Tailoring file on kickstarted RHEL7.4 installation causes OSCAP plugin to not remediate

Question

I'm having trouble getting RHEL7.4 to use a tailoring file with the OSCAP addon . I've taken the following steps to make this work.

• Created a customization RPM using the scap-workbench tool
• Added that RPM to the kickstart installation

• Specified that I want OSCAP to use the tailoring file as so:

  content-type = scap-security-guide
  profile =  xccdf_org.ssgproject.content_profile_stig-rhel7-disa_custom
  tailoring-path = ../../usr/share/xml/scap/ssh-rhel7-ds/tailoring-xccdf.xml
  

I have tried to copy the tailoring file to /root/openscap_data, but I can't find a hook inside kickstart that would allow me to copy the file there before the OSCAP addon executes.

However, the OSCAP plugin doesn't seem to execute when the tailoring-path is specified, and no error or warning is emitted.

Answer 1

there were recent fixes to OSCAP addon related to tailoring in kickstart file:

• https://github.com/OpenSCAP/oscap-anaconda-addon/issues/36
• https://github.com/OpenSCAP/oscap-anaconda-addon/issues/41

Both issues were fixed in version 0.8.

But there is still one standing:

• https://github.com/OpenSCAP/oscap-anaconda-addon/issues/40

Which means that the tailoring file should reside in /tmp/openscap_data.

I'm afraid there is no easy workaround. Something that may work is providing an update.img during installation, to use OSCAP addon 0.8, and use an RPM package that provides tailoring content in /tmp/openscap_data.

Hope this helps.