RHEL-143616

autotailor generates tailoring files incompatible with Red Hat Satellite


    • Bug
    • Resolution: Unresolved
    • rhel-10.0
    • openscap
    • Moderate
    • rhel-security-compliance

      What were you trying to do that didn't work?

      We are generating SCAP tailoring profiles using autotailor for CIS RHEL9 profiles and uploading them into Red Hat Satellite.

      When the tailoring file is generated using the standard autotailor command, Satellite is unable to detect or manage the profile after upload. The profile does not appear correctly in Satellite.


      What is the impact of this issue to you?

      This prevents us from using autotailor in a standard way to create tailoring files.

      Because the generated tailoring file references a local filesystem path:


      <ns0:benchmark href="file:///usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml"/>

      Satellite cannot resolve this benchmark reference and therefore cannot properly register the profile.

      As a result:

      • The tailoring profile is not detected correctly in Satellite
      • The profile becomes unmanaged or undeletable
      • Automation pipelines using autotailor cannot be used directly with Satellite
      • Manual post-processing (sed workaround) is required

      This breaks automation and introduces operational risk.


      Please provide the package NVR for which the bug is seen

      openscap-utils-1.4.3-1.el10_1.x86_64.rpm


      How reproducible is this bug?

      100% reproducible.

      It occurs every time a tailoring file is generated using autotailor and uploaded into Red Hat Satellite.


      Steps to reproduce

      1. Generate a tailoring file using autotailor:

      autotailor --new-profile-id xccdf_org.ssgproject.content_profile_si_cis_server_l1 \
      --select xccdf_org.ssgproject.content_rule_set_is_banner \
      --select xccdf_org.ssgproject.content_rule_banner_etc_issue \
      --output rhel9-cis-l1-tailoring.xml \
      /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml \
      xccdf_org.ssgproject.content_profile_cis_server_l1

      2. Inspect the generated tailoring file:

      cat rhel9-cis-l1-tailoring.xml

      It contains:

      <ns0:benchmark href="file:///usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml"/>

      3. Upload the tailoring file into Red Hat Satellite (Security Compliance → Policies).
      4. Observe that Satellite cannot properly detect the profile.

      Expected Results

      autotailor should generate a tailoring file that is compatible with Red Hat Satellite by referencing the DataStream filename instead of a local filesystem path, for example:


      <ns0:benchmark href="ssg-rhel9-ds.xml"/>

      This would allow Satellite to correctly associate the tailoring file with the uploaded SCAP content.


      Actual Results

      autotailor generates tailoring files with a hardcoded local filesystem path:


      <ns0:benchmark href="file:///usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml"/>

      Satellite cannot resolve this path, resulting in:

      • Profile not being detected properly
      • Profile becoming unmanaged or undeletable
      • Manual sed-based workaround required

      Workaround

      A manual workaround is required:


      sed "s|benchmark href=\"file:///.*ssg-rhel9-ds.xml\"|benchmark href=\"ssg-rhel9-ds.xml\"|" rhel9-cis-l1-tailoring.xml > fixed-tailoring.xml

      Only after this modification does Satellite correctly recognize and manage the profile.
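The sed one-liner above only matches the literal filename ssg-rhel9-ds.xml and edits the XML as text. As an added example (not part of this bug report and not code from the openscap project), the script below does the same post-processing by parsing the tailoring file as XCCDF 1.2 (namespace http://checklists.nist.gov/xccdf/1.2, the one behind the ns0 prefix in the output quoted above), reducing any file:// or absolute-path benchmark href to the bare datastream filename that Satellite expects, and offering a check that a pipeline can run before upload. The sample tailoring document embedded in it is constructed for the example, shaped like autotailor output but trimmed to the elements that matter here.

```python
"""Post-process an autotailor tailoring file for Satellite.

Rewrites the <benchmark href="file:///…/ssg-rhel9-ds.xml"/> reference to the
bare datastream filename by parsing the XCCDF document instead of
pattern-matching the text. Works for any datastream filename, not only
ssg-rhel9-ds.xml.
"""
import os
import sys
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlparse

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"      # XCCDF 1.2 namespace
TAILORING_TAG = f"{{{XCCDF_NS}}}Tailoring"
BENCHMARK_TAG = f"{{{XCCDF_NS}}}benchmark"

# Constructed sample shaped like autotailor output (trimmed to the elements
# that matter here); the href is the one quoted in the bug report.
SAMPLE_TAILORING = """<?xml version="1.0" encoding="UTF-8"?>
<ns0:Tailoring xmlns:ns0="http://checklists.nist.gov/xccdf/1.2"
               id="xccdf_auto_tailoring_default">
  <ns0:benchmark href="file:///usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml"/>
  <ns0:version time="2024-01-01T00:00:00">1</ns0:version>
  <ns0:Profile id="xccdf_org.ssgproject.content_profile_si_cis_server_l1"
               extends="xccdf_org.ssgproject.content_profile_cis_server_l1">
    <ns0:title>CIS server L1, site tailored</ns0:title>
    <ns0:select idref="xccdf_org.ssgproject.content_rule_set_is_banner" selected="true"/>
    <ns0:select idref="xccdf_org.ssgproject.content_rule_banner_etc_issue" selected="true"/>
  </ns0:Profile>
</ns0:Tailoring>
"""


def normalize_href(href):
    """Reduce a file:// URI or absolute path to its basename; leave anything else as-is."""
    parsed = urlparse(href)
    if parsed.scheme == "file":
        return os.path.basename(unquote(parsed.path))
    if os.path.isabs(href):          # bare absolute path, equally unresolvable by Satellite
        return os.path.basename(href)
    return href


def _benchmark_element(xml_bytes):
    """Parse the document and return (root, <benchmark> element), validating the shape."""
    root = ET.fromstring(xml_bytes)
    if root.tag != TAILORING_TAG:
        raise ValueError(f"not an XCCDF 1.2 Tailoring document: {root.tag}")
    benchmark = root.find(BENCHMARK_TAG)
    if benchmark is None or benchmark.get("href") is None:
        raise ValueError("Tailoring has no <benchmark href=...> child")
    return root, benchmark


def is_satellite_compatible(xml_text):
    """True when the benchmark href is a plain filename (no scheme, no directory part)."""
    _, benchmark = _benchmark_element(xml_text.encode("utf-8"))
    href = benchmark.get("href")
    return urlparse(href).scheme == "" and os.path.basename(href) == href


def fix_tailoring(xml_text):
    """Return (fixed_xml, old_href, new_href) with the benchmark href normalized."""
    ET.register_namespace("xccdf", XCCDF_NS)   # serialize with a readable prefix
    root, benchmark = _benchmark_element(xml_text.encode("utf-8"))
    old_href = benchmark.get("href")
    new_href = normalize_href(old_href)
    benchmark.set("href", new_href)
    fixed = ET.tostring(root, encoding="UTF-8", xml_declaration=True).decode("utf-8")
    return fixed, old_href, new_href


if __name__ == "__main__":
    # usage: python fix_tailoring.py <in.xml> <out.xml>; with no arguments the sample is used
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_TAILORING
    fixed, old, new = fix_tailoring(source)
    print(f"benchmark href: {old} -> {new}")
    if len(sys.argv) == 3:
        with open(sys.argv[2], "w", encoding="utf-8") as fh:
            fh.write(fixed)
    else:
        print(fixed)
```

Because ElementTree re-serializes the document, the namespace prefix and whitespace of the output differ from the autotailor original (ns0 becomes xccdf); the element content is unchanged. Running is_satellite_compatible on every tailoring file before it is pushed to Satellite turns the silent "profile not detected" failure into an explicit pipeline error.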


      Summary

      autotailor currently generates tailoring files that are not compatible with Red Hat Satellite due to hardcoded local filesystem benchmark references. This breaks compliance automation workflows and requires manual post-processing.

      This should be corrected so that autotailor can generate Satellite-compatible tailoring files out of the box.

              Jan Cerny (jcerny@redhat.com)
              Satyajit Das (rhn-support-sadas)
              Jan Cerny
              SSG Security QE
              Votes: 0
              Watchers: 10