initial blueprint collection of security compliance examples (#334)

blueprints/README.md

@@ -0,0 +1,44 @@
+# Blueprint examples for RHEL image builder
+
+This collection of blueprints serve as proof-of-concept examples for popular application workloads and use cases.  The intent is to help users get started quickly, reducing the amount of technical debt to research and create this on their own.
+
+Each blueprint can be used individually, or inspected and combined to assemble your own highly optimized blueprint for your needs.
+
+Please contribute!  Merge requests and your expertise are welcomed to provide new blueprint examples, or improve on the existing ones provided here.
+
+Current examples include:
+
+## Security compliance examples
+- RHEL (latest) Server CIS level 2
+- RHEL (latest) Server CIS level 1
+- RHEL (latest) Workstation CIS level 2
+- RHEL (latest) Workstation CIS level 1
+- RHEL (latest) Server PCI-DSS
+
+## Databases
+- Microsoft SQL Server 2022
+- Microsoft SQL Server 2022 Express
+- Microsoft SQL Server 2022 with RHEL High Availability
+- RHEL for SAP HANA
+- RHEL for SAP HANA with RHEL High Availability
+- RHEL for SAP (application nodes) with RHEL High Availability
+
+
+## Future wishlist
+- RHEL simple container host (podman & container examples)
+- RHEL simple virtual hypervisor host (with web console)
+- RHEL NFS v4 server (with client tools & VDO)
+- RHEL NFS v3 server (with client tools & VDO)
+- RHEL Identity Management appliance (primary & secondary replicas)
+- RHEL development environments (vscode, eclipse, .NET core, python, nginx)
+- Red Hat Satellite appliance (with VDO)
+- Mariadb
+- Mariadb with RHEL High Availability
+- PostgreSQL
+- PostgreSQL with RHEL High Availability
+- EnterpriseDB
+- EnterpriseDB with RHEL High Availability
+- Oracle Database 19c
+- Oracle Database 19c Express
+- Oracle Database 19c with RHEL High Availability
+

blueprints/rhel-9-latest-CIS-L1-Server.toml

@@ -0,0 +1,127 @@
+###############################################################################
+#
+# Blueprint for CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
+#
+# Profile Description:
+# This profile defines a baseline that aligns to the "Level 1 - Server"
+# configuration from the Center for Internet Security® Red Hat Enterprise
+# Linux 9 Benchmark™, v1.0.0, released 2022-11-28.
+# This profile includes Center for Internet Security®
+# Red Hat Enterprise Linux 9 CIS Benchmarks™ content.
+#
+# Profile ID:  xccdf_org.ssgproject.content_profile_cis_server_l1
+# Benchmark ID:  xccdf_org.ssgproject.content_benchmark_RHEL-9
+# Benchmark Version:  0.1.69
+# XCCDF Version:  1.2
+#
+# This file was generated by OpenSCAP 1.3.8 using:
+# oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_cis_server_l1 --fix-type blueprint xccdf-file.xml
+#
+# This Blueprint is generated from an OpenSCAP profile without preliminary evaluation.
+# It attempts to fix every selected rule, even if the system is already compliant.
+#
+# How to apply this Blueprint:
+# composer-cli blueprints push blueprint.toml
+#
+# See RHEL documentation for additional customization options. 
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/composing_a_customized_rhel_system_image/index#composer-blueprint-format_creating-system-images-with-composer-command-line-interface
+#
+# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
+# oscap info --profiles /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
+# oscap info --profile  xccdf_org.ssgproject.content_profile_cis_server_l1/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
+# oscap xccdf generate fix --profile  xccdf_org.ssgproject.content_profile_cis_server_l1--fix-type blueprint /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
+#
+# Note:  When importing into image builder, all comment lines will be removed.
+###############################################################################
+
+name = "RHEL-9-latest-CIS-L1-Server"
+description = "Blueprint for CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server from profile xccdf_org.ssgproject.content_profile_cis_server_l1 and auditable by Red Hat Insights."
+version = "0.0.1"
+modules = []
+groups = []
+distro = ""
+
+[customizations.openscap]
+datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml"
+profile_id = "xccdf_org.ssgproject.content_profile_cis_server_l1"
+
+[[packages]]
+name = "aide"
+
+[[packages]]
+name = "firewalld"
+
+[[packages]]
+name = "rsyslog"
+
+[[packages]]
+name = "libselinux"
+
+[[packages]]
+name = "scap-security-guide"
+
+[[packages]]
+name = "sudo"
+
+[[packages]]
+name = "insights-client"
+
+[[packages]]
+name = "rhc"
+
+[[packages]]
+name = "rhc-worker-playbook"
+
+[[packages]]
+name = "glibc-langpack-en"
+
+[[packages]]
+name = "langpacks-en"
+
+[[packages]]
+name = "ansible-core"
+
+[[packages]]
+name = "rhel-system-roles"
+
+[customizations.firewall]
+[customizations.firewall.services]
+enabled = ["ssh"]
+
+[customizations.services]
+enabled = ["sshd", "crond", "firewalld", "systemd-journald", "rsyslog"]
+disabled = ["nfs-server", "rpcbind"]
+
+# The below add up to a 10 GB disk size.  Adjust according to deployment environment.
+[[customizations.filesystem]]
+mountpoint = "/"
+minsize = "4 GB"
+
+[[customizations.filesystem]]
+mountpoint = "/dev/shm"
+size =  "1 GB"  # typical default is tmpfs, half of RAM
+
+[[customizations.filesystem]]
+mountpoint = "/tmp"
+size =  "1 GB"
+
+#[[customizations.filesystem]]
+#mountpoint = "/home"
+#size =  "1 GB"
+
+#[[customizations.filesystem]]
+#mountpoint = "/var"
+#size =  "1 GB"
+
+#[[customizations.filesystem]]
+#mountpoint = "/var/log"
+#size =  "1 GB"
+
+#[[customizations.filesystem]]
+#mountpoint = "/var/log/audit"
+#size =  "1 GB"
+
+#[[customizations.filesystem]]
+#mountpoint = "/var/tmp"
+#size =  "1 GB"
+

blueprints/rhel-9-latest-CIS-L1-Workstation.toml

@@ -0,0 +1,131 @@
+###############################################################################
+#
+# Blueprint for CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
+#
+# Profile Description:
+# This profile defines a baseline that aligns to the "Level 1 - Workstation"
+# configuration from the Center for Internet Security® Red Hat Enterprise
+# Linux 9 Benchmark™, v1.0.0, released 2022-11-28.
+# This profile includes Center for Internet Security®
+# Red Hat Enterprise Linux 9 CIS Benchmarks™ content.
+#
+# Profile ID:  xccdf_org.ssgproject.content_profile_cis_workstation_l1
+# Benchmark ID:  xccdf_org.ssgproject.content_benchmark_RHEL-9
+# Benchmark Version:  0.1.69
+# XCCDF Version:  1.2
+#
+# This file was generated by OpenSCAP 1.3.8 using:
+# $ oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_cis_workstation_l1 --fix-type blueprint xccdf-file.xml
+#
+# This Blueprint is generated from an OpenSCAP profile without preliminary evaluation.
+# It attempts to fix every selected rule, even if the system is already compliant.
+#
+# How to apply this Blueprint:
+# composer-cli blueprints push blueprint.toml
+#
+# See RHEL documentation for more customization options. 
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/composing_a_customized_rhel_system_image/index#composer-blueprint-format_creating-system-images-with-composer-command-line-interface
+#
+# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
+# oscap info --profiles /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
+# oscap info --profile xccdf_org.ssgproject.content_profile_cis_workstation_l1 /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
+# oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_cis_workstation_l1 --fix-type blueprint /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
+# 
+# Note:  When importing into image builder, all comment lines will be removed.
+###############################################################################
+
+name = "RHEL-9-latest-CIS-L1-Workstation"
+description = "Blueprint for CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation from profile xccdf_org.ssgproject.content_profile_cis_workstation_l1 and auditable by Red Hat Insights."
+version = "0.0.1"
+modules = []
+groups = []
+distro = ""
+
+[customizations.openscap]
+datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml"
+profile_id = "xccdf_org.ssgproject.content_profile_cis_workstation_l1"
+
+[[groups]]
+name = "Workstation"
+
+[[packages]]
+name = "aide"
+
+[[packages]]
+name = "firewalld"
+
+[[packages]]
+name = "rsyslog"
+
+[[packages]]
+name = "libselinux"
+
+[[packages]]
+name = "scap-security-guide"
+
+[[packages]]
+name = "sudo"
+
+[[packages]]
+name = "insights-client"
+
+[[packages]]
+name = "rhc"
+
+[[packages]]
+name = "rhc-worker-playbook"
+
+[[packages]]
+name = "glibc-langpack-en"
+
+[[packages]]
+name = "langpacks-en"
+
+[[packages]]
+name = "ansible-core"
+
+[[packages]]
+name = "rhel-system-roles"
+
+[customizations.firewall]
+[customizations.firewall.services]
+enabled = ["ssh"]
+
+[customizations.services]
+enabled = ["sshd", "crond", "firewalld", "systemd-journald", "rsyslog"]
+disabled = ["nfs-server", "rpcbind"]
+#disabled = ["nfs-server", "rpcbind", "nftables"]
+
+# The below add up to a 10 GB disk size.  Adjust according to deployment environment.
+[[customizations.filesystem]]
+mountpoint = "/"
+minsize = "4 GB"
+
+[[customizations.filesystem]]
+mountpoint = "/dev/shm"
+size =  "1 GB"  # typical default is tmpfs, half of RAM
+
+[[customizations.filesystem]]
+mountpoint = "/tmp"
+size =  "1 GB"
+
+#[[customizations.filesystem]]
+#mountpoint = "/home"
+#size =  "1 GB"
+
+#[[customizations.filesystem]]
+#mountpoint = "/var"
+#size =  "1 GB"
+
+#[[customizations.filesystem]]
+#mountpoint = "/var/log"
+#size =  "1 GB"
+
+#[[customizations.filesystem]]
+#mountpoint = "/var/log/audit"
+#size =  "1 GB"
+
+#[[customizations.filesystem]]
+#mountpoint = "/var/tmp"
+#size =  "1 GB"
+