I’m trying to do an install of Rocky 8.7 and am checking the option to apply the DISA STIG security template during the setup screens, but it doesn’t seem to be applying any of the security settings.
Is there a trick to get this template applied correctly?
One thought comes to mind - I’m building the machine from a network boot to a kickstart server, but disabling the kickstart file so that I can configure the settings manually. Where are these STIG template files stored on the Rocky ISO so I can verify they aren’t missing?
They are contained in the scap-security-guide package, and you can find them at /usr/share/xml/scap/ssg/content/ssg-rl8-ds.xml
I regularly do KVM network installs, so I can confirm that those work just fine. The minimal ISO will not work, since it is missing the SCAP content.
This is the guide we did for the process: DISA STIG On Rocky Linux 8 - Part 1 - Documentation
Just a guess though, it would fail to run if the system wasn't partitioned correctly.
I think I have more partitions than the STIG calls for - these are the ones I set up
I don’t have /var/tmp created though. I’ll try again and add that partition.
That ssg-rl8-ds.xml is in the same location you mention.
Meh - creating /var/tmp didn’t make it work.
I tried getting the template applied in lots of different ways - I tried server installs with and without a GUI, workstation installs, minimal installs.
One thing I didn’t mention in the first post - the base install starts with Rocky 8.5 and it bumps up to 8.7 on its first update. However the STIG template is supposed to be applied during the initial install, correct? It shouldn’t care about subsequent updates. Are there any known issues with applying the STIG template to Rocky 8.5?
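The two things checked by hand in this thread (is the SCAP datastream present with a STIG profile in it, and does the partition layout match) can be scripted. This is an added example, not part of the thread or the Rocky documentation; the function names are hypothetical, and the list of separate file systems is an assumption based on the RHEL 8 STIG.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks before applying the STIG profile.
DS_DEFAULT=/usr/share/xml/scap/ssg/content/ssg-rl8-ds.xml  # path from the thread
STIG_PROFILE=xccdf_org.ssgproject.content_profile_stig     # SSG profile id
# Assumption: file systems the RHEL 8 STIG expects on their own partitions.
STIG_MOUNTS="/home /tmp /var /var/log /var/log/audit /var/tmp"

# has_stig_profile FILE: succeeds if FILE is readable and defines the profile.
# The closing quote keeps "..._stig_gui" from matching.
has_stig_profile() {
    [ -r "$1" ] && grep -F -q "id=\"$STIG_PROFILE\"" "$1"
}

# missing_mounts MOUNTS_FILE: prints each required mount point that is absent.
# MOUNTS_FILE uses /proc/mounts layout: device mountpoint fstype options ...
missing_mounts() {
    local want
    for want in $STIG_MOUNTS; do
        awk -v m="$want" '$2 == m { found = 1 } END { exit !found }' "$1" \
            || printf '%s\n' "$want"
    done
}

# preflight [DATASTREAM] [MOUNTS_FILE]: runs both checks, returns 1 on any FAIL.
preflight() {
    local ds mounts rc miss
    ds=${1:-$DS_DEFAULT}
    mounts=${2:-/proc/mounts}
    rc=0
    if has_stig_profile "$ds"; then
        echo "OK   $STIG_PROFILE found in $ds"
    else
        echo "FAIL $ds is missing or has no $STIG_PROFILE"
        rc=1
    fi
    miss=$(missing_mounts "$mounts")
    if [ -n "$miss" ]; then
        echo "FAIL no separate file system for:" $miss
        rc=1
    else
        echo "OK   all expected mount points are separate file systems"
    fi
    return $rc
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

Run it with `--check` on the installed machine, or pass `preflight` a datastream path and a saved copy of `/proc/mounts` to check another system's layout.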