Add UBI8 Dockerfile and use in place of CS8 in Automatus testing

Author: Mab879

.github/workflows/automatus-cs8.yaml

@@ -1,4 +1,4 @@
-name: Automatus CS8
+name: Automatus UBI8
 on:
   pull_request:
     branches: [ master, 'stabilization*' ]
@@ -92,7 +92,7 @@ jobs:
         run: ssh-keygen -N '' -t rsa -f ~/.ssh/id_rsa
       - name: Build test suite container
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
-        run: podman build --build-arg "CLIENT_PUBLIC_KEY=$(cat ~/.ssh/id_rsa.pub)" -t ssg_test_suite -f test_suite-cs8
+        run: podman build --build-arg "CLIENT_PUBLIC_KEY=$(cat ~/.ssh/id_rsa.pub)" -t ssg_test_suite -f test_suite-ubi8
         working-directory: ./Dockerfiles
       - name: Get oscap-ssh
         if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}

Dockerfiles/test_suite-ubi

@@ -0,0 +1,24 @@
+# This Dockerfile is a minimal example for a Red Hat UBI 8 Automatus test suite target container.
+FROM registry.access.redhat.com/ubi8/ubi:latest
+
+ENV AUTH_KEYS=/root/.ssh/authorized_keys
+
+ARG CLIENT_PUBLIC_KEY
+ARG ADDITIONAL_PACKAGES
+
+# Install Python so Ansible remediations can work
+# Don't clean all, as the test scenario may require package install.
+RUN true \
+        && yum install -y openssh-clients openssh-server openscap-scanner \
+		python39 \
+		$ADDITIONAL_PACKAGES \
+        && true
+
+RUN true \
+        && for key_type in rsa ecdsa; do ssh-keygen -N '' -t $key_type -f /etc/ssh/ssh_host_${key_type}_key; done \
+        && mkdir -p /root/.ssh \
+        && printf "%s\n" "$CLIENT_PUBLIC_KEY" >> "$AUTH_KEYS" \
+        && chmod og-rw /root/.ssh "$AUTH_KEYS" \
+        && sed -i '/session\s\+required\s\+pam_loginuid.so/d' /etc/pam.d/sshd \
+&& true
+