Bug
Resolution: Unresolved
rhel-9.4
Moderate
rhel-sst-security-compliance
ssg_security
What were you trying to do that didn't work?
Use a tailoring file.
What is the impact of this issue to you?
There is no official or documented way to use a tailoring file for an openscap profile when installing RHEL.
Please provide the package NVR for which the bug is seen:
Steps to reproduce
Create a kickstart that pulls in (or creates) a tailoring file via %pre (Because what is the alternative?)
%pre --interpreter=/bin/bash --log=/tmp/pre-ks.log --erroronfail
[ -d /tmp/openscap_data/ ] || /bin/mkdir -m 755 /tmp/openscap_data
/bin/wget -v http://192.168.122.212/ssg-rhel9-ds-rhcpp-tailoring.xml -O /tmp/openscap_data/ssg-rhel9-ds-rhcpp-tailoring.xml
%end

%addon org_fedora_oscap
content-type = scap-security-guide
tailoring-path = ssg-rhel9-ds-rhcpp-tailoring.xml
profile = xccdf_org.ssgproject.content_profile_rht-ccp_customized
%end
Expected results
The customized profile should be used.
If we MUST combine the files, then we need an official documented solution, not a KCS with a mysterious script.
Actual results
The installer does not use the tailoring file.
Workaround
Currently the only workaround is to combine the tailoring file with a default scap file, then import that to the installer using this:
Combine the tailoring file into the main file with the script here:
https://access.redhat.com/articles/4551581
Then host that over http and pull it in like this:
%addon org_fedora_oscap
content-type = datastream
content-url = http://192.168.86.72/ssg-rhel9-ds-tailored.xml
content-path = ssg-rhel9-ds-tailored.xml
profile=xccdf_org.ssgproject.content_profile_cisSLF_customized
%end
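
A pre-flight check that can be run on a kickstart and tailoring file before an install, confirming that the `profile` named in the `%addon org_fedora_oscap` section is actually defined in the tailoring file. This is an added example, not part of the report and not code from the installer addon; it assumes the standard XCCDF 1.2 tailoring layout, the function names are hypothetical, and the sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed sample inputs (not from the report); IDs and paths are illustrative.
SAMPLE_TAILORING = """<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_tailoring_default">
  <xccdf:benchmark href="ssg-rhel9-ds.xml"/>
  <xccdf:version time="2024-01-01T00:00:00">1</xccdf:version>
  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_cis_customized" extends="xccdf_org.ssgproject.content_profile_cis">
    <xccdf:title>CIS [CUSTOMIZED]</xccdf:title>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="false"/>
  </xccdf:Profile>
</xccdf:Tailoring>"""
SAMPLE_KICKSTART = """%addon org_fedora_oscap
content-type = scap-security-guide
tailoring-path = tailoring.xml
profile = xccdf_org.ssgproject.content_profile_cis_customized
%end
"""

def parse_addon(kickstart):
    """Return the key/value settings of the %addon org_fedora_oscap section."""
    m = re.search(r"^%addon org_fedora_oscap\s*\n(.*?)^%end", kickstart, re.S | re.M)
    if not m:
        raise ValueError("no %addon org_fedora_oscap section found")
    pairs = (line.split("=", 1) for line in m.group(1).splitlines() if "=" in line)
    return {key.strip(): value.strip() for key, value in pairs}

def tailoring_profiles(xml_text):
    """Map each profile ID defined in a tailoring file to the profile it extends."""
    root = ET.fromstring(xml_text)
    if root.tag != XCCDF + "Tailoring":
        raise ValueError("root element is not an XCCDF 1.2 Tailoring")
    return {p.get("id"): p.get("extends") for p in root.iter(XCCDF + "Profile")}

def check(kickstart, tailoring_xml):
    """Return a list of problems; an empty list means the profile ID resolves."""
    addon, problems = parse_addon(kickstart), []
    if "tailoring-path" not in addon:
        problems.append("addon section has no tailoring-path")
    defined = tailoring_profiles(tailoring_xml)
    if addon.get("profile") not in defined:
        problems.append(f"profile {addon.get('profile')!r} is not defined in the "
                        f"tailoring file (defined: {sorted(defined)})")
    return problems

if __name__ == "__main__":
    print(check(SAMPLE_KICKSTART, SAMPLE_TAILORING) or "profile ID resolves")
```

A clean result only rules out a profile ID mismatch; it does not show that the installer loads the tailoring file.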