Adds three more OS Policy examples to CIS folder (#509)

* Add more samples to the CIS folder

Additional example policies for CIS benchmark scanning.

* Add more samples to the CIS folder

Add three more example policies for CIS benchmark scanning.

* Revert "Add more samples to the CIS folder"

This reverts commit a278ae3.

* Revert "Revert "Add more samples to the CIS folder""

This reverts commit be74342.

examples/OSPolicyAssignments/CIS/cis-exclude-check-once-a-day.yaml

@@ -0,0 +1,35 @@
+# An OS policy to opt-out of CIS check and check compliance status once a day.
+osPolicies:
+- id: exclude-cis-check-and-check-compliance-once-a-day-policy
+  mode: ENFORCEMENT
+  resourceGroups:
+  - resources:
+      id: exclude-cis-check-and-check-compliance-once-a-day
+      exec:
+        validate:
+          interpreter: SHELL
+          # If cis-compliance-scanner.service is active, return an exit code
+          # 100 to indicate that the instance is in compliant state.
+          # Otherwise, return an exit code of 101 to run `enforce` step.
+          script: |-
+            is_active=$(systemctl is-active cis-compliance-scanner.timer)
+            result=$(systemctl show -p Result --value cis-compliance-scanner.service)
+
+            if [ "$is_active" == "active" ] && [ "$result" == "success" ]; then
+              exit 100;
+            else
+              exit 101;
+            fi
+        enforce:
+          interpreter: SHELL
+          # Return an exit code of 100 to indicate that the desired changes
+          # were successfully applied.
+          script: |-
+            # Opt-out of the etc-passwd-permissions check.
+            sed -i 's/^EXTRA.*$/EXTRA_OPTIONS="--benchmark-opt-out-ids=etc-passwd-permissions"/' /etc/cis-scanner/env_vars &&
+            # Check the compliance of the instance once a day.
+            systemctl start cis-compliance-scanner.timer
+            # Ensure cis-compliance-scanner completes before exiting
+            PID=`systemctl show --property MainPID --value cis-compliance-scanner.service` &&
+            timeout 5m bash -c -- 'while [ -e /proc/'$PID' ]; do echo "CIS Scanner with PID:'$PID' is still running"; sleep 1; done' &&
+            exit 100

examples/OSPolicyAssignments/CIS/cis-level1-once-an-hour-policy.yaml

@@ -0,0 +1,43 @@
+# An OS policy to check CIS level 1 compliance once an hour.
+osPolicies:
+- id: ensure-cis-level1-compliance-once-an-hour-policy
+  mode: ENFORCEMENT
+  resourceGroups:
+  - resources:
+      id: ensure-cis-level1-compliance-once-an-hour
+      exec:
+        validate:
+          interpreter: SHELL
+          # If cis-compliance-scanner.service is active, return an exit code
+          # 100 to indicate that the instance is in compliant state.
+          # Otherwise, return an exit code of 101 to run `enforce` step.
+          script: |-
+            is_active=$(systemctl is-active cis-compliance-scanner.timer)
+            result=$(systemctl show -p Result --value cis-compliance-scanner.service)
+
+            if [ "$is_active" == "active" ] && [ "$result" == "success" ]; then
+              exit 100;
+            else
+              exit 101;
+            fi
+        enforce:
+          interpreter: SHELL
+          # Return an exit code of 100 to indicate that the desired changes
+          # were successfully applied.
+          script: |-
+            # Overwrite "OnUnitActiveSec" field of the
+            # cis-compliance-scanner.timer to trigger
+            # cis-compliance-scanner.service once an hour
+            # instead of once a day.
+            mkdir /etc/systemd/system/cis-compliance-scanner.timer.d
+            tee /etc/systemd/system/cis-compliance-scanner.timer.d/override.conf <<EOF
+            [Unit]
+            Description=Run CIS Scanner once an hour
+
+            [Timer]
+            OnUnitActiveSec=1h
+            EOF
+            # Reload systemd units.
+            systemctl daemon-reload
+            # Check the compliance of the instance once an hour.
+            systemctl start cis-compliance-scanner.timer && exit 100

examples/OSPolicyAssignments/CIS/cis-level2-once-a-day-policy.yaml

@@ -0,0 +1,33 @@
+# An OS policy to check CIS level 2 compliance once a day.
+osPolicies:
+- id: ensure-cis-level2-compliance-once-a-day-policy
+  mode: ENFORCEMENT
+  resourceGroups:
+  - resources:
+      id: ensure-cis-level2-compliance-once-a-day
+      exec:
+        validate:
+          interpreter: SHELL
+          # If cis-compliance-scanner.service is active, return an exit code
+          # 100 to indicate that the instance is in compliant state.
+          # Otherwise, return an exit code of 101 to run `enforce` step.
+          script: |-
+            is_active=$(systemctl is-active cis-compliance-scanner.timer)
+            result=$(systemctl show -p Result --value cis-compliance-scanner.service)
+
+            if [ "$is_active" == "active" ] && [ "$result" == "success" ]; then
+              exit 100;
+            else
+              exit 101;
+            fi
+        enforce:
+          interpreter: SHELL
+          # Return an exit code of 100 to indicate that the desired changes
+          # were successfully applied.
+          script: |-
+            # Configure the instance for CIS level 2.
+            systemctl start cis-level2.service
+            # Change the scan level to 2.
+            sed -i 's/^LEVEL=.*$/LEVEL="2"/' /etc/cis-scanner/env_vars
+            # Check the compliance of the instance once a day.
+            systemctl start cis-compliance-scanner.timer && exit 100