/constants.py
---- content.org/ssg/constants.py        2021-08-21 18:13:55.362098097 +0900
-+++ content/ssg/constants.py    2021-08-21 18:21:16.258038611 +0900
-@@ -24,7 +24,8 @@
-     'sle12', 'sle15',
+--- content.org/ssg/constants.py	2020-12-25 08:21:13.281949799 +0900
++++ content/ssg/constants.py	2020-12-25 08:43:05.253350090 +0900
+@@ -24,6 +24,7 @@
      'ubuntu1604', 'ubuntu1804', 'ubuntu2004',
      'vsel',
--    'wrlinux8', 'wrlinux1019'
-+    'wrlinux8', 'wrlinux1019',
-+    'rl8'
+     'wrlinux8', 'wrlinux1019'
++    'rocky8'
  ]
-
+ 
  JINJA_MACROS_BASE_DEFINITIONS = os.path.join(os.path.dirname(os.path.dirname(
-@@ -182,6 +183,7 @@
+@@ -167,6 +168,7 @@
      "Ubuntu 20.04": "ubuntu2004",
      "WRLinux 8": "wrlinux8",
      "WRLinux 1019": "wrlinux1019",
-+    "Rocky Linux 8": "rl8",
++    "Rocky Linux 8": "rocky8",
  }
-
-
-@@ -196,7 +198,7 @@
- }
-
- MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhosp", "rhv", "debian", "ubuntu",
--                       "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "example"]
-+                       "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "rl", "example"]
-
- MULTI_PLATFORM_MAPPING = {
-     "multi_platform_debian": ["debian9", "debian10"],
-@@ -212,6 +214,7 @@
+
+
+@@ -197,6 +199,7 @@
      "multi_platform_sle": ["sle12", "sle15"],
      "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004"],
      "multi_platform_wrlinux": ["wrlinux8", "wrlinux1019"],
-+    "multi_platform_rl": ["rl8"],
++    "multi_platform_rocky": ["rocky8"],
  }
-
+ 
  RHEL_CENTOS_CPE_MAPPING = {
-@@ -377,6 +380,7 @@
+@@ -362,6 +365,7 @@
      'ol': 'Oracle Linux',
      'ocp': 'Red Hat OpenShift Container Platform',
      'rhcos': 'Red Hat Enterprise Linux CoreOS',
-+    'rl': 'Rocky Linux',
++    'rocky': 'Rocky Linux',
  }
+
+

ComplianceAsCode/content_for_supporting_rocky8/files/installed_OS_is_rocky8.xml

@@ -0,0 +1,59 @@
+<def-group>
+  <definition class="inventory"
+  id="installed_OS_is_rocky8" version="1">
+    <metadata>
+      <title>Rocky Linux 8</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <reference ref_id="cpe:/o:rocky:rocky_linux:8"
+      source="CPE" />
+      <description>The operating system installed on the system is
+      Rocky Linux 8</description>
+    </metadata>
+    <criteria>
+      <criterion comment="Installed operating system is part of the unix family"
+      test_ref="test_rocky8_unix_family" />
+      <criteria operator="OR">
+        <criterion comment="Rocky Linux 8 is installed" test_ref="test_rocky8" />
+        <criteria operator="AND" comment="Red Hat Enterprise Virtualization Host is installed">
+          <criterion comment="Red Hat Virtualization Host (RHVH)" test_ref="test_rhvh4_version" />
+          <criterion comment="Red Hat Enterprise Virtualization Host is based on Rocky Linux 8" test_ref="test_rhevh_rocky8_version" />
+        </criteria>
+      </criteria>
+    </criteria>
+  </definition>
+
+  <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="test_rocky8_unix_family" version="1">
+    <ind:object object_ref="obj_rocky8_unix_family" />
+    <ind:state state_ref="state_rocky8_unix_family" />
+  </ind:family_test>
+  <ind:family_state id="state_rocky8_unix_family" version="1">
+    <ind:family>unix</ind:family>
+  </ind:family_state>
+  <ind:family_object id="obj_rocky8_unix_family" version="1" />
+
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8" id="test_rocky8" version="1">
+    <linux:object object_ref="obj_rocky8" />
+    <linux:state state_ref="state_rocky8" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_state id="state_rocky8" version="1">
+    <linux:version operation="pattern match">^8.*$</linux:version>
+  </linux:rpminfo_state>
+  <linux:rpminfo_object id="obj_rocky8" version="1">
+    <linux:name>redhat-release</linux:name>
+  </linux:rpminfo_object>
+
+  <ind:textfilecontent54_test check="all" comment="RHEVH base Rocky Linux is version 8" id="test_rhevh_rocky8_version" version="1">
+    <ind:object object_ref="obj_rhevh_rocky8_version" />
+    <ind:state state_ref="state_rhevh_rocky8_version" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_rhevh_rocky8_version" version="1">
+    <ind:filepath>/etc/redhat-release</ind:filepath>
+    <ind:pattern operation="pattern match">^Rocky Linux release (\d)\.\d+$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_state id="state_rhevh_rocky8_version" version="1">
+    <ind:subexpression operation="pattern match">8</ind:subexpression>
+  </ind:textfilecontent54_state>
+</def-group>

ComplianceAsCode/content_for_supporting_rocky8/files/rl8/CMakeLists.txt

@@ -1,4 +1,4 @@
-# Sometimes our users will try to do: "cd rocky8; cmake ." That needs to error in a nice way.
+# Sometimes our users will try to do: "cd rl8; cmake ." That needs to error in a nice way.
 if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
     message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
 endif()
@@ -8,20 +8,16 @@ set(DISA_SRG_TYPE "os")
 
 ssg_build_product(${PRODUCT})
 
-ssg_build_html_table_by_ref(${PRODUCT} "nist")
-ssg_build_html_table_by_ref(${PRODUCT} "cui")
-ssg_build_html_table_by_ref(${PRODUCT} "cis")
-ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
-ssg_build_html_table_by_ref(${PRODUCT} "anssi")
+ssg_build_html_ref_tables("${PRODUCT}" "table-${PRODUCT}-{ref_id}refs" "anssi;cis;cui;nist;pcidss")
 
-ssg_build_html_nistrefs_table(${PRODUCT} "standard")
-ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
-ssg_build_html_nistrefs_table(${PRODUCT} "stig")
+ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-ospp" "${PRODUCT}" "ospp" "nist")
+ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-standard" "${PRODUCT}" "standard" "nist")
+ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-stig" "${PRODUCT}" "stig" "nist")
 
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high")
+ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_minimal" "${PRODUCT}" "anssi_bp28_minimal" "anssi")
+ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_enhanced" "${PRODUCT}" "anssi_bp28_enhanced" "anssi")
+ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_intermediary" "${PRODUCT}" "anssi_bp28_intermediary" "anssi")
+ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_high" "${PRODUCT}" "anssi_bp28_high" "anssi")
 
 ssg_build_html_cce_table(${PRODUCT})
 
@@ -32,7 +28,3 @@ ssg_build_html_stig_tables_per_profile( ${PRODUCT} "stig")
 ssg_build_html_stig_tables_per_profile( ${PRODUCT} "stig_gui")
 
 #ssg_build_html_stig_tables(${PRODUCT} "ospp")
-
-#if (SSG_CENTOS_DERIVATIVES_ENABLED)
-#    ssg_build_derivative_product(${PRODUCT} "centos" "centos8")
-#endif()

ComplianceAsCode/content_for_supporting_rocky8/files/rl8/kickstart/ssg-rhel8-cis_server_l1-ks.cfg

@@ -106,7 +106,7 @@ part pv.01 --grow --size=1
 volgroup VolGroup --pesize=4096 pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=16896 --grow
 # Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
 logvol swap --name=lv_swap --vgname=VolGroup --size=2016

ComplianceAsCode/content_for_supporting_rocky8/files/rl8/kickstart/ssg-rhel8-cis_workstation_l1-ks.cfg

@@ -106,7 +106,7 @@ part pv.01 --grow --size=1
 volgroup VolGroup --pesize=4096 pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=16896 --grow
 # Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
 logvol swap --name=lv_swap --vgname=VolGroup --size=2016

ComplianceAsCode/content_for_supporting_rocky8/files/rl8/product.yml

@@ -2,6 +2,7 @@ product: rl8
 full_name: Rocky Linux 8
 type: platform
 
+benchmark_id: RL-8
 benchmark_root: "../../linux_os/guide"
 
 profiles_root: "./profiles"

ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/e8.profile

@@ -37,7 +37,7 @@ selections:
   - service_squid_disabled
 
   ### Software update
-#  - ensure_redhat_gpgkey_installed
+  - ensure_redhat_gpgkey_installed
   - ensure_gpgcheck_never_disabled
   - ensure_gpgcheck_local_packages
   - ensure_gpgcheck_globally_activated

ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/hipaa.profile

@@ -86,7 +86,7 @@ selections:
     - sysctl_kernel_randomize_va_space
     - rpm_verify_hashes
     - rpm_verify_permissions
-#    - ensure_redhat_gpgkey_installed
+    - ensure_redhat_gpgkey_installed
     - ensure_gpgcheck_globally_activated
     - ensure_gpgcheck_never_disabled
     - ensure_gpgcheck_local_packages

ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/ism_o.profile

@@ -52,6 +52,7 @@ selections:
   ## Identifiers 1418
   - package_usbguard_installed
   - service_usbguard_enabled
+  - usbguard_allow_hid_and_hub
 
   ## Authentication hardening
   ## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560

ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/ospp.profile

@@ -113,7 +113,7 @@ selections:
     - accounts_umask_etc_csh_cshrc
 
     ### Software update
-#    - ensure_redhat_gpgkey_installed
+    - ensure_redhat_gpgkey_installed
     - ensure_gpgcheck_globally_activated
     - ensure_gpgcheck_local_packages
     - ensure_gpgcheck_never_disabled
@@ -205,7 +205,7 @@ selections:
     - package_nfs-utils_removed
     - package_krb5-workstation_removed
     - package_abrt-addon-kerneloops_removed
-    - package_abrt-addon-python_removed
+    - package_python3-abrt-addon_removed
     - package_abrt-addon-ccpp_removed
     - package_abrt-plugin-rhtsupport_removed
     - package_abrt-plugin-logger_removed

ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/pci-dss.profile

@@ -114,7 +114,7 @@ selections:
     - accounts_password_pam_lcredit
     - accounts_password_pam_unix_remember
     - accounts_maximum_age_login_defs
-#    - ensure_redhat_gpgkey_installed
+    - ensure_redhat_gpgkey_installed
     - ensure_gpgcheck_globally_activated
     - ensure_gpgcheck_never_disabled
     - security_patches_up_to_date

ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/rht-ccp.profile

@@ -33,7 +33,7 @@ selections:
     - partition_for_var_log_audit
     - selinux_state
     - selinux_policytype
-#    - ensure_redhat_gpgkey_installed
+    - ensure_redhat_gpgkey_installed
     - security_patches_up_to_date
     - ensure_gpgcheck_globally_activated
     - ensure_gpgcheck_never_disabled

ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/standard.profile

@@ -8,7 +8,7 @@ description: |-
     all of these checks should pass.
 
 selections:
-#    - ensure_redhat_gpgkey_installed
+    - ensure_redhat_gpgkey_installed
     - ensure_gpgcheck_globally_activated
     - rpm_verify_permissions
     - rpm_verify_hashes