I have the following question: How can I deploy CIS Security Profiles with Foreman during a Kickstart PXE Boot? Does anyone have a tip for me? I couldn’t find anything in the documentation.
Thank you for your help.
You first need to get the foreman_openscap plugin installed and configured. Once you have the policy up and working, you can configure Foreman to deploy the CIS benchmark and scan the system as one of the first actions right after the machine is provisioned (by leveraging Ansible or Puppet). It does not happen during the kickstart though. If you need to do it during the provisioning, I think the best course of action is rather to use image-based provisioning with images that are already hardened. If you try to perform any compliance hardening during the provisioning, you’ll execute those things in a chrooted environment running a different (Anaconda’s) kernel, so the results may be different after the final reboot.
There is also the Anaconda plugin which integrates OpenSCAP. This would not scan but enforce some policy during installation like partitioning. (OSCAP Anaconda Addon | OpenSCAP portal)
But there is no integration yet for this, so a user would need to manually add it to the kickstart file.
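
The manual kickstart addition mentioned in the last reply could look like the fragment below. It is an added example, not part of the original thread and not a Foreman-shipped template. It assumes the installer carries the OSCAP Anaconda Addon and the scap-security-guide content, and that the addon section is named `org_fedora_oscap` (newer releases use `com_redhat_oscap`); the volume group name and all sizes are constructed.

```kickstart
# Added example: fragment to paste into the kickstart (or a Foreman
# provisioning template). Volume names and sizes are constructed.

# Separate file systems, since the addon evaluates the profile's
# partitioning rules against the layout requested here.
zerombr
clearpart --all --initlabel
part /boot --fstype=xfs --size=1024
part pv.01 --size=1 --grow
volgroup vg_sys pv.01
logvol /              --vgname=vg_sys --name=root     --fstype=xfs --size=10240
logvol /home          --vgname=vg_sys --name=home     --fstype=xfs --size=2048 --fsoptions="nodev,nosuid"
logvol /tmp           --vgname=vg_sys --name=tmp      --fstype=xfs --size=2048 --fsoptions="nodev,nosuid,noexec"
logvol /var           --vgname=vg_sys --name=var      --fstype=xfs --size=4096 --fsoptions="nodev"
logvol /var/tmp       --vgname=vg_sys --name=var_tmp  --fstype=xfs --size=2048 --fsoptions="nodev,nosuid,noexec"
logvol /var/log       --vgname=vg_sys --name=var_log  --fstype=xfs --size=4096 --fsoptions="nodev,nosuid,noexec"
logvol /var/log/audit --vgname=vg_sys --name=var_audit --fstype=xfs --size=2048 --fsoptions="nodev,nosuid,noexec"
logvol swap           --vgname=vg_sys --name=swap     --size=2048

# OSCAP Anaconda Addon: apply the CIS profile from the SCAP Security
# Guide content during installation.
# Assumption: on newer releases the section is "%addon com_redhat_oscap".
%addon org_fedora_oscap
    content-type = scap-security-guide
    profile = xccdf_org.ssgproject.content_profile_cis
%end
```

Because the installer environment differs from the booted system, as the first reply points out, a post-provisioning scan through the foreman_openscap policy is still what confirms the resulting compliance state.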