Bug 2169893

Summary: RFE: Ability to add tailoring file for scap security profile to osbuild-composer Blueprint
Product: Red Hat Enterprise Linux 9
Reporter: ckrell
Component: osbuild-composer
Assignee: Image Builder team <osbuilders>
Status: NEW
QA Contact: Release Test Team <release-test-team>
Severity: medium
Priority: medium
Version: 9.1
CC: amepatil, fgarciad, lagordon, maugarci, myllynen, obudai, rdulhani, rfurlan, sbarcomb
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Type: Bug

Description ckrell 2023-02-15 00:23:59 UTC
You can currently create an image that aligns with a security profile from scap-security-guide:

[Chapter 7. Creating pre-hardened images with Image Builder OpenSCAP](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/composing_a_customized_rhel_system_image/assembly_creating-pre-hardened-images-with-image-builder-openscap-integration_composing-a-customized-rhel-system-image#con_the-openscap-blueprint-customization_assembly_creating-pre-hardened-images-with-image-builder-openscap-integration)

This RFE is to request the ability to use tailoring files in locally hosted image builder to customize a scap security profile.

After chatting with the Image Builder team, it sounds like this is an option for an RFE and in progress (technically enabled in one of the lower-level components but not yet exposed in the blueprints), but I wasn't able to find an RFE referencing it.

Additional info:

scap workbench allows us to create a tailoring file in an rpm format (and the rpm includes the unchanged datastream) - if we can add this rpm to the image then that may make the tailoring file available for the Image Builder blueprint to reference it.

Info on using scap workbench to create a tailoring file/rpm:

[Chapter 7. Scanning the system for configuration compliance and vulnerabilities Red Hat Enterprise Linux 9 | Red Hat Customer Portal](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#customizing-a-security-profile-with-scap-workbench_scanning-the-system-with-a-customized-profile-using-scap-workbench)

Comment 7 Rajesh Dulhani 2023-07-07 13:22:40 UTC
Hello,

Can we please have some updates on this Bugzilla?
With regard to the timeline, they would like to have this feature available for both RHEL 8 and RHEL 9.

Comment 8 Rajesh Dulhani 2023-07-07 13:23:55 UTC
Hello,

Can we please have some updates on this Bugzilla?
With regard to the timeline, they would like to have this feature available for both RHEL 8 and RHEL 9.

Comment 9 Ondřej Budai 2023-07-07 19:54:15 UTC
We are tracking this initiative in this Jira ticket: https://issues.redhat.com/browse/COMPOSER-1994

However, it probably won't be ready in time for 8.9/9.3.