Add RHCOS4 product

CMakeLists.txt

@@ -73,6 +73,7 @@ option(SSG_PRODUCT_JRE "If enabled, the JRE SCAP content will be built" ${SSG_PR
 option(SSG_PRODUCT_MACOS1015 "If enabled, the Apple macOS 10.15 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OCP3 "If enabled, the OCP3 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OCP4 "If enabled, the OCP4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_RHCOS4 "If enabled, the RHCOS4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OL7 "If enabled, the Oracle Linux 7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OL8 "If enabled, the Oracle Linux 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -245,6 +246,7 @@ message(STATUS "JRE: ${SSG_PRODUCT_JRE}")
 message(STATUS "MacOS 1015: ${SSG_PRODUCT_MACOS1015}")
 message(STATUS "OCP3: ${SSG_PRODUCT_OCP3}")
 message(STATUS "OCP4: ${SSG_PRODUCT_OCP4}")
+message(STATUS "RHCOS4: ${SSG_PRODUCT_RHCOS4}")
 message(STATUS "Oracle Linux 7: ${SSG_PRODUCT_OL7}")
 message(STATUS "Oracle Linux 8: ${SSG_PRODUCT_OL8}")
 message(STATUS "openSUSE: ${SSG_PRODUCT_OPENSUSE}")
@@ -332,6 +334,9 @@ endif()
 if (SSG_PRODUCT_OCP4)
     add_subdirectory("ocp4")
 endif()
+if (SSG_PRODUCT_RHCOS4)
+    add_subdirectory("rhcos4")
+endif()
 if (SSG_PRODUCT_OL7)
     add_subdirectory("ol7")
 endif()

Dockerfiles/ocp4_content

@@ -7,10 +7,11 @@ COPY . .
 
 RUN microdnf -y install cmake make git /usr/bin/python3 python3-pyyaml python3-jinja2 openscap-utils
 
-RUN ./build_product --debug ocp4 rhel7 rhel8
+RUN ./build_product --debug ocp4 rhel7 rhel8 rhcos4
 
 FROM registry.access.redhat.com/ubi8/ubi-minimal
 WORKDIR /
 COPY --from=builder /content/build/ssg-ocp4-ds.xml .
 COPY --from=builder /content/build/ssg-rhel7-ds.xml .
 COPY --from=builder /content/build/ssg-rhel8-ds.xml .
+COPY --from=builder /content/build/ssg-rhcos4-ds.xml .

Dockerfiles/quay_publish

@@ -3,8 +3,9 @@ FROM fedora:latest as builder
 RUN dnf -y install cmake make git /usr/bin/python3 python3-pyyaml python3-jinja2 openscap-utils
 RUN git clone --depth 1 https://github.com/ComplianceAsCode/content
 WORKDIR /content
-RUN ./build_product --debug ocp4
+RUN ./build_product --debug ocp4 rhcos4
 
 FROM registry.access.redhat.com/ubi8/ubi-minimal
 WORKDIR /
 COPY --from=builder /content/build/ssg-ocp4-ds.xml .
+COPY --from=builder /content/build/ssg-rhcos4-ds.xml .

build_product

@@ -274,6 +274,7 @@ all_cmake_products=(
 	JRE
 	OCP3
 	OCP4
+	RHCOS4
 	OL7
 	OL8
 	OPENSUSE

linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
+prodtype: ocp4,rhcos4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
 
 title: 'Uninstall bind Package'
 

linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ocp4,ol8,rhel8
+prodtype: fedora,ocp4,rhcos4,ol8,rhel8
 
 title: 'Install fapolicyd Package'
 

linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ocp4,ol8,rhel8
+prodtype: ocp4,rhcos4,ol8,rhel8
 
 title: 'Enable the File Access Policy Service'
 

linux_os/guide/services/ldap/389_ds/package_389-ds-base_removed/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ocp4,rhel6,rhel7,rhel8
+prodtype: ocp4,rhcos4,rhel6,rhel7,rhel8
 
 title: 'Uninstall 389-ds-base Package'
 

linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4,sle15
+prodtype: fedora,ocp4,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15
 
 title: 'Ensure LDAP client is not installed'
 

linux_os/guide/services/ntp/chronyd_client_only/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ocp4,ol8,rhel8
+prodtype: fedora,ocp4,rhcos4,ol8,rhel8
 
 title: 'Disable chrony daemon from acting as server'
 

linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ocp4,ol8,rhel8
+prodtype: fedora,ocp4,rhcos4,ol8,rhel8
 
 title: 'Disable network management of chrony daemon'
 

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ocp4,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
 
 title: 'Configure Time Service Maxpoll Interval'
 

linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
+prodtype: fedora,ocp4,rhcos4,ol7,ol8,rhel7,rhel8,rhv4
 
 title: 'Specify Additional Remote NTP Servers'
 

linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
+prodtype: fedora,ocp4,rhcos4,ol7,ol8,rhel7,rhel8,rhv4
 
 title: 'Specify a Remote NTP Server'
 

linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
+prodtype: fedora,ocp4,rhcos4,ol7,ol8,rhel7,rhel8,rhv4
 
 title: 'Enable the NTP Daemon'
 

linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,ocp4
+prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,ocp4,rhcos4
 
 title: 'Ensure rsyncd service is diabled'
 

linux_os/guide/services/rng/service_rngd_enabled/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ocp4,ol8,rhel8
+prodtype: fedora,ocp4,rhcos4,ol8,rhel8
 
 title: 'Enable the Hardware RNG Entropy Gatherer Service'
 

linux_os/guide/services/smb/configuring_samba/package_samba-common_installed/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ocp4,rhel6,rhel7,rhel8,rhv4,sle15
+prodtype: ocp4,rhcos4,rhel6,rhel7,rhel8,rhv4,sle15
 
 title: 'Install the Samba Common Package'
 

linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: debian10,debian9,fedora,ocp4,rhcos4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,sle15,wrlinux1019
 
 title: 'Uninstall net-snmp Package'
 

linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel6,rhel7,rhel8,rhv4,sle15,ocp4
+prodtype: rhel6,rhel7,rhel8,rhv4,sle15,ocp4,rhcos4
 
 title: 'Verify Group Who Owns SSH Server config file'
 

linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel6,rhel7,rhel8,rhv4,sle15,ocp4
+prodtype: rhel6,rhel7,rhel8,rhv4,sle15,ocp4,rhcos4
 
 title: 'Verify Owner on SSH Server config file'
 

linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel6,rhel7,rhel8,rhv4,sle15,ocp4
+prodtype: rhel6,rhel7,rhel8,rhv4,sle15,ocp4,rhcos4
 
 title: 'Verify Permissions on SSH Server config file'
 

linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian8,debian9,fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,sle12,sle15,ubuntu1404,ubuntu1604,ubuntu1804,wrlinux1019,wrlinux8
+prodtype: debian10,debian8,debian9,fedora,ocp4,rhcos4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,sle12,sle15,ubuntu1404,ubuntu1604,ubuntu1804,wrlinux1019,wrlinux8
 
 title: 'Install the OpenSSH Server Package'
 

linux_os/guide/services/ssh/package_openssh-server_removed/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian8,debian9,fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,sle12,sle15,ubuntu1404,ubuntu1604,ubuntu1804,wrlinux1019,wrlinux8
+prodtype: debian10,debian8,debian9,fedora,ocp4,rhcos4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,sle12,sle15,ubuntu1404,ubuntu1604,ubuntu1804,wrlinux1019,wrlinux8
 
 title: 'Remove the OpenSSH Server Package'
 

linux_os/guide/services/ssh/ssh_server/disable_host_auth/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/ignition/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:

linux_os/guide/services/sssd/sssd_run_as_sssd_user/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ocp4,ol8,rhel8
+prodtype: fedora,ocp4,rhcos4,ol8,rhel8
 
 title: 'Configure SSSD to run as user sssd'
 

linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ocp4,ol8,rhel8
+prodtype: fedora,ocp4,rhcos4,ol8,rhel8
 
 title: 'Log USBGuard daemon audit events using Linux Audit'
 

linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
+prodtype: fedora,ocp4,rhcos4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
 
 title: 'Install usbguard Package'
 

linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ocp4,ol8,rhel8
+prodtype: fedora,ocp4,rhcos4,ol8,rhel8
 
 title: 'Enable the USBGuard Service'
 

linux_os/guide/services/usbguard/usbguard_allow_hid/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ocp4,ol8,rhel8
+prodtype: fedora,ocp4,rhcos4,ol8,rhel8
 
 title: 'Authorize Human Interface Devices in USBGuard daemon'
 

linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ocp4,ol8,rhel8
+prodtype: fedora,ocp4,rhcos4,ol8,rhel8
 
 title: 'Authorize Human Interface Devices and USB hubs in USBGuard daemon'
 

linux_os/guide/services/usbguard/usbguard_allow_hub/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ocp4,ol8,rhel8
+prodtype: fedora,ocp4,rhcos4,ol8,rhel8
 
 title: 'Authorize USB hubs in USBGuard daemon'