I use a kickstart to deploy servers with a tailored NIST 800-171 OpenSCAP policy.
After I kickstarted a non-tailored AlmaLinux 9.2 I noticed some changes:
For 9.1 I used this successfully:
%addon com_redhat_oscap
content-type = scap-security-guide
datastream-id = scap_org.open-scap_datastream_from_xccdf_ssg-almalinux9-xccdf-1.2.xml
xccdf-id = scap_org.open-scap_cref_ssg-almalinux9-xccdf-1.2.xml
profile = xccdf_org.ssgproject.content_profile_cui_customized
tailoring-path = ssg-almalinux9-ds-1-tailoring.xml
%end
Now I saw that a non-tailored kickstart was using:
%addon com_redhat_oscap
content-type = scap-security-guide
datastream-id = scap_org.open-scap_datastream_from_xccdf_ssg-almalinux9-xccdf.xml
xccdf-id = scap_org.open-scap_cref_ssg-almalinux9-xccdf.xml
profile = xccdf_org.ssgproject.content_profile_cui
%end
So it dropped the “-1.2”.
So of course I figured I would just change my tailored kickstart to:
%addon com_redhat_oscap
content-type = scap-security-guide
datastream-id = scap_org.open-scap_datastream_from_xccdf_ssg-almalinux9-xccdf.xml
xccdf-id = scap_org.open-scap_cref_ssg-almalinux9-xccdf.xml
profile = xccdf_org.ssgproject.content_profile_cui_customized
tailoring-path = ssg-almalinux9-ds-1-tailoring.xml
%end
This was a no-go, since at the start of the kickstart I get:
There was a problem with the supplied security content: Expected a file /tmp/openscap_data/ssg-almalinux9-ds-1-tailoring.xml to be a part of the supplied content but it was not the case, got only ['/usr/share/xml/scap/ssg/content//ssg-almalinux9-ds.xml']
The installation should be aborted.
Would you like to ignore this and continue the installation?
Please respond 'yes' or 'no':
Going to a shell with Alt+F2 shows that both files are in the right places:
/tmp/openscap_data/ssg-almalinux9-ds-1-tailoring.xml
/usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml
Performing the kickstart without the tailoring file works fine, so I am a little puzzled why it does not accept the tailoring file that worked fine in AlmaLinux 9.1.
My tailoring file looks like:
<?xml version="1.0" encoding="UTF-8"?>
<!-- XCCDF 1.2 tailoring (scap-workbench generated id). It overrides rule selections
     and variable values of the SSG "cui" profile for AlmaLinux 9. No DOCTYPE is
     present, which is what a consumer should expect from interchange XML. -->
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
<!-- The benchmark is referenced by bare filename, without the "-1.2" suffix the 9.1
     kickstart used in its datastream-id / xccdf-id; how the installer resolves this
     href against the supplied content is not visible here. -->
<xccdf:benchmark href="ssg-almalinux9-ds.xml"/>
<xccdf:version time="2023-05-11T19:14:49">1</xccdf:version>
<!-- Profile id must match the "profile =" line of the %addon section; it extends the
     stock cui profile, so every rule not listed below keeps the cui selection. -->
<xccdf:Profile id="xccdf_org.ssgproject.content_profile_cui_customized" extends="xccdf_org.ssgproject.content_profile_cui">
<xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">[DRAFT] Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) [CUSTOMIZED]</xccdf:title>
<!-- NOTE(review): the description text looks truncated and ends with a stray quote
     character; cosmetic only, it does not affect evaluation. -->
<xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">NIST 800-171 Red Hat Enterprise Linux 9 to the NIST Special"</xccdf:description>
<!-- FIPS deselected (rules and the whole fips group). Together with the DEFAULT
     crypto policy value at the bottom this is a deviation from the cui baseline;
     record the justification for it alongside this file so an assessor can find it. -->
<xccdf:select idref="xccdf_org.ssgproject.content_rule_enable_dracut_fips_module" selected="false"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_enable_fips_mode" selected="false"/>
<xccdf:select idref="xccdf_org.ssgproject.content_group_fips" selected="false"/>
<!-- Separate partitions enforced for /home, /tmp, /var, /var/log, /var/tmp; the
     kickstart's partitioning must actually create them or these rules fail. -->
<xccdf:select idref="xccdf_org.ssgproject.content_rule_partition_for_home" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_partition_for_var" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_tmp" selected="true"/>
<!-- tmux-based console/screen locking disabled (rules and both groups). -->
<xccdf:select idref="xccdf_org.ssgproject.content_rule_no_tmux_in_shells" selected="false"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_configure_tmux_lock_command" selected="false"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time" selected="false"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux" selected="false"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_package_tmux_installed" selected="false"/>
<xccdf:select idref="xccdf_org.ssgproject.content_group_console_screen_locking" selected="false"/>
<xccdf:select idref="xccdf_org.ssgproject.content_group_screen_locking" selected="false"/>
<!-- Auditing of successful file access events disabled; this reduces audit volume
     but also what is available for forensics. Keep the deviation documented. -->
<xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_access_success" selected="false"/>
<!-- zipl bootloader rules deselected (zipl is the s390x boot loader, so these are
     not applicable on x86_64/aarch64 installs). -->
<xccdf:select idref="xccdf_org.ssgproject.content_rule_zipl_systemd_debug-shell_argument_absent" selected="false"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_zipl_page_alloc_shuffle_argument" selected="false"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_zipl_init_on_alloc_argument" selected="false"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_zipl_bootmap_is_up_to_date" selected="false"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_zipl_bls_entries_only" selected="false"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_zipl_audit_backlog_limit_argument" selected="false"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_zipl_audit_argument" selected="false"/>
<xccdf:select idref="xccdf_org.ssgproject.content_group_bootloader-zipl" selected="false"/>
<!-- firewalld default zone enforced; IPv6 disabled via sysctl (all and default). -->
<xccdf:select idref="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_group_ruleset_modifications" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_group_disabling_ipv6" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_group_network-ipv6" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6" selected="true"/>
<!-- SNMP hardening rules enabled (only meaningful if snmpd is installed). -->
<xccdf:select idref="xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_group_snmp_configure_server" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_group_snmp" selected="true"/>
<!-- Mount options (nodev/nosuid/noexec) enforced on the separate partitions
     selected above plus /boot and /dev/shm. -->
<xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_boot_nodev" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_home_nodev" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_nodev" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid" selected="true"/>
<!-- Shell idle timeout; the value is set below. -->
<xccdf:select idref="xccdf_org.ssgproject.content_rule_accounts_tmout" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_group_accounts-session" selected="true"/>
<!-- Local postfix enabled with root/postmaster mail aliases; alias value set below. -->
<xccdf:select idref="xccdf_org.ssgproject.content_rule_service_postfix_enabled" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_group_mail" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_group_postfix_client" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster" selected="true"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_enable_pam" selected="true"/>
<!-- dnf-automatic (unattended security updates) disabled. If patching is handled
     by another mechanism, document that compensating process for this deviation. -->
<xccdf:select idref="xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed" selected="false"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" selected="false"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only" selected="false"/>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled" selected="false"/>
<!-- Variable overrides. TMOUT is a shell idle timeout in seconds (3600 = 1 hour). -->
<xccdf:set-value idref="xccdf_org.ssgproject.content_value_var_accounts_tmout">3600</xccdf:set-value>
<!-- NOTE(review): placeholder address; replace with a monitored mailbox before
     deploying, otherwise root mail (including audit/cron failures) goes nowhere useful. -->
<xccdf:set-value idref="xccdf_org.ssgproject.content_value_var_postfix_root_mail_alias">test@test.com</xccdf:set-value>
<!-- Zone the sshd service is placed in; "drop" is the most restrictive built-in zone.
     Verify the resulting firewalld config still permits the intended management access. -->
<xccdf:set-value idref="xccdf_org.ssgproject.content_value_firewalld_sshd_zone">drop</xccdf:set-value>
<!-- System-wide crypto policy left at DEFAULT rather than FIPS; consistent with the
     FIPS deselection near the top of this profile. -->
<xccdf:set-value idref="xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</xccdf:set-value>
</xccdf:Profile>
</xccdf:Tailoring>