I’m attempting to automate the creation of a Virtual Machine, based on AlmaLinux 9.5. My kickstart file contains the following section:
%addon com_redhat_oscap
content-type = scap-security-guide
datastream-id = scap_org.open-scap_datastream_from_xccdf_ssg-almalinux9-xccdf.xml
xccdf-id = scap_org.open-scap_cref_ssg-almalinux9-xccdf.xml
profile = xccdf_org.ssgproject.content_profile_cis
%end
Once the package installation is complete and the installer is finalizing the installation, the following error is shown in the installer:
The root cause appears to be a reference to https://security.almalinux.org/oval/org.almalinux.alsa-9.xml.bz2 from within the /usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml.
The oscap process as managed by anaconda/kickstart does not receive the --fetch-remote-resources flag to access remote resources. The application of security hardening fails, causing the installer to become interrupted.
As a workaround, I’ve removed the kickstart addon script, in favor of a call to oscap xccdf eval --remediate ... in the %post section.
Since the kickstart addon doesn’t seem to have a way to allow for accessing remote resources, I’m wondering if the inclusion of a remote resource is appropriate, or intentional?
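An added example, not part of the original post: a pre-flight check that lists every component-ref in a SCAP source datastream whose xlink:href points outside the file, which is the kind of reference that needs --fetch-remote-resources. The sample datastream and its scap_example_* ids are constructed for illustration; only the OVAL URL is taken from the post.

```python
import io
import sys
import xml.etree.ElementTree as ET

DS = "{http://scap.nist.gov/schema/scap/source/1.2}"   # SCAP 1.2 source datastream namespace
XLINK = "{http://www.w3.org/1999/xlink}"

# Constructed sample: a minimal datastream with two local refs and one remote ref.
SAMPLE_DS = b"""<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
                           xmlns:xlink="http://www.w3.org/1999/xlink">
  <ds:data-stream id="scap_example_datastream_constructed">
    <ds:checklists>
      <ds:component-ref id="scap_example_cref_xccdf" xlink:href="#scap_example_comp_xccdf"/>
    </ds:checklists>
    <ds:checks>
      <ds:component-ref id="scap_example_cref_oval" xlink:href="#scap_example_comp_oval"/>
      <ds:component-ref id="scap_example_cref_remote_oval"
          xlink:href="https://security.almalinux.org/oval/org.almalinux.alsa-9.xml.bz2"/>
    </ds:checks>
  </ds:data-stream>
</ds:data-stream-collection>
"""

def remote_component_refs(source):
    """Return [(datastream_id, component_ref_id, href)] for every component-ref
    whose href is not a local '#fragment'. `source` is a path or a binary file object."""
    found, current_ds = [], None
    # iterparse keeps memory flat on the multi-megabyte SSG datastreams.
    for event, elem in ET.iterparse(source, events=("start", "end")):
        if event == "start":
            if elem.tag == DS + "data-stream":
                current_ds = elem.get("id")
            continue
        if elem.tag == DS + "component-ref":
            href = elem.get(XLINK + "href", "")
            if href and not href.startswith("#"):
                found.append((current_ds, elem.get("id"), href))
        elem.clear()  # drop the parsed subtree once it has been inspected
    return found

if __name__ == "__main__":
    # Pass a datastream path as the first argument; falls back to the sample.
    src = sys.argv[1] if len(sys.argv) > 1 else io.BytesIO(SAMPLE_DS)
    hits = remote_component_refs(src)
    for ds_id, cref_id, href in hits:
        print(f"{ds_id}: {cref_id} -> {href}")
    sys.exit(1 if hits else 0)  # non-zero exit: an offline scan cannot resolve these
```

Run against the installed datastream before building the kickstart, the non-zero exit flags content that an offline evaluation cannot fully resolve.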