diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch
index 428ede7..80b2a96 100644
--- a/SOURCES/disable-not-in-good-shape-profiles.patch
+++ b/SOURCES/disable-not-in-good-shape-profiles.patch
@@ -8,7 +8,6 @@ Also disable tables for profiles that are not built.
---
rhel8/CMakeLists.txt | 2 --
rhel8/profiles/cjis.profile | 2 +-
- rhel8/profiles/cui.profile | 2 +-
rhel8/profiles/rhelh-stig.profile | 2 +-
rhel8/profiles/rhelh-vpp.profile | 2 +-
rhel8/profiles/rht-ccp.profile | 2 +-
@@ -39,16 +38,6 @@ index 05ea9cdd6..9c55ac5b1 100644
title: 'Criminal Justice Information Services (CJIS) Security Policy'
-diff --git a/rhel8/profiles/cui.profile b/rhel8/profiles/cui.profile
-index eb62252a4..e8f369708 100644
---- a/rhel8/profiles/cui.profile
-+++ b/rhel8/profiles/cui.profile
-@@ -1,4 +1,4 @@
--documentation_complete: true
-+documentation_complete: false
-
- title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
-
diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile
index 1efca5f44..c3d0b0964 100644
--- a/rhel8/profiles/rhelh-stig.profile
diff --git a/SOURCES/scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch b/SOURCES/scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch
new file mode 100644
index 0000000..927acb5
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch
@@ -0,0 +1,183 @@
+From 8a6e3fcbe387e6b5476375448964dab198d94959 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 2 Sep 2020 10:01:45 +0200
+Subject: [PATCH] add CUI kickstart for rhel8
+
+---
+ rhel8/kickstart/ssg-rhel8-cui-ks.cfg | 167 +++++++++++++++++++++++++++
+ 1 file changed, 167 insertions(+)
+ create mode 100644 rhel8/kickstart/ssg-rhel8-cui-ks.cfg
+
+diff --git a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
+new file mode 100644
+index 0000000000..0957fded96
+--- /dev/null
++++ b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
+@@ -0,0 +1,167 @@
++# SCAP Security Guide CUI profile kickstart for Red Hat Enterprise Linux 8
++#
++# Based on:
++# http://fedoraproject.org/wiki/Anaconda/Kickstart
++# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
++
++# Install a fresh new system (optional)
++install
++
++# Specify installation method to use for installation
++# To use a different one comment out the 'url' one below, update
++# the selected choice with proper options & un-comment it
++#
++# Install from an installation tree on a remote server via FTP or HTTP:
++# --url the URL to install from
++#
++# Example:
++#
++# url --url=http://192.168.122.1/image
++#
++# Modify concrete URL in the above example appropriately to reflect the actual
++# environment machine is to be installed in
++#
++# Other possible / supported installation methods:
++# * install from the first CD-ROM/DVD drive on the system:
++#
++# cdrom
++#
++# * install from a directory of ISO images on a local drive:
++#
++# harddrive --partition=hdb2 --dir=/tmp/install-tree
++#
++# * install from provided NFS server:
++#
++# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
++#
++# Set language to use during installation and the default language to use on the installed system (required)
++lang en_US.UTF-8
++
++# Set system keyboard type / layout (required)
++keyboard us
++
++# Configure network information for target system and activate network devices in the installer environment (optional)
++# --onboot enable device at a boot time
++# --device device to be activated and / or configured with the network command
++# --bootproto method to obtain networking configuration for device (default dhcp)
++# --noipv6 disable IPv6 on this device
++#
++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
++# "--bootproto=static" must be used. For example:
++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
++#
++network --onboot yes --bootproto dhcp
++
++# Set the system's root password (required)
++# Plaintext password is: server
++# Refer to e.g.
++# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
++# to see how to create encrypted password form for different plaintext password
++rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
++
++# The selected profile will restrict root login
++# Add a user that can login and escalate privileges
++# Plaintext password is: admin123
++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
++
++# Configure firewall settings for the system (optional)
++# --enabled reject incoming connections that are not in response to outbound requests
++# --ssh allow sshd service through the firewall
++firewall --enabled --ssh
++
++# Set up the authentication options for the system (required)
++# --enableshadow enable shadowed passwords by default
++# --passalgo hash / crypt algorithm for new passwords
++# See the manual page for authconfig for a complete list of possible options.
++authconfig --enableshadow --passalgo=sha512
++
++# State of SELinux on the installed system (optional)
++# Defaults to enforcing
++selinux --enforcing
++
++# Set the system time zone (required)
++timezone --utc America/New_York
++
++# Specify how the bootloader should be installed (required)
++# Refer to e.g.
++# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
++# to see how to create encrypted password form for different plaintext password
++bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"
++
++# Initialize (format) all disks (optional)
++zerombr
++
++# The following partition layout scheme assumes disk of size 20GB or larger
++# Modify size of partitions appropriately to reflect actual machine's hardware
++#
++# Remove Linux partitions from the system prior to creating new ones (optional)
++# --linux erase all Linux partitions
++# --initlabel initialize the disk label to the default based on the underlying architecture
++clearpart --linux --initlabel
++
++# Create primary system partitions (required for installs)
++part /boot --fstype=xfs --size=512
++part pv.01 --grow --size=1
++
++# Create a Logical Volume Management (LVM) group (optional)
++volgroup VolGroup --pesize=4096 pv.01
++
++# Create particular logical volumes (optional)
++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
++# Ensure /home Located On Separate Partition
++logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
++# Ensure /tmp Located On Separate Partition
++logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
++# Ensure /var/tmp Located On Separate Partition
++logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
++# Ensure /var Located On Separate Partition
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++# Ensure /var/log Located On Separate Partition
++logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
++# Ensure /var/log/audit Located On Separate Partition
++logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
++logvol swap --name=swap --vgname=VolGroup --size=2016
++
++# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
++# content - security policies - on the installed system.This add-on has been enabled by default
++# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
++# functionality will automatically be installed. However, by default, no policies are enforced,
++# meaning that no checks are performed during or after installation unless specifically configured.
++#
++# Important
++# Applying a security policy is not necessary on all systems. This screen should only be used
++# when a specific policy is mandated by your organization rules or government regulations.
++# Unlike most other commands, this add-on does not accept regular options, but uses key-value
++# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
++# Values can be optionally enclosed in single quotes (') or double quotes (").
++#
++# The following keys are recognized by the add-on:
++# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
++# - If the content-type is scap-security-guide, the add-on will use content provided by the
++# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
++# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
++# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
++# xccdf-id - ID of the benchmark you want to use.
++# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
++# profile - ID of the profile to be applied. Use default to apply the default profile.
++# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
++# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
++#
++# The following is an example %addon org_fedora_oscap section which uses content from the
++# scap-security-guide on the installation media:
++%addon org_fedora_oscap
++ content-type = scap-security-guide
++ profile = xccdf_org.ssgproject.content_profile_cui
++%end
++
++# Packages selection (%packages section is required)
++%packages
++
++# Require @Base
++@Base
++
++%end # End of %packages section
++
++# Reboot after the installation is complete (optional)
++# --eject attempt to eject CD or DVD media before rebooting
++reboot --eject
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index eb6eb3a..e098e0d 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -1,6 +1,6 @@
Name: scap-security-guide
Version: 0.1.50
-Release: 12%{?dist}
+Release: 14%{?dist}
Summary: Security guidance and baselines in SCAP formats
Group: Applications/System
License: BSD
@@ -34,6 +34,7 @@ Patch22: scap-security-guide-0.1.52-selinux_all_devicefiles_labeled_fix-PR_5911
Patch23: scap-security-guide-0.1.51-no_shelllogin_for_systemaccounts_ubi8-PR_5810.patch
Patch24: scap-security-guide-0.1.51-grub2_doc_fix-PR_5890.patch
Patch25: scap-security-guide-0.1.51-remove_grub_doc_links-PR_5851.patch
+Patch26: scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch
BuildArch: noarch
@@ -94,6 +95,7 @@ present in %{name} package.
%patch23 -p1
%patch24 -p1
%patch25 -p1
+%patch26 -p1
mkdir build
%build
@@ -128,6 +130,12 @@ cd build
%doc %{_docdir}/%{name}/tables/*.html
%changelog
+* Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14
+- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)
+
+* Tue Aug 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-13
+- Enable build of RHEL-8 CUI Profile (RHBZ#1762962)
+
* Fri Aug 21 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-12
- remove rationale from rules that contain defective links (rhbz#1854854)