Red Hat Training

A Red Hat training course is available for RHEL 8

Chapter 7. Creating pre-hardened images with Image Builder OpenSCAP integration

Image Builder on-premise supports OpenSCAP integration to produce pre-hardened RHEL images. With Image Builder on-premise integrated with OpenSCAP, you can produce pre-hardened RHEL images. You can set up a blueprint, choose from a set of predefined security profiles, add a set of packages or add-on files, and build a customized RHEL image ready to deploy on your chosen platform that is more suitable to your environment.

Red Hat provides regularly updated versions of the security hardening profiles that you can choose when you build your systems so that you can meet your current deployment guidelines.

7.1. Differences between Kickstart and pre-hardened images

For the traditional image creation using a Kickstart file, you have to choose which packages you must install and ensure that the system is not affected by a vulnerability. With image builder OpenSCAP integration, you can build security hardened images. During the image build process an OSBuild oscap remediation stage runs the OpenSCAP tool in the chroot, on the filesystem tree. The OpenSCAP tool runs the standard evaluation for the profile you choose and applies the remediations to the image. With this, you can build a more completely hardened image, if you compare it to running the remediation on a live system.

7.2. The OpenSCAP blueprint customization

With the OpenSCAP support of blueprint customization, you can create blueprints and then use them to build your own pre-hardened images. To create a pre-hardened image you can customize the mount points and configure the file system layout according to the selected security profile. During the image build, OpenSCAP applies a first-boot remediation.

After you select the OpenSCAP profile, the OpenSCAP blueprint customization configures the image to trigger the remediation during the image build with the selected profile.

To use the OpenSCAP blueprint customization in your image blueprints, enter the following information:

  • The datastream path to the datastream remediation instructions. You can find it in the /usr/share/xml/scap/ssg/content/ directory.
  • The profile_id of the required security profile. The profile_id field accepts both the long and short forms, for example: cis or xccdf_org.ssgproject.content_profile_cis. See SCAP Security Guide profiles supported in RHEL 8 for more details.

    The following is a blueprint with OpenSCAP customization example:

    datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml"
    profile_id = "xccdf_org.ssgproject.content_profile_cis"

    The most common SCAP file type is an SCAP source datastream. To show details about the SCAP source datastream from the scap-security-guide package, enter the command:

    $ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

    The oscap tool runs on the image tree to perform an offline scan of a file system that is mounted at an arbitrary path. You can use it for scanning of custom objects that are not supported by oscap-docker or oscap-vm, such as containers in formats other than Docker. oscap-chroot mimics the usage and options of the oscap tool.

    Image builder generate the necessary configurations for the osbuild stage based on your blueprint customizations. Additionally, image builder adds two packages to the image:

  • openscap-scanner - the OpenSCAP tool.
  • scap-security-guide - package which contains the remediation instructions.


    The remediation stage uses the scap-security-guide package for the datastream because this package is installed on the image by default. If you want to use a different datastream, add the necessary package to the blueprint, and specify the path to the datastream in the oscap configuration.

7.3. Creating a pre-hardened image with Image Builder

With the OpenSCAP and Image Builder integration, you can create pre-hardened images.


  1. Create a blueprint in the TOML format, with the following content:

    name = "blueprint_name"
    description = "blueprint_description"
    version = "0.0.1"
    modules = []
    groups = []
     distro = ""
    name = "scap-security-guide"
    description = "Admin account"
    password = secure_pass
    key = ssh-key
    home = "home/user"
    group = ["wheel"]
    mountpoint = "/tmp"
    size = 13107200
    datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml "
    profile_id = "cis"
  2. Start the build of a OpenSCAP image:

    # composer-cli compose start blueprint_name qcow2

    Where blueprint_name is the blueprint name.

    After the image build is ready, you can use your pre-hardened image on your deployments. See Creating a virtual machine.


After you deploy your pre-hardened image in a VM, you can perform a configuration compliance scan to verify that the image is aligned to the selected security profile.


Performing a configuration compliance scanning does not guarantee the system is compliant. For more information, see Configuration compliance scanning.

  1. Connect to the image using SSH.
  2. Run the oscap scanner.

    # scap-workbench
  3. Select the version of the system you want to scan. Click Load content.
  4. Select the profile you want to scan and click Scan. OpenSCAP checks all the requirements for the system.
  5. After the scan finishes, click Show Report.

    You can see from the results that the system is secure.