Chapter 7. Creating pre-hardened images with image builder OpenSCAP integration

Image builder on-premise supports OpenSCAP integration to produce pre-hardened RHEL images. With image builder on-premise integrated with OpenSCAP, you can produce pre-hardened RHEL images. You can set up a blueprint, choose from a set of predefined security profiles, add a set of packages or add-on files, and build a customized RHEL image ready to deploy on your chosen platform that is more suitable to your environment.

Red Hat provides regularly updated versions of the security hardening profiles that you can choose when you build your systems so that you can meet your current deployment guidelines.


Image builder does not include support for FIPS boot mode. As a result, OpenSCAP profiles that require FIPS mode to be enabled, such as DISA STIG, are not currently supported.

7.1. Differences between Kickstart and pre-hardened images

For the traditional image creation using a Kickstart file, you have to choose which packages you must install and ensure that the system is not affected by a vulnerability. With image builder OpenSCAP integration, you can build security hardened images. During the image build process an OSBuild oscap remediation stage runs the OpenSCAP tool in the chroot, on the filesystem tree. The OpenSCAP tool runs the standard evaluation for the profile you choose and applies the remediations to the image. With this, you can build a more completely hardened image, if you compare it to running the remediation on a live system.

7.2. Installing OpenSCAP

Install the OpenSCAP tool to have access to SCAP tools to help you to create standard security checklists for your systems.


  1. Install OpenSCAP on your system:

    # *dnf install openscap-scanner*
  2. Install scap-security-guide package:

    # *dnf install scap-security-guide*

    After the installation is completed you can start using the oscap command line tool. The SCAP content will be installed in the /usr/share/xml/scap/ssg/content/ directory.

7.3. The OpenSCAP blueprint customization

With the OpenSCAP support of blueprint customization, you can create blueprints and then use them to build your own pre-hardened images. To create a pre-hardened image you can customize the mount points and configure the file system layout according to the selected security profile. During the image build, OpenSCAP applies a first-boot remediation.

After you select the OpenSCAP profile, the OpenSCAP blueprint customization configures the image to trigger the remediation during the image build with the selected profile.

To use the OpenSCAP blueprint customization in your image blueprints, enter the following information:

  • The datastream path to the datastream remediation instructions. The datastream path is located in the /usr/share/xml/scap/ssg/content/ directory.
  • The profile_id of the required security profile. The profile_id field accepts both the long and short forms, for example: cis or xccdf_org.ssgproject.content_profile_cis. See SCAP Security Guide profiles supported in RHEL 9 for more details.

    The following is a blueprint with OpenSCAP customization example:

    datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml"
    profile_id = "xccdf_org.ssgproject.content_profile_cis"

    The most common SCAP file type is an SCAP source datastream. To show details about the SCAP source datastream from the scap-security-guide package, enter the command:

    $ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

    The oscap tool runs on the image tree to perform an offline scan of a file system that is mounted at an arbitrary path. You can use it for scanning of custom objects that are not supported by oscap-docker or oscap-vm, such as containers in formats other than Docker. oscap-chroot mimics the usage and options of the oscap tool.

    Image builder generate the necessary configurations for the osbuild stage based on your blueprint customizations. Additionally, image builder adds two packages to the image:

  • openscap-scanner - the OpenSCAP tool.
  • scap-security-guide - package which contains the remediation instructions.


    The remediation stage uses the scap-security-guide package for the datastream because this package is installed on the image by default. If you want to use a different datastream, add the necessary package to the blueprint, and specify the path to the datastream in the oscap configuration.

7.4. Creating a pre-hardened image with image builder

With the OpenSCAP and image builder integration, you can create pre-hardened images.


  1. Create a blueprint in the TOML format, with the following content:

    name = "blueprint_name"
    description = "blueprint_description"
    version = "0.0.1"
    modules = []
    groups = []
    distro = ""
    name = "scap-security-guide"
    description = "Admin account"
    password = secure_password_hash
    key = ssh-key
    home = "/home/scap-security-guide"
    group = ["wheel"]
    mountpoint = "/tmp"
    size = 13107200
    datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml "
    profile_id = "cis"
  2. Start the build of a OpenSCAP image:

    # composer-cli compose start blueprint_name qcow2

    Where blueprint_name is the blueprint name.

    After the image build is ready, you can use your pre-hardened image on your deployments. See Creating a virtual machine.


After you deploy your pre-hardened image in a VM, you can perform a configuration compliance scan to verify that the image is aligned to the selected security profile.


Performing a configuration compliance scanning does not guarantee the system is compliant. For more information, see Configuration compliance scanning.

  1. Connect to the image using SSH.
  2. Run the oscap scanner.

    # scap-workbench
  3. Select the version of the system you want to scan. Click Load content.
  4. Select the profile you want to scan and click Scan. OpenSCAP checks all the requirements for the system.
  5. After the scan finishes, click Show Report.