diff --git a/ComplianceAsCode/README.md b/ComplianceAsCode/README.md
new file mode 100644
index 00000000..095d9822
--- /dev/null
+++ b/ComplianceAsCode/README.md
@@ -0,0 +1,38 @@
+# ComplianceAsCode content
+
+## What is this?
+
+This is a content directory for Rocky Linux 8, and several tools for adding rocky8 content as new product for CimplianceAsCode.
+
+## What is ComplianceAsCode?
+
+ComplianceAsCode is upstream for OSS SCAP contents [https://github.com/ComplianceAsCode](https://github.com/ComplianceAsCode).
+ComplianceAsCode content(old name "SCAP content") is including XML files, YAML, and so on for creating SCAP contents such as XCCDF or fixing scritp as BASH, Ansible.
+
+## How to develop ComplianceAsCode content?
+
+See [ComplianceAsCode Developer Guide](https://github.com/ComplianceAsCode/content/blob/master/docs/manual/developer_guide.adoc) in upsteam.
+
+## Structure
+
+Directories as follows
+* content/rocky8 (it is including definition for rocky8 contents)
+* content/shared/checks/oval/installed_OS_is_rocky8.xml (this is working for building OS check contents in XCCDF)
+* tools/ (it is including tool for supporting Rocky8 in ComplianceAsCode content.
+
+## How to use
+
+1. Git clone ComplianceAsCode content from (Official GitHub)[https://github.com/ComplianceAsCode/content] to your working directory(ex. work).
+2. cd work/content
+3. copy content_for_supporting_rocky8 directory from this repo under work/content. (Such as work/content/content_for_supporting_rocky8)
+4. run ./content_for_supporting_rocky8/tools/add_product_rocky8.sh
+
+Then you'll be ready to compile Rocky8 contents.
+
+## How to build rocky8 contents
+
+1. cd to content/build (such as work/content/build)
+2. run "cmake .."
+3. run "make -j4 rocky8"
+
+Then you'll see several xml contents under build directory.
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/README.md b/ComplianceAsCode/content_for_supporting_rocky8/README.md
new file mode 100644
index 00000000..19b99bfc
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/README.md
@@ -0,0 +1,25 @@
+# Rocky8 files and tools
+These are files for supporting Rocky8 for ComplianceAsCode content. 'Files' directory contain files for modifying ComplianceAsCode [content](https://github.com/ComplianceAsCode/content). 'Tools' directory contain script for modifying ComplianceAsCode content to support Rocky8.
+
+## Rocky8 product information.
+Just for now, we use following Name/Values as Rocky8 product informtation(content/rocky8/product.yml)
+
+1. fingerprints vaules. For Redhat, we can check it on [https://access.redhat.com/security/team/key](https://access.redhat.com/security/team/key)
+```pkg_release: "PKG_RELASE"
+ pkg_version: "PKG_VERSION"
+ aux_pkg_release: "AUX_PKG_RELEASE"
+ aux_pkg_version: "AUX_PKG_VERSION"
+
+ release_key_fingerprint: "RELEASE_KEY_FINGERPRINT"
+ auxiliary_key_fingerprint: "AUXILIARY_KEY_FINGERPRINT"
+```
+
+2. OVAL Feed URL. If we will use completely same as RHEL8 OVAL, we might not be need to change it.
+```
+oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml"
+```
+
+3. CPE. CPE name is in /etc/os-release and /etc/system-release-cpe.
+```
+name: "cpe:/o:rocky:rocky_linux:8"
+```
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/diff_content_for_supporting_rocky8 b/ComplianceAsCode/content_for_supporting_rocky8/files/diff_content_for_supporting_rocky8
new file mode 100644
index 00000000..4fc5b86f
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/diff_content_for_supporting_rocky8
@@ -0,0 +1,109 @@
+diff -Nru content.org/CMakeLists.txt content/CMakeLists.txt
+--- content.org/CMakeLists.txt 2021-05-03 07:27:49.961754374 +0900
++++ content/CMakeLists.txt 2021-05-03 07:29:29.739430343 +0900
+@@ -88,6 +88,7 @@
+ option(SSG_PRODUCT_VSEL "If enabled, the McAfee VSEL SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_WRLINUX8 "If enabled, the WRLinux8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_WRLINUX1019 "If enabled, the WRLinux1019 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
++option(SSG_PRODUCT_ROCKY8 "If enabled, the ROCKY8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ 
+ option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
+ option(SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED "If enabled, Scientific Linux derivative content will be built from the RHEL content" TRUE)
+@@ -277,6 +278,7 @@
+ message(STATUS "McAfee VSEL: ${SSG_PRODUCT_VSEL}")
+ message(STATUS "WRLinux 8: ${SSG_PRODUCT_WRLINUX8}")
+ message(STATUS "WRLinux 1019: ${SSG_PRODUCT_WRLINUX1019}")
++message(STATUS "ROCKY 8: ${SSG_PRODUCT_ROCKY8}")
+ 
+ 
+ 
+@@ -399,6 +401,10 @@
+ if (SSG_PRODUCT_WRLINUX1019)
+ add_subdirectory("wrlinux1019")
+ endif()
++if (SSG_PRODUCT_ROCKY8)
++ add_subdirectory("rocky8")
++endif()
++
+ 
+ # ZIP only contains source datastreams and kickstarts, people who
+ # want sources to build from should get the tarball instead.
+diff -Nru content.org/build_product content/build_product
+--- content.org/build_product 2021-05-03 07:27:50.029755540 +0900
++++ content/build_product 2021-05-03 07:29:29.739430343 +0900
+@@ -295,6 +295,7 @@
+ VSEL
+ WRLINUX8
+ WRLINUX1019
++ ROCKY8
+ )
+ 
+ DEFAULT_OVAL_MAJOR_VERSION=5
+diff -Nru content.org/shared/checks/oval/install_mcafee_hbss.xml content/shared/checks/oval/install_mcafee_hbss.xml
+--- content.org/shared/checks/oval/install_mcafee_hbss.xml 2021-05-03 07:27:50.321760545 +0900
++++ content/shared/checks/oval/install_mcafee_hbss.xml 2021-05-03 07:29:57.423884084 +0900
+@@ -14,6 +14,7 @@
+ multi_platform_sle
+ multi_platform_ubuntu
+ multi_platform_wrlinux
++ multi_platform_rocky
+ 
+ McAfee Host-Based Intrusion Detection Software (HBSS) software
+ should be installed.
+diff -Nru content.org/shared/checks/oval/sysctl_kernel_ipv6_disable.xml content/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+--- content.org/shared/checks/oval/sysctl_kernel_ipv6_disable.xml 2021-05-03 07:27:50.325760613 +0900
++++ content/shared/checks/oval/sysctl_kernel_ipv6_disable.xml 2021-05-03 07:30:19.808247714 +0900
+@@ -14,6 +14,7 @@
+ multi_platform_sle
+ multi_platform_ubuntu
+ multi_platform_wrlinux
++ multi_platform_rocky
+ 
+ Disables IPv6 for all network interfaces.
+ +diff -Nru content.org/ssg/constants.py content/ssg/constants.py +--- content.org/ssg/constants.py 2021-05-03 07:27:50.369761368 +0900 ++++ content/ssg/constants.py 2021-05-03 07:29:29.739430343 +0900 +@@ -24,7 +24,8 @@ + 'sle12', 'sle15', + 'ubuntu1604', 'ubuntu1804', 'ubuntu2004', + 'vsel', +- 'wrlinux8', 'wrlinux1019' ++ 'wrlinux8', 'wrlinux1019', ++ 'rocky8' + ] + + JINJA_MACROS_BASE_DEFINITIONS = os.path.join(os.path.dirname(os.path.dirname( +@@ -177,6 +178,7 @@ + "Ubuntu 20.04": "ubuntu2004", + "WRLinux 8": "wrlinux8", + "WRLinux 1019": "wrlinux1019", ++ "Rocky Linux 8": "rocky8", + } + + +@@ -191,7 +193,7 @@ + } + + MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhosp", "rhv", "debian", "ubuntu", +- "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "example"] ++ "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "rocky", "example"] + + MULTI_PLATFORM_MAPPING = { + "multi_platform_debian": ["debian9", "debian10"], +@@ -207,6 +209,7 @@ + "multi_platform_sle": ["sle12", "sle15"], + "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004"], + "multi_platform_wrlinux": ["wrlinux8", "wrlinux1019"], ++ "multi_platform_wrlinux": ["rocky8"], + } + + RHEL_CENTOS_CPE_MAPPING = { +@@ -372,6 +375,7 @@ + 'ol': 'Oracle Linux', + 'ocp': 'Red Hat OpenShift Container Platform', + 'rhcos': 'Red Hat Enterprise Linux CoreOS', ++ 'rocky': 'Rocky Linux', + } + + diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/installed_OS_is_rocky8.xml b/ComplianceAsCode/content_for_supporting_rocky8/files/installed_OS_is_rocky8.xml new file mode 100644 index 00000000..a0b9c6e3 --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/installed_OS_is_rocky8.xml @@ -0,0 +1,47 @@ + + + + Rocky Linux 8 + + multi_platform_all + + + The operating system installed on the system is + Rocky Linux 8 + + + + + + + + + + + + + + /etc/os-release + ^ID="(\w+)"$ + 1 + + + rocky + + + + + + + + /etc/os-release + ^VERSION_ID="(\d)"$ + 1 + + + 8 + + 
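Review bot: In the ssg/constants.py part of this patch, the added entry `"multi_platform_wrlinux": ["rocky8"],` repeats the dict key of the line directly above it, so the Python literal silently keeps only the last value: `multi_platform_wrlinux` now resolves to `["rocky8"]` and no `multi_platform_rocky` key is ever defined, even though the two OVAL checks patched earlier in this same file (install_mcafee_hbss.xml and sysctl_kernel_ipv6_disable.xml) declare `multi_platform_rocky` as a platform. The line should read `"multi_platform_rocky": ["rocky8"],`. The `"rocky"` addition to `MULTI_PLATFORM_LIST` and the `'rocky': 'Rocky Linux'` full-name entry are consistent with that spelling, so only the mapping key is wrong. The nested hunks for CMakeLists.txt and build_product look complete; the whole patch file is added as one hunk here.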
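Review bot: The second pattern in this OVAL check, `^VERSION_ID="(\d)"$`, only matches a bare single-digit value, whereas, as far as I know, Rocky Linux 8's /etc/os-release carries a dotted value such as `VERSION_ID="8.4"`; if so, the definition evaluates false on a real Rocky 8 host and the rocky8 datastream's OS applicability check never succeeds. Consider a pattern that accepts the minor version, e.g. `^VERSION_ID="(\d)(\.\d+)?"$`, and confirm against an installed system. The element tags of this file are stripped in this rendering, so the object/state/test wiring and the platform choice (`multi_platform_all`) could not be reviewed beyond the text shown.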
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/CMakeLists.txt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/CMakeLists.txt
new file mode 100644
index 00000000..fe01a682
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/CMakeLists.txt
@@ -0,0 +1,36 @@
+# Sometimes our users will try to do: "cd rocky8; cmake ." That needs to error in a nice way.
+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+set(PRODUCT "rocky8")
+set(DISA_SRG_TYPE "os")
+
+ssg_build_product(${PRODUCT})
+
+ssg_build_html_table_by_ref(${PRODUCT} "nist")
+ssg_build_html_table_by_ref(${PRODUCT} "cui")
+ssg_build_html_table_by_ref(${PRODUCT} "cis")
+ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
+ssg_build_html_table_by_ref(${PRODUCT} "anssi")
+
+ssg_build_html_nistrefs_table(${PRODUCT} "standard")
+ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
+ssg_build_html_nistrefs_table(${PRODUCT} "stig")
+
+ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal")
+ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary")
+ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced")
+ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high")
+
+ssg_build_html_cce_table(${PRODUCT})
+
+ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
+
+ssg_build_html_stig_tables(${PRODUCT} "stig")
+
+#ssg_build_html_stig_tables(${PRODUCT} "ospp")
+
+#if (SSG_CENTOS_DERIVATIVES_ENABLED)
+# ssg_build_derivative_product(${PRODUCT} "centos" "centos8")
+#endif()
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
new file mode 100644
index 00000000..6f66a377
--- /dev/null
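Review bot: The last five lines of this new CMakeLists.txt are commented-out code (`#ssg_build_html_stig_tables(${PRODUCT} "ospp")` and the `#if (SSG_CENTOS_DERIVATIVES_ENABLED)` derivative block carried over from the rhel8 product); dead code should be deleted, or replaced by a one-line comment such as `# rocky8 builds no derivative products` if the intent is worth recording. The three `"stig"` table calls (`ssg_build_html_nistrefs_table`, `ssg_build_html_srgmap_tables`, `ssg_build_html_stig_tables`) presuppose that a stig profile exists in the rocky8 product directory, which this patch does not show; if the rocky8 profiles are only the four ANSSI ones shipped here, those targets will fail at build time and should be dropped until a stig profile is added. Minor: `${DISA_SRG_TYPE}` is the only unquoted argument in the file; `"${DISA_SRG_TYPE}"` would match the rest.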
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg 
@@ -0,0 +1,163 @@ +# SCAP Security Guide ANSSI BP-028 (enhanced) profile kickstart for Red Hat Enterprise Linux 8 +# Version: 0.0.1 +# Date: 2021-01-28 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +# +# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, +# "--bootproto=static" must be used. 
For example: +# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 +# +network --onboot yes --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. +# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. 
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec" +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup --pesize=4096 pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow +# Ensure /usr Located On Separate Partition +logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev" +# Ensure /opt Located On Separate Partition +logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +# Ensure /srv Located On Separate Partition +logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp 
--vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# The following keys are recognized by the add-on: +# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide. +# - If the content-type is scap-security-guide, the add-on will use content provided by the +# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect. +# content-url - Location of the security content. 
The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location. +# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream. +# xccdf-id - ID of the benchmark you want to use. +# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive. +# profile - ID of the profile to be applied. Use default to apply the default profile. +# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url. +# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive. +# +# The following is an example %addon org_fedora_oscap section which uses content from the +# scap-security-guide on the installation media: +%addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced +%end + +# Packages selection (%packages section is required) +%packages + +# Require @Base +@Base + +%end # End of %packages section + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg new file mode 100644 index 00000000..b5c09253 --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg 
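Review bot: The `rootpw --iscrypted $6$0WWGZ1e6icT$…`, `user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$… --iscrypted` and `bootloader … --password=$6$zCPaBARiNlBYUAS7$…` lines keep the upstream sample hashes, and the comments directly above them state the plaintexts (server, admin123, password), so a Rocky 8 host installed from this file unchanged ends up with a root, a wheel-group user and a bootloader password that are public knowledge; the same three lines appear in ssg-rhel8-anssi_bp28_high-ks.cfg and ssg-rhel8-anssi_bp28_intermediary-ks.cfg (the latter without the bootloader password). Since these are shipped as the rocky8 product's kickstarts rather than as upstream examples, replace the hashes with a clearly invalid placeholder and a comment telling the deployer to generate a site-specific SHA-512 crypt hash, e.g. `# REPLACE before use: generate with 'openssl passwd -6'`. The header still reads "kickstart for Red Hat Enterprise Linux 8" and the files are named `ssg-rhel8-*`; if the build collects kickstarts by a product-name pattern these would be skipped, so rename them to `ssg-rocky8-*` and update the title. Also, the "Refer to e.g. …commands.html#rootpw" link under the bootloader comment should point at the bootloader command's documentation rather than rootpw.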
@@ -0,0 +1,167 @@ +# SCAP Security Guide ANSSI BP-028 (high) profile kickstart for Red Hat Enterprise Linux 8 +# Version: 0.0.1 +# Date: 2020-12-10 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +# +# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, +# "--bootproto=static" must be used. 
For example: +# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 +# +network --onboot yes --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. +# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. 
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec" +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup --pesize=4096 pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow +# Ensure /usr Located On Separate Partition +logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev" +# Ensure /opt Located On Separate Partition +logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +# Ensure /srv Located On Separate Partition +logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp 
--vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# The following keys are recognized by the add-on: +# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide. +# - If the content-type is scap-security-guide, the add-on will use content provided by the +# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect. +# content-url - Location of the security content. 
The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location. +# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream. +# xccdf-id - ID of the benchmark you want to use. +# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive. +# profile - ID of the profile to be applied. Use default to apply the default profile. +# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url. +# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive. +# +# The following is an example %addon org_fedora_oscap section which uses content from the +# scap-security-guide on the installation media: +%addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_anssi_bp28_high +%end + +# Packages selection (%packages section is required) +%packages + +# Require @Base +@Base + +%end # End of %packages section + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg new file mode 100644 index 00000000..fb785e0c --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg 
@@ -0,0 +1,163 @@ +# SCAP Security Guide ANSSI BP-028 (intermediary) profile kickstart for Red Hat Enterprise Linux 8 +# Version: 0.0.1 +# Date: 2021-01-28 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +# +# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, +# "--bootproto=static" must be used. 
For example: +# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 +# +network --onboot yes --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. +# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. 
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+bootloader --location=mbr
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
+# Ensure /usr Located On Separate Partition
+logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+# Ensure /opt Located On Separate Partition
+logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+# Ensure /srv Located On Separate Partition
+logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+# Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/log/audit Located On Separate Partition
+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+logvol swap --name=swap --vgname=VolGroup --size=2016
+
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+# content - security policies - on the installed system.This add-on has been enabled by default
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
+# functionality will automatically be installed. However, by default, no policies are enforced,
+# meaning that no checks are performed during or after installation unless specifically configured.
+#
+# Important
+# Applying a security policy is not necessary on all systems. This screen should only be used
+# when a specific policy is mandated by your organization rules or government regulations.
+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+# Values can be optionally enclosed in single quotes (') or double quotes (").
+#
+# The following keys are recognized by the add-on:
+# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
+# - If the content-type is scap-security-guide, the add-on will use content provided by the
+# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
+# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
+# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
+# xccdf-id - ID of the benchmark you want to use.
+# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
+# profile - ID of the profile to be applied. Use default to apply the default profile.
+# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
+# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
+#
+# The following is an example %addon org_fedora_oscap section which uses content from the
+# scap-security-guide on the installation media:
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
new file mode 100644
index 00000000..1d62b55d
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
@@ -0,0 +1,127 @@
+# SCAP Security Guide ANSSI BP-028 (minimal) profile kickstart for Red Hat Enterprise Linux 8
+# Version: 0.0.1
+# Date: 2021-01-28
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server= --dir= [--opts=]
+#
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --bootproto dhcp
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+bootloader --location=mbr
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+# content - security policies - on the installed system.This add-on has been enabled by default
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
+# functionality will automatically be installed. However, by default, no policies are enforced,
+# meaning that no checks are performed during or after installation unless specifically configured.
+#
+# Important
+# Applying a security policy is not necessary on all systems. This screen should only be used
+# when a specific policy is mandated by your organization rules or government regulations.
+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+# Values can be optionally enclosed in single quotes (') or double quotes (").
+#
+# The following keys are recognized by the add-on:
+# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
+# - If the content-type is scap-security-guide, the add-on will use content provided by the
+# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
+# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
+# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
+# xccdf-id - ID of the benchmark you want to use.
+# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
+# profile - ID of the profile to be applied. Use default to apply the default profile.
+# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
+# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
+#
+# The following is an example %addon org_fedora_oscap section which uses content from the
+# scap-security-guide on the installation media:
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cis-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cis-ks.cfg
new file mode 100644
index 00000000..ee3a20bc
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cis-ks.cfg
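Review bot: The bootloader block of this kickstart is annotated `# Plaintext password is: password`, but the command that follows is `bootloader --location=mbr` with no `--password=` argument, so the comment describes a protection that is never configured; either drop that comment line or pass `--password=<BOOTLOADER_HASH_PLACEHOLDER>` the way the cis and e8 kickstarts in this change do. Separately, this file and the cis, cui, e8 and hipaa kickstarts added alongside it all ship crypt hashes whose plaintexts are spelled out in the neighbouring comments (`server`, `admin123`, `password`), so a file used unmodified installs a host with publicly known credentials. A header line such as `# Example credentials only: regenerate every --iscrypted/--password hash before using this kickstart` would make that explicit for anyone who copies the file.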
@@ -0,0 +1,146 @@
+# SCAP Security Guide CIS profile kickstart for Red Hat Enterprise Linux 8 Server
+# Version: 0.0.1
+# Date: 2020-03-30
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Install a fresh new system (optional)
+install
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server= --dir= [--opts=]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+# Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024
+# Ensure /var/log/audit Located On Separate Partition
+logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512
+logvol swap --name=lv_swap --vgname=VolGroup --size=2016
+
+
+# Harden installation with CIS profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_cis
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cui-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cui-ks.cfg
new file mode 100644
index 00000000..8e4b9258
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cui-ks.cfg
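Review bot: The `/var`, `/var/log` and `/var/log/audit` logvols in this kickstart carry no `--fsoptions`, while `/home`, `/tmp` and `/var/tmp` in the same file do and the cui kickstart added in this change mounts the same three volumes with `--fsoptions="nodev"` and `--fsoptions="nodev,nosuid,noexec"`; if the omission is intentional for the CIS layout a comment saying so would help, otherwise the options should be added rather than left for the OpenSCAP add-on to remediate after first boot. The file also opens with a bare `install` command, as do the cui, e8 and hipaa kickstarts in this change; on RHEL 8-era pykickstart that command is deprecated and only warns, and since the `url` line is commented out the file appears to have no active installation source until it is edited. A comment above `install` such as `# Deprecated on RHEL 8; uncomment and adjust the url line below to select the installation source` would save the next person a stalled unattended install.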
@@ -0,0 +1,167 @@
+# SCAP Security Guide CUI profile kickstart for Red Hat Enterprise Linux 8
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+
+# Install a fresh new system (optional)
+install
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server= --dir= [--opts=]
+#
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --bootproto dhcp
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# --enableshadow enable shadowed passwords by default
+# --passalgo hash / crypt algorithm for new passwords
+# See the manual page for authconfig for a complete list of possible options.
+authconfig --enableshadow --passalgo=sha512
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
+# Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/log/audit Located On Separate Partition
+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+logvol swap --name=swap --vgname=VolGroup --size=2016
+
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+# content - security policies - on the installed system.This add-on has been enabled by default
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
+# functionality will automatically be installed. However, by default, no policies are enforced,
+# meaning that no checks are performed during or after installation unless specifically configured.
+#
+# Important
+# Applying a security policy is not necessary on all systems. This screen should only be used
+# when a specific policy is mandated by your organization rules or government regulations.
+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+# Values can be optionally enclosed in single quotes (') or double quotes (").
+#
+# The following keys are recognized by the add-on:
+# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
+# - If the content-type is scap-security-guide, the add-on will use content provided by the
+# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
+# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
+# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
+# xccdf-id - ID of the benchmark you want to use.
+# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
+# profile - ID of the profile to be applied. Use default to apply the default profile.
+# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
+# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
+#
+# The following is an example %addon org_fedora_oscap section which uses content from the
+# scap-security-guide on the installation media:
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_cui
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-e8-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-e8-ks.cfg
new file mode 100644
index 00000000..591d3026
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-e8-ks.cfg
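Review bot: This kickstart configures authentication with `authconfig --enableshadow --passalgo=sha512`, while the cis, e8 and hipaa kickstarts in the same change use `authselect select sssd`; on RHEL 8-derived installers `authconfig` is a deprecated kickstart command retained only as a compatibility wrapper, so the five files should agree. Replacing the block with `authselect select sssd` and the comment `# sssd profile sets sha512 to hash passwords; passwords are shadowed by default` brings it in line with the others without changing the resulting policy. The comment above `bootloader` still points at the rootpw documentation for creating an encrypted password although no `--password=` is passed here; trimming it to `# Specify how the bootloader should be installed (required)` avoids implying a bootloader password is set.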
@@ -0,0 +1,125 @@
+# SCAP Security Guide Essential Eight profile kickstart for Red Hat Enterprise Linux 8 Server
+# Version: 0.0.1
+# Date: 2019-11-13
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Install a fresh new system (optional)
+install
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server= --dir= [--opts=]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# Harden installation with Essential Eight profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_e8
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-hipaa-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-hipaa-ks.cfg
new file mode 100644
index 00000000..dc4a44c8
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-hipaa-ks.cfg
@@ -0,0 +1,125 @@ +# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 8 Server +# Version: 0.0.1 +# Date: 2020-05-25 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart + +# Install a fresh new system (optional) +install + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# + +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +# +# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, +# "--bootproto=static" must be used. 
For example: +# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 +# +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set up the authentication options for the system (required) +# sssd profile sets sha512 to hash passwords +# passwords are shadowed by default +# See the manual page for authselect-profile for a complete list of possible options. +authselect select sssd + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +autopart + +# Harden installation with HIPAA profile +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_hipaa +%end + +# Packages selection (%packages section is required) +%packages + +# Require @Base +@Base + +%end # End of %packages section + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-ospp-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-ospp-ks.cfg new file mode 100644 index 00000000..ec490c38 --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-ospp-ks.cfg 
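Review bot: The `rootpw --iscrypted`, `user --name=admin ... --password=` and `bootloader ... --password=` lines ship fixed hashes whose plaintext values are spelled out in the comments directly above them, so a host installed from this file as committed ends up with documented credentials; the same hashes recur in the ospp, pci-dss and stig kickstarts below and in the e8 kickstart whose hunk begins above this view. Since these are copied upstream examples, add a header comment such as `# Placeholder credentials: regenerate every --iscrypted hash (rootpw, user, bootloader) before installing from this file` and consider dropping the `# Plaintext password is:` lines. The header `# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 8 Server` also predates the move under `files/rocky8/`; `# SCAP Security Guide HIPAA profile kickstart for Rocky Linux 8` would match the directory it now lives in.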
@@ -0,0 +1,167 @@ +# SCAP Security Guide OSPP profile kickstart for Red Hat Enterprise Linux 8 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg + +# Install a fresh new system (optional) +install + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +# +# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, +# "--bootproto=static" must be used. 
For example: +# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 +# +network --onboot yes --bootproto dhcp + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. +# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set up the authentication options for the system (required) +# --enableshadow enable shadowed passwords by default +# --passalgo hash / crypt algorithm for new passwords +# See the manual page for authconfig for a complete list of possible options. +authconfig --enableshadow --passalgo=sha512 + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Refer to e.g. 
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup --pesize=4096 pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap 
--vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# The following keys are recognized by the add-on: +# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide. +# - If the content-type is scap-security-guide, the add-on will use content provided by the +# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect. +# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location. +# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream. +# xccdf-id - ID of the benchmark you want to use. +# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive. +# profile - ID of the profile to be applied. Use default to apply the default profile. 
+# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url. +# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive. +# +# The following is an example %addon org_fedora_oscap section which uses content from the +# scap-security-guide on the installation media: +%addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_ospp +%end + +# Packages selection (%packages section is required) +%packages + +# Require @Base +@Base + +%end # End of %packages section + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-pci-dss-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-pci-dss-ks.cfg new file mode 100644 index 00000000..386cbcc1 --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-pci-dss-ks.cfg 
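Review bot: `authconfig --enableshadow --passalgo=sha512` is the deprecated RHEL 8 kickstart command; the hipaa kickstart in this same commit already uses `authselect select sssd`, so the ospp, pci-dss and stig files should be aligned to it (the hipaa file's own comment notes that the sssd profile hashes with sha512 and shadows passwords by default). The bare `install` command near the top is, if I recall the RHEL 8 pykickstart handler correctly, deprecated as well and can simply be dropped. The `# Refer to e.g. .../commands.html#rootpw` comment above `bootloader` describes how to create an encrypted password, yet the `bootloader` line in this file carries no `--password`; either add the option or remove the comment so the intended hardening is unambiguous.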
@@ -0,0 +1,157 @@ +# SCAP Security Guide PCI-DSS profile kickstart for Red Hat Enterprise Linux 8 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg + +# Install a fresh new system (optional) +install + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# + +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. 
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set up the authentication options for the system (required) +# --enableshadow enable shadowed passwords by default +# --passalgo hash / crypt algorithm for new passwords +# See the manual page for authconfig for a complete list of possible options. +authconfig --enableshadow --passalgo=sha512 + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. 
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +# +# PASSWORD TEMPORARILY DISABLED +bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" +#bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup --pesize=4096 pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow +# CCE-26557-9: Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev" +# CCE-26435-8: Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +# CCE-26639-5: Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072 --fsoptions="nodev" +# CCE-26215-4: Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev" +# CCE-26436-6: Ensure 
/var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev" +logvol swap --name=lv_swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# The following keys are recognized by the add-on: +# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide. +# - If the content-type is scap-security-guide, the add-on will use content provided by the +# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect. +# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location. +# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream. +# xccdf-id - ID of the benchmark you want to use. 
+# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive. +# profile - ID of the profile to be applied. Use default to apply the default profile. +# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url. +# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive. +# +# The following is an example %addon org_fedora_oscap section which uses content from the +# scap-security-guide on the installation media: +%addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_pci-dss +%end + +# Packages selection (%packages section is required) +%packages +%end # End of %packages section + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-stig-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-stig-ks.cfg new file mode 100644 index 00000000..0ec942bb --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-stig-ks.cfg 
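Review bot: The `%packages` section here is empty (`%packages` followed directly by `%end`), whereas the hipaa, ospp and stig kickstarts select `@Base`; unless the omission is intentional, restore `@Base` so the profiles install a comparable package set. The `bootloader` line has its `--password` variant commented out under `# PASSWORD TEMPORARILY DISABLED` while `# Plaintext password is: password` above it still describes the disabled hash; document why it is disabled and when it should be re-enabled, or remove both the stale comment and the commented-out line. The `/var/log` and `/var/log/audit` logical volumes are mounted with `--fsoptions="nodev"` only, while the ospp and stig layouts use `nodev,nosuid,noexec` for them; if that difference is not deliberate, align the options.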
@@ -0,0 +1,168 @@ +# SCAP Security Guide STIG profile kickstart for Red Hat Enterprise Linux 8 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg + +# Install a fresh new system (optional) +install + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +# +# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, +# "--bootproto=static" must be used. 
For example: +# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 +# +network --onboot yes --bootproto dhcp + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. +# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set up the authentication options for the system (required) +# --enableshadow enable shadowed passwords by default +# --passalgo hash / crypt algorithm for new passwords +# See the manual page for authconfig for a complete list of possible options. +authconfig --enableshadow --passalgo=sha512 + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. 
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec" +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup --pesize=4096 pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate 
Partition +logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# The following keys are recognized by the add-on: +# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide. +# - If the content-type is scap-security-guide, the add-on will use content provided by the +# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect. +# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location. +# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream. +# xccdf-id - ID of the benchmark you want to use. 
+# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive. +# profile - ID of the profile to be applied. Use default to apply the default profile. +# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url. +# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive. +# +# The following is an example %addon org_fedora_oscap section which uses content from the +# scap-security-guide on the installation media: +%addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_stig +%end + +# Packages selection (%packages section is required) +%packages + +# Require @Base +@Base + +%end # End of %packages section + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/overlays/srg_support.xml b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/overlays/srg_support.xml new file mode 100644 index 00000000..7c89f520 --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/overlays/srg_support.xml @@ -0,0 +1,173 @@ + diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/overlays/stig_overlay.xml b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/overlays/stig_overlay.xml new file mode 100644 index 00000000..6cf1c1d2 --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/overlays/stig_overlay.xml 
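Review bot: The NOTE above the `network` line still cites `CCE-27021-5 (DISA FSO RHEL-06-000292)`, a RHEL 6 identifier, in a kickstart for the RHEL 8 STIG profile whose overlay in this same commit uses `RHEL-08-` identifiers; the same stale reference appears in the hipaa and ospp kickstarts. Either update it to the corresponding RHEL 8 rule identifier or reword it generically, e.g. `# NOTE: DHCP may not satisfy the selected profile's network rules; use --bootproto=static for a compliant install`. The header `# SCAP Security Guide STIG profile kickstart for Red Hat Enterprise Linux 8` likewise predates the move under `files/rocky8/`.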
@@ -0,0 +1,1367 @@ + + + + + + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010010" disa="366" severity="medium"> + <VMSinfo VKey="230222" SVKey="230222r5997" VRelease="r599732"/> + <title text="RHEL 8 vendor packaged system security patches and updates must be installed and up to date."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010020" disa="68" severity="high"> + <VMSinfo VKey="230223" SVKey="230223r5997" VRelease="r599732"/> + <title text="RHEL 8 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010030" disa="1199" severity="medium"> + <VMSinfo VKey="230224" SVKey="230224r5997" VRelease="r599732"/> + <title text="All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010040" disa="48" severity="medium"> + <VMSinfo VKey="230225" SVKey="230225r5997" VRelease="r599732"/> + <title text="RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010050" disa="48" severity="medium"> + <VMSinfo VKey="230226" SVKey="230226r5997" VRelease="r599732"/> + <title text="RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010060" disa="48" severity="medium"> + <VMSinfo 
VKey="230227" SVKey="230227r5997" VRelease="r599732"/> + <title text="RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010070" disa="67" severity="medium"> + <VMSinfo VKey="230228" SVKey="230228r5997" VRelease="r599732"/> + <title text="All RHEL 8 remote access methods must be monitored."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010090" disa="185" severity="medium"> + <VMSinfo VKey="230229" SVKey="230229r5997" VRelease="r599732"/> + <title text="RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010100" disa="186" severity="medium"> + <VMSinfo VKey="230230" SVKey="230230r5997" VRelease="r599732"/> + <title text="RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010110" disa="196" severity="medium"> + <VMSinfo VKey="230231" SVKey="230231r5997" VRelease="r599732"/> + <title text="RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010120" disa="196" severity="medium"> + <VMSinfo VKey="230232" SVKey="230232r5997" VRelease="r599732"/> + <title text="RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010130" disa="196" severity="medium"> + <VMSinfo VKey="230233" SVKey="230233r5997" VRelease="r599732"/> + <title text="RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all 
created passwords."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010140" disa="213" severity="high"> + <VMSinfo VKey="230234" SVKey="230234r5997" VRelease="r599732"/> + <title text="RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010150" disa="213" severity="high"> + <VMSinfo VKey="230235" SVKey="230235r5997" VRelease="r599732"/> + <title text="RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010151" disa="213" severity="medium"> + <VMSinfo VKey="230236" SVKey="230236r5997" VRelease="r599732"/> + <title text="RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010160" disa="803" severity="medium"> + <VMSinfo VKey="230237" SVKey="230237r5997" VRelease="r599732"/> + <title text="The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010161" disa="803" severity="medium"> + <VMSinfo VKey="230238" SVKey="230238r5997" VRelease="r599732"/> + <title text="RHEL 8 must prevent system daemons from using Kerberos for authentication."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010162" disa="803" severity="medium"> + <VMSinfo VKey="230239" SVKey="230239r5997" VRelease="r599732"/> + <title text="The krb5-workstation package must not be installed on RHEL 8."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010170" disa="1084" severity="medium"> + <VMSinfo VKey="230240" SVKey="230240r5997" 
VRelease="r599732"/> + <title text="RHEL 8 must use a Linux Security Module configured to enforce limits on system services."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010171" disa="1084" severity="low"> + <VMSinfo VKey="230241" SVKey="230241r5997" VRelease="r599732"/> + <title text="RHEL 8 must have policycoreutils package installed."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010180" disa="1090" severity="medium"> + <VMSinfo VKey="230242" SVKey="230242r5997" VRelease="r599732"/> + <title text="All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010190" disa="1090" severity="medium"> + <VMSinfo VKey="230243" SVKey="230243r5997" VRelease="r599732"/> + <title text="A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010200" disa="1133" severity="medium"> + <VMSinfo VKey="230244" SVKey="230244r5997" VRelease="r599732"/> + <title text="RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010210" disa="1314" severity="medium"> + <VMSinfo VKey="230245" SVKey="230245r5997" VRelease="r599732"/> + <title text="The RHEL 8 /var/log/messages file must have mode 0640 or less permissive."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010220" disa="1314" severity="medium"> + <VMSinfo VKey="230246" SVKey="230246r5997" VRelease="r599732"/> + <title text="The RHEL 8 /var/log/messages file must 
be owned by root."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010230" disa="1314" severity="medium"> + <VMSinfo VKey="230247" SVKey="230247r5997" VRelease="r599732"/> + <title text="The RHEL 8 /var/log/messages file must be group-owned by root."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010240" disa="1314" severity="medium"> + <VMSinfo VKey="230248" SVKey="230248r5997" VRelease="r599732"/> + <title text="The RHEL 8 /var/log directory must have mode 0755 or less permissive."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010250" disa="1314" severity="medium"> + <VMSinfo VKey="230249" SVKey="230249r5997" VRelease="r599732"/> + <title text="The RHEL 8 /var/log directory must be owned by root."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010260" disa="1314" severity="medium"> + <VMSinfo VKey="230250" SVKey="230250r5997" VRelease="r599732"/> + <title text="The RHEL 8 /var/log directory must be group-owned by root."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010290" disa="1453" severity="medium"> + <VMSinfo VKey="230251" SVKey="230251r5997" VRelease="r599732"/> + <title text="The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010291" disa="1453" severity="medium"> + <VMSinfo VKey="230252" SVKey="230252r5997" VRelease="r599778"/> + <title text="The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010292" disa="366" severity="low"> + <VMSinfo VKey="230253" SVKey="230253r5997" VRelease="r599732"/> + <title text="RHEL 8 must ensure the SSH server uses strong entropy."/> + </overlay> + <overlay owner="disastig" 
ruleid="XXXX" ownerid="RHEL-08-010293" disa="1453" severity="medium"> + <VMSinfo VKey="230254" SVKey="230254r5997" VRelease="r599732"/> + <title text="The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010294" disa="1453" severity="medium"> + <VMSinfo VKey="230255" SVKey="230255r5997" VRelease="r599732"/> + <title text="The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010295" disa="1453" severity="medium"> + <VMSinfo VKey="230256" SVKey="230256r5997" VRelease="r599732"/> + <title text="The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010300" disa="1499" severity="medium"> + <VMSinfo VKey="230257" SVKey="230257r5997" VRelease="r599732"/> + <title text="RHEL 8 system commands must have mode 0755 or less permissive."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010310" disa="1499" severity="medium"> + <VMSinfo VKey="230258" SVKey="230258r5997" VRelease="r599732"/> + <title text="RHEL 8 system commands must be owned by root."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010320" disa="1499" severity="medium"> + <VMSinfo VKey="230259" SVKey="230259r5997" VRelease="r599732"/> + <title text="RHEL 8 system commands must be group-owned by root or a system account."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010330" disa="1499" severity="medium"> + <VMSinfo VKey="230260" SVKey="230260r5997" VRelease="r599732"/> + <title text="RHEL 8 library files must have mode 0755 or less permissive."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010340" disa="1499" severity="medium"> + <VMSinfo VKey="230261" 
SVKey="230261r5997" VRelease="r599732"/> + <title text="RHEL 8 library files must be owned by root."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010350" disa="1499" severity="medium"> + <VMSinfo VKey="230262" SVKey="230262r5997" VRelease="r599732"/> + <title text="RHEL 8 library files must be group-owned by root or a system account."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010360" disa="1744" severity="medium"> + <VMSinfo VKey="230263" SVKey="230263r5997" VRelease="r599732"/> + <title text="The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010370" disa="1749" severity="high"> + <VMSinfo VKey="230264" SVKey="230264r5997" VRelease="r599732"/> + <title text="RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010371" disa="1749" severity="high"> + <VMSinfo VKey="230265" SVKey="230265r5997" VRelease="r599732"/> + <title text="RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010372" disa="1749" severity="medium"> + <VMSinfo VKey="230266" SVKey="230266r5997" VRelease="r599732"/> + <title text="RHEL 8 
must prevent the loading of a new kernel for later execution."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010373" disa="2165" severity="medium"> + <VMSinfo VKey="230267" SVKey="230267r5997" VRelease="r599732"/> + <title text="RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010374" disa="2165" severity="medium"> + <VMSinfo VKey="230268" SVKey="230268r5998" VRelease="r599818"/> + <title text="RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010375" disa="1090" severity="low"> + <VMSinfo VKey="230269" SVKey="230269r5998" VRelease="r599820"/> + <title text="RHEL 8 must restrict access to the kernel message buffer."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010376" disa="1090" severity="low"> + <VMSinfo VKey="230270" SVKey="230270r5998" VRelease="r599823"/> + <title text="RHEL 8 must prevent kernel profiling by unprivileged users."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010380" disa="2038" severity="medium"> + <VMSinfo VKey="230271" SVKey="230271r5997" VRelease="r599732"/> + <title text="RHEL 8 must require users to provide a password for privilege escalation."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010381" disa="2038" severity="medium"> + <VMSinfo VKey="230272" SVKey="230272r5997" VRelease="r599732"/> + <title text="RHEL 8 must require users to reauthenticate for privilege escalation."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010390" disa="1948" severity="medium"> + <VMSinfo VKey="230273" SVKey="230273r5997" VRelease="r599732"/> + <title text="RHEL 8 must have the packages required for multifactor authentication installed."/> + </overlay> + <overlay owner="disastig" 
ruleid="XXXX" ownerid="RHEL-08-010400" disa="1948" severity="medium"> + <VMSinfo VKey="230274" SVKey="230274r5997" VRelease="r599732"/> + <title text="RHEL 8 must implement certificate status checking for multifactor authentication."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010410" disa="1953" severity="medium"> + <VMSinfo VKey="230275" SVKey="230275r5997" VRelease="r599732"/> + <title text="RHEL 8 must accept Personal Identity Verification (PIV) credentials."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010420" disa="2824" severity="medium"> + <VMSinfo VKey="230276" SVKey="230276r5997" VRelease="r599732"/> + <title text="RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010421" disa="1084" severity="medium"> + <VMSinfo VKey="230277" SVKey="230277r5997" VRelease="r599732"/> + <title text="RHEL 8 must clear the page allocator to prevent use-after-free attacks."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010422" disa="1084" severity="medium"> + <VMSinfo VKey="230278" SVKey="230278r5997" VRelease="r599732"/> + <title text="RHEL 8 must disable virtual syscalls."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010423" disa="1084" severity="medium"> + <VMSinfo VKey="230279" SVKey="230279r5997" VRelease="r599732"/> + <title text="RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010430" disa="2824" severity="medium"> + <VMSinfo VKey="230280" SVKey="230280r5997" VRelease="r599732"/> + <title text="RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010440" disa="2617" severity="low"> + <VMSinfo 
VKey="230281" SVKey="230281r5997" VRelease="r599732"/> + <title text="YUM must remove all software components after updated versions have been installed on RHEL 8."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010450" disa="2696" severity="medium"> + <VMSinfo VKey="230282" SVKey="230282r5997" VRelease="r599732"/> + <title text="RHEL 8 must enable the SELinux targeted policy."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010460" disa="366" severity="high"> + <VMSinfo VKey="230283" SVKey="230283r5997" VRelease="r599732"/> + <title text="There must be no shosts.equiv files on the RHEL 8 operating system."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010470" disa="366" severity="high"> + <VMSinfo VKey="230284" SVKey="230284r5997" VRelease="r599732"/> + <title text="There must be no .shosts files on the RHEL 8 operating system."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010471" disa="366" severity="low"> + <VMSinfo VKey="230285" SVKey="230285r5997" VRelease="r599779"/> + <title text="RHEL 8 must enable the hardware random number generator entropy gatherer service."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010480" disa="366" severity="medium"> + <VMSinfo VKey="230286" SVKey="230286r5997" VRelease="r599732"/> + <title text="The RHEL 8 SSH public host key files must have mode 0644 or less permissive."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010490" disa="366" severity="medium"> + <VMSinfo VKey="230287" SVKey="230287r5997" VRelease="r599732"/> + <title text="The RHEL 8 SSH private host key files must have mode 0640 or less permissive."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010500" disa="366" severity="medium"> + <VMSinfo VKey="230288" SVKey="230288r5997" VRelease="r599732"/> + <title text="The RHEL 8 SSH daemon must perform strict mode checking of home 
directory configuration files."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010510" disa="366" severity="medium"> + <VMSinfo VKey="230289" SVKey="230289r5997" VRelease="r599732"/> + <title text="The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010520" disa="366" severity="medium"> + <VMSinfo VKey="230290" SVKey="230290r5997" VRelease="r599732"/> + <title text="The RHEL 8 SSH daemon must not allow authentication using known host’s authentication."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010521" disa="366" severity="medium"> + <VMSinfo VKey="230291" SVKey="230291r5997" VRelease="r599732"/> + <title text="The RHEL 8 SSH daemon must not allow unused methods of authentication."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010540" disa="366" severity="low"> + <VMSinfo VKey="230292" SVKey="230292r5997" VRelease="r599732"/> + <title text="RHEL 8 must use a separate file system for /var."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010541" disa="366" severity="low"> + <VMSinfo VKey="230293" SVKey="230293r5997" VRelease="r599732"/> + <title text="RHEL 8 must use a separate file system for /var/log."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010542" disa="366" severity="low"> + <VMSinfo VKey="230294" SVKey="230294r5997" VRelease="r599732"/> + <title text="RHEL 8 must use a separate file system for the system audit data path."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010543" disa="366" severity="medium"> + <VMSinfo VKey="230295" SVKey="230295r5997" VRelease="r599732"/> + <title text="A separate RHEL 8 filesystem must be used for the /tmp directory."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010550" disa="770" 
severity="medium"> + <VMSinfo VKey="230296" SVKey="230296r5997" VRelease="r599732"/> + <title text="RHEL 8 must not permit direct logons to the root account using remote access via SSH."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010560" disa="366" severity="medium"> + <VMSinfo VKey="230297" SVKey="230297r5997" VRelease="r599732"/> + <title text="The auditd service must be running in RHEL 8."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010561" disa="366" severity="medium"> + <VMSinfo VKey="230298" SVKey="230298r5997" VRelease="r599732"/> + <title text="The rsyslog service must be running in RHEL 8."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010570" disa="366" severity="medium"> + <VMSinfo VKey="230299" SVKey="230299r5997" VRelease="r599732"/> + <title text="RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010571" disa="366" severity="medium"> + <VMSinfo VKey="230300" SVKey="230300r5997" VRelease="r599732"/> + <title text="RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010580" disa="366" severity="medium"> + <VMSinfo VKey="230301" SVKey="230301r5997" VRelease="r599732"/> + <title text="RHEL 8 must prevent special devices on non-root local partitions."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010590" disa="366" severity="medium"> + <VMSinfo VKey="230302" SVKey="230302r5997" VRelease="r599732"/> + <title text="RHEL 8 must prevent code from being executed on file systems that contain user home directories."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010600" disa="366" severity="medium"> + <VMSinfo VKey="230303" 
SVKey="230303r5997" VRelease="r599732"/> + <title text="RHEL 8 must prevent special devices on file systems that are used with removable media."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010610" disa="366" severity="medium"> + <VMSinfo VKey="230304" SVKey="230304r5997" VRelease="r599732"/> + <title text="RHEL 8 must prevent code from being executed on file systems that are used with removable media."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010620" disa="366" severity="medium"> + <VMSinfo VKey="230305" SVKey="230305r5997" VRelease="r599732"/> + <title text="RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010630" disa="366" severity="medium"> + <VMSinfo VKey="230306" SVKey="230306r5997" VRelease="r599732"/> + <title text="RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS)."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010640" disa="366" severity="medium"> + <VMSinfo VKey="230307" SVKey="230307r5997" VRelease="r599732"/> + <title text="RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS)."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010650" disa="366" severity="medium"> + <VMSinfo VKey="230308" SVKey="230308r5997" VRelease="r599732"/> + <title text="RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010660" disa="366" severity="medium"> + <VMSinfo VKey="230309" SVKey="230309r5997" VRelease="r599732"/> + <title text="Local RHEL 8 initialization files must not execute world-writable programs."/> + </overlay> + <overlay 
owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010670" disa="366" severity="medium"> + <VMSinfo VKey="230310" SVKey="230310r5997" VRelease="r599780"/> + <title text="RHEL 8 must disable kernel dumps unless needed."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010671" disa="366" severity="medium"> + <VMSinfo VKey="230311" SVKey="230311r5997" VRelease="r599732"/> + <title text="RHEL 8 must disable the kernel.core_pattern."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010672" disa="366" severity="medium"> + <VMSinfo VKey="230312" SVKey="230312r5997" VRelease="r599782"/> + <title text="RHEL 8 must disable acquiring, saving, and processing core dumps."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010673" disa="366" severity="medium"> + <VMSinfo VKey="230313" SVKey="230313r5997" VRelease="r599784"/> + <title text="RHEL 8 must disable core dumps for all users."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010674" disa="366" severity="medium"> + <VMSinfo VKey="230314" SVKey="230314r5997" VRelease="r599732"/> + <title text="RHEL 8 must disable storing core dumps."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010675" disa="366" severity="medium"> + <VMSinfo VKey="230315" SVKey="230315r5997" VRelease="r599732"/> + <title text="RHEL 8 must disable core dump backtraces."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010680" disa="366" severity="medium"> + <VMSinfo VKey="230316" SVKey="230316r5997" VRelease="r599732"/> + <title text="For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010690" disa="366" severity="medium"> + <VMSinfo VKey="230317" SVKey="230317r5997" VRelease="r599732"/> + <title text="Executable search paths within the initialization files of all local 
interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010700" disa="366" severity="medium"> + <VMSinfo VKey="230318" SVKey="230318r5997" VRelease="r599732"/> + <title text="All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010710" disa="366" severity="medium"> + <VMSinfo VKey="230319" SVKey="230319r5997" VRelease="r599732"/> + <title text="All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010720" disa="366" severity="medium"> + <VMSinfo VKey="230320" SVKey="230320r5997" VRelease="r599732"/> + <title text="All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010730" disa="366" severity="medium"> + <VMSinfo VKey="230321" SVKey="230321r5997" VRelease="r599732"/> + <title text="All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010740" disa="366" severity="medium"> + <VMSinfo VKey="230322" SVKey="230322r5997" VRelease="r599732"/> + <title text="All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010750" disa="366" severity="medium"> + <VMSinfo VKey="230323" SVKey="230323r5997" VRelease="r599732"/> + <title text="All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010760" disa="366" severity="medium"> + <VMSinfo 
VKey="230324" SVKey="230324r5997" VRelease="r599732"/> + <title text="All RHEL 8 local interactive user accounts must be assigned a home directory upon creation."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010770" disa="366" severity="medium"> + <VMSinfo VKey="230325" SVKey="230325r5997" VRelease="r599732"/> + <title text="All RHEL 8 local initialization files must have mode 0740 or less permissive."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010780" disa="366" severity="medium"> + <VMSinfo VKey="230326" SVKey="230326r5997" VRelease="r599732"/> + <title text="All RHEL 8 local files and directories must have a valid owner."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010790" disa="366" severity="medium"> + <VMSinfo VKey="230327" SVKey="230327r5997" VRelease="r599732"/> + <title text="All RHEL 8 local files and directories must have a valid group owner."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010800" disa="366" severity="medium"> + <VMSinfo VKey="230328" SVKey="230328r5997" VRelease="r599732"/> + <title text="A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010820" disa="366" severity="high"> + <VMSinfo VKey="230329" SVKey="230329r5997" VRelease="r599732"/> + <title text="Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010830" disa="366" severity="medium"> + <VMSinfo VKey="230330" SVKey="230330r5997" VRelease="r599732"/> + <title text="Unattended or automatic logon to RHEL 8 via ssh must not be allowed."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020000" disa="16" severity="medium"> + <VMSinfo VKey="230331" SVKey="230331r5998" VRelease="r599824"/> + <title text="RHEL 8 
temporary user accounts must be provisioned with an expiration time of 72 hours or less."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020010" disa="44" severity="medium">
+ <VMSinfo VKey="230332" SVKey="230332r5998" VRelease="r599827"/>
+ <title text="RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020011" disa="44" severity="medium">
+ <VMSinfo VKey="230333" SVKey="230333r5998" VRelease="r599828"/>
+ <title text="RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020012" disa="44" severity="medium">
+ <VMSinfo VKey="230334" SVKey="230334r5998" VRelease="r599829"/>
+ <title text="RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020013" disa="44" severity="medium">
+ <VMSinfo VKey="230335" SVKey="230335r5998" VRelease="r599830"/>
+ <title text="RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020014" disa="44" severity="medium">
+ <VMSinfo VKey="230336" SVKey="230336r5998" VRelease="r599831"/>
+ <title text="RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020015" disa="44" severity="medium">
+ <VMSinfo VKey="230337" SVKey="230337r5998" VRelease="r599832"/>
+ <title text="RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020016" disa="44" severity="medium">
+ <VMSinfo VKey="230338" SVKey="230338r5998" VRelease="r599833"/>
+ <title text="RHEL 8 must ensure account lockouts persist."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020017" disa="44" severity="medium">
+ <VMSinfo VKey="230339" SVKey="230339r5998" VRelease="r599834"/>
+ <title text="RHEL 8 must ensure account lockouts persist."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020018" disa="44" severity="medium">
+ <VMSinfo VKey="230340" SVKey="230340r5998" VRelease="r599835"/>
+ <title text="RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020019" disa="44" severity="medium">
+ <VMSinfo VKey="230341" SVKey="230341r5998" VRelease="r599836"/>
+ <title text="RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020020" disa="44" severity="medium">
+ <VMSinfo VKey="230342" SVKey="230342r5998" VRelease="r599837"/>
+ <title text="RHEL 8 must log user name information when unsuccessful logon attempts occur."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020021" disa="44" severity="medium">
+ <VMSinfo VKey="230343" SVKey="230343r5998" VRelease="r599838"/>
+ <title text="RHEL 8 must log user name information when unsuccessful logon attempts occur."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020022" disa="44" severity="medium">
+ <VMSinfo VKey="230344" SVKey="230344r5998" VRelease="r599839"/>
+ <title text="RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020023" disa="44" severity="medium">
+ <VMSinfo VKey="230345" SVKey="230345r5998" VRelease="r599840"/>
+ <title text="RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020024" disa="54" severity="low">
+ <VMSinfo VKey="230346" SVKey="230346r5997" VRelease="r599786"/>
+ <title text="RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020030" disa="56" severity="medium">
+ <VMSinfo VKey="230347" SVKey="230347r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020040" disa="56" severity="medium">
+ <VMSinfo VKey="230348" SVKey="230348r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020041" disa="56" severity="medium">
+ <VMSinfo VKey="230349" SVKey="230349r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must ensure session control is automatically started at shell initialization."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020042" disa="56" severity="low">
+ <VMSinfo VKey="230350" SVKey="230350r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must prevent users from disabling session control mechanisms."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020050" disa="56" severity="medium">
+ <VMSinfo VKey="230351" SVKey="230351r5997" VRelease="r599792"/>
+ <title text="RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020060" disa="57" severity="medium">
+ <VMSinfo VKey="230352" SVKey="230352r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020070" disa="57" severity="medium">
+ <VMSinfo VKey="230353" SVKey="230353r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must automatically lock command line user sessions after 15 minutes of inactivity."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020080" disa="57" severity="medium">
+ <VMSinfo VKey="230354" SVKey="230354r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must prevent a user from overriding graphical user interface settings."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020090" disa="187" severity="medium">
+ <VMSinfo VKey="230355" SVKey="230355r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020100" disa="192" severity="medium">
+ <VMSinfo VKey="230356" SVKey="230356r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must ensure a password complexity module is enabled."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020110" disa="192" severity="medium">
+ <VMSinfo VKey="230357" SVKey="230357r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020120" disa="193" severity="medium">
+ <VMSinfo VKey="230358" SVKey="230358r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020130" disa="194" severity="medium">
+ <VMSinfo VKey="230359" SVKey="230359r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must enforce password complexity by requiring that at least one numeric character be used."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020140" disa="195" severity="medium">
+ <VMSinfo VKey="230360" SVKey="230360r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020150" disa="195" severity="medium">
+ <VMSinfo VKey="230361" SVKey="230361r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020160" disa="195" severity="medium">
+ <VMSinfo VKey="230362" SVKey="230362r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must require the change of at least four character classes when passwords are changed."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020170" disa="195" severity="medium">
+ <VMSinfo VKey="230363" SVKey="230363r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must require the change of at least 8 characters when passwords are changed."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020180" disa="198" severity="medium">
+ <VMSinfo VKey="230364" SVKey="230364r5997" VRelease="r599732"/>
+ <title text="RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020190" disa="198" severity="medium">
+ <VMSinfo VKey="230365" SVKey="230365r5997" VRelease="r599732"/>
+ <title text="RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020200" disa="199" severity="medium">
+ <VMSinfo VKey="230366" SVKey="230366r5997" VRelease="r599732"/>
+ <title text="RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020210" disa="199" severity="medium">
+ <VMSinfo VKey="230367" SVKey="230367r5997" VRelease="r599732"/>
+ <title text="RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020220" disa="200" severity="medium">
+ <VMSinfo VKey="230368" SVKey="230368r5997" VRelease="r599732"/>
+ <title text="RHEL 8 passwords must be prohibited from reuse for a minimum of five generations."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020230" disa="205" severity="medium">
+ <VMSinfo VKey="230369" SVKey="230369r5997" VRelease="r599732"/>
+ <title text="RHEL 8 passwords must have a minimum of 15 characters."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020231" disa="205" severity="medium">
+ <VMSinfo VKey="230370" SVKey="230370r5997" VRelease="r599732"/>
+ <title text="RHEL 8 passwords for new users must have a minimum of 15 characters."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020240" disa="764" severity="medium">
+ <VMSinfo VKey="230371" SVKey="230371r5997" VRelease="r599732"/>
+ <title text="RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020250" disa="765" severity="medium">
+ <VMSinfo VKey="230372" SVKey="230372r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020260" disa="795" severity="medium">
+ <VMSinfo VKey="230373" SVKey="230373r5997" VRelease="r599732"/>
+ <title text="RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020270" disa="1682" severity="medium">
+ <VMSinfo VKey="230374" SVKey="230374r5997" VRelease="r599732"/>
+ <title text="RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020280" disa="1619" severity="medium">
+ <VMSinfo VKey="230375" SVKey="230375r5997" VRelease="r599732"/>
+ <title text="All RHEL 8 passwords must contain at least one special character."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020290" disa="2007" severity="medium">
+ <VMSinfo VKey="230376" SVKey="230376r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must prohibit the use of cached authentications after one day."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020300" disa="366" severity="medium">
+ <VMSinfo VKey="230377" SVKey="230377r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must prevent the use of dictionary words for passwords."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020310" disa="366" severity="medium">
+ <VMSinfo VKey="230378" SVKey="230378r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020320" disa="366" severity="medium">
+ <VMSinfo VKey="230379" SVKey="230379r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must not have unnecessary accounts."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020330" disa="366" severity="high">
+ <VMSinfo VKey="230380" SVKey="230380r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must not have accounts configured with blank or null passwords."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020340" disa="366" severity="low">
+ <VMSinfo VKey="230381" SVKey="230381r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must display the date and time of the last successful account logon upon logon."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020350" disa="366" severity="medium">
+ <VMSinfo VKey="230382" SVKey="230382r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must display the date and time of the last successful account logon upon an SSH logon."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020351" disa="366" severity="medium">
+ <VMSinfo VKey="230383" SVKey="230383r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020352" disa="366" severity="medium">
+ <VMSinfo VKey="230384" SVKey="230384r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must set the umask value to 077 for all local interactive user accounts."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020353" disa="366" severity="medium">
+ <VMSinfo VKey="230385" SVKey="230385r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must define default permissions for logon and non-logon shells."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030000" disa="2233" severity="medium">
+ <VMSinfo VKey="230386" SVKey="230386r5997" VRelease="r599732"/>
+ <title text="The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030010" disa="366" severity="medium">
+ <VMSinfo VKey="230387" SVKey="230387r5997" VRelease="r599732"/>
+ <title text="Cron logging must be implemented in RHEL 8."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030020" disa="139" severity="medium">
+ <VMSinfo VKey="230388" SVKey="230388r5997" VRelease="r599732"/>
+ <title text="The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030030" disa="139" severity="medium">
+ <VMSinfo VKey="230389" SVKey="230389r5997" VRelease="r599732"/>
+ <title text="The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030040" disa="140" severity="medium">
+ <VMSinfo VKey="230390" SVKey="230390r5997" VRelease="r599732"/>
+ <title text="The RHEL 8 System must take appropriate action when an audit processing failure occurs."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030050" disa="140" severity="medium">
+ <VMSinfo VKey="230391" SVKey="230391r5997" VRelease="r599732"/>
+ <title text="The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030060" disa="140" severity="medium">
+ <VMSinfo VKey="230392" SVKey="230392r5997" VRelease="r599732"/>
+ <title text="The RHEL 8 audit system must take appropriate action when the audit storage volume is full."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030061" disa="366" severity="medium">
+ <VMSinfo VKey="230393" SVKey="230393r5997" VRelease="r599732"/>
+ <title text="The RHEL 8 audit system must audit local events."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030062" disa="1851" severity="medium">
+ <VMSinfo VKey="230394" SVKey="230394r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must label all off-loaded audit logs before sending them to the central log server."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030063" disa="366" severity="low">
+ <VMSinfo VKey="230395" SVKey="230395r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must resolve audit information before writing to disk."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030070" disa="162" severity="medium">
+ <VMSinfo VKey="230396" SVKey="230396r5997" VRelease="r599732"/>
+ <title text="RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030080" disa="162" severity="medium">
+ <VMSinfo VKey="230397" SVKey="230397r5997" VRelease="r599732"/>
+ <title text="RHEL 8 audit logs must be owned by root to prevent unauthorized read access."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030090" disa="162" severity="medium">
+ <VMSinfo VKey="230398" SVKey="230398r5997" VRelease="r599732"/>
+ <title text="RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030100" disa="162" severity="medium">
+ <VMSinfo VKey="230399" SVKey="230399r5997" VRelease="r599732"/>
+ <title text="RHEL 8 audit log directory must be owned by root to prevent unauthorized read access."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030110" disa="162" severity="medium">
+ <VMSinfo VKey="230400" SVKey="230400r5997" VRelease="r599732"/>
+ <title text="RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030120" disa="162" severity="medium">
+ <VMSinfo VKey="230401" SVKey="230401r5997" VRelease="r599732"/>
+ <title text="RHEL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030121" disa="162" severity="medium">
+ <VMSinfo VKey="230402" SVKey="230402r5997" VRelease="r599732"/>
+ <title text="RHEL 8 audit system must protect auditing rules from unauthorized change."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030122" disa="162" severity="medium">
+ <VMSinfo VKey="230403" SVKey="230403r5997" VRelease="r599732"/>
+ <title text="RHEL 8 audit system must protect logon UIDs from unauthorized change."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030130" disa="169" severity="medium">
+ <VMSinfo VKey="230404" SVKey="230404r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030140" disa="169" severity="medium">
+ <VMSinfo VKey="230405" SVKey="230405r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030150" disa="169" severity="medium">
+ <VMSinfo VKey="230406" SVKey="230406r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030160" disa="169" severity="medium">
+ <VMSinfo VKey="230407" SVKey="230407r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030170" disa="169" severity="medium">
+ <VMSinfo VKey="230408" SVKey="230408r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030171" disa="169" severity="medium">
+ <VMSinfo VKey="230409" SVKey="230409r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030172" disa="169" severity="medium">
+ <VMSinfo VKey="230410" SVKey="230410r5997" VRelease="r599732"/>
+ <title text="RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030180" disa="169" severity="medium">
+ <VMSinfo VKey="230411" SVKey="230411r5997" VRelease="r599732"/>
+ <title text="RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030190" disa="169" severity="medium">
+ <VMSinfo VKey="230412" SVKey="230412r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030200" disa="169" severity="medium">
+ <VMSinfo VKey="230413" SVKey="230413r5997" VRelease="r599732"/>
+ <title text="The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030210" disa="169" severity="medium">
+ <VMSinfo VKey="230414" SVKey="230414r5997" VRelease="r599732"/>
+ <title text="The RHEL 8 audit system must be configured to audit any usage of the removexattr system call."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030220" disa="169" severity="medium">
+ <VMSinfo VKey="230415" SVKey="230415r5997" VRelease="r599732"/>
+ <title text="The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030230" disa="169" severity="medium">
+ <VMSinfo VKey="230416" SVKey="230416r5997" VRelease="r599732"/>
+ <title text="The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030240" disa="169" severity="medium">
+ <VMSinfo VKey="230417" SVKey="230417r5997" VRelease="r599732"/>
+ <title text="The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030250" disa="169" severity="medium">
+ <VMSinfo VKey="230418" SVKey="230418r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030260" disa="169" severity="medium">
+ <VMSinfo VKey="230419" SVKey="230419r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030270" disa="169" severity="medium">
+ <VMSinfo VKey="230420" SVKey="230420r5997" VRelease="r599794"/>
+ <title text="The RHEL 8 audit system must be configured to audit any usage of the setxattr system call."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030280" disa="169" severity="medium">
+ <VMSinfo VKey="230421" SVKey="230421r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030290" disa="169" severity="medium">
+ <VMSinfo VKey="230422" SVKey="230422r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030300" disa="169" severity="medium">
+ <VMSinfo VKey="230423" SVKey="230423r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030301" disa="169" severity="medium">
+ <VMSinfo VKey="230424" SVKey="230424r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030302" disa="169" severity="medium">
+ <VMSinfo VKey="230425" SVKey="230425r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030310" disa="169" severity="medium">
+ <VMSinfo VKey="230426" SVKey="230426r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030311" disa="169" severity="medium">
+ <VMSinfo VKey="230427" SVKey="230427r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030312" disa="169" severity="medium">
+ <VMSinfo VKey="230428" SVKey="230428r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030313" disa="169" severity="medium">
+ <VMSinfo VKey="230429" SVKey="230429r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030314" disa="169" severity="medium">
+ <VMSinfo VKey="230430" SVKey="230430r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030315" disa="169" severity="medium">
+ <VMSinfo VKey="230431" SVKey="230431r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030316" disa="169" severity="medium">
+ <VMSinfo VKey="230432" SVKey="230432r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030317" disa="169" severity="medium">
+ <VMSinfo VKey="230433" SVKey="230433r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030320" disa="169" severity="medium">
+ <VMSinfo VKey="230434" SVKey="230434r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030330" disa="169" severity="medium">
+ <VMSinfo VKey="230435" SVKey="230435r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030340" disa="169" severity="medium">
+ <VMSinfo VKey="230436" SVKey="230436r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030350" disa="169" severity="medium">
+ <VMSinfo VKey="230437" SVKey="230437r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030360" disa="169" severity="medium">
+ <VMSinfo VKey="230438" SVKey="230438r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030361" disa="169" severity="medium">
+ <VMSinfo VKey="230439" SVKey="230439r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030362" disa="169" severity="medium">
+ <VMSinfo VKey="230440" SVKey="230440r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030363" disa="169" severity="medium">
+ <VMSinfo VKey="230441" SVKey="230441r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the rmdir command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030364" disa="169" severity="medium">
+ <VMSinfo VKey="230442" SVKey="230442r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the unlink command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030365" disa="169" severity="medium">
+ <VMSinfo VKey="230443" SVKey="230443r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the unlinkat command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030370" disa="169" severity="medium">
+ <VMSinfo VKey="230444" SVKey="230444r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030380" disa="169" severity="medium">
+ <VMSinfo VKey="230445" SVKey="230445r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030390" disa="169" severity="medium">
+ <VMSinfo VKey="230446" SVKey="230446r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030400" disa="169" severity="medium">
+ <VMSinfo VKey="230447" SVKey="230447r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030410" disa="169" severity="medium">
+ <VMSinfo VKey="230448" SVKey="230448r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030420" disa="169" severity="medium">
+ <VMSinfo VKey="230449" SVKey="230449r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030430" disa="169" severity="medium">
+ <VMSinfo VKey="230450" SVKey="230450r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030440" disa="169" severity="medium">
+ <VMSinfo VKey="230451" SVKey="230451r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030450" disa="169" severity="medium">
+ <VMSinfo VKey="230452" SVKey="230452r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030460" disa="169" severity="medium">
+ <VMSinfo VKey="230453" SVKey="230453r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030470" disa="169" severity="medium">
+ <VMSinfo VKey="230454" SVKey="230454r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030480" disa="169" severity="medium">
+ <VMSinfo VKey="230455" SVKey="230455r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030490" disa="169" severity="medium">
+ <VMSinfo VKey="230456" SVKey="230456r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030500" disa="169" severity="medium">
+ <VMSinfo VKey="230457" SVKey="230457r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030510" disa="169" severity="medium">
+ <VMSinfo VKey="230458" SVKey="230458r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030520" disa="169" severity="medium">
+ <VMSinfo VKey="230459" SVKey="230459r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record."/>
+ </overlay>
+ <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030530" disa="169" severity="medium">
+ <VMSinfo VKey="230460" SVKey="230460r5997" VRelease="r599732"/>
+ <title text="Successful/unsuccessful uses of the fchmodat system call in 
RHEL 8 must generate an audit record."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030540" disa="169" severity="medium"> + <VMSinfo VKey="230461" SVKey="230461r5997" VRelease="r599732"/> + <title text="Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030550" disa="169" severity="medium"> + <VMSinfo VKey="230462" SVKey="230462r5997" VRelease="r599732"/> + <title text="Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030560" disa="169" severity="medium"> + <VMSinfo VKey="230463" SVKey="230463r5997" VRelease="r599732"/> + <title text="Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030570" disa="169" severity="medium"> + <VMSinfo VKey="230464" SVKey="230464r5997" VRelease="r599732"/> + <title text="Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030580" disa="169" severity="medium"> + <VMSinfo VKey="230465" SVKey="230465r5997" VRelease="r599732"/> + <title text="Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030590" disa="169" severity="medium"> + <VMSinfo VKey="230466" SVKey="230466r5998" VRelease="r599841"/> + <title text="Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030600" disa="169" severity="medium"> + <VMSinfo VKey="230467" SVKey="230467r5997" VRelease="r599732"/> + <title text="Successful/unsuccessful modifications 
to the lastlog file in RHEL 8 must generate an audit record."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030601" disa="169" severity="low"> + <VMSinfo VKey="230468" SVKey="230468r5997" VRelease="r599732"/> + <title text="RHEL 8 must enable auditing of processes that start prior to the audit daemon."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030602" disa="1849" severity="low"> + <VMSinfo VKey="230469" SVKey="230469r5997" VRelease="r599732"/> + <title text="RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030603" disa="169" severity="low"> + <VMSinfo VKey="230470" SVKey="230470r5997" VRelease="r599732"/> + <title text="RHEL 8 must enable Linux audit logging for the USBGuard daemon."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030610" disa="171" severity="medium"> + <VMSinfo VKey="230471" SVKey="230471r5997" VRelease="r599732"/> + <title text="RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030620" disa="1493" severity="medium"> + <VMSinfo VKey="230472" SVKey="230472r5997" VRelease="r599732"/> + <title text="RHEL 8 audit tools must have a mode of 0755 or less permissive."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030630" disa="1493" severity="medium"> + <VMSinfo VKey="230473" SVKey="230473r5997" VRelease="r599732"/> + <title text="RHEL 8 audit tools must be owned by root."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030640" disa="1493" severity="medium"> + <VMSinfo VKey="230474" SVKey="230474r5997" VRelease="r599732"/> + <title text="RHEL 8 audit tools must be group-owned by 
root."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030650" disa="1496" severity="medium"> + <VMSinfo VKey="230475" SVKey="230475r5997" VRelease="r599732"/> + <title text="RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030660" disa="1849" severity="medium"> + <VMSinfo VKey="230476" SVKey="230476r5997" VRelease="r599732"/> + <title text="RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030670" disa="366" severity="medium"> + <VMSinfo VKey="230477" SVKey="230477r5997" VRelease="r599732"/> + <title text="RHEL 8 must have the packages required for offloading audit logs installed."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030680" disa="366" severity="medium"> + <VMSinfo VKey="230478" SVKey="230478r5997" VRelease="r599732"/> + <title text="RHEL 8 must have the packages required for encrypting offloaded audit logs installed."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030690" disa="1851" severity="medium"> + <VMSinfo VKey="230479" SVKey="230479r5997" VRelease="r599732"/> + <title text="The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030700" disa="1851" severity="medium"> + <VMSinfo VKey="230480" SVKey="230480r5997" VRelease="r599732"/> + <title text="RHEL 8 must take appropriate action when the internal event queue is full."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030710" disa="1851" severity="medium"> + <VMSinfo VKey="230481" SVKey="230481r5997" VRelease="r599796"/> + <title text="RHEL 8 must 
encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030720" disa="1851" severity="medium"> + <VMSinfo VKey="230482" SVKey="230482r5997" VRelease="r599732"/> + <title text="RHEL 8 must authenticate the remote logging server for off-loading audit logs."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030730" disa="1855" severity="medium"> + <VMSinfo VKey="230483" SVKey="230483r5997" VRelease="r599732"/> + <title text="RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030740" disa="1891" severity="medium"> + <VMSinfo VKey="230484" SVKey="230484r5997" VRelease="r599732"/> + <title text="RHEL 8 must securely compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030741" disa="381" severity="low"> + <VMSinfo VKey="230485" SVKey="230485r5997" VRelease="r599732"/> + <title text="RHEL 8 must disable the chrony daemon from acting as a server."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030742" disa="381" severity="low"> + <VMSinfo VKey="230486" SVKey="230486r5997" VRelease="r599732"/> + <title text="RHEL 8 must disable network management of the chrony daemon."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040000" disa="381" severity="high"> + <VMSinfo VKey="230487" 
SVKey="230487r5997" VRelease="r599732"/> + <title text="RHEL 8 must not have the telnet-server package installed."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040001" disa="381" severity="medium"> + <VMSinfo VKey="230488" SVKey="230488r5997" VRelease="r599732"/> + <title text="RHEL 8 must not have any automated bug reporting tools installed."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040002" disa="381" severity="medium"> + <VMSinfo VKey="230489" SVKey="230489r5997" VRelease="r599732"/> + <title text="RHEL 8 must not have the sendmail package installed."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040003" disa="381" severity="medium"> + <VMSinfo VKey="230490" SVKey="230490r5997" VRelease="r599732"/> + <title text="RHEL 8 must not have the gssproxy package installed."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040004" disa="381" severity="low"> + <VMSinfo VKey="230491" SVKey="230491r5997" VRelease="r599732"/> + <title text="RHEL 8 must enable mitigations against processor-based vulnerabilities."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040010" disa="381" severity="high"> + <VMSinfo VKey="230492" SVKey="230492r5997" VRelease="r599732"/> + <title text="RHEL 8 must not have the rsh-server package installed."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040020" disa="381" severity="medium"> + <VMSinfo VKey="230493" SVKey="230493r5997" VRelease="r599732"/> + <title text="RHEL 8 must cover or disable the built-in or attached camera when not in use."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040021" disa="381" severity="low"> + <VMSinfo VKey="230494" SVKey="230494r5997" VRelease="r599732"/> + <title text="RHEL 8 must disable the asynchronous transfer mode (ATM) protocol."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040022" 
disa="381" severity="low"> + <VMSinfo VKey="230495" SVKey="230495r5997" VRelease="r599732"/> + <title text="RHEL 8 must disable the controller area network (CAN) protocol."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040023" disa="381" severity="low"> + <VMSinfo VKey="230496" SVKey="230496r5997" VRelease="r599732"/> + <title text="RHEL 8 must disable the stream control transmission (SCTP) protocol."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040024" disa="381" severity="low"> + <VMSinfo VKey="230497" SVKey="230497r5997" VRelease="r599732"/> + <title text="RHEL 8 must disable the transparent inter-process communication (TIPC) protocol."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040025" disa="381" severity="low"> + <VMSinfo VKey="230498" SVKey="230498r5997" VRelease="r599732"/> + <title text="RHEL 8 must disable mounting of cramfs."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040026" disa="381" severity="low"> + <VMSinfo VKey="230499" SVKey="230499r5997" VRelease="r599732"/> + <title text="RHEL 8 must disable IEEE 1394 (FireWire) Support."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040030" disa="382" severity="medium"> + <VMSinfo VKey="230500" SVKey="230500r5997" VRelease="r599732"/> + <title text="RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040060" disa="1941" severity="high"> + <VMSinfo VKey="230501" SVKey="230501r5997" VRelease="r599732"/> + <title text="RHEL 8 must enforce SSHv2 for network access to all accounts."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040070" disa="778" severity="medium"> + <VMSinfo VKey="230502" 
SVKey="230502r5997" VRelease="r599732"/> + <title text="The RHEL 8 file system automounter must be disabled unless required."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040080" disa="778" severity="medium"> + <VMSinfo VKey="230503" SVKey="230503r5997" VRelease="r599732"/> + <title text="RHEL 8 must be configured to disable USB mass storage."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040090" disa="2314" severity="medium"> + <VMSinfo VKey="230504" SVKey="230504r5997" VRelease="r599732"/> + <title text="A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040100" disa="2314" severity="medium"> + <VMSinfo VKey="230505" SVKey="230505r5997" VRelease="r599732"/> + <title text="A firewall must be installed on RHEL 8."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040110" disa="1444" severity="medium"> + <VMSinfo VKey="230506" SVKey="230506r5997" VRelease="r599732"/> + <title text="RHEL 8 wireless network adapters must be disabled."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040111" disa="1443" severity="medium"> + <VMSinfo VKey="230507" SVKey="230507r5997" VRelease="r599732"/> + <title text="RHEL 8 Bluetooth must be disabled."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040120" disa="1764" severity="medium"> + <VMSinfo VKey="230508" SVKey="230508r5997" VRelease="r599797"/> + <title text="RHEL 8 must mount /dev/shm with the nodev option."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040121" disa="1764" severity="medium"> + <VMSinfo VKey="230509" SVKey="230509r5997" VRelease="r599732"/> + <title text="RHEL 8 must mount /dev/shm with the nosuid option."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040122" disa="1764" severity="medium"> + 
<VMSinfo VKey="230510" SVKey="230510r5997" VRelease="r599798"/> + <title text="RHEL 8 must mount /dev/shm with the noexec option."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040123" disa="1764" severity="medium"> + <VMSinfo VKey="230511" SVKey="230511r5997" VRelease="r599799"/> + <title text="RHEL 8 must mount /tmp with the nodev option."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040124" disa="1764" severity="medium"> + <VMSinfo VKey="230512" SVKey="230512r5997" VRelease="r599732"/> + <title text="RHEL 8 must mount /tmp with the nosuid option."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040125" disa="1764" severity="medium"> + <VMSinfo VKey="230513" SVKey="230513r5998" VRelease="r599800"/> + <title text="RHEL 8 must mount /tmp with the noexec option."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040126" disa="1764" severity="medium"> + <VMSinfo VKey="230514" SVKey="230514r5998" VRelease="r599801"/> + <title text="RHEL 8 must mount /var/log with the nodev option."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040127" disa="1764" severity="medium"> + <VMSinfo VKey="230515" SVKey="230515r5998" VRelease="r599802"/> + <title text="RHEL 8 must mount /var/log with the nosuid option."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040128" disa="1764" severity="medium"> + <VMSinfo VKey="230516" SVKey="230516r5998" VRelease="r599803"/> + <title text="RHEL 8 must mount /var/log with the noexec option."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040129" disa="1764" severity="medium"> + <VMSinfo VKey="230517" SVKey="230517r5998" VRelease="r599804"/> + <title text="RHEL 8 must mount /var/log/audit with the nodev option."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040130" disa="1764" severity="medium"> + <VMSinfo VKey="230518" 
SVKey="230518r5998" VRelease="r599805"/> + <title text="RHEL 8 must mount /var/log/audit with the nosuid option."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040131" disa="1764" severity="medium"> + <VMSinfo VKey="230519" SVKey="230519r5998" VRelease="r599806"/> + <title text="RHEL 8 must mount /var/log/audit with the noexec option."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040132" disa="1764" severity="medium"> + <VMSinfo VKey="230520" SVKey="230520r5998" VRelease="r599807"/> + <title text="RHEL 8 must mount /var/tmp with the nodev option."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040133" disa="1764" severity="medium"> + <VMSinfo VKey="230521" SVKey="230521r5998" VRelease="r599808"/> + <title text="RHEL 8 must mount /var/tmp with the nosuid option."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040134" disa="1764" severity="medium"> + <VMSinfo VKey="230522" SVKey="230522r5998" VRelease="r599809"/> + <title text="RHEL 8 must mount /var/tmp with the noexec option."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040135" disa="1764" severity="medium"> + <VMSinfo VKey="230523" SVKey="230523r5997" VRelease="r599732"/> + <title text="The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040140" disa="1958" severity="medium"> + <VMSinfo VKey="230524" SVKey="230524r5997" VRelease="r599732"/> + <title text="RHEL 8 must block unauthorized peripherals before establishing a connection."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040150" disa="2385" severity="medium"> + <VMSinfo VKey="230525" SVKey="230525r5997" VRelease="r599732"/> + <title text="A firewall must be able to protect against or limit the effects of Denial of Service 
(DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040160" disa="2418" severity="medium"> + <VMSinfo VKey="230526" SVKey="230526r5997" VRelease="r599732"/> + <title text="All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040161" disa="68" severity="medium"> + <VMSinfo VKey="230527" SVKey="230527r5997" VRelease="r599732"/> + <title text="RHEL 8 must force a frequent session key renegotiation for SSH connections to the server."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040162" disa="68" severity="medium"> + <VMSinfo VKey="230528" SVKey="230528r5997" VRelease="r599732"/> + <title text="RHEL 8 must force a frequent session key renegotiation for SSH connections by the client."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040170" disa="366" severity="high"> + <VMSinfo VKey="230529" SVKey="230529r5998" VRelease="r599811"/> + <title text="The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040171" disa="366" severity="high"> + <VMSinfo VKey="230530" SVKey="230530r5997" VRelease="r599732"/> + <title text="The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040172" disa="366" severity="high"> + <VMSinfo VKey="230531" SVKey="230531r5998" VRelease="r599813"/> + <title text="The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040180" disa="366" 
severity="medium"> + <VMSinfo VKey="230532" SVKey="230532r5998" VRelease="r599815"/> + <title text="The debug-shell systemd service must be disabled on RHEL 8."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040190" disa="366" severity="high"> + <VMSinfo VKey="230533" SVKey="230533r5997" VRelease="r599732"/> + <title text="The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040200" disa="366" severity="high"> + <VMSinfo VKey="230534" SVKey="230534r5997" VRelease="r599732"/> + <title text="The root account must be the only account having unrestricted access to the RHEL 8 system."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040210" disa="366" severity="medium"> + <VMSinfo VKey="230535" SVKey="230535r5997" VRelease="r599732"/> + <title text="RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040220" disa="366" severity="medium"> + <VMSinfo VKey="230536" SVKey="230536r5997" VRelease="r599732"/> + <title text="RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040230" disa="366" severity="medium"> + <VMSinfo VKey="230537" SVKey="230537r5997" VRelease="r599732"/> + <title text="RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040240" disa="366" severity="medium"> + <VMSinfo VKey="230538" SVKey="230538r5997" VRelease="r599732"/> + <title text="RHEL 8 must not forward source-routed packets."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040250" disa="366" severity="medium"> + <VMSinfo VKey="230539" 
SVKey="230539r5997" VRelease="r599732"/> + <title text="RHEL 8 must not forward source-routed packets by default."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040260" disa="366" severity="medium"> + <VMSinfo VKey="230540" SVKey="230540r5997" VRelease="r599732"/> + <title text="RHEL 8 must not be performing packet forwarding unless the system is a router."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040261" disa="366" severity="medium"> + <VMSinfo VKey="230541" SVKey="230541r5997" VRelease="r599732"/> + <title text="RHEL 8 must not accept router advertisements on all IPv6 interfaces."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040262" disa="366" severity="medium"> + <VMSinfo VKey="230542" SVKey="230542r5997" VRelease="r599732"/> + <title text="RHEL 8 must not accept router advertisements on all IPv6 interfaces by default."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040270" disa="366" severity="medium"> + <VMSinfo VKey="230543" SVKey="230543r5997" VRelease="r599732"/> + <title text="RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040280" disa="366" severity="medium"> + <VMSinfo VKey="230544" SVKey="230544r5997" VRelease="r599732"/> + <title text="RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040281" disa="366" severity="medium"> + <VMSinfo VKey="230545" SVKey="230545r5997" VRelease="r599732"/> + <title text="RHEL 8 must disable access to network bpf syscall from unprivileged processes."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040282" disa="366" severity="medium"> + <VMSinfo VKey="230546" SVKey="230546r5997" VRelease="r599732"/> + <title text="RHEL 8 must restrict usage of 
ptrace to descendant processes."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040283" disa="366" severity="medium"> + <VMSinfo VKey="230547" SVKey="230547r5997" VRelease="r599732"/> + <title text="RHEL 8 must restrict exposed kernel pointer addresses access."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040284" disa="366" severity="medium"> + <VMSinfo VKey="230548" SVKey="230548r5997" VRelease="r599732"/> + <title text="RHEL 8 must disable the use of user namespaces."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040285" disa="366" severity="medium"> + <VMSinfo VKey="230549" SVKey="230549r5997" VRelease="r599732"/> + <title text="RHEL 8 must use reverse path filtering on all IPv4 interfaces."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040290" disa="366" severity="medium"> + <VMSinfo VKey="230550" SVKey="230550r5997" VRelease="r599732"/> + <title text="RHEL 8 must be configured to prevent unrestricted mail relaying."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040300" disa="366" severity="low"> + <VMSinfo VKey="230551" SVKey="230551r5997" VRelease="r599732"/> + <title text="The RHEL 8 file integrity tool must be configured to verify extended attributes."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040310" disa="366" severity="low"> + <VMSinfo VKey="230552" SVKey="230552r5997" VRelease="r599732"/> + <title text="The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs)."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040320" disa="366" severity="medium"> + <VMSinfo VKey="230553" SVKey="230553r5997" VRelease="r599732"/> + <title text="The graphical display manager must not be installed on RHEL 8 unless approved."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040330" disa="366" severity="medium"> + <VMSinfo 
VKey="230554" SVKey="230554r5997" VRelease="r599732"/> + <title text="RHEL 8 network interfaces must not be in promiscuous mode."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040340" disa="366" severity="medium"> + <VMSinfo VKey="230555" SVKey="230555r5998" VRelease="r599816"/> + <title text="RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040341" disa="366" severity="medium"> + <VMSinfo VKey="230556" SVKey="230556r5997" VRelease="r599732"/> + <title text="The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040350" disa="366" severity="medium"> + <VMSinfo VKey="230557" SVKey="230557r5997" VRelease="r599732"/> + <title text="If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040360" disa="366" severity="high"> + <VMSinfo VKey="230558" SVKey="230558r5997" VRelease="r599732"/> + <title text="A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040370" disa="366" severity="medium"> + <VMSinfo VKey="230559" SVKey="230559r5997" VRelease="r599732"/> + <title text="The gssproxy package must not be installed unless mission essential on RHEL 8."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040380" disa="366" severity="medium"> + <VMSinfo VKey="230560" SVKey="230560r5997" VRelease="r599732"/> + <title text="The iprutils package must not be installed unless mission essential on RHEL 8."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040390" disa="366" 
severity="medium"> + <VMSinfo VKey="230561" SVKey="230561r5997" VRelease="r599732"/> + <title text="The tuned package must not be installed unless mission essential on RHEL 8."/> + </overlay> +</overlays> diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/product.yml b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/product.yml new file mode 100644 index 00000000..ad3b6138 --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/product.yml @@ -0,0 +1,31 @@ +product: rocky8 +full_name: Rocky Linux 8 +type: platform + +benchmark_root: "../linux_os/guide" + +profiles_root: "./profiles" + +pkg_manager: "yum" + +init_system: "systemd" + +pkg_release: "60287f36" +pkg_version: "6d745a60" +#aux_pkg_release: "AUX_PKG_RELEASE" +#aux_pkg_version: "AUX_PKG_VERSION" + +#release_key_fingerprint: "RELEASE_KEY_FINGERPRINT" +#auxiliary_key_fingerprint: "AUXILIARY_KEY_FINGERPRINT" +oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml" + +cpes_root: "../shared/applicability" +cpes: + - rhel8: + name: "cpe:/o:rocky:rocky:8" + title: "Rocky Linux 8" + check_id: installed_OS_is_rocky8 + +# Mapping of CPE platform to package +platform_package_overrides: + login_defs: "shadow-utils" diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_enhanced.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_enhanced.profile new file mode 100644 index 00000000..bbc11353 --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_enhanced.profile 
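Review bot: `release_key_fingerprint` and `auxiliary_key_fingerprint` are left commented out with placeholder values, so any rule or template that renders these product variables for package-signing-key verification has nothing to bind to and will presumably fail the build or emit empty content; `pkg_release: "60287f36"` and `pkg_version: "6d745a60"` look like 8-hex short key IDs, which are not a substitute for a full fingerprint when a verifier has to confirm key identity. Fill in the full fingerprints of the Rocky 8 signing keys (`release_key_fingerprint: "<ROCKY8_RELEASE_KEY_FINGERPRINT>"`) or add a comment stating why they stay unset. `oval_feed_url` still points at Red Hat's RHEL8 OVAL feed; Rocky package versions and advisory IDs differ from RHEL's, so vulnerability results built from it may not apply to Rocky hosts, and a comment such as `# TODO: Rocky has no OVAL feed yet; RHEL8 feed is a provisional stand-in` would make that explicit. The CPE list key is `- rhel8:` while `product: rocky8`; renaming it to `- rocky8:` (or commenting why the RHEL key is kept) avoids confusion with the RHEL product definition.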
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'ANSSI-BP-028 (enhanced)'
+
+description: |-
+ This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+selections:
+ - anssi:all:enhanced
+ - '!selinux_state'
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_high.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_high.profile
new file mode 100644
index 00000000..22efad9c
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_high.profile
@@ -0,0 +1,15 @@
+documentation_complete: true
+
+title: 'DRAFT - ANSSI-BP-028 (high)'
+
+description: |-
+ This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+selections:
+ - anssi:all:high
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_intermediary.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_intermediary.profile
new file mode 100644
index 00000000..a5920316
--- /dev/null
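Review bot: `- '!selinux_state'` in anssi_bp28_enhanced.profile deselects the rule that the CIS profile in this same commit uses for "Ensure the SELinux state is enforcing", and nothing next to it records why the enhanced level drops it; a reader hardening to this level would not know whether an SELinux-disabled host is expected to pass. Please add a one-line comment above the exclusion, e.g. `# selinux_state is intentionally deselected at this level; reason: <TO BE CONFIRMED>`, or remove the exclusion if it was inherited from another product without a Rocky-specific reason. The other three ANSSI profiles in this commit carry no such exclusion, so the asymmetry should at least be documented.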
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_intermediary.profile
@@ -0,0 +1,15 @@
+documentation_complete: true
+
+title: 'ANSSI-BP-028 (intermediary)'
+
+description: |-
+ This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+selections:
+ - anssi:all:intermediary
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_minimal.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_minimal.profile
new file mode 100644
index 00000000..cef83941
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_minimal.profile
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'ANSSI-BP-028 (minimal)'
+
+description: |-
+ This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+selections:
+ - anssi:all:minimal
+
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cis.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cis.profile
new file mode 100644
index 00000000..ec9cbfa0
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cis.profile 
@@ -0,0 +1,1089 @@ +documentation_complete: true + +metadata: + version: 1.0.0 + SMEs: + - vojtapolasek + - yuumasato + +reference: https://www.cisecurity.org/benchmark/red_hat_linux/ + +title: 'CIS Red Hat Enterprise Linux 8 Benchmark' + +description: |- + This profile defines a baseline that aligns to the Center for Internet Security® + Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019. + + This profile includes Center for Internet Security® + Red Hat Enterprise Linux 8 CIS Benchmarks™ content. + +selections: + # Necessary for dconf rules + - dconf_db_up_to_date + + ### Partitioning + - mount_option_home_nodev + + ## 1.1 Filesystem Configuration + + ### 1.1.1 Disable unused filesystems + + #### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored) + - kernel_module_cramfs_disabled + + #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored) + + + #### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored) + - kernel_module_squashfs_disabled + + #### 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored) + - kernel_module_udf_disabled + + ### 1.1.2 Ensure /tmp is configured (Scored) + - partition_for_tmp + + ### 1.1.3 Ensure nodev option set on /tmp partition (Scored) + - mount_option_tmp_nodev + + ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored) + - mount_option_tmp_nosuid + + ### 1.1.5 Ensure noexec option set on /tmp partition (Scored) + - mount_option_tmp_noexec + + ### 1.1.6 Ensure separate partition exists for /var (Scored) + - partition_for_var + + ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored) + - partition_for_var_tmp + + ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored) + - mount_option_var_tmp_nodev + + ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored) + - mount_option_var_tmp_nosuid + + ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored) + - mount_option_var_tmp_noexec + + ### 1.1.11 Ensure separate partition 
exists for /var/log (Scored) + - partition_for_var_log + + ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored) + - partition_for_var_log_audit + + ### 1.1.13 Ensure separate partition exists for /home (Scored) + - partition_for_home + + ### 1.1.14 Ensure nodev option set on /home partition (Scored) + - mount_option_home_nodev + + ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored) + - mount_option_dev_shm_nodev + + ### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored) + - mount_option_dev_shm_nosuid + + ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored) + - mount_option_dev_shm_noexec + + ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored) + - mount_option_nodev_removable_partitions + + ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored) + - mount_option_nosuid_removable_partitions + + ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored) + - mount_option_noexec_removable_partitions + + ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored) + - dir_perms_world_writable_sticky_bits + + ### 1.1.22 Disable Automounting (Scored) + - service_autofs_disabled + + ### 1.1.23 Disable USB Storage (Scored) + - kernel_module_usb-storage_disabled + + ## 1.2 Configure Software Updates + + ### 1.2.1 Ensure Red Hat Subscription Manager connection is configured (Not Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5218 + + ### 1.2.2 Disable the rhnsd Daemon (Not Scored) + - service_rhnsd_disabled + + ### 1.2.3 Ensure GPG keys are configured (Not Scored) + - ensure_redhat_gpgkey_installed + + ### 1.2.4 Ensure gpgcheck is globally activated (Scored) + - ensure_gpgcheck_globally_activated + + ### 1.2.5 Ensure package manager repositories are configured (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5219 + + ## 1.3 Configure sudo + + ### 1.3.1 Ensure sudo is installed 
(Scored) + - package_sudo_installed + + ### 1.3.2 Ensure sudo commands use pty (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5220 + + ### 1.3.3 Ensure sudo log file exists (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5221 + + ## 1.4 Filesystem Integrity Checking + + ### 1.4.1 Ensure AIDE is installed (Scored) + - package_aide_installed + + ### 1.4.2 Ensure filesystem integrity is regularly checked (Scored) + - aide_periodic_cron_checking + + ## Secure Boot Settings + + ### 1.5.1 Ensure permissions on bootloader config are configured (Scored) + #### chown root:root /boot/grub2/grub.cfg + - file_owner_grub2_cfg + - file_groupowner_grub2_cfg + + #### chmod og-rwx /boot/grub2/grub.cfg + - file_permissions_grub2_cfg + + #### chown root:root /boot/grub2/grubenv + # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222 + + #### chmod og-rwx /boot/grub2/grubenv + # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222 + + ### 1.5.2 Ensure bootloader password is set (Scored) + - grub2_password + + ### 1.5.3 Ensure authentication required for single user mode (Scored) + #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue + - require_singleuser_auth + + #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency + - require_emergency_target_auth + + ## 1.6 Additional Process Hardening + + ### 1.6.1 Ensure core dumps are restricted (Scored) + #### * hard core 0 + - disable_users_coredumps + + #### fs.suid_dumpable = 0 + - sysctl_fs_suid_dumpable + + #### ProcessSizeMax=0 + - coredump_disable_backtraces + + #### Storage=none + - coredump_disable_storage + + ### 1.6.2 Ensure address space layout randomization (ASLR) is enabled + - sysctl_kernel_randomize_va_space + + ## 1.7 Mandatory Access Control + + ### 1.7.1 Configure SELinux + + #### 1.7.1.1 Ensure SELinux is installed (Scored) + - package_libselinux_installed + + #### 1.7.1.2 Ensure SELinux is not disabled in 
bootloader configuration (Scored) + - grub2_enable_selinux + + #### 1.7.1.3 Ensure SELinux policy is configured (Scored) + - var_selinux_policy_name=targeted + - selinux_policytype + + #### 1.7.1.4 Ensure the SELinux state is enforcing (Scored) + - var_selinux_state=enforcing + - selinux_state + + #### 1.7.1.5 Ensure no unconfied services exist (Scored) + - selinux_confinement_of_daemons + + #### 1.7.1.6 Ensure SETroubleshoot is not installed (Scored) + - package_setroubleshoot_removed + + #### 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored) + - package_mcstrans_removed + + ## Warning Banners + + ### 1.8.1 Command Line Warning Baners + + #### 1.8.1.1 Ensure message of the day is configured properly (Scored) + - banner_etc_motd + + #### 1.8.1.2 Ensure local login warning banner is configured properly (Scored) + - banner_etc_issue + + #### 1.8.1.3 Ensure remote login warning banner is configured properly (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5225 + + #### 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored) + # chmod u-x,go-wx /etc/motd + - file_permissions_etc_motd + + #### 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored) + # chmod u-x,go-wx /etc/issue + - file_permissions_etc_issue + + #### 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored) + # Previously addressed via 'rpm_verify_permissions' rule + + ### 1.8.2 Ensure GDM login banner is configured (Scored) + #### banner-message-enable=true + - dconf_gnome_banner_enabled + + #### banner-message-text='<banner message>' + - dconf_gnome_login_banner_text + + ## 1.9 Ensure updates, patches, and additional security software are installed (Scored) + - security_patches_up_to_date + + ## 1.10 Ensure system-wide crypto policy is not legacy (Scored) + - var_system_crypto_policy=future + - configure_crypto_policy + + ## 1.11 Ensure system-wide crytpo policy is FUTURE or FIPS (Scored) + # Previously addressed 
via 'configure_crypto_policy' rule + + # Services + + ## 2.1 inetd Services + + ### 2.1.1 Ensure xinetd is not installed (Scored) + - package_xinetd_removed + + ## 2.2 Special Purpose Services + + ### 2.2.1 Time Synchronization + + #### 2.2.1.1 Ensure time synchronization is in use (Not Scored) + - package_chrony_installed + + #### 2.2.1.2 Ensure chrony is configured (Scored) + - service_chronyd_enabled + - chronyd_specify_remote_server + - chronyd_run_as_chrony_user + + ### 2.2.2 Ensure X Window System is not installed (Scored) + - package_xorg-x11-server-common_removed + - xwindows_runlevel_target + + ### 2.2.3 Ensure rsync service is not enabled (Scored) + - service_rsyncd_disabled + + ### 2.2.4 Ensure Avahi Server is not enabled (Scored) + - service_avahi-daemon_disabled + + ### 2.2.5 Ensure SNMP Server is not enabled (Scored) + - service_snmpd_disabled + + ### 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored) + - package_squid_removed + + ### 2.2.7 Ensure Samba is not enabled (Scored) + - service_smb_disabled + + ### 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored) + - service_dovecot_disabled + + ### 2.2.9 Ensure HTTP server is not enabled (Scored) + - service_httpd_disabled + + ### 2.2.10 Ensure FTP Server is not enabled (Scored) + - service_vsftpd_disabled + + ### 2.2.11 Ensure DNS Server is not enabled (Scored) + - service_named_disabled + + ### 2.2.12 Ensure NFS is not enabled (Scored) + - service_nfs_disabled + + ### 2.2.13 Ensure RPC is not enabled (Scored) + - service_rpcbind_disabled + + ### 2.2.14 Ensure LDAP service is not enabled (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5231 + + ### 2.2.15 Ensure DHCP Server is not enabled (Scored) + - service_dhcpd_disabled + + ### 2.2.16 Ensure CUPS is not enabled (Scored) + - service_cups_disabled + + ### 2.2.17 Ensure NIS Server is not enabled (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5232 + + ### 2.2.18 Ensure mail transfer 
agent is configured for + ### local-only mode (Scored) + - postfix_network_listening_disabled + + ## 2.3 Service Clients + + ### 2.3.1 Ensure NIS Client is not installed (Scored) + - package_ypbind_removed + + ### 2.3.2 Ensure telnet client is not installed (Scored) + - package_telnet_removed + + ### Ensure LDAP client is not installed + - package_openldap-clients_removed + + # 3 Network Configuration + + ## 3.1 Network Parameters (Host Only) + + ### 3.1.1 Ensure IP forwarding is disabled (Scored) + #### net.ipv4.ip_forward = 0 + - sysctl_net_ipv4_ip_forward + + #### net.ipv6.conf.all.forwarding = 0 + - sysctl_net_ipv6_conf_all_forwarding + + ### 3.1.2 Ensure packet redirect sending is disabled (Scored) + #### net.ipv4.conf.all.send_redirects = 0 + - sysctl_net_ipv4_conf_all_send_redirects + + #### net.ipv4.conf.default.send_redirects = 0 + - sysctl_net_ipv4_conf_default_send_redirects + + ## 3.2 Network Parameters (Host and Router) + + ### 3.2.1 Ensure source routed packets are not accepted (Scored) + #### net.ipv4.conf.all.accept_source_route = 0 + - sysctl_net_ipv4_conf_all_accept_source_route + + #### net.ipv4.conf.default.accept_source_route = 0 + - sysctl_net_ipv4_conf_default_accept_source_route + + #### net.ipv6.conf.all.accept_source_route = 0 + - sysctl_net_ipv6_conf_all_accept_source_route + + #### net.ipv6.conf.default.accept_source_route = 0 + - sysctl_net_ipv6_conf_default_accept_source_route + + ### 3.2.2 Ensure ICMP redirects are not accepted (Scored) + #### net.ipv4.conf.all.accept_redirects = 0 + - sysctl_net_ipv4_conf_all_accept_redirects + + #### net.ipv4.conf.default.accept_redirects + - sysctl_net_ipv4_conf_default_accept_redirects + + #### net.ipv6.conf.all.accept_redirects = 0 + - sysctl_net_ipv6_conf_all_accept_redirects + + #### net.ipv6.conf.defaults.accept_redirects = 0 + - sysctl_net_ipv6_conf_default_accept_redirects + + ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored) + #### net.ipv4.conf.all.secure_redirects = 0 + - 
sysctl_net_ipv4_conf_all_secure_redirects + + #### net.ipv4.cof.default.secure_redirects = 0 + - sysctl_net_ipv4_conf_default_secure_redirects + + ### 3.2.4 Ensure suspicious packets are logged (Scored) + #### net.ipv4.conf.all.log_martians = 1 + - sysctl_net_ipv4_conf_all_log_martians + + #### net.ipv4.conf.default.log_martians = 1 + - sysctl_net_ipv4_conf_default_log_martians + + ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored) + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + + ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored) + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses + + ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) + #### net.ipv4.conf.all.rp_filter = 1 + - sysctl_net_ipv4_conf_all_rp_filter + + #### net.ipv4.conf.default.rp_filter = 1 + - sysctl_net_ipv4_conf_default_rp_filter + + ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored) + - sysctl_net_ipv4_tcp_syncookies + + ### 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored) + #### net.ipv6.conf.all.accept_ra = 0 + - sysctl_net_ipv6_conf_all_accept_ra + + #### net.ipv6.conf.default.accept_ra = 0 + - sysctl_net_ipv6_conf_default_accept_ra + + ## 3.3 Uncommon Network Protocols + + ### 3.3.1 Ensure DCCP is disabled (Scored) + - kernel_module_dccp_disabled + + ### Ensure SCTP is disabled (Scored) + - kernel_module_sctp_disabled + + ### 3.3.3 Ensure RDS is disabled (Scored) + - kernel_module_rds_disabled + + ### 3.3.4 Ensure TIPC is disabled (Scored) + - kernel_module_tipc_disabled + + ## 3.4 Firewall Configuration + + ### 3.4.1 Ensure Firewall software is installed + + #### 3.4.1.1 Ensure a Firewall package is installed (Scored) + ##### firewalld + - package_firewalld_installed + + ##### nftables + #NEED RULE - https://github.com/ComplianceAsCode/content/issues/5237 + + ##### iptables + #- package_iptables_installed + + ### 3.4.2 Configure firewalld + + #### 3.4.2.1 Ensure firewalld service is enabled and running (Scored) + - service_firewalld_enabled 
+ + #### 3.4.2.2 Ensure iptables is not enabled (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5238 + + #### 3.4.2.3 Ensure nftables is not enabled (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5239 + + #### 3.4.2.4 Ensure default zone is set (Scored) + - set_firewalld_default_zone + + #### 3.4.2.5 Ensure network interfaces are assigned to + #### appropriate zone (Not Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5240 + + #### 3.4.2.6 Ensure unnecessary services and ports are not + #### accepted (Not Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5241 + + ### 3.4.3 Configure nftables + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5242 + + #### 3.4.3.1 Ensure iptables are flushed (Not Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5243 + + #### 3.4.3.2 Ensure a table exists (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5244 + + #### 3.4.3.3 Ensure base chains exist (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5245 + + #### 3.4.3.4 Ensure loopback traffic is configured (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5246 + + #### 3.4.3.5 Ensure outbound and established connections are + #### configured (Not Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5247 + + #### 3.4.3.6 Ensure default deny firewall policy (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5248 + + #### 3.4.3.7 Ensure nftables service is enabled (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5249 + + #### 3.4.3.8 Ensure nftables rules are permanent (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5250 + + ### 3.4.4 Configure iptables + + #### 3.4.4.1 Configure IPv4 iptables + # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5251 + + ##### 3.4.4.1.1 Ensure default deny firewall policy (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5252 + + ##### 3.4.4.1.2 Ensure loopback traffic is configured (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5253 + + ##### 3.4.4.1.3 Ensure outbound and established connections are + ##### configured (Not Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5254 + + ##### 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5255 + + #### 3.4.4.2 Configure IPv6 ip6tables + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5256 + + ##### 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5257 + + ##### 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5258 + + ##### 3.4.4.2.3 Ensure IPv6 outbound and established connections are + ##### configured (Not Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5260 + + ## 3.5 Ensure wireless interfaces are disabled (Scored) + - wireless_disable_interfaces + + ## 3.6 Disable IPv6 (Not Scored) + - kernel_module_ipv6_option_disabled + + # Logging and Auditing + + ## 4.1 Configure System Accounting (auditd) + + ### 4.1.1 Ensure auditing is enabled + + #### 4.1.1.1 Ensure auditd is installed (Scored) + - package_audit_installed + + #### 4.1.1.2 Ensure auditd service is enabled (Scored) + - service_auditd_enabled + + #### 4.1.1.3 Ensure auditing for processes that start prior to audit + #### is enabled (Scored) + - grub2_audit_argument + + #### 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored) + - grub2_audit_backlog_limit_argument + + ### 4.1.2 Configure Data Retention + + #### 4.1.2.1 Ensure audit log storage 
size is configured (Scored) + - auditd_data_retention_max_log_file + + #### 4.1.2.2 Ensure audit logs are not automatically deleted (Scored) + - auditd_data_retention_max_log_file_action + + #### 4.1.2.3 Ensure system is disabled when audit logs are full (Scored) + - var_auditd_space_left_action=email + - auditd_data_retention_space_left_action + + ##### action_mail_acct = root + - var_auditd_action_mail_acct=root + - auditd_data_retention_action_mail_acct + + ##### admin_space_left_action = halt + - var_auditd_admin_space_left_action=halt + - auditd_data_retention_admin_space_left_action + + ### 4.1.3 Ensure changes to system administration scope + ### (sudoers) is collected (Scored) + - audit_rules_sysadmin_actions + + ### 4.1.4 Ensure login and logout events are collected (Scored) + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + + ### 4.1.5 Ensure session initiation information is collected (Scored) + - audit_rules_session_events + + ### 4.1.6 Ensure events that modify date and time information + ### are collected (Scored) + #### adjtimex + - audit_rules_time_adjtimex + + #### settimeofday + - audit_rules_time_settimeofday + + #### stime + - audit_rules_time_stime + + #### clock_settime + - audit_rules_time_clock_settime + + #### -w /etc/localtime -p wa + - audit_rules_time_watch_localtime + + ### 4.1.7 Ensure events that modify the system's Mandatory + ### Access Control are collected (Scored) + #### -w /etc/selinux/ -p wa + - audit_rules_mac_modification + + #### -w /usr/share/selinux/ -p wa + # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264 + + ### 4.1.8 Ensure events that modify the system's network + ### enironment are collected (Scored) + - audit_rules_networkconfig_modification + + ### 4.1.9 Ensure discretionary access control permission modification + ### events are collected (Scored) + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + 
- audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_fremovexattr + + ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are + ### collected (Scored) + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_ftruncate + # Opinionated selection + - audit_rules_unsuccessful_file_modification_open_by_handle_at + + ### 4.1.11 Ensure events that modify user/group information are + ### collected (Scored) + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_shadow + - audit_rules_usergroup_modification_opasswd + + ### 4.1.12 Ensure successful file system mounts are collected (Scored) + - audit_rules_media_export + + ### 4.1.13 Ensure use of privileged commands is collected (Scored) + - audit_rules_privileged_commands + + ### 4.1.14 Ensure file deletion events by users are collected + ### (Scored) + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + # Opinionated selection + - audit_rules_file_deletion_events_rmdir + + ### 4.1.15 Ensure kernel module loading and unloading is collected + ### (Scored) + - audit_rules_kernel_module_loading + + ### 4.1.16 Ensure system administrator actions (sudolog) are + ### collected (Scored) + # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5516 + + ### 4.1.17 Ensure the audit configuration is immutable (Scored) + - audit_rules_immutable + + ## 4.2 Configure Logging + + ### 4.2.1 Configure rsyslog + + #### 4.2.1.1 Ensure rsyslog is installed (Scored) + - package_rsyslog_installed + + #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored) + - service_rsyslog_enabled + + #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored) + - rsyslog_files_permissions + + #### 4.2.1.4 Ensure logging is configured (Not Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519 + + #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote + #### log host (Scored) + - rsyslog_remote_loghost + + #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on + #### designated log hosts (Not Scored) + - rsyslog_nolisten + + ### 4.2.2 Configure journald + + #### 4.2.2.1 Ensure journald is configured to send logs to + #### rsyslog (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520 + + #### 4.2.2.2 Ensure journald is configured to compress large + #### log files (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521 + + + #### 4.2.2.3 Ensure journald is configured to write logfiles to + #### persistent disk (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522 + + ### 4.2.3 Ensure permissions on all logfiles are configured (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523 + + ## 4.3 Ensure logrotate is configured (Not Scored) + + # 5 Access, Authentication and Authorization + + ## 5.1 Configure cron + + ### 5.1.1 Ensure cron daemon is enabled (Scored) + - service_crond_enabled + + + ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored) + # chown root:root /etc/crontab + - file_owner_crontab + - file_groupowner_crontab + # chmod og-rwx /etc/crontab + - file_permissions_crontab + + ### 5.1.3 
Ensure permissions on /etc/cron.hourly are configured (Scored) + # chown root:root /etc/cron.hourly + - file_owner_cron_hourly + - file_groupowner_cron_hourly + # chmod og-rwx /etc/cron.hourly + - file_permissions_cron_hourly + + ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored) + # chown root:root /etc/cron.daily + - file_owner_cron_daily + - file_groupowner_cron_daily + # chmod og-rwx /etc/cron.daily + - file_permissions_cron_daily + + ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored) + # chown root:root /etc/cron.weekly + - file_owner_cron_weekly + - file_groupowner_cron_weekly + # chmod og-rwx /etc/cron.weekly + - file_permissions_cron_weekly + + ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored) + # chown root:root /etc/cron.monthly + - file_owner_cron_monthly + - file_groupowner_cron_monthly + # chmod og-rwx /etc/cron.monthly + - file_permissions_cron_monthly + + ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored) + # chown root:root /etc/cron.d + - file_owner_cron_d + - file_groupowner_cron_d + # chmod og-rwx /etc/cron.d + - file_permissions_cron_d + + ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored) + + + ## 5.2 SSH Server Configuration + + ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored) + # chown root:root /etc/ssh/sshd_config + - file_owner_sshd_config + - file_groupowner_sshd_config + + # chmod og-rwx /etc/ssh/sshd_config + - file_permissions_sshd_config + + ### 5.2.2 Ensure SSH access is limited (Scored) + + + ### 5.2.3 Ensure permissions on SSH private host key files are + ### configured (Scored) + # TO DO: The rule sets to 640, but benchmark wants 600 + - file_permissions_sshd_private_key + # TO DO: check owner of private keys in /etc/ssh is root:root + + ### 5.2.4 Ensure permissions on SSH public host key files are configured + ### (Scored) + - file_permissions_sshd_pub_key + # TO DO: check owner of pub keys in /etc/ssh 
is root:root + + ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored) + - sshd_set_loglevel_info + + ### 5.2.6 Ensure SSH X11 forward is disabled (Scored) + - sshd_disable_x11_forwarding + + ### 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored) + - sshd_max_auth_tries_value=4 + - sshd_set_max_auth_tries + + ### 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored) + - sshd_disable_rhosts + + ### 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored) + - disable_host_auth + + ### 5.2.10 Ensure SSH root login is disabled (Scored) + - sshd_disable_root_login + + ### 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored) + - sshd_disable_empty_passwords + + ### 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored) + - sshd_do_not_permit_user_env + + ### 5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored) + # ClientAliveInterval 300 + - sshd_idle_timeout_value=5_minutes + - sshd_set_idle_timeout + + # ClientAliveCountMax 0 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 + + ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute + ### or less (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525 + + ### 5.2.15 Ensure SSH warning banner is configured (Scored) + - sshd_enable_warning_banner + + ### 5.2.16 Ensure SSH PAM is enabled (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526 + + ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored) + - sshd_disable_tcp_forwarding + + ### 5.2.18 Ensure SSH MaxStarups is configured (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5528 + + ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored) + - sshd_set_max_sessions + - var_sshd_max_sessions=4 + + ### 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored) + - configure_ssh_crypto_policy + + ## 5.3 Configure authselect + + + ### 5.3.1 Create custom authselectet profile (Scored) + # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5530 + + ### 5.3.2 Select authselect profile (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531 + + ### 5.3.3 Ensure authselect includes with-faillock (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532 + + ## 5.4 Configure PAM + + ### 5.4.1 Ensure password creation requirements are configured (Scored) + # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533 + - accounts_password_pam_retry + - var_password_pam_minlen=14 + - accounts_password_pam_minlen + - var_password_pam_minclass=4 + - accounts_password_pam_minclass + + ### 5.4.2 Ensure lockout for failed password attempts is + ### configured (Scored) + - var_accounts_passwords_pam_faillock_unlock_time=900 + - var_accounts_passwords_pam_faillock_deny=5 + - accounts_passwords_pam_faillock_unlock_time + - accounts_passwords_pam_faillock_deny + + ### 5.4.3 Ensure password reuse is limited (Scored) + - var_password_pam_unix_remember=5 + - accounts_password_pam_unix_remember + + ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored) + - set_password_hashing_algorithm_systemauth + + ## 5.5 User Accounts and Environment + + ### 5.5.1 Set Shadow Password Suite Parameters + + #### 5.5.1 Ensure password expiration is 365 days or less (Scored) + - var_accounts_maximum_age_login_defs=365 + - accounts_maximum_age_login_defs + + #### 5.5.1.2 Ensure minimum days between password changes is 7 + #### or more (Scored) + - var_accounts_minimum_age_login_defs=7 + - accounts_minimum_age_login_defs + + #### 5.5.1.3 Ensure password expiration warning days is + #### 7 or more (Scored) + - var_accounts_password_warn_age_login_defs=7 + - accounts_password_warn_age_login_defs + + #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored) + # TODO: Rule doesn't check list of users + # https://github.com/ComplianceAsCode/content/issues/5536 + - 
var_account_disable_post_pw_expiration=30
+ - account_disable_post_pw_expiration
+
+ #### 5.5.1.5 Ensure all users last password change date is
+ #### in the past (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
+
+ ### 5.5.2 Ensure system accounts are secured (Scored)
+ - no_shelllogin_for_systemaccounts
+
+ ### 5.5.3 Ensure default user shell timeout is 900 seconds
+ ### or less (Scored)
+ - var_accounts_tmout=15_min
+ - accounts_tmout
+
+ ### 5.5.4 Ensure default group for the root account is
+ ### GID 0 (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
+
+ ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
+ - var_accounts_user_umask=027
+ - accounts_umask_etc_bashrc
+ - accounts_umask_etc_profile
+
+ ## 5.6 Ensure root login is restricted to system console (Not Scored)
+ - securetty_root_login_console_only
+ - no_direct_root_logins
+
+ ## 5.7 Ensure access to the su command is restricted (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541
+
+ # System Maintenance
+
+ ## 6.1 System File Permissions
+
+ ### 6.1.1 Audit system file permissions (Not Scored)
+ - rpm_verify_permissions
+ - rpm_verify_ownership
+
+ ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
+ # chown root:root /etc/passwd
+ - file_owner_etc_passwd
+ - file_groupowner_etc_passwd
+
+ # chmod 644 /etc/passwd
+ - file_permissions_etc_passwd
+
+ ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
+ # chown root:root /etc/shadow
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+
+ # chmod o-rwx,g-wx /etc/shadow
+ - file_permissions_etc_shadow
+
+ ### 6.1.4 Ensure permissions on /etc/group are configured (Scored)
+ # chown root:root /etc/group
+ - file_owner_etc_group
+ - file_groupowner_etc_group
+
+ # chmod 644 /etc/group
+ - file_permissions_etc_group
+
+ ### 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
+ # chown root:root 
/etc/gshadow
+ - file_owner_etc_gshadow
+ - file_groupowner_etc_gshadow
+
+ # chmod o-rwx,g-rw /etc/gshadow
+ - file_permissions_etc_gshadow
+
+ ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
+ # chown root:root /etc/passwd-
+ - file_owner_backup_etc_passwd
+ - file_groupowner_backup_etc_passwd
+
+ # chmod 644 /etc/passwd-
+ - file_permissions_backup_etc_passwd
+
+ ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
+ # chown root:root /etc/shadow-
+ - file_owner_backup_etc_shadow
+ - file_groupowner_backup_etc_shadow
+
+ # chmod 0000 /etc/shadow-
+ - file_permissions_backup_etc_shadow
+
+ ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
+ # chown root:root /etc/group-
+ - file_owner_backup_etc_group
+ - file_groupowner_backup_etc_group
+
+ # chmod 644 /etc/group-
+ - file_permissions_backup_etc_group
+
+ ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
+ # chown root:root /etc/gshadow-
+ - file_owner_backup_etc_gshadow
+ - file_groupowner_backup_etc_gshadow
+
+ # chmod 0000 /etc/gshadow-
+ - file_permissions_backup_etc_gshadow
+
+ ### 6.1.10 Ensure no world writable files exist (Scored)
+ - file_permissions_unauthorized_world_writable
+
+ ### 6.1.11 Ensure no unowned files or directories exist (Scored)
+ - no_files_unowned_by_user
+
+ ### 6.1.12 Ensure no ungrouped files or directories exist (Scored)
+ - file_permissions_ungroupowned
+
+ ### 6.1.13 Audit SUID executables (Not Scored)
+ - file_permissions_unauthorized_suid
+
+ ### 6.1.14 Audit SGID executables (Not Scored)
+ - file_permissions_unauthorized_sgid
+
+ ## 6.2 User and Group Settings
+
+ ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
+ - no_legacy_plus_entries_etc_passwd
+
+ ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
+ - no_legacy_plus_entries_etc_shadow
+
+ ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
+ - no_legacy_plus_entries_etc_group
+
+ ### 6.2.6 
Ensure root is the only UID 0 account (Scored)
+ - accounts_no_uid_except_zero
+
+ ### 6.2.7 Ensure users' home directories permissions are 750
+ ### or more restrictive (Scored)
+ - file_permissions_home_dirs
+
+ ### 6.2.8 Ensure users own their home directories (Scored)
+ # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507
+ - file_groupownership_home_directories
+
+ ### 6.2.9 Ensure users' dot files are not group or world
+ ### writable (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506
+
+ ### 6.2.10 Ensure no users have .forward files (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505
+
+ ### 6.2.11 Ensure no users have .netrc files (Scored)
+ - no_netrc_files
+
+ ### 6.2.12 Ensure users' .netrc Files are not group or
+ ### world accessible (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504
+
+ ### 6.2.13 Ensure no users have .rhosts files (Scored)
+ - no_rsh_trust_files
+
+ ### 6.2.14 Ensure all groups in /etc/passwd exist in
+ ### /etc/group (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503
+
+ ### 6.2.15 Ensure no duplicate UIDs exist (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5502
+
+ ### 6.2.16 Ensure no duplicate GIDs exist (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5501
+
+ ### 6.2.17 Ensure no duplicate user names exist (Scored)
+ - account_unique_name
+
+ ### 6.2.18 Ensure no duplicate group names exist (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500
+
+ ### 6.2.19 Ensure shadow group is empty (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499
+
+ ### 6.2.20 Ensure all users' home directories exist (Scored)
+ - accounts_user_interactive_home_directory_exists 
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cjis.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cjis.profile
new file mode 100644
index 00000000..1bd6df6b
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cjis.profile 
@@ -0,0 +1,140 @@
+documentation_complete: true
+
+metadata:
+ version: 5.4
+ SMEs:
+ - carlosmmatos
+
+reference: https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
+
+title: 'Criminal Justice Information Services (CJIS) Security Policy'
+
+description: |-
+ This profile is derived from FBI's CJIS v5.4
+ Security Policy. A copy of this policy can be found at the CJIS Security
+ Policy Resource Center:
+
+ https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
+
+selections:
+ - service_auditd_enabled
+ - grub2_audit_argument
+ - auditd_data_retention_num_logs
+ - auditd_data_retention_max_log_file
+ - auditd_data_retention_max_log_file_action
+ - auditd_data_retention_space_left_action
+ - auditd_data_retention_admin_space_left_action
+ - auditd_data_retention_action_mail_acct
+ - auditd_audispd_syslog_plugin_activated
+ - audit_rules_time_adjtimex
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_clock_settime
+ - audit_rules_time_watch_localtime
+ - audit_rules_usergroup_modification
+ - audit_rules_networkconfig_modification
+ - file_permissions_var_log_audit
+ - file_ownership_var_log_audit
+ - audit_rules_mac_modification
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_login_events
+ - audit_rules_session_events
+ - audit_rules_unsuccessful_file_modification
+ - audit_rules_privileged_commands
+ - audit_rules_media_export
+ - audit_rules_file_deletion_events
+ - 
audit_rules_sysadmin_actions
+ - audit_rules_kernel_module_loading
+ - audit_rules_immutable
+ - account_unique_name
+ - gid_passwd_group_same
+ - accounts_password_all_shadowed
+ - no_empty_passwords
+ - display_login_attempts
+ - var_accounts_password_minlen_login_defs=12
+ - var_accounts_maximum_age_login_defs=90
+ - var_password_pam_unix_remember=10
+ - var_account_disable_post_pw_expiration=0
+ - var_password_pam_minlen=12
+ - var_accounts_minimum_age_login_defs=1
+ - var_password_pam_difok=6
+ - var_accounts_max_concurrent_login_sessions=3
+ - account_disable_post_pw_expiration
+ - accounts_password_pam_minlen
+ - accounts_minimum_age_login_defs
+ - accounts_password_pam_difok
+ - accounts_max_concurrent_login_sessions
+ - set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_logindefs
+ - set_password_hashing_algorithm_libuserconf
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+ - file_permissions_etc_shadow
+ - file_owner_etc_group
+ - file_groupowner_etc_group
+ - file_permissions_etc_group
+ - file_owner_etc_passwd
+ - file_groupowner_etc_passwd
+ - file_permissions_etc_passwd
+ - file_owner_grub2_cfg
+ - file_groupowner_grub2_cfg
+ - var_password_pam_retry=5
+ - var_accounts_passwords_pam_faillock_deny=5
+ - var_accounts_passwords_pam_faillock_unlock_time=600
+ - dconf_db_up_to_date
+ - dconf_gnome_screensaver_idle_delay
+ - dconf_gnome_screensaver_idle_activation_enabled
+ - dconf_gnome_screensaver_lock_enabled
+ - dconf_gnome_screensaver_mode_blank
+ - sshd_allow_only_protocol2
+ - sshd_set_idle_timeout
+ - var_sshd_set_keepalive=0
+ - sshd_set_keepalive_0
+ - disable_host_auth
+ - sshd_disable_root_login
+ - sshd_disable_empty_passwords
+ - sshd_enable_warning_banner
+ - sshd_do_not_permit_user_env
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
+ - kernel_module_dccp_disabled
+ - kernel_module_sctp_disabled
+ - service_firewalld_enabled
+ - set_firewalld_default_zone
+ - 
firewalld_sshd_port_enabled
+ - sshd_idle_timeout_value=30_minutes
+ - inactivity_timeout_value=30_minutes
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv4_tcp_syncookies
+ - sysctl_net_ipv4_conf_all_send_redirects
+ - sysctl_net_ipv4_conf_default_send_redirects
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+ - var_password_pam_ocredit=1
+ - var_password_pam_dcredit=1
+ - var_password_pam_ucredit=1
+ - var_password_pam_lcredit=1
+ - package_aide_installed
+ - aide_build_database
+ - aide_periodic_cron_checking
+ - rpm_verify_permissions
+ - rpm_verify_hashes
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_never_disabled
+ - security_patches_up_to_date
+ - kernel_module_bluetooth_disabled
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cui.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cui.profile
new file mode 100644
index 00000000..bf6d9511
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cui.profile 
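Review bot: `ensure_redhat_gpgkey_installed` and `security_patches_up_to_date` are selected here exactly as in the RHEL 8 profile, but as far as I recall both rules are product-specific: the GPG-key check is generated from the product's release key fingerprints and the patch check from the product's OVAL feed. Unless the rocky8 product definition carries Rocky's own key fingerprints and an OVAL feed of Rocky advisories, the first rule will fail on every Rocky host and the second will evaluate patch status against Red Hat advisories, which is a false sense of coverage rather than a failure. Either fill those product values in before these profiles ship, or drop the two selections from the rocky8 profiles with a comment such as `# ensure_redhat_gpgkey_installed / security_patches_up_to_date omitted until rocky8 product.yml has a Rocky release key fingerprint and OVAL feed`. The same two selections are carried over in the e8, hipaa and ospp hunks below.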
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+metadata:
+ version: TBD
+ SMEs:
+ - carlosmmatos
+
+title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
+
+description: |-
+ From NIST 800-171, Section 2.2:
+ Security requirements for protecting the confidentiality of CUI in nonfederal
+ information systems and organizations have a well-defined structure that
+ consists of:
+
+ (i) a basic security requirements section;
+ (ii) a derived security requirements section.
+
+ The basic security requirements are obtained from FIPS Publication 200, which
+ provides the high-level and fundamental security requirements for federal
+ information and information systems. The derived security requirements, which
+ supplement the basic security requirements, are taken from the security controls
+ in NIST Special Publication 800-53.
+
+ This profile configures Red Hat Enterprise Linux 8 to the NIST Special
+ Publication 800-53 controls identified for securing Controlled Unclassified
+ Information (CUI)."
+
+extends: ospp
+
+selections:
+ - inactivity_timeout_value=10_minutes
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/e8.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/e8.profile
new file mode 100644
index 00000000..30eb9c59
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/e8.profile 
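Review bot: The description still reads `This profile configures Red Hat Enterprise Linux 8 to the NIST Special` and closes with a stray `"` after `Information (CUI)` — this is the rocky8 product, so the text shown to scanner users and in generated guides should name Rocky Linux 8 (or be worded product-neutrally), and the dangling quote should go. The same "Red Hat Enterprise Linux 8" wording is carried over unchanged in the e8, hipaa and ism_o descriptions below; a single pass over all profile descriptions is cheaper than fixing them one at a time later. `version: TBD` in metadata is inherited from upstream and fine to keep until a profile version is assigned.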
@@ -0,0 +1,149 @@
+documentation_complete: true
+
+metadata:
+ SMEs:
+ - shaneboulden
+
+reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
+
+title: 'Australian Cyber Security Centre (ACSC) Essential Eight'
+
+description: |-
+ This profile contains configuration checks for Red Hat Enterprise Linux 8
+ that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
+
+ A copy of the Essential Eight in Linux Environments guide can be found at the
+ ACSC website:
+
+ https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
+
+selections:
+
+ ### Remove obsolete packages
+ - package_talk_removed
+ - package_talk-server_removed
+ - package_xinetd_removed
+ - service_xinetd_disabled
+ - package_ypbind_removed
+ - package_telnet_removed
+ - service_telnet_disabled
+ - package_telnet-server_removed
+ - package_rsh_removed
+ - package_rsh-server_removed
+ - service_zebra_disabled
+ - package_quagga_removed
+ - service_avahi-daemon_disabled
+ - package_squid_removed
+ - service_squid_disabled
+
+ ### Software update
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_never_disabled
+ - ensure_gpgcheck_local_packages
+ - ensure_gpgcheck_globally_activated
+ - security_patches_up_to_date
+ - dnf-automatic_security_updates_only
+
+ ### System security settings
+ - sysctl_kernel_randomize_va_space
+ - sysctl_kernel_exec_shield
+ - sysctl_kernel_kptr_restrict
+ - sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_kexec_load_disabled
+ - sysctl_kernel_yama_ptrace_scope
+ - sysctl_kernel_unprivileged_bpf_disabled
+ - sysctl_net_core_bpf_jit_harden
+
+ ### SELinux
+ - var_selinux_state=enforcing
+ - selinux_state
+ - var_selinux_policy_name=targeted
+ - selinux_policytype
+
+ ### Filesystem integrity
+ - rpm_verify_hashes
+ - rpm_verify_permissions
+ - rpm_verify_ownership
+ - file_permissions_unauthorized_sgid
+ - file_permissions_unauthorized_suid
+ - 
file_permissions_unauthorized_world_writable
+ - dir_perms_world_writable_sticky_bits
+ - file_permissions_library_dirs
+ - file_ownership_binary_dirs
+ - file_permissions_binary_dirs
+ - file_ownership_library_dirs
+
+ ### Passwords
+ - no_empty_passwords
+
+ ### Partitioning
+ - mount_option_dev_shm_nodev
+ - mount_option_dev_shm_nosuid
+ - mount_option_dev_shm_noexec
+
+ ### Network
+ - package_firewalld_installed
+ - service_firewalld_enabled
+ - network_sniffer_disabled
+
+ ### Admin privileges
+ - accounts_no_uid_except_zero
+ - sudo_remove_nopasswd
+ - sudo_remove_no_authenticate
+ - sudo_require_authentication
+
+ ### Audit
+ - package_rsyslog_installed
+ - service_rsyslog_enabled
+ - service_auditd_enabled
+ - var_auditd_flush=incremental_async
+ - auditd_data_retention_flush
+ - auditd_local_events
+ - auditd_write_logs
+ - auditd_log_format
+ - auditd_freq
+ - auditd_name_format
+ - audit_rules_login_events_tallylog
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events
+ - audit_rules_time_adjtimex
+ - audit_rules_time_clock_settime
+ - audit_rules_time_watch_localtime
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_execution_restorecon
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setsebool
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_seunshare
+ - audit_rules_sysadmin_actions
+ - audit_rules_networkconfig_modification
+ - audit_rules_usergroup_modification
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_kernel_module_loading
+
+ ### Secure access
+ - sshd_disable_root_login
+ - sshd_disable_gssapi_auth
+ - sshd_print_last_log
+ - sshd_do_not_permit_user_env
+ - sshd_disable_rhosts
+ - sshd_set_loglevel_info
+ - sshd_disable_empty_passwords
+ - sshd_disable_user_known_hosts
+ - sshd_enable_strictmodes
+
+ # See also: 
https://www.cyber.gov.au/acsc/view-all-content/guidance/asd-approved-cryptographic-algorithms
+ - var_system_crypto_policy=default_nosha1
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
+
+ ### Application whitelisting
+ - package_fapolicyd_installed
+ - service_fapolicyd_enabled
+
+ ### Backup
+ - package_rear_installed
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/hipaa.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/hipaa.profile
new file mode 100644
index 00000000..edfba53e
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/hipaa.profile 
@@ -0,0 +1,165 @@
+documentation_complete: True
+
+metadata:
+ SMEs:
+ - jjaswanson4
+ - carlosmmatos
+
+reference: https://www.hhs.gov/hipaa/for-professionals/index.html
+
+title: 'Health Insurance Portability and Accountability Act (HIPAA)'
+
+description: |-
+ The HIPAA Security Rule establishes U.S. national standards to protect individuals’
+ electronic personal health information that is created, received, used, or
+ maintained by a covered entity. The Security Rule requires appropriate
+ administrative, physical and technical safeguards to ensure the
+ confidentiality, integrity, and security of electronic protected health
+ information.
+
+ This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security
+ Rule identified for securing of electronic protected health information.
+ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
+
+selections:
+ - grub2_password
+ - grub2_uefi_password
+ - file_groupowner_grub2_cfg
+ - file_permissions_grub2_cfg
+ - file_owner_grub2_cfg
+ - grub2_disable_interactive_boot
+ - no_direct_root_logins
+ - no_empty_passwords
+ - require_singleuser_auth
+ - restrict_serial_port_logins
+ - securetty_root_login_console_only
+ - service_debug-shell_disabled
+ - disable_ctrlaltdel_reboot
+ - disable_ctrlaltdel_burstaction
+ - dconf_db_up_to_date
+ - dconf_gnome_remote_access_credential_prompt
+ - dconf_gnome_remote_access_encryption
+ - sshd_disable_empty_passwords
+ - sshd_disable_root_login
+ - libreswan_approved_tunnels
+ - no_rsh_trust_files
+ - package_rsh-server_removed
+ - package_talk_removed
+ - package_talk-server_removed
+ - package_telnet_removed
+ - package_telnet-server_removed
+ - package_xinetd_removed
+ - service_crond_enabled
+ - service_rexec_disabled
+ - service_rlogin_disabled
+ - service_telnet_disabled
+ - service_xinetd_disabled
+ - service_zebra_disabled
+ - use_kerberos_security_all_exports
+ - disable_host_auth
+ - 
sshd_allow_only_protocol2
+ - sshd_disable_compression
+ - sshd_disable_gssapi_auth
+ - sshd_disable_kerb_auth
+ - sshd_do_not_permit_user_env
+ - sshd_enable_strictmodes
+ - sshd_enable_warning_banner
+ - var_sshd_set_keepalive=0
+ - sshd_set_keepalive_0
+ - encrypt_partitions
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
+ - var_selinux_policy_name=targeted
+ - var_selinux_state=enforcing
+ - grub2_enable_selinux
+ - sebool_selinuxuser_execheap
+ - sebool_selinuxuser_execmod
+ - sebool_selinuxuser_execstack
+ - selinux_confinement_of_daemons
+ - selinux_policytype
+ - selinux_state
+ - service_kdump_disabled
+ - sysctl_fs_suid_dumpable
+ - sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_exec_shield
+ - sysctl_kernel_randomize_va_space
+ - rpm_verify_hashes
+ - rpm_verify_permissions
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_never_disabled
+ - ensure_gpgcheck_local_packages
+ - grub2_audit_argument
+ - service_auditd_enabled
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_su
+ - audit_rules_immutable
+ - kernel_module_usb-storage_disabled
+ - service_autofs_disabled
+ - auditd_audispd_syslog_plugin_activated
+ - rsyslog_remote_loghost
+ - auditd_data_retention_flush
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_execution_chcon
+ - audit_rules_execution_restorecon
+ - audit_rules_execution_semanage
+ - 
audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_mac_modification
+ - audit_rules_media_export
+ - audit_rules_networkconfig_modification
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_session_events
+ - audit_rules_sysadmin_actions
+ - audit_rules_system_shutdown
+ - audit_rules_time_adjtimex
+ - audit_rules_time_clock_settime
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_watch_localtime
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - 
audit_rules_usergroup_modification_shadow
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ism_o.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ism_o.profile
new file mode 100644
index 00000000..95cdfc4e
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ism_o.profile 
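Review bot: `documentation_complete: True` at the top of this hunk uses a capitalised boolean while every other profile in this commit writes `documentation_complete: true`; YAML accepts both, but the build tooling's own convention is lowercase and mixed casing invites a typo-driven `documentation_complete: "True"` string later. Suggest `documentation_complete: true` for consistency. The description's "Red Hat Enterprise Linux 8" wording is the same copy-over issue as in the cui profile.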
@@ -0,0 +1,134 @@
+documentation_complete: true
+
+metadata:
+ SMEs:
+ - shaneboulden
+ - wcushen
+ - ahamilto156
+
+reference: https://www.cyber.gov.au/ism
+
+title: 'Australian Cyber Security Centre (ACSC) ISM Official'
+
+description: |-
+ This profile contains configuration checks for Red Hat Enterprise Linux 8
+ that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM)
+ with the applicability marking of OFFICIAL.
+
+ The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
+ Red Hat Enterprise Linux security controls with the ISM, which can be used to select controls
+ specific to an organisation's security posture and risk profile.
+
+ A copy of the ISM can be found at the ACSC website:
+
+ https://www.cyber.gov.au/ism
+
+extends: e8
+
+selections:
+
+ ## Operating system configuration
+ ## Identifiers 1491
+ - no_shelllogin_for_systemaccounts
+
+ ## Local administrator accounts
+ ## Identifiers 1382 / 1410
+ - accounts_password_all_shadowed
+ - package_sudo_installed
+
+ ## Content filtering & Anti virus
+ ## Identifiers 0576 / 1341 / 1034 / 1417 / 1288
+ - package_aide_installed
+
+ ## Software firewall
+ ## Identifiers 1416
+ - configure_firewalld_ports
+ ## Removing due to build error
+ ## - configure_firewalld_rate_limiting
+ - firewalld_sshd_port_enabled
+ - set_firewalld_default_zone
+
+ ## Endpoint device control software
+ ## Identifiers 1418
+ - package_usbguard_installed
+ - service_usbguard_enabled
+
+ ## Authentication hardening
+ ## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560
+ ## 1561 / 1546 / 0421 / 1557 / 0422 / 1558 / 1403 / 0431
+ - sshd_max_auth_tries_value=5
+ - disable_host_auth
+ - require_emergency_target_auth
+ - require_singleuser_auth
+ - sshd_disable_kerb_auth
+ - sshd_set_max_auth_tries
+
+ ## Password authentication & Protecting credentials
+ ## Identifiers 0421 / 0431 / 0418 / 1402
+ - var_password_pam_minlen=14
+ - 
var_accounts_password_warn_age_login_defs=7
+ - var_accounts_minimum_age_login_defs=1
+ - var_accounts_maximum_age_login_defs=60
+ - accounts_password_warn_age_login_defs
+ - accounts_maximum_age_login_defs
+ - accounts_minimum_age_login_defs
+ - accounts_passwords_pam_faillock_interval
+ - accounts_passwords_pam_faillock_unlock_time
+ - accounts_passwords_pam_faillock_deny
+ - accounts_passwords_pam_faillock_deny_root
+ - accounts_password_pam_minlen
+
+ ## Centralised logging facility
+ ## Identifiers 1405 / 0988
+ - rsyslog_cron_logging
+ - rsyslog_files_groupownership
+ - rsyslog_files_ownership
+ - rsyslog_files_permissions
+ - rsyslog_nolisten
+ - rsyslog_remote_loghost
+ - rsyslog_remote_tls
+ - rsyslog_remote_tls_cacert
+ - package_chrony_installed
+ - service_chronyd_enabled
+ - chronyd_or_ntpd_specify_multiple_servers
+ - chronyd_specify_remote_server
+ - service_chronyd_or_ntpd_enabled
+
+ ## Events to be logged
+ ## Identifiers 0580 / 0584 / 0582 / 0585 / 0586 / 0846 / 0957
+ - display_login_attempts
+ - sebool_auditadm_exec_content
+ - audit_rules_privileged_commands
+ - audit_rules_session_events
+ - audit_rules_unsuccessful_file_modification
+ - audit_access_failed
+ - audit_access_success
+
+ ## Web application & Database servers
+ ## Identifiers 1552 / 1277
+ - openssl_use_strong_entropy
+
+ ## Network design and configuration
+ ## Identifiers 1055 / 1311
+ - network_nmcli_permissions
+ - service_snmpd_disabled
+ - snmpd_use_newer_protocol
+
+ ## Wireless networks
+ ## Identifiers 1315
+ - wireless_disable_interfaces
+
+ ## ASD Approved Cryptographic Algorithms
+ ## Identifiers 0471 / 0472 / 0473 / 0474 / 0475 / 0476 / 0477 /
+ ## 0479 / 0480 / 0481 / 0489 / 0497 / 0994 / 0998 / 1001 / 1139 /
+ ## 1372 / 1373 / 1374 / 1375
+ - enable_fips_mode
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+
+ ## Secure Shell access
+ ## Identifiers 0484 / 1506 / 1449 / 0487
+ - sshd_allow_only_protocol2
+ - sshd_enable_warning_banner
+ - 
sshd_disable_x11_forwarding
+ - file_permissions_sshd_private_key
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ospp-mls.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ospp-mls.profile
new file mode 100644
index 00000000..d1d1b8af
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ospp-mls.profile
@@ -0,0 +1,25 @@
+documentation_complete: false
+
+title: 'Protection Profile for General Purpose Operating Systems - MLS Mode'
+
+description: |-
+ Placeholder to put MLS specific rules
+
+extends: ospp
+
+selections:
+
+ ################################################
+ ## MUST INSTALL PACKAGES IN MLS MODE
+ #cups
+ #foomatic
+ #ghostscript
+ #ghostscript-fonts
+ #checkpolicy
+ #mcstrans
+ #policycoreutils-newrole
+ #selinux-policy-devel
+ ##xinetd
+ #iproute
+ #iputils
+ #netlabel_tools
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ospp.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ospp.profile
new file mode 100644
index 00000000..37d3c99c
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ospp.profile 
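Review bot: In the ism_o hunk's "Software firewall" section, `## Removing due to build error` / `## - configure_firewalld_rate_limiting` silently drops a firewall control that the ISM identifier 1416 mapping still claims, with no record of what failed or when it can come back. A profile consumer reading the built guide will see a smaller control set than the upstream ISM profile and no explanation. Replace the bare comment with something that can be acted on, e.g. `## configure_firewalld_rate_limiting omitted: rule fails to build for the rocky8 product — TODO re-enable once <tracking issue> is resolved`, and open that tracking issue so the gap is not lost. The ism_o hunk also inherits the `ensure_redhat_gpgkey_installed` / `security_patches_up_to_date` selections via `extends: e8`, so the product-value concern raised on the cjis hunk applies here as well.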
@@ -0,0 +1,445 @@ +documentation_complete: true + +metadata: + version: 4.2.1 + SMEs: + - comps + - carlosmmatos + - stevegrubb + +reference: https://www.niap-ccevs.org/Profile/PP.cfm + +title: 'Protection Profile for General Purpose Operating Systems' + +description: |- + This profile reflects mandatory configuration controls identified in the + NIAP Configuration Annex to the Protection Profile for General Purpose + Operating Systems (Protection Profile Version 4.2.1). + + This configuration profile is consistent with CNSSI-1253, which requires + U.S. National Security Systems to adhere to certain configuration + parameters. Accordingly, this configuration profile is suitable for + use in U.S. National Security Systems. + +selections: + + ####################################################### + ### GENERAL REQUIREMENTS + ### Things needed to meet OSPP functional requirements. + ####################################################### + + ### Partitioning + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - partition_for_var_tmp + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_boot_nodev + - mount_option_boot_nosuid + - partition_for_home + - partition_for_var + - mount_option_var_nodev + - partition_for_var_log + - mount_option_var_log_nodev + - mount_option_var_log_nosuid + - mount_option_var_log_noexec + - partition_for_var_log_audit + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_nosuid + - mount_option_var_log_audit_noexec + + ### Services + # sshd + - sshd_disable_root_login + - sshd_enable_strictmodes + - disable_host_auth + - sshd_disable_empty_passwords + - sshd_disable_kerb_auth + - sshd_disable_gssapi_auth + - var_sshd_set_keepalive=0 + - 
sshd_set_keepalive_0 + - sshd_enable_warning_banner + - sshd_rekey_limit + - var_rekey_limit_size=1G + - var_rekey_limit_time=1hour + - sshd_use_strong_rng + - openssl_use_strong_entropy + + # Time Server + - chronyd_client_only + - chronyd_no_chronyc_network + + ### Network Settings + - sysctl_net_ipv6_conf_all_accept_ra + - sysctl_net_ipv6_conf_default_accept_ra + - sysctl_net_ipv4_conf_all_accept_redirects + - sysctl_net_ipv4_conf_default_accept_redirects + - sysctl_net_ipv6_conf_all_accept_redirects + - sysctl_net_ipv6_conf_default_accept_redirects + - sysctl_net_ipv4_conf_all_accept_source_route + - sysctl_net_ipv4_conf_default_accept_source_route + - sysctl_net_ipv6_conf_all_accept_source_route + - sysctl_net_ipv6_conf_default_accept_source_route + - sysctl_net_ipv4_conf_all_secure_redirects + - sysctl_net_ipv4_conf_default_secure_redirects + - sysctl_net_ipv4_conf_all_send_redirects + - sysctl_net_ipv4_conf_default_send_redirects + - sysctl_net_ipv4_conf_all_log_martians + - sysctl_net_ipv4_conf_default_log_martians + - sysctl_net_ipv4_conf_all_rp_filter + - sysctl_net_ipv4_conf_default_rp_filter + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + - sysctl_net_ipv4_ip_forward + - sysctl_net_ipv4_tcp_syncookies + + ### systemd + - disable_ctrlaltdel_reboot + - disable_ctrlaltdel_burstaction + - service_debug-shell_disabled + + ### umask + - var_accounts_user_umask=027 + - accounts_umask_etc_profile + - accounts_umask_etc_bashrc + - accounts_umask_etc_csh_cshrc + + ### Software update + - ensure_redhat_gpgkey_installed + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_local_packages + - ensure_gpgcheck_never_disabled + + ### Passwords + - var_password_pam_difok=4 + - accounts_password_pam_difok + - var_password_pam_maxrepeat=3 + - accounts_password_pam_maxrepeat + - var_password_pam_maxclassrepeat=4 + - accounts_password_pam_maxclassrepeat + + ### Kernel Config + ## Boot prompt + - 
grub2_audit_argument + - grub2_audit_backlog_limit_argument + - grub2_slub_debug_argument + - grub2_page_poison_argument + - grub2_vsyscall_argument + - grub2_vsyscall_argument.role=unscored + - grub2_vsyscall_argument.severity=info + - grub2_pti_argument + - grub2_kernel_trust_cpu_rng + + ## Security Settings + - sysctl_kernel_kptr_restrict + - sysctl_kernel_dmesg_restrict + - sysctl_kernel_kexec_load_disabled + - sysctl_kernel_yama_ptrace_scope + - sysctl_kernel_perf_event_paranoid + - sysctl_user_max_user_namespaces + - sysctl_user_max_user_namespaces.role=unscored + - sysctl_user_max_user_namespaces.severity=info + - sysctl_kernel_unprivileged_bpf_disabled + - sysctl_net_core_bpf_jit_harden + - service_kdump_disabled + + ## File System Settings + - sysctl_fs_protected_hardlinks + - sysctl_fs_protected_symlinks + + ### Audit + - service_auditd_enabled + - var_auditd_flush=incremental_async + - auditd_data_retention_flush + - auditd_local_events + - auditd_write_logs + - auditd_log_format + - auditd_freq + - auditd_name_format + + ### Module Blacklist + - kernel_module_cramfs_disabled + - kernel_module_bluetooth_disabled + - kernel_module_sctp_disabled + - kernel_module_firewire-core_disabled + - kernel_module_atm_disabled + - kernel_module_can_disabled + - kernel_module_tipc_disabled + + ### rpcbind + + ### Install Required Packages + - package_aide_installed + - package_dnf-automatic_installed + - package_subscription-manager_installed + - package_dnf-plugin-subscription-manager_installed + - package_firewalld_installed + - package_openscap-scanner_installed + - package_policycoreutils_installed + - package_sudo_installed + - package_usbguard_installed + - package_scap-security-guide_installed + - package_audit_installed + - package_crypto-policies_installed + - package_openssh-server_installed + - package_openssh-clients_installed + - package_policycoreutils-python-utils_installed + - package_rsyslog_installed + - package_rsyslog-gnutls_installed + - 
package_audispd-plugins_installed + - package_chrony_installed + - package_gnutls-utils_installed + + ### Remove Prohibited Packages + - package_sendmail_removed + - package_iprutils_removed + - package_gssproxy_removed + - package_nfs-utils_removed + - package_krb5-workstation_removed + - package_abrt-addon-kerneloops_removed + - package_abrt-addon-python_removed + - package_abrt-addon-ccpp_removed + - package_abrt-plugin-rhtsupport_removed + - package_abrt-plugin-logger_removed + - package_abrt-plugin-sosreport_removed + - package_abrt-cli_removed + - package_abrt_removed + + ### Login + - disable_users_coredumps + - sysctl_kernel_core_pattern + - coredump_disable_storage + - coredump_disable_backtraces + - service_systemd-coredump_disabled + - var_accounts_max_concurrent_login_sessions=10 + - accounts_max_concurrent_login_sessions + - securetty_root_login_console_only + - var_password_pam_unix_remember=5 + - accounts_password_pam_unix_remember + - use_pam_wheel_for_su + + ### SELinux Configuration + - var_selinux_state=enforcing + - selinux_state + - var_selinux_policy_name=targeted + - selinux_policytype + + ### Application Whitelisting (RHEL 8) + - package_fapolicyd_installed + - service_fapolicyd_enabled + + ### Configure USBGuard + - service_usbguard_enabled + - configure_usbguard_auditbackend + - usbguard_allow_hid_and_hub + + + ### Enable / Configure FIPS + - enable_fips_mode + - var_system_crypto_policy=fips_ospp + - configure_crypto_policy + - configure_ssh_crypto_policy + - configure_bind_crypto_policy + - configure_openssl_crypto_policy + - configure_libreswan_crypto_policy + - configure_kerberos_crypto_policy + - enable_dracut_fips_module + + ####################################################### + ### CONFIGURATION ANNEX TO THE PROTECTION PROFILE + ### FOR GENERAL PURPOSE OPERATING SYSTEMS + ### ANNEX RELEASE 1 + ### FOR PROTECTION PROFILE VERSIONS 4.2 + ### + ### https://www.niap-ccevs.org/MMO/PP/-442ConfigAnnex-/ + 
####################################################### + + ## Configure Minimum Password Length to 12 Characters + ## IA-5 (1)(a) / FMT_MOF_EXT.1 + - var_accounts_password_minlen_login_defs=12 + - accounts_password_minlen_login_defs + - var_password_pam_minlen=12 + - accounts_password_pam_minlen + + ## Require at Least 1 Special Character in Password + ## IA-5(1)(a) / FMT_MOF_EXT.1 + - var_password_pam_ocredit=1 + - accounts_password_pam_ocredit + + ## Require at Least 1 Numeric Character in Password + ## IA-5(1)(a) / FMT_MOF_EXT.1 + - var_password_pam_dcredit=1 + - accounts_password_pam_dcredit + + ## Require at Least 1 Uppercase Character in Password + ## IA-5(1)(a) / FMT_MOF_EXT.1 + - var_password_pam_ucredit=1 + - accounts_password_pam_ucredit + + ## Require at Least 1 Lowercase Character in Password + ## IA-5(1)(a) / FMT_MOF_EXT.1 + - var_password_pam_lcredit=1 + - accounts_password_pam_lcredit + + ## Enable Screen Lock + ## FMT_MOF_EXT.1 + - package_tmux_installed + - configure_bashrc_exec_tmux + - no_tmux_in_shells + - configure_tmux_lock_command + - configure_tmux_lock_after_time + + ## Set Screen Lock Timeout Period to 30 Minutes or Less + ## AC-11(a) / FMT_MOF_EXT.1 + ## We deliberately set sshd timeout to 1 minute before tmux lock timeout + - sshd_idle_timeout_value=14_minutes + - sshd_set_idle_timeout + + ## Disable Unauthenticated Login (such as Guest Accounts) + ## FIA_UAU.1 + - require_singleuser_auth + - grub2_disable_interactive_boot + - grub2_uefi_password + - no_empty_passwords + + ## Set Maximum Number of Authentication Failures to 3 Within 15 Minutes + ## AC-7 / FIA_AFL.1 + - var_accounts_passwords_pam_faillock_deny=3 + - accounts_passwords_pam_faillock_deny + - var_accounts_passwords_pam_faillock_fail_interval=900 + - accounts_passwords_pam_faillock_interval + - var_accounts_passwords_pam_faillock_unlock_time=never + - accounts_passwords_pam_faillock_unlock_time + + ## Enable Host-Based Firewall + ## SC-7(12) / FMT_MOF_EXT.1 + - 
service_firewalld_enabled + + ## Configure Name/Addres of Remote Management Server + ## From Which to Receive Config Settings + ## CM-3(3) / FMT_MOF_EXT.1 + + ## Configure the System to Offload Audit Records to a Log + ## Server + ## AU-4(1) / FAU_GEN.1.1.c + # temporarily dropped + + ## Set Logon Warning Banner + ## AC-8(a) / FMT_MOF_EXT.1 + + ## Audit All Logons (Success/Failure) and Logoffs (Success) + ## CNSSI 1253 Value or DoD-Specific Values: + ## (1) Logons (Success/Failure) + ## (2) Logoffs (Success) + ## AU-2(a) / FAU_GEN.1.1.c + + ## Audit File and Object Events (Unsuccessful) + ## CNSSI 1253 Value or DoD-specific Values: + ## (1) Create (Success/Failure) + ## (2) Access (Success/Failure) + ## (3) Delete (Sucess/Failure) + ## (4) Modify (Success/Failure) + ## (5) Permission Modification (Sucess/Failure) + ## (6) Ownership Modification (Success/Failure) + ## AU-2(a) / FAU_GEN.1.1.c + ## + ## + ## (1) Create (Success/Failure) + ## (open with O_CREAT) + ## (2) Access (Success/Failure) + ## (3) Delete (Success/Failure) + ## (4) Modify (Success/Failure) + ## (5) Permission Modification (Success/Failure) + ## (6) Ownership Modification (Success/Failure) + + ## Audit User and Group Management Events (Success/Failure) + ## CNSSI 1253 Value or DoD-specific Values: + ## (1) User add, delete, modify, disable, enable (Success/Failure) + ## (2) Group/Role add, delete, modify (Success/Failure) + ## AU-2(a) / FAU_GEN.1.1.c + ## + ## Generic User and Group Management Events (Success/Failure) + ## Selection of setuid programs that relate to + ## user accounts. 
+ ## + ## CNSSI 1253: (1) User add, delete, modify, disable, enable (Success/Failure) + ## + ## CNSSI 1252: (2) Group/Role add, delete, modify (Success/Failure) + ## + ## Audit Privilege or Role Escalation Events (Success/Failure) + ## CNSSI 1253 Value or DoD-specific Values: + ## - Privilege/Role escalation (Success/Failure) + ## AU-2(a) / FAU_GEN.1.1.c + ## Audit All Audit and Log Data Accesses (Success/Failure) + ## CNSSI 1253 Value or DoD-specific Values: + ## - Audit and log data access (Success/Failure) + ## AU-2(a) / FAU_GEN.1.1.c + ## Audit Cryptographic Verification of Software (Success/Failure) + ## CNSSI 1253 Value or DoD-specific Values: + ## - Applications (e.g. Firefox, Internet Explorer, MS Office Suite, + ## etc) initialization (Success/Failure) + ## AU-2(a) / FAU_GEN.1.1.c + ## Audit Kernel Module Loading and Unloading Events (Success/Failure) + ## AU-2(a) / FAU_GEN.1.1.c + - audit_basic_configuration + - audit_immutable_login_uids + - audit_create_failed + - audit_create_success + - audit_modify_failed + - audit_modify_success + - audit_access_failed + - audit_access_success + - audit_delete_failed + - audit_delete_success + - audit_perm_change_failed + - audit_perm_change_success + - audit_owner_change_failed + - audit_owner_change_success + - audit_ospp_general + - audit_module_load + + ## Enable Automatic Software Updates + ## SI-2 / FMT_MOF_EXT.1 + # Configure dnf-automatic to Install Only Security Updates + - dnf-automatic_security_updates_only + + # Configure dnf-automatic to Install Available Updates Automatically + - dnf-automatic_apply_updates + + # Enable dnf-automatic Timer + - timer_dnf-automatic_enabled + + # Configure TLS for remote logging + - rsyslog_remote_tls + - rsyslog_remote_tls_cacert + + # Prevent Kerberos use by system daemons + - kerberos_disable_no_keytab + + # set ssh client rekey limit + - ssh_client_rekey_limit + - var_ssh_client_rekey_limit_size=1G + - var_ssh_client_rekey_limit_time=1hour + +# configure ssh client to 
use strong entropy + - ssh_client_use_strong_rng_sh + - ssh_client_use_strong_rng_csh + + # zIPl specific rules + - zipl_bls_entries_only + - zipl_bootmap_is_up_to_date + - zipl_audit_argument + - zipl_audit_backlog_limit_argument + - zipl_slub_debug_argument + - zipl_page_poison_argument + - zipl_vsyscall_argument + - zipl_vsyscall_argument.role=unscored + - zipl_vsyscall_argument.severity=info diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/pci-dss.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/pci-dss.profile new file mode 100644 index 00000000..fed33640 --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/pci-dss.profile 
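Review bot: The `### Install Required Packages` list keeps `package_subscription-manager_installed` and `package_dnf-plugin-subscription-manager_installed`, which are Red Hat subscription tooling; unless Rocky 8 ships those packages, both rules will fail on every scan and an OSPP remediation will try to install packages that do not exist in Rocky's repositories. `ensure_redhat_gpgkey_installed` (here, and in pci-dss, rht-ccp and standard in this commit) checks the vendor's release signing key, so the rocky8 product's key fingerprint must be filled in for that check to be meaningful rather than a permanent failure or a no-op. The `## Configure the System to Offload Audit Records to a Log Server` section carries only `# temporarily dropped` while `rsyslog_remote_tls` and `rsyslog_remote_tls_cacert` appear further down; a one-line comment naming which rules cover AU-4(1) for this product would help the next maintainer. There is also a typo, `Name/Addres`, in the remote management heading.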
@@ -0,0 +1,148 @@
+documentation_complete: true
+
+metadata:
+ SMEs:
+ - carlosmmatos
+
+reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+
+title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8'
+
+description: |-
+ Ensures PCI-DSS v3.2.1 security configuration settings are applied.
+
+selections:
+ - var_password_pam_unix_remember=4
+ - var_account_disable_post_pw_expiration=90
+ - var_accounts_passwords_pam_faillock_deny=6
+ - var_accounts_passwords_pam_faillock_unlock_time=1800
+ - sshd_idle_timeout_value=15_minutes
+ - var_password_pam_minlen=7
+ - var_password_pam_minclass=2
+ - var_accounts_maximum_age_login_defs=90
+ - var_auditd_num_logs=5
+ - service_auditd_enabled
+ - grub2_audit_argument
+ - auditd_data_retention_num_logs
+ - auditd_data_retention_max_log_file
+ - auditd_data_retention_max_log_file_action
+ - auditd_data_retention_space_left_action
+ - auditd_data_retention_admin_space_left_action
+ - auditd_data_retention_action_mail_acct
+ - package_audispd-plugins_installed
+ - auditd_audispd_syslog_plugin_activated
+ - audit_rules_time_adjtimex
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_clock_settime
+ - audit_rules_time_watch_localtime
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - audit_rules_networkconfig_modification
+ - file_permissions_var_log_audit
+ - file_ownership_var_log_audit
+ - audit_rules_mac_modification
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_login_events
+ - audit_rules_session_events
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_privileged_commands
+ - audit_rules_media_export
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_sysadmin_actions
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_immutable
+ - var_multiple_time_servers=rhel
+ - service_chronyd_or_ntpd_enabled
+ - chronyd_or_ntpd_specify_remote_server
+ - chronyd_or_ntpd_specify_multiple_servers
+ - rpm_verify_permissions
+ - rpm_verify_hashes
+ - install_hids
+ - rsyslog_files_permissions
+ - rsyslog_files_ownership
+ - rsyslog_files_groupownership
+ - ensure_logrotate_activated
+ - package_aide_installed
+ - aide_build_database
+ - aide_periodic_cron_checking
+ - account_unique_name
+ - gid_passwd_group_same
+ - accounts_password_all_shadowed
+ - no_empty_passwords
+ - display_login_attempts
+ - account_disable_post_pw_expiration
+ - accounts_passwords_pam_faillock_deny
+ - accounts_passwords_pam_faillock_unlock_time
+ - dconf_db_up_to_date
+ - dconf_gnome_screensaver_idle_delay
+ - dconf_gnome_screensaver_idle_activation_enabled
+ - dconf_gnome_screensaver_lock_enabled
+ - dconf_gnome_screensaver_mode_blank
+ - sshd_set_idle_timeout
+ - var_sshd_set_keepalive=0
+ - sshd_set_keepalive_0
+ - accounts_password_pam_minlen
+ - accounts_password_pam_dcredit
+ - accounts_password_pam_ucredit
+ - accounts_password_pam_lcredit
+ - accounts_password_pam_unix_remember
+ - accounts_maximum_age_login_defs
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_never_disabled
+ - security_patches_up_to_date
+ - package_opensc_installed
+ - var_smartcard_drivers=cac
+ - configure_opensc_card_drivers
+ - force_opensc_card_drivers
+ - package_pcsc-lite_installed
+ - service_pcscd_enabled
+ - sssd_enable_smartcards
+ - set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_logindefs
+ - set_password_hashing_algorithm_libuserconf
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+ - file_permissions_etc_shadow
+ - file_owner_etc_group
+ - file_groupowner_etc_group
+ - file_permissions_etc_group
+ - file_owner_etc_passwd
+ - file_groupowner_etc_passwd
+ - file_permissions_etc_passwd
+ - file_owner_grub2_cfg
+ - file_groupowner_grub2_cfg
+ - package_libreswan_installed
+ - configure_crypto_policy
+ - configure_bind_crypto_policy
+ - configure_openssl_crypto_policy
+ - configure_libreswan_crypto_policy
+ - configure_ssh_crypto_policy
+ - configure_kerberos_crypto_policy
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rhelh-stig.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rhelh-stig.profile
new file mode 100644
index 00000000..1efca5f4
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rhelh-stig.profile
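Review bot: The title `'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8'` is carried over unchanged into the rocky8 product, so the generated XCCDF and guides will present a RHEL 8 baseline on a Rocky system; the same copied wording is in the rhelh-stig, rhelh-vpp, rht-ccp, standard and stig profiles of this commit. `var_multiple_time_servers=rhel` appears to select the Red Hat time-server set as well; if the intent is Rocky's or a site's NTP pool, that value should change together with the title. The rhelh-stig and rhelh-vpp profiles describe the Red Hat Virtualization Host product, which has no Rocky counterpart, so it is worth deciding whether they belong under rocky8/profiles at all.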
@@ -0,0 +1,13 @@
+documentation_complete: true
+
+title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)'
+
+description: |-
+ This *draft* profile contains configuration checks that align to the
+ DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH).
+
+extends: stig
+
+selections:
+ - sudo_vdsm_nopasswd
+ - package_gdm_removed
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rhelh-vpp.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rhelh-vpp.profile
new file mode 100644
index 00000000..2baee6d6
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rhelh-vpp.profile
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)'
+
+description: |-
+ This compliance profile reflects the core set of security
+ related configuration settings for deployment of Red Hat Enterprise
+ Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelligence, and Civilian agencies.
+ Development partners and sponsors include the U.S. National Institute
+ of Standards and Technology (NIST), U.S. Department of Defense,
+ the National Security Agency, and Red Hat.
+
+ This baseline implements configuration requirements from the following
+ sources:
+
+ - Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
+ - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
+ - U.S. Government Configuration Baseline (USGCB)
+ - NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)
+
+ For any differing configuration requirements, e.g. password lengths, the stricter
+ security setting was chosen. Security Requirement Traceability Guides (RTMs) and
+ sample System Security Configuration Guides are provided via the
+ scap-security-guide-docs package.
+
+ This profile reflects U.S. Government consensus content and is developed through
+ the ComplianceAsCode project, championed by the National
+ Security Agency. Except for differences in formatting to accommodate
+ publishing processes, this profile mirrors ComplianceAsCode
+ content as minor divergences, such as bugfixes, work through the
+ consensus and release processes.
+
+extends: ospp
+
+selections: []
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rht-ccp.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rht-ccp.profile
new file mode 100644
index 00000000..15abd98a
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rht-ccp.profile
@@ -0,0 +1,101 @@
+documentation_complete: true
+
+title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
+
+description: |-
+ This profile contains the minimum security relevant
+ configuration settings recommended by Red Hat, Inc for
+ Red Hat Enterprise Linux 8 instances deployed by Red Hat Certified
+ Cloud Providers.
+
+selections:
+ - var_selinux_state=enforcing
+ - var_selinux_policy_name=targeted
+ - file_owner_logfiles_value=root
+ - file_groupowner_logfiles_value=root
+ - sshd_idle_timeout_value=5_minutes
+ - var_accounts_password_minlen_login_defs=6
+ - var_accounts_minimum_age_login_defs=7
+ - var_accounts_passwords_pam_faillock_deny=5
+ - var_accounts_password_warn_age_login_defs=7
+ - var_password_pam_retry=3
+ - var_password_pam_dcredit=1
+ - var_password_pam_ucredit=2
+ - var_password_pam_ocredit=2
+ - var_password_pam_lcredit=2
+ - var_password_pam_difok=3
+ - var_password_pam_unix_remember=5
+ - var_accounts_user_umask=077
+ - login_banner_text=usgcb_default
+ - partition_for_tmp
+ - partition_for_var
+ - partition_for_var_log
+ - partition_for_var_log_audit
+ - selinux_state
+ - selinux_policytype
+ - ensure_redhat_gpgkey_installed
+ - security_patches_up_to_date
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_never_disabled
+ - package_aide_installed
+ - accounts_password_pam_unix_remember
+ - no_shelllogin_for_systemaccounts
+ - no_empty_passwords
+ - accounts_password_all_shadowed
+ - accounts_no_uid_except_zero
+ - accounts_password_minlen_login_defs
+ - accounts_minimum_age_login_defs
+ - accounts_password_warn_age_login_defs
+ - accounts_password_pam_retry
+ - accounts_password_pam_dcredit
+ - accounts_password_pam_ucredit
+ - accounts_password_pam_ocredit
+ - accounts_password_pam_lcredit
+ - accounts_password_pam_difok
+ - accounts_passwords_pam_faillock_deny
+ - set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_logindefs
+ - set_password_hashing_algorithm_libuserconf
+ - require_singleuser_auth
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+ - file_permissions_etc_shadow
+ - file_owner_etc_gshadow
+ - file_groupowner_etc_gshadow
+ - file_permissions_etc_gshadow
+ - file_owner_etc_passwd
+ - file_groupowner_etc_passwd
+ - file_permissions_etc_passwd
+ - file_owner_etc_group
+ - file_groupowner_etc_group
+ - file_permissions_etc_group
+ - file_permissions_library_dirs
+ - file_ownership_library_dirs
+ - file_permissions_binary_dirs
+ - file_ownership_binary_dirs
+ - file_permissions_var_log_audit
+ - file_owner_grub2_cfg
+ - file_groupowner_grub2_cfg
+ - file_permissions_grub2_cfg
+ - grub2_password
+ - kernel_module_dccp_disabled
+ - kernel_module_sctp_disabled
+ - service_firewalld_enabled
+ - set_firewalld_default_zone
+ - firewalld_sshd_port_enabled
+ - service_abrtd_disabled
+ - service_telnet_disabled
+ - package_telnet-server_removed
+ - package_telnet_removed
+ - sshd_allow_only_protocol2
+ - sshd_set_idle_timeout
+ - var_sshd_set_keepalive=0
+ - sshd_set_keepalive_0
+ - disable_host_auth
+ - sshd_disable_root_login
+ - sshd_disable_empty_passwords
+ - sshd_enable_warning_banner
+ - sshd_do_not_permit_user_env
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/standard.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/standard.profile
new file mode 100644
index 00000000..a63ae2cf
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/standard.profile
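Review bot: `var_accounts_password_minlen_login_defs=6` sets the weakest password minimum in this commit (pci-dss uses 7, ospp 12 and stig 15), and the profile never selects `accounts_password_pam_minlen`, so the pam_pwquality length is left to the system default while only login.defs is enforced. Since the title and description present this as Red Hat's recommendation for its certified cloud providers, a Rocky product carrying the same name either needs that provenance explained in the description or the value reconsidered; a comment such as `# minlen kept at 6 to match the upstream RH CCP profile` would at least make the choice deliberate.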
@@ -0,0 +1,67 @@
+documentation_complete: true
+
+title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
+
+description: |-
+ This profile contains rules to ensure standard security baseline
+ of a Red Hat Enterprise Linux 8 system. Regardless of your system's workload
+ all of these checks should pass.
+
+selections:
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - rpm_verify_permissions
+ - rpm_verify_hashes
+ - security_patches_up_to_date
+ - no_empty_passwords
+ - file_permissions_unauthorized_sgid
+ - file_permissions_unauthorized_suid
+ - file_permissions_unauthorized_world_writable
+ - accounts_root_path_dirs_no_write
+ - dir_perms_world_writable_sticky_bits
+ - mount_option_dev_shm_nodev
+ - mount_option_dev_shm_nosuid
+ - partition_for_var_log
+ - partition_for_var_log_audit
+ - package_rsyslog_installed
+ - service_rsyslog_enabled
+ - audit_rules_time_adjtimex
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_clock_settime
+ - audit_rules_time_watch_localtime
+ - audit_rules_usergroup_modification
+ - audit_rules_networkconfig_modification
+ - audit_rules_mac_modification
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_unsuccessful_file_modification
+ - audit_rules_privileged_commands
+ - audit_rules_media_export
+ - audit_rules_file_deletion_events
+ - audit_rules_sysadmin_actions
+ - audit_rules_kernel_module_loading
+ - service_abrtd_disabled
+ - service_atd_disabled
+ - service_autofs_disabled
+ - service_ntpdate_disabled
+ - service_oddjobd_disabled
+ - service_qpidd_disabled
+ - service_rdisc_disabled
+ - configure_crypto_policy
+ - configure_bind_crypto_policy
+ - configure_openssl_crypto_policy
+ - configure_libreswan_crypto_policy
+ - configure_ssh_crypto_policy
+ - configure_kerberos_crypto_policy
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/stig.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/stig.profile
new file mode 100644
index 00000000..13be1192
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/stig.profile
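Review bot: `ensure_gpgcheck_globally_activated` is selected without `ensure_gpgcheck_never_disabled`, so as I read the rule names a repository file that overrides `gpgcheck=0` per-repo still passes this baseline while unsigned packages can be installed from it; the pci-dss and rht-ccp profiles in this commit select both rules together. Adding `  - ensure_gpgcheck_never_disabled` directly after `  - ensure_gpgcheck_globally_activated` closes that gap in the one profile whose description says every workload should pass it. The title and description still name Red Hat Enterprise Linux 8 for a rocky8 product, as noted on the pci-dss profile.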
@@ -0,0 +1,1064 @@
+documentation_complete: true
+
+metadata:
+ version: V1R1
+ SMEs:
+ - carlosmmatos
+
+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+title: 'DISA STIG for Red Hat Enterprise Linux 8'
+
+description: |-
+ This profile contains configuration checks that align to the
+ DISA STIG for Red Hat Enterprise Linux 8 V1R1.
+
+ In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
+ configuration baseline as applicable to the operating system tier of
+ Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:
+
+ - Red Hat Enterprise Linux Server
+ - Red Hat Enterprise Linux Workstation and Desktop
+ - Red Hat Enterprise Linux for HPC
+ - Red Hat Storage
+ - Red Hat Containers with a Red Hat Enterprise Linux 8 image
+
+selections:
+ ### Variables
+ - var_rekey_limit_size=1G
+ - var_rekey_limit_time=1hour
+ - var_accounts_user_umask=077
+ - var_password_pam_difok=8
+ - var_password_pam_maxrepeat=3
+ - var_sshd_disable_compression=no
+ - var_password_hashing_algorithm=SHA512
+ - var_password_pam_maxclassrepeat=4
+ - var_password_pam_minclass=4
+ - var_accounts_minimum_age_login_defs=1
+ - var_accounts_max_concurrent_login_sessions=10
+ - var_password_pam_unix_remember=5
+ - var_selinux_state=enforcing
+ - var_selinux_policy_name=targeted
+ - var_accounts_password_minlen_login_defs=15
+ - var_password_pam_unix_rounds=5000
+ - var_password_pam_minlen=15
+ - var_password_pam_ocredit=1
+ - var_password_pam_dcredit=1
+ - var_password_pam_ucredit=1
+ - var_password_pam_lcredit=1
+ - var_password_pam_retry=3
+ - var_password_pam_minlen=15
+ - var_sshd_set_keepalive=0
+ - sshd_idle_timeout_value=10_minutes
+ - var_accounts_passwords_pam_faillock_deny=3
+ - var_accounts_passwords_pam_faillock_fail_interval=900
+ - var_accounts_passwords_pam_faillock_unlock_time=never
+ - var_ssh_client_rekey_limit_size=1G
+ - var_ssh_client_rekey_limit_time=1hour
+ - var_accounts_fail_delay=4
+ - var_account_disable_post_pw_expiration=35
+ - var_auditd_action_mail_acct=root
+ - var_time_service_set_maxpoll=18_hours
+ - var_accounts_maximum_age_login_defs=60
+ - var_auditd_space_left=250MB
+ - var_auditd_space_left_action=email
+ - var_auditd_disk_error_action=halt
+ - var_auditd_max_log_file_action=syslog
+ - var_auditd_disk_full_action=halt
+
+ ### Enable / Configure FIPS
+ - enable_fips_mode
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+ - configure_bind_crypto_policy
+ - configure_libreswan_crypto_policy
+ - configure_kerberos_crypto_policy
+ - enable_dracut_fips_module
+
+ ### Rules:
+ # RHEL-08-010070
+ - installed_OS_is_vendor_supported
+
+ # RHEL-08-010010
+ - security_patches_up_to_date
+
+ # RHEL-08-010020
+ - sysctl_crypto_fips_enabled
+
+ # RHEL-08-010030
+ - encrypt_partitions
+
+ # RHEL-08-010040
+ - sshd_enable_warning_banner
+
+ # RHEL-08-010050
+ - dconf_gnome_banner_enabled
+ - dconf_gnome_login_banner_text
+
+ # RHEL-08-010060
+ - banner_etc_issue
+
+ # RHEL-08-010070
+
+ # RHEL-08-010090
+
+ # RHEL-08-010100
+
+ # RHEL-08-010110
+ - set_password_hashing_algorithm_logindefs
+
+ # RHEL-08-010120
+
+ # RHEL-08-010130
+ - accounts_password_pam_unix_rounds_system_auth
+ - accounts_password_pam_unix_rounds_password_auth
+
+ # RHEL-08-010140
+ - grub2_uefi_password
+ - grub2_uefi_admin_username
+
+ # RHEL-08-010150
+ - grub2_password
+ - grub2_admin_username
+
+ # RHEL-08-010151
+ - require_singleuser_auth
+ - require_emergency_target_auth
+
+ # RHEL-08-010152
+ # To be released in V1R3
+ # - require_emergency_target_auth
+
+ # RHEL-08-010160
+ - set_password_hashing_algorithm_systemauth
+
+ # RHEL-08-010161
+ - kerberos_disable_no_keytab
+
+ # RHEL-08-010162
+ - package_krb5-workstation_removed
+
+ # RHEL-08-010170
+ - selinux_state
+
+ # RHEL-08-010171
+ - package_policycoreutils_installed
+
+ # RHEL-08-010180
+
+ # RHEL-08-010190
+ - dir_perms_world_writable_sticky_bits
+
+ # RHEL-08-010200
+ - sshd_set_idle_timeout
+ - sshd_set_keepalive_0
+
+ # RHEL-08-010210
+ - file_permissions_var_log_messages
+
+ # RHEL-08-010220
+ - file_owner_var_log_messages
+
+ # RHEL-08-010230
+ - file_groupowner_var_log_messages
+
+ # RHEL-08-010240
+ - file_permissions_var_log
+
+ # RHEL-08-010250
+ - file_owner_var_log
+
+ # RHEL-08-010260
+ - file_groupowner_var_log
+
+ # RHEL-08-010290 && RHEL-08-010291
+ ### NOTE: This will get split out in future STIG releases, as well as we will break
+ ### these rules up to be more flexible in meeting the requirements.
+ - configure_ssh_crypto_policy
+
+ # RHEL-08-010292
+ - sshd_use_strong_rng
+
+ # RHEL-08-010293
+ - configure_openssl_crypto_policy
+
+ # RHEL-08-010294
+
+ # RHEL-08-010295
+
+ # RHEL-08-010300
+ - file_permissions_binary_dirs
+
+ # RHEL-08-010310
+ - file_ownership_binary_dirs
+
+ # RHEL-08-010320
+
+ # RHEL-08-010330
+ - file_permissions_library_dirs
+
+ # RHEL-08-010340
+ - file_ownership_library_dirs
+
+ # RHEL-08-010350
+
+ # RHEL-08-010360
+ - package_aide_installed
+ - aide_scan_notification
+
+ # RHEL-08-010370
+ - ensure_gpgcheck_globally_activated
+
+ # RHEL-08-010371
+ - ensure_gpgcheck_local_packages
+
+ # RHEL-08-010372
+ - sysctl_kernel_kexec_load_disabled
+
+ # RHEL-08-010373
+ - sysctl_fs_protected_symlinks
+
+ # RHEL-08-010374
+ - sysctl_fs_protected_hardlinks
+
+ # RHEL-08-010375
+ - sysctl_kernel_dmesg_restrict
+
+ # RHEL-08-010376
+ - sysctl_kernel_perf_event_paranoid
+
+ # RHEL-08-010380
+ - sudo_remove_nopasswd
+
+ # RHEL-08-010381
+ - sudo_remove_no_authenticate
+
+ # RHEL-08-010383
+ - sudoers_validate_passwd
+
+ # RHEL-08-010390
+ - install_smartcard_packages
+
+ # RHEL-08-010400
+
+ # RHEL-08-010410
+ - package_opensc_installed
+
+ # RHEL-08-010420
+
+ # RHEL-08-010421
+ - grub2_page_poison_argument
+
+ # RHEL-08-010422
+ - grub2_vsyscall_argument
+
+ # RHEL-08-010423
+ - grub2_slub_debug_argument
+
+ # RHEL-08-010430
+ - sysctl_kernel_randomize_va_space
+
+ # RHEL-08-010440
+ - clean_components_post_updating
+
+ # RHEL-08-010450
+ - selinux_policytype
+
+ # RHEL-08-010460
+ - no_host_based_files
+
+ # RHEL-08-010470
+ - no_user_host_based_files
+
+ # RHEL-08-010471
+ - service_rngd_enabled
+ - package_rng-tools_installed
+
+ # RHEL-08-010480
+ - file_permissions_sshd_pub_key
+
+ # RHEL-08-010490
+ - file_permissions_sshd_private_key
+
+ # RHEL-08-010500
+ - sshd_enable_strictmodes
+
+ # RHEL-08-010510
+ - sshd_disable_compression
+
+ # RHEL-08-010520
+ - sshd_disable_user_known_hosts
+
+ # RHEL-08-010521
+ - sshd_disable_kerb_auth
+ - sshd_disable_gssapi_auth
+
+ # RHEL-08-010540
+ - partition_for_var
+
+ # RHEL-08-010541
+ - partition_for_var_log
+
+ # RHEL-08-010542
+ - partition_for_var_log_audit
+
+ # RHEL-08-010543
+ - partition_for_tmp
+
+ # RHEL-08-010544
+ ### NOTE: Will probably show up in V1R3 - Q3 of 21'
+ - partition_for_var_tmp
+
+ # RHEL-08-010550
+ - sshd_disable_root_login
+
+ # RHEL-08-010560
+ - service_auditd_enabled
+
+ # RHEL-08-010561
+ - service_rsyslog_enabled
+
+ # RHEL-08-010570
+ - mount_option_home_nosuid
+
+ # RHEL-08-010571
+ - mount_option_boot_nosuid
+
+ # RHEL-08-010580
+ - mount_option_nodev_nonroot_local_partitions
+
+ # RHEL-08-010590
+
+ # RHEL-08-010600
+ - mount_option_nodev_removable_partitions
+
+ # RHEL-08-010610
+ - mount_option_noexec_removable_partitions
+
+ # RHEL-08-010620
+ - mount_option_nosuid_removable_partitions
+
+ # RHEL-08-010630
+ - mount_option_noexec_remote_filesystems
+
+ # RHEL-08-010640
+ - mount_option_nodev_remote_filesystems
+
+ # RHEL-08-010650
+ - mount_option_nosuid_remote_filesystems
+
+ # RHEL-08-010660
+ - accounts_user_dot_no_world_writable_programs
+
+ # RHEL-08-010670
+ - service_kdump_disabled
+
+ # RHEL-08-010671
+ - sysctl_kernel_core_pattern
+
+ # RHEL-08-010672
+ - service_systemd-coredump_disabled
+
+ # RHEL-08-010673
+ - disable_users_coredumps
+
+ # RHEL-08-010674
+ - coredump_disable_storage
+
+ # RHEL-08-010675
+ - coredump_disable_backtraces
+
+ # RHEL-08-010680
+ - network_configure_name_resolution
+
+ # RHEL-08-010690
+ - accounts_user_home_paths_only
+
+ # RHEL-08-010700
+ - dir_perms_world_writable_root_owned
+
+ # RHEL-08-010710
+
+ # RHEL-08-010720
+ - accounts_user_interactive_home_directory_defined
+
+ # RHEL-08-010730
+ - file_permissions_home_directories
+
+ # RHEL-08-010740
+ - file_groupownership_home_directories
+
+ # RHEL-08-010750
+ - accounts_user_interactive_home_directory_exists
+
+ # RHEL-08-010760
+ - accounts_have_homedir_login_defs
+
+ # RHEL-08-010770
+ - file_permission_user_init_files
+
+ # RHEL-08-010780
+ - no_files_unowned_by_user
+
+ # RHEL-08-010790
+ - file_permissions_ungroupowned
+
+ # RHEL-08-010800
+ - partition_for_home
+
+ # RHEL-08-010820
+ - gnome_gdm_disable_automatic_login
+
+ # RHEL-08-010830
+ - sshd_do_not_permit_user_env
+
+ # RHEL-08-020000
+ - account_temp_expire_date
+
+ # RHEL-08-020010
+ - accounts_passwords_pam_faillock_deny
+
+ # RHEL-08-020011
+
+ # RHEL-08-020012
+ - accounts_passwords_pam_faillock_interval
+
+ # RHEL-08-020013
+
+ # RHEL-08-020014
+ - accounts_passwords_pam_faillock_unlock_time
+
+ # RHEL-08-020015
+
+ # RHEL-08-020016
+
+ # RHEL-08-020017
+
+ # RHEL-08-020018
+
+ # RHEL-08-020019
+
+ # RHEL-08-020020
+
+ # RHEL-08-020021
+
+ # RHEL-08-020022
+ - accounts_passwords_pam_faillock_deny_root
+
+ # RHEL-08-020023
+
+ # RHEL-08-020024
+ - accounts_max_concurrent_login_sessions
+
+ # RHEL-08-020030
+ - dconf_gnome_screensaver_lock_enabled
+
+ # RHEL-08-020040
+ - package_tmux_installed
+ - configure_tmux_lock_command
+
+ # RHEL-08-020041
+ - configure_bashrc_exec_tmux
+
+ # RHEL-08-020042
+ - no_tmux_in_shells
+
+ # RHEL-08-020050
+ - dconf_gnome_lock_screen_on_smartcard_removal
+
+ # RHEL-08-020060
+ - dconf_gnome_screensaver_idle_delay
+
+ # RHEL-08-020070
+ - configure_tmux_lock_after_time
+
+ # RHEL-08-020080
+
+ # RHEL-08-020090
+
+ # RHEL-08-020100
+ - accounts_password_pam_retry
+
+ # RHEL-08-020110
+ - accounts_password_pam_ucredit
+
+ # RHEL-08-020120
+ - accounts_password_pam_lcredit
+
+ # RHEL-08-020130
+ - accounts_password_pam_dcredit
+
+ # RHEL-08-020140
+ - accounts_password_pam_maxclassrepeat
+
+ # RHEL-08-020150
+ - accounts_password_pam_maxrepeat
+
+ # RHEL-08-020160
+ - accounts_password_pam_minclass
+
+ # RHEL-08-020170
+ - accounts_password_pam_difok
+
+ # RHEL-08-020180
+ - accounts_password_set_min_life_existing
+
+ # RHEL-08-020190
+ - accounts_minimum_age_login_defs
+
+ # RHEL-08-020200
+ - accounts_maximum_age_login_defs
+
+ # RHEL-08-020210
+ - accounts_password_set_max_life_existing
+
+ # RHEL-08-020220
+ - accounts_password_pam_unix_remember
+
+ # RHEL-08-020230
+ - accounts_password_pam_minlen
+
+ # RHEL-08-020231
+ - accounts_password_minlen_login_defs
+
+ # RHEL-08-020240
+
+ # RHEL-08-020250
+ - sssd_enable_smartcards
+
+ # RHEL-08-020260
+ - account_disable_post_pw_expiration
+
+ # RHEL-08-020270
+
+ # RHEL-08-020280
+ - accounts_password_pam_ocredit
+
+ # RHEL-08-020290
+ - sssd_offline_cred_expiration
+
+ # RHEL-08-020300
+
+ # RHEL-08-020310
+ - accounts_logon_fail_delay
+
+ # RHEL-08-020320
+ # - accounts_authorized_local_users
+
+ # RHEL-08-020330
+ - no_empty_passwords
+ - sshd_disable_empty_passwords
+
+ # RHEL-08-020340
+ - display_login_attempts
+
+ # RHEL-08-020350
+ - sshd_print_last_log
+
+ # RHEL-08-020351
+ - accounts_umask_etc_login_defs
+
+ # RHEL-08-020352
+ - accounts_umask_interactive_users
+
+ # RHEL-08-020353
+ - accounts_umask_etc_bashrc
+
+ # RHEL-08-030000
+
+ # RHEL-08-030010
+ - rsyslog_cron_logging
+
+ # RHEL-08-030020
+ - auditd_data_retention_action_mail_acct
+
+ # RHEL-08-030030
+ - postfix_client_configure_mail_alias
+
+ # RHEL-08-030040
+ - auditd_data_disk_error_action
+
+ # RHEL-08-030050
+ - auditd_data_retention_max_log_file_action
+
+ # RHEL-08-030060
+ - auditd_data_disk_full_action
+
+ # RHEL-08-030061
+ - auditd_local_events
+
+ # RHEL-08-030062
+ - auditd_name_format
+
+ # RHEL-08-030063
+ - auditd_log_format
+
+ # RHEL-08-030070
+ - file_permissions_var_log_audit
+
+ # RHEL-08-030080, RHEL-08-030090, RHEL-08-030100, RHEL-08-030110
+ ### NOTE: These might get broken up, but currently the following
+ ### rule accounts for these STIG ID's
+ - file_ownership_var_log_audit
+
+ # RHEL-08-030120
+ - directory_permissions_var_log_audit
+
+ # *** NOTE *** #
+ # Audit rules are currently under review as to how best to approach
+ # them. We are working with DISA and our internal audit experts to
+ # provide a final solution soon.
+ # ************ #
+
+ # RHEL-08-030121
+ # - audit_rules_immutable
+
+ # RHEL-08-030122
+ # - audit_immutable_login_uids
+
+ # RHEL-08-030130
+ # - audit_rules_usergroup_modification_shadow
+
+ # RHEL-08-030140
+ # - audit_rules_usergroup_modification_opasswd
+
+ # RHEL-08-030150
+ # - audit_rules_usergroup_modification_passwd
+
+ # RHEL-08-030160
+ # - audit_rules_usergroup_modification_gshadow
+
+ # RHEL-08-030170
+ # - audit_rules_usergroup_modification_group
+
+ # RHEL-08-030171, RHEL-08-030172
+ # - audit_rules_sysadmin_actions
+
+ # RHEL-08-030180
+ - package_audit_installed
+ - service_auditd_enabled
+
+ # RHEL-08-030190
+ # - audit_rules_privileged_commands_sudo
+
+ # RHEL-08-030200, RHEL-08-030210, RHEL-08-030220, RHEL-08-030230, RHEL-08-030240
+ # - audit_perm_change_failed
+ # - audit_perm_change_success
+
+ # RHEL-08-030250
+ # - audit_rules_privileged_commands_chage
+
+ # RHEL-08-030260
+ # - audit_rules_execution_chcon
+
+ # RHEL-08-030270
+ # - audit_perm_change_failed
+ # - audit_perm_change_success
+
+ # RHEL-08-030280
+
+ # RHEL-08-030290, RHEL-08-030300, RHEL-08-030301
+ # - audit_ospp_general
+
+ # RHEL-08-030302
+ # - audit_rules_media_export
+
+ # RHEL-08-030310
+
+ # RHEL-08-030311
+ # - audit_rules_privileged_commands_postdrop
+
+ # RHEL-08-030312
+ # - audit_rules_privileged_commands_postqueue
+
+ # RHEL-08-030313
+ # - audit_rules_execution_semanage
+
+ # RHEL-08-030314
+ # - audit_rules_execution_setfiles
+
+ # RHEL-08-030315
+ # - audit_ospp_general
+
+ # RHEL-08-030316
+ # - audit_rules_execution_setsebool
+
+ # RHEL-08-030317
+ # - audit_ospp_general
+
+ # RHEL-08-030320
+ # - audit_rules_privileged_commands_ssh_keysign
+
+ # RHEL-08-030330
+
+ # RHEL-08-030340
+ # - audit_rules_privileged_commands_pam_timestamp_check
+
+ # RHEL-08-030350
+ # - audit_ospp_general
+
+ # RHEL-08-030360
+ # - audit_module_load
+
+ # RHEL-08-030361, RHEL-08-030362
+ # - audit_delete_failed
+ # - audit_delete_success
+
+ # RHEL-08-030363
+
+ # RHEL-08-030364, RHEL-08-030365
+ # - audit_delete_failed
+ # - audit_delete_success
+
+ # RHEL-08-030370
+ # - audit_ospp_general
+
+ # RHEL-08-030380, RHEL-08-030390
+ # - audit_module_load
+
+ # RHEL-08-030400
+ # - audit_ospp_general
+
+ # RHEL-08-030410
+ # - audit_rules_privileged_commands_chsh
+
+ # RHEL-08-030420
+ # - audit_modify_failed
+ # - audit_modify_success
+
+ # RHEL-08-030430, RHEL-08-030440, RHEL-08-030450
+ # - audit_create_failed
+ # - audit_create_success
+ # - audit_modify_failed
+ # - audit_modify_success
+ # - audit_access_failed
+ # - audit_access_success
+
+ # RHEL-08-030460
+ # - audit_modify_failed
+ # - audit_modify_success
+
+ # RHEL-08-030470
+ # - audit_create_failed
+ # - audit_create_success
+
+ # RHEL-08-030480
+ # - audit_owner_change_failed
+ # - audit_owner_change_success
+
+ # RHEL-08-030490
+ # - audit_perm_change_failed
+ # - audit_perm_change_success
+
+ # RHEL-08-030500, RHEL-08-030510, RHEL-08-030520
+ # - audit_owner_change_failed
+ # - audit_owner_change_success
+
+ # RHEL-08-030530, RHEL-08-030540
+ # - audit_perm_change_failed
+ # - audit_perm_change_success
+
+ # RHEL-08-030550
+ # - audit_rules_privileged_commands_sudo
+
+ # RHEL-08-030560
+
+ # RHEL-08-030570
+
+ # RHEL-08-030580
+
+ # RHEL-08-030590
+ # - audit_rules_login_events_faillock
+
+ # RHEL-08-030600
+ # - audit_rules_login_events_lastlog
+
+ # RHEL-08-030601
+ - grub2_audit_argument
+
+ # RHEL-08-030602
+ - grub2_audit_backlog_limit_argument
+
+ # RHEL-08-030603
+ - configure_usbguard_auditbackend
+
+ # RHEL-08-030610
+
+ # RHEL-08-030620
+
+ # RHEL-08-030630
+
+ # RHEL-08-030640
+
+ # RHEL-08-030650
+
+ # RHEL-08-030660
+
+ # RHEL-08-030670
+ - package_rsyslog_installed
+
+ # RHEL-08-030680
+ - package_rsyslog-gnutls_installed
+
+ # RHEL-08-030690
+ - rsyslog_remote_loghost
+
+ # RHEL-08-030700
+
+ # RHEL-08-030710
+
+ # RHEL-08-030720
+
+ # RHEL-08-030730
+ # this rule expects configuration in MB instead percentage as how STIG demands
+ # - auditd_data_retention_space_left
+ - auditd_data_retention_space_left_action
+
+ # RHEL-08-030740
+ # remediation fails because default configuration file contains pool instead of server keyword
+ - chronyd_or_ntpd_set_maxpoll
+
+ # RHEL-08-030741
+ - chronyd_client_only
+
+ # RHEL-08-030742
+ - chronyd_no_chronyc_network
+
+ # RHEL-08-040000
+ - package_telnet-server_removed
+
+ # RHEL-08-040001
+ - package_abrt_removed
+ - package_abrt-addon-ccpp_removed
+ - package_abrt-addon-kerneloops_removed
+ - package_abrt-addon-python_removed
+ - package_abrt-cli_removed
+ - package_abrt-plugin-logger_removed
+ - package_abrt-plugin-rhtsupport_removed
+ - package_abrt-plugin-sosreport_removed
+
+ # RHEL-08-040002
+ - package_sendmail_removed
+
+ # RHEL-08-040003
+ ### NOTE: Will be removed in V1R2, merged into RHEL-08-040370
+
+ # RHEL-08-040004
+ - grub2_pti_argument
+
+ # RHEL-08-040010
+ - package_rsh-server_removed
+
+ # RHEL-08-040020
+
+ # RHEL-08-040021
+ - kernel_module_atm_disabled
+
+ # RHEL-08-040022
+ - kernel_module_can_disabled
+
+ # RHEL-08-040023
+ - kernel_module_sctp_disabled
+
+ # RHEL-08-040024
+ - kernel_module_tipc_disabled
+
+ # RHEL-08-040025
+ - kernel_module_cramfs_disabled
+
+ # RHEL-08-040026
+ - kernel_module_firewire-core_disabled
+
+ # RHEL-08-040030
+ - configure_firewalld_ports
+
+ # RHEL-08-040060
+ ### NOTE: Will be removed in V1R2
+
+ # RHEL-08-040070
+ - service_autofs_disabled
+
+ # RHEL-08-040080
+ - kernel_module_usb-storage_disabled
+
+ # RHEL-08-040090
+
+ # RHEL-08-040100
+ - service_firewalld_enabled
+ - package_firewalld_installed
+
+ # RHEL-08-040110
+ - wireless_disable_interfaces
+
+ # RHEL-08-040111
+ - kernel_module_bluetooth_disabled
+
+ # RHEL-08-040120
+ - mount_option_dev_shm_nodev
+
+ # RHEL-08-040121
+ - mount_option_dev_shm_nosuid
+
+ # RHEL-08-040122
+ - mount_option_dev_shm_noexec
+
+ # RHEL-08-040123
+ - mount_option_tmp_nodev
+
+ # RHEL-08-040124
+ - mount_option_tmp_nosuid
+
+ # RHEL-08-040125
+ - mount_option_tmp_noexec
+
+ # RHEL-08-040126
+ - mount_option_var_log_nodev
+
+ # RHEL-08-040127
+ - mount_option_var_log_nosuid
+
+ # RHEL-08-040128
+ - mount_option_var_log_noexec
+
+ # RHEL-08-040129
+ - mount_option_var_log_audit_nodev
+
+ # RHEL-08-040130
+ - mount_option_var_log_audit_nosuid
+
+ # RHEL-08-040131
+ - mount_option_var_log_audit_noexec
+
+ # RHEL-08-040132
+ - mount_option_var_tmp_nodev
+
+ # RHEL-08-040133
+ - mount_option_var_tmp_nosuid
+
+ # RHEL-08-040134
+ - mount_option_var_tmp_noexec
+
+ # RHEL-08-040135
+ - package_fapolicyd_installed
+ - service_fapolicyd_enabled
+
+ # RHEL-08-040140
+ - package_usbguard_installed
+ - service_usbguard_enabled
+
+ # RHEL-08-040150
+
+ # RHEL-08-040160
+ - package_openssh-server_installed
+ - service_sshd_enabled
+
+ # RHEL-08-040161
+ - sshd_rekey_limit
+
+ # RHEL-08-040162
+ - ssh_client_rekey_limit
+
+ # RHEL-08-040170
+ - disable_ctrlaltdel_reboot
+
+ # RHEL-08-040171
+ - dconf_gnome_disable_ctrlaltdel_reboot
+
+ # RHEL-08-040172
+ - disable_ctrlaltdel_burstaction
+
+ # RHEL-08-040180
+ - service_debug-shell_disabled
+
+ # RHEL-08-040190
+ - package_tftp-server_removed
+
+ # RHEL-08-040200
+ - accounts_no_uid_except_zero
+
+ # RHEL-08-040210
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ - sysctl_net_ipv6_conf_default_accept_redirects
+
+ # RHEL-08-040220
+ - sysctl_net_ipv4_conf_all_send_redirects
+
+ # RHEL-08-040230
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+
+ # RHEL-08-040240
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv6_conf_all_accept_source_route
+
+ # RHEL-08-040250
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv6_conf_default_accept_source_route
+
+ # RHEL-08-040260
+ - sysctl_net_ipv4_ip_forward
+
+ # RHEL-08-040261
+ - sysctl_net_ipv6_conf_all_accept_ra
+
+ # RHEL-08-040262
+ - sysctl_net_ipv6_conf_default_accept_ra
+
+ # RHEL-08-040270
+ - sysctl_net_ipv4_conf_default_send_redirects
+
+ # RHEL-08-040280
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv6_conf_all_accept_redirects
+
+ # RHEL-08-040281
+ - sysctl_kernel_unprivileged_bpf_disabled
+
+ # RHEL-08-040282
+ - sysctl_kernel_yama_ptrace_scope
+
+ # RHEL-08-040283
+ - sysctl_kernel_kptr_restrict
+
+ # RHEL-08-040284
+ - sysctl_user_max_user_namespaces
+
+ # RHEL-08-040285
+ - sysctl_net_ipv4_conf_all_rp_filter
+
+ # RHEL-08-040290
+ # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation
+ # there needs to be a new platform check to identify when postfix is installed or not
+ # - postfix_prevent_unrestricted_relay
+
+ # RHEL-08-040300
+ - aide_verify_ext_attributes
+
+ # RHEL-08-040310
+ - aide_verify_acls
+
+ # RHEL-08-040320
+ - xwindows_remove_packages
+
+ # RHEL-08-040330
+ - network_sniffer_disabled
+
+ # RHEL-08-040340
+ - sshd_disable_x11_forwarding
+
+ # RHEL-08-040341
+ - sshd_x11_use_localhost
+
+ # RHEL-08-040350
+ - tftpd_uses_secure_mode
+
+ # RHEL-08-040360
+ - package_vsftpd_removed
+
+ # RHEL-08-040370
+ - package_gssproxy_removed
+
+ # RHEL-08-040380
+ - package_iprutils_removed
+
+ # RHEL-08-040390
+ - package_tuned_removed
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/cci2html.xsl b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/cci2html.xsl
new file mode 100644
index 00000000..59d708ad
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/cci2html.xsl
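Review bot: `var_password_pam_minlen=15` appears twice in the `### Variables` block, once after `var_password_pam_unix_rounds=5000` and again after `var_password_pam_retry=3`; the second entry should be dropped so the profile carries no duplicate refinement. The `title` and `description` also still describe Red Hat Enterprise Linux 8 and enumerate Red Hat product tiers, although the file is added as `files/rocky8/profiles/stig.profile`; if the RHEL 8 STIG is being applied to Rocky as-is, the description should say so rather than keep the vendor wording verbatim, e.g. `title: 'DISA STIG for Red Hat Enterprise Linux 8 (applied to Rocky Linux 8)'`. The `# RHEL-08-010070` heading is likewise present twice, once above `installed_OS_is_vendor_supported` and again as an empty heading before `# RHEL-08-010090`; keeping one avoids a misleading cross-reference when the profile is audited against the STIG IDs.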
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cci="https://public.cyber.mil/stigs/cci">
+
+<xsl:include href="../../shared/transforms/shared_cci2html.xsl"/>
+
+</xsl:stylesheet>
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/constants.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/constants.xslt
new file mode 100644
index 00000000..0df9c540
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/constants.xslt
@@ -0,0 +1,21 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:include href="../../shared/transforms/shared_constants.xslt"/>
+
+<xsl:variable name="product_long_name">Red Hat Enterprise Linux 8</xsl:variable>
+<xsl:variable name="product_short_name">RHEL 8</xsl:variable>
+<xsl:variable name="product_stig_id_name">RHEL_8_STIG</xsl:variable>
+<xsl:variable name="prod_type">rhel8</xsl:variable>
+
+<xsl:variable name="cisuri">https://www.cisecurity.org/benchmark/red_hat_linux/</xsl:variable>
+<xsl:variable name="product_guide_id_name">RHEL-8</xsl:variable>
+<xsl:variable name="disa-stigs-uri" select="$disa-stigs-os-unix-linux-uri"/>
+<xsl:variable name="disa-srguri" select="$disa-ossrguri"/>
+
+<!-- Define URI for custom CCE identifier which can be used for mapping to corporate policy -->
+<!--xsl:variable name="custom-cce-uri">https://www.example.org</xsl:variable-->
+
+<!-- Define URI for custom policy reference which can be used for linking to corporate policy -->
+<!--xsl:variable name="custom-ref-uri">https://www.example.org</xsl:variable-->
+
+</xsl:stylesheet>
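Review bot: `prod_type` is set to `rhel8`, and `product_long_name`, `product_short_name`, `product_stig_id_name` and `product_guide_id_name` all carry RHEL 8 values, although this file is the rocky8 product's `constants.xslt`. If these variables feed the generated benchmark titles and identifiers as their names suggest, the rocky8 output will be labelled as RHEL 8 and may collide with the real rhel8 product's IDs; at minimum `<xsl:variable name="prod_type">rocky8</xsl:variable>` and `<xsl:variable name="product_long_name">Rocky Linux 8</xsl:variable>` should change, with the short name and guide ID adjusted to match. `cisuri` also still points at the Red Hat CIS benchmark page and should be re-checked for the Rocky benchmark.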
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/shorthand2xccdf.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/shorthand2xccdf.xslt
new file mode 100644
index 00000000..e017cf6f
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/shorthand2xccdf.xslt
@@ -0,0 +1,8 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:import href="../../shared/transforms/shared_shorthand2xccdf.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:param name="ssg_version">unknown</xsl:param>
+
+</xsl:stylesheet>
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-add-srgitems.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-add-srgitems.xslt
new file mode 100644
index 00000000..e741fb89
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-add-srgitems.xslt
@@ -0,0 +1,7 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:cci="https://public.cyber.mil/stigs/cci">
+
+<xsl:include href="../../shared/transforms/shared_table-add-srgitems.xslt"/>
+<xsl:variable name="srgtable" select="document('../output/table-rhel8-srgmap-flat.xhtml')/html/body/table" />
+<xsl:variable name="cci_list" select="document('../../shared/references/disa-cci-list.xml')/cci:cci_list" />
+
+</xsl:stylesheet>
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-sortbyref.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-sortbyref.xslt
new file mode 100644
index 00000000..bd97ee1c
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-sortbyref.xslt
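Review bot: In `table-add-srgitems.xslt` the `srgtable` variable reads `../output/table-rhel8-srgmap-flat.xhtml`, a path named after the rhel8 product rather than the rocky8 product this file belongs to. If the build writes the srgmap table under the product's own name, the rocky8 transform will look for a file that is never produced and the SRG table will come out empty; `select="document('../output/table-rocky8-srgmap-flat.xhtml')/html/body/table"` is likely the intended path, but confirm against how that table is generated.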
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../shared/transforms/shared_table-sortbyref.xslt"/>
+
+</xsl:stylesheet>
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-srgmap.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-srgmap.xslt
new file mode 100644
index 00000000..23c2f60a
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-srgmap.xslt
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:include href="../../shared/transforms/shared_table-srgmap.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+<xsl:variable name="items" select="document($map-to-items)//*[cdf:reference]" />
+<xsl:variable name="title" select="document($map-to-items)/cdf:Benchmark/cdf:title" />
+
+</xsl:stylesheet>
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-style.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-style.xslt
new file mode 100644
index 00000000..218d0f75
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-style.xslt
@@ -0,0 +1,5 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:import href="../../shared/transforms/shared_table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf-apply-overlay-stig.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf-apply-overlay-stig.xslt
new file mode 100644
index 00000000..38b354af
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf-apply-overlay-stig.xslt
@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xccdf">
+
+<xsl:include href="../../shared/transforms/shared_xccdf-apply-overlay-stig.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:variable name="overlays" select="document($overlay)/xccdf:overlays" />
+
+</xsl:stylesheet>
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2stigformat.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2stigformat.xslt
new file mode 100644
index 00000000..5421604f
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2stigformat.xslt
@@ -0,0 +1,7 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" exclude-result-prefixes="cdf">
+
+<xsl:include href="../../shared/transforms/shared_xccdf2stigformat.xslt"/>
+<xsl:include href="constants.xslt"/>
+
+</xsl:stylesheet>
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-byref.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-byref.xslt
new file mode 100644
index 00000000..88a53f50
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-byref.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../shared/transforms/shared_xccdf2table-byref.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-cce.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-cce.xslt
new file mode 100644
index 00000000..1ffb2221
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-cce.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:cce="http://cce.mitre.org" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../shared/transforms/shared_xccdf2table-cce.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profileanssirefs.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profileanssirefs.xslt
new file mode 100644
index 00000000..b790974c
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profileanssirefs.xslt
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../shared/transforms/shared_xccdf2table-profileanssirefs.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profileccirefs.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profileccirefs.xslt
new file mode 100644
index 00000000..5a104d95
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profileccirefs.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:cci="https://public.cyber.mil/stigs/cci" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:ovalns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+
+<xsl:import href="../../shared/transforms/shared_xccdf2table-profileccirefs.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilecisrefs.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilecisrefs.xslt
new file mode 100644
index 00000000..92cbdf9b
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilecisrefs.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../shared/transforms/shared_xccdf2table-profilecisrefs.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilenistrefs-cui.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilenistrefs-cui.xslt
new file mode 100644
index 00000000..7596f8b4
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilenistrefs-cui.xslt
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../shared/transforms/shared_xccdf2table-profilenistrefs-cui.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilenistrefs.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilenistrefs.xslt
new file mode 100644
index 00000000..8e97c333
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilenistrefs.xslt
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../shared/transforms/shared_xccdf2table-profilenistrefs.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-stig.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-stig.xslt
new file mode 100644
index 00000000..2fb56fa7
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-stig.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../shared/transforms/shared_xccdf2table-stig.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/tools/add_product_rocky8.sh b/ComplianceAsCode/content_for_supporting_rocky8/tools/add_product_rocky8.sh
new file mode 100755
index 00000000..22f894a5
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/tools/add_product_rocky8.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+### copy rocky8 directory under new directory
+cp -pr ./content_for_supporting_rocky8/files/rocky8 .
+cp -pr ./content_for_supporting_rocky8/files/installed_OS_is_rocky8.xml ./shared/checks/oval/
+
+### patch to several files for supporting rocky8
+patch -p1 < ./content_for_supporting_rocky8/files/diff_content_for_supporting_rocky8
+
+### add rocky8 to several XML definition files.
+find ./linux_os -type f -exec sed -i '/prodtype:/s/rhel8/rhel8,rocky8/g' {} \;
+find ./linux_os -type f -exec sed -i '/platform/s/multi_platform_ol/multi_platform_ol,multi_platform_rocky/g' {} \;
diff --git a/ansible/ansible-role-rocky-cjis b/ansible/ansible-role-rocky-cjis
new file mode 160000
index 00000000..a9b3fb56
--- /dev/null
+++ b/ansible/ansible-role-rocky-cjis
@@ -0,0 +1 @@
+Subproject commit a9b3fb56de8d596140eb5de8b271144be6576bab
diff --git a/ansible/ansible-role-rocky-cui b/ansible/ansible-role-rocky-cui
new file mode 160000
index 00000000..6d72ac31
--- /dev/null
+++ b/ansible/ansible-role-rocky-cui
@@ -0,0 +1 @@
+Subproject commit 6d72ac31f54bf93d72bfc8db0d1a30daf007bcc3
diff --git a/ansible/ansible-role-rocky-hipaa b/ansible/ansible-role-rocky-hipaa
new file mode 160000
index 00000000..9ac4dc8f
--- /dev/null
+++ b/ansible/ansible-role-rocky-hipaa
@@ -0,0 +1 @@
+Subproject commit 9ac4dc8f46f6b7d1b07f84e0a90bcf728d92d9a0
diff --git a/ansible/ansible-role-rocky-ospp b/ansible/ansible-role-rocky-ospp
new file mode 160000
index 00000000..aed3a654
--- /dev/null
+++ b/ansible/ansible-role-rocky-ospp
@@ -0,0 +1 @@
+Subproject commit aed3a65443125d8cc10a75bc928170fe3fa0bf21
diff --git a/ansible/ansible-role-rocky-pci-dss b/ansible/ansible-role-rocky-pci-dss
new file mode 160000
index 00000000..1f3527d4
--- /dev/null
+++ b/ansible/ansible-role-rocky-pci-dss
@@ -0,0 +1 @@
+Subproject commit 1f3527d450a14d8dee7d5cb460965b99cfe24606
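Review bot: add_product_rocky8.sh has no `set -e`, so when `cp` or the `patch -p1 < ...` on line 8 fails (run from the wrong directory, or the patch no longer applies to the upstream tree) the two `find ./linux_os ... sed -i` passes still run and rewrite every file under linux_os, leaving a half-converted checkout that is hard to back out. `set -eu` after the shebang, or `patch -p1 < ./content_for_supporting_rocky8/files/diff_content_for_supporting_rocky8 || exit 1`, stops the run at the first failure. The sed addresses `/prodtype:/` and `/platform/` match any line containing those strings, not only the YAML keys; a one-line comment saying that this is intended would help the next maintainer.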
diff --git a/ansible/ansible-role-rocky-rht-ccp b/ansible/ansible-role-rocky-rht-ccp
new file mode 160000
index 00000000..877ef3e2
--- /dev/null
+++ b/ansible/ansible-role-rocky-rht-ccp
@@ -0,0 +1 @@
+Subproject commit 877ef3e219201b015f2be5e058fdd555249176cb
diff --git a/ansible/ansible-role-rocky-stig b/ansible/ansible-role-rocky-stig
new file mode 160000
index 00000000..bd8729b8
--- /dev/null
+++ b/ansible/ansible-role-rocky-stig
@@ -0,0 +1 @@
+Subproject commit bd8729b813bcbaef433d14338bda6e3942a2b3c8
diff --git a/tools/README.md b/tools/README.md
new file mode 100644
index 00000000..d312b6a3
--- /dev/null
+++ b/tools/README.md
@@ -0,0 +1,22 @@
+Placeholder directory for conversion tools for SCAP & STIG content
+
+RepoName Bash Script.
+ This script is provided to download OpenSCAP Enterprise Linux Ansible Repositories and change them to function with Rocky Linux.
+ Contact information: https://github.com/rocky-linux/openscap/
+
+ Usage: bash ./RepoName [-u URL] [-r Repo Name] [-a All Repos] [-V Version] [-o OS Repo Version]
+ If no repository is given it will assume you want all repositoris from Enterprise Linux 8.
+
+ -V Version Print the version of this script.
+ -a Do all Repositories for given URL.
+ -r Name of the repository to Download
+ -u URL of the repos you want to download and rebrand.
+ -o OS repo version default is Enterprise Linux 8
+ -h Print this Message
+
+ Examples:
+ Get ansible-role-rhel8-stig repository and change the branding.
+ ./RepoName -u https://github.com/RedHatOfficial/ -r ansible-role-rhel8-stig
+
+ Get all rhel8 repositories and change the branding.
+ ./RepoName -u https://github.com/RedHatOfficial/ -a
diff --git a/tools/RepoName b/tools/RepoName
new file mode 100755
index 00000000..95acdefb
--- /dev/null
+++ b/tools/RepoName
@@ -0,0 +1,159 @@
+#!/bin/bash
+dir=`pwd`
+version='0.0.2'
+
+# Print Usage and Help.
+show_help()
+{
+echo "
+
+RepoName ($version)
+
+ This script is provided to download OpenSCAP Enterprise Linux Ansible Repositories and change them to function with Rocky Linux.
+ Contact information: https://github.com/rocky-linux/openscap/
+
+ Usage: $0 [-u URL] [-r Repo Name] [-a All Repos] [-V Version] [-o OS Repo Version]
+ If no repository is given it will assume you want all repositoris from Enterprise Linux 8.
+
+ -v Version Print the version of this script.
+ -a Do all Repositories for given URL.
+ -r Name of the repository to Download
+ -u URL of the repos you want to download and rebrand.
+ -o OS repo version default is Enterprise Linux 8
+ -h Print this Message
+
+ Examples:
+ Get ansible-role-rhel8-stig repository and change the branding.
+ $0 -u https://github.com/RedHatOfficial/ -r ansible-role-rhel8-stig
+
+ Get all rhel8 repositories and change the branding.
+ $0 -u https://github.com/RedHatOfficial/ -a
+"
+}
+
+# Print Version
+show_version()
+{
+echo "RepoName version: $version";
+}
+
+#Download repository from url provided.
+download_repo()
+{
+# Create directory and git repos.
+ url=$1
+ repository_name=$2;
+
+ declare -a Debrand=("s/rhel8/rocky8/g" "s/redhat/rocky/g" "s/CentOS/Rocky/g" "s/RedHat/Rocky/g" "s/Red\sHat/Rocky/g" "s/red\shat/rocky/g");
+ echo "$url $repository_name"
+ git clone $url/$repository_name;
+ declare -a Files=(`find $dir/ansible/ -type f -not -path '*/\.*'`)
+ # For each set of Debrand run through all files and change the Name.
+ for f in "${Files[@]}"
+ do
+ for d in "${Debrand[@]}"
+ do
+ # Uncomment for Debugging
+ #echo sed -i $d $f
+ sed -i $d $f
+ done
+ done
+ new_repostitory_name=`echo $repository_name | sed 's/rhel8/rocky/g'`
+ mv $repository_name $new_repostitory_name
+
+}
+one_repo()
+{
+ if [[ -z "$url" ]];
+ then
+ show_help
+ fi
+ echo "Passed in -r this will download the specified repository $repo"
+ download_repo "$url" "$repo"
+ check_repo
+}
+# Get all repositories from provided source.
+all_repos()
+{
+ if [[ -z $url ]]; then
+ show_help;
+ exit;
+ fi
+ echo "Passed in -a this will download and clean all repos with rhel8 in the name."
+ repos=(`curl -sL $url | grep 'href' | grep 'rhel8' | grep item | sed 's/.*\/RedHatOfficial\///g' | sed 's/".*//g'| tr '\n' ' '`);
+ for r in ${repos[@]}; do
+ echo "Downloading and rebranding $r"
+ download_repo "$url" "$r"
+ done;
+ check_repo
+}
+
+# Verify repositories are cleaned.
+check_repo()
+{
+ if [[ -d "$dir/ansible/" ]]; then
+ cd $dir/ansible
+ #Check if branding stil exists.
+ redhat=(`grep -rci 'redhat' | grep -v .git | cut -d: -f2-`)
+ centos=(`grep -rci 'centos' | grep -v .git | cut -d: -f2-`)
+ rhel8=(`grep -rci 'rhel8' | grep -v .git | cut -d: -f2-`)
+ red_hat=(`grep -rci 'red hat' | grep -v .git | cut -d: -f2-`)
+ declare -i sumredhat
+ declare -i sumcentos
+ declare -i sumrhel8
+ IFS=+ sumredhat="${redhat[*]}"
+ IFS=+ sumred_hat="${red_hat[*]}"
+ IFS=+ sumcentos="${centos[*]}"
+ IFS=+ sumrhel8="${rhel8[*]}"
+ # Run through the list of copyrighted names and grep out any names still remaining.
+ if [[ $sumredhat -gt 0 ]]; then
+ echo "Mentions of RedHat still found: $sumredhat\n";
+ elif [[ $sumred_hat -gt 0 ]]; then
+ echo "Mentions of Red Hat still found: $sumred_hat\n";
+ elif [[ $sumcentos -gt 0 ]]; then
+ echo "Mentions of CentOS still found found: $sumcentos\n";
+ elif [[ $sumrhel8 -gt 0 ]]; then
+ echo "Mentions of rhel8 still found: $sumrhel8\n";
+ else
+ echo
+ echo "It appears the repo has been cleaned and all copyrights removed. This should be peer reviewed before making these repositories public.";
+ echo
+ fi
+ else
+ echo "./ansible director not found something went wrong. Please report bug https://github.com/RedHatOfficial/";
+ fi
+}
+
+# Create and move to ansible subdirectory
+mkdir -p ansible
+cd ansible
+
+# Get arguements Repo and Url.
+while getopts ":u:r:ahv" FLAG; do
+ case $FLAG in
+ u ) # Set option "u" [URL]
+ url=$OPTARG;;
+ r ) # Set option "r" [Repository_Name]
+ repo=$OPTARG; one_repo;;
+ a ) # Set option "a" [All_Repositories]
+ all_repos;;
+ h ) # Set option "h" [Help_Message]
+ show_help;;
+ v ) # Print version of this script.
+ show_version;;
+ \? )
+ echo "Invalid option: -$OPTARG. Use -h flag for help.";
+ exit;
+ ;;
+ esac
+done
+# Uncomment for debugging Verify Arguements
+#echo "$url $repository_name $help"
+# If URL not provided echo usage.
+if [[ $# -eq 0 ]]; then
+ show_help
+
+fi
+
+# Verify all repos no longer contain copyrights and print out count.
+exit;
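Review bot: `one_repo` prints the help when `$url` is empty but does not stop, so `download_repo` goes on to run `git clone /$repo`; mirror `all_repos` with `show_help; exit 1`. The repository names `all_repos` works with come from scraping the remote listing (`curl -sL $url | grep ... | sed ...`) and are then expanded unquoted into `git clone $url/$repository_name` and `mv`, as are `$d` and `$f` in `sed -i $d $f`; quoting those expansions and checking each name with `[[ $r =~ ^[A-Za-z0-9._-]+$ ]] || continue` before cloning keeps an unexpected listing entry or a path with spaces from turning into extra arguments. `IFS=+` in `check_repo` is an assignment-only command, so IFS stays `+` in the shell afterwards and a second `-r`/`-a` on the same command line would split the `find` and `curl` output on `+` instead of whitespace; restore IFS or compute the sums in a subshell. The `cd ansible` near the end is unchecked (`cd ansible || exit 1`), and the usage text advertises `-V` and `-o` while `getopts ":u:r:ahv"` accepts `-v` and no `-o`.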