Apply CIS rules to the machine image

[syuu1228]

To hardening our machine image, let's apply CIS rules generated by USG
(Ubuntu Security Guide).
see: https://ubuntu.com/security/certifications/docs/cis

closes scylladb/scylla-pkg#2953

[syuu1228]

This improves usg audit cis_level1_server score from 69% to 91%:

[syuu1228]

Full details is here (need to download and then open in browser locally): https://drive.google.com/file/d/1-JwL9hETrkNbDlUWgOq535R91GKl8jcF/view?usp=sharing
We can't cover some of rules such as make /tmp as separated partition, set bootloader password, etc.

[syuu1228]

AMI test failed:
https://jenkins.scylladb.com/view/master/job/scylla-master/job/releng-testing/job/ami/1375

Seems like it timed out while copying files:
https://jenkins.scylladb.com/job/scylla-master/job/releng-testing/job/artifacts/job/artifacts-ami-test/170/consoleFull

[yaronkaikov]

@syuu1228 Please resolve conflicts

[yaronkaikov]

@syuu1228 i ran https://jenkins.scylladb.com/job/scylla-master/job/releng-testing/job/next-machine-image/336/ for verification , GCE and AZURE artifacts failed. let's make sure it's not related to the changes here

[syuu1228]

Rebased with latest next, but it's getting strange error which is looks like unrelated with this PR:

Run docker run -v `pwd`:/scylla-machine-image -w /scylla-machine-image  --rm rockylinux bash -c './dist/redhat/build_rpm.sh -t centos8'
Unable to find image 'rockylinux:latest' locally
docker: Error response from daemon: manifest for rockylinux:latest not found: manifest unknown: manifest unknown.
See 'docker run --help'.
Error: Process completed with exit code 125.

https://github.com/scylladb/scylla-machine-image/runs/7378920298?check_suite_focus=true

[fruch]

Rebased with latest next, but it's getting strange error which is looks like unrelated with this PR:

Run docker run -v `pwd`:/scylla-machine-image -w /scylla-machine-image  --rm rockylinux bash -c './dist/redhat/build_rpm.sh -t centos8'
Unable to find image 'rockylinux:latest' locally
docker: Error response from daemon: manifest for rockylinux:latest not found: manifest unknown: manifest unknown.
See 'docker run --help'.
Error: Process completed with exit code 125.

https://github.com/scylladb/scylla-machine-image/runs/7378920298?check_suite_focus=true

rocky doesn't seems to have latest anymore, try rockylinux:8

[syuu1228]

Fixed CentOS8 rpm build error, now github test passed.

[syuu1228]

Rebased with next

[yaronkaikov]

@syuu1228 please rebase

[yaronkaikov]

@syuu1228 ping

[syuu1228]

Rebased.
But it still failing AMI test, trying to find which script breaking the test
(Becaise this changes tons of configurations on the system)

[syuu1228]

Note:
I found that USG(Ubuntu Security Guide) is not currently available on Ubuntu 22.04LTS yet.
Even though I suceeded to force installing 20.04LTS's USG package in 22.04LTS by manually coping .deb.
But the tool is written just for 20.04LTS environment, I found that at least one rule are not working on 22.04LTS (the software is deprecated), need to comment out them.
It's not great to have the tool can install natively, but I guess it's not critical since we actually don't need to install it on our image by default (we need to install it only when we verify security level).