Hi,
I can’t manage to apply my tailored custom CIS profile. Any ideas what's going on here?
I'm running Rocky 9.4, and the kickstart file looks like this:
%pre --interpreter=/bin/bash --log=/root/kickstart-pre-tailoring.log --erroronfail
set -x
mkdir -p /tmp/openscap_data
cat <<"EOF" > /tmp/openscap_data/ssg-rl9-ds-tailored.xml
<?xml version="1.0" encoding="UTF-8"?>
<xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" id="xccdf_rl9_tailoring_customized">
<xccdf-1.2:status>draft</xccdf-1.2:status>
<xccdf-1.2:version time="2024-12-05T12:50:24">1</xccdf-1.2:version>
<xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_custom" extends="xccdf_org.ssgproject.content_profile_cis">
<xccdf-1.2:title>Minimal Tailoring Profile</xccdf-1.2:title>
<xccdf-1.2:description>This is a minimal example of a tailored profile.</xccdf-1.2:description>
<!--Disable change password on first login -->
<xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_password_last_change_is_in_past" selected="false"/>
<!--Configure firewall -->
<xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_firewalld_ports" selected="true"/>
<!--Only elevated users can change network settings -->
<xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_network_nmcli_permissions" selected="true"/>
</xccdf-1.2:Profile>
</xccdf-1.2:Tailoring>
EOF
sed -i '/<\/xccdf-1.2:Benchmark>/i \ <xccdf-1.2:import href="ssg-rl9-ds-tailored.xml"/>' /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml
%end
%addon com_redhat_oscap
content-type = scap-security-guide
profile = xccdf_org.ssgproject.content_profile_custom
tailoring-path = ssg-rl9-ds-tailored.xml
#tailoring-path = ../../usr/share/xml/scap/ssg/content/ssg-rl9-ds-tailored.xml
%end
This results in the following error:
Expected a file /tmp/openscap_data/ssg-rl9-ds-tailored.xml to be part of the supplied content, but it was not the case only got /usr/share/xml/scap/content//ssg-rl9-ds.xml the installation should be aborted.
I tried a couple of things, like %pre-install instead of %pre, or copying …tailored.xml and …-ds.xml to /usr/share/xml/scap/ssg/content/ or /tmp/openscap_data/, but no success.