Install fail when selecting CIS openSCAP benchmark profile

Rocky Linux release 8.4 (Green Obsidian)

Install on ESXi via vSphere client.

Already have around 50 RHEL7/8 VMs which I’ve installed without issue using the CIS openSCAP Benchmark Profile - the servers have no internet access during the install.

I manually partition to meet CIS requirement

/tmp
/var/tmp
/var/
/var/log
/var/log/audit, then you get the
/root
/boot
/swap
/home
/opt

I select minimal install

I then select the Rocky8 CIS Benchmark, it passed the check for mounts etc., all is good to begin install.

I begin the install, which proceeds fine for a few minutes then I get a dialog box warning

“Problems in request: missing packages rsyslog, aide, openscap, openscap-scanner, scap-security-guide, proceed yes or no”

Selecting yes continues the installation (remember the VM has no internet access) and seems to go fine for a few more minutes, then you get the following error

“The program reported an unknown error”

There is a debug output, which I have no easy way to submit at the moment, I do have a truncated screenshot though.

I’ve used the RHEL8 CIS benchmark openSCAP benchmark on the same environment but didn’t have this issue.

It seems that not being able to download aide, rsyslog etc. may be making it fail non-gracefully.

Hi,

From the minimal install, rsyslog apparently isn’t available:

I would suggest doing a minimal install, then once rebooted, login and install rsyslog and then attempt to install those packages from the console, rather than attempting during the initial installation of Rocky.

Using the benchmark profile is a great time saver though, it does much of the CIS hardening, the list is quite extensive of changes you have to do.

I do have a hardening script which I can run post install, but it’s not so good as doing it during the install.

Are rsyslog, aide etc on another type of install? For example, minimal + server tools or something?

I guess I can try a few options as I have snapshots of the install.


@fishface I think you would need the DVD1 image to obtain rsyslog as well.

Did you manage to get past this? I’ve encountered the same error, as stated you don’t get the missing packages error if you use the DVD1 ISO or use remote URLs to install.

I’ve submitted a bug as this worked fine in RHEL8.4 using the same config.

No I didn’t, and like you, it worked fine in RHEL8.4.

You can do as they suggest, install the minimal, then get the packages either by dnf or a mounted ISO.

I needed a quick fix, so in the end I cloned our RHEL8.4 hardened image and then ran the conversion script and I was good to go. Our VMware environment is brand new and super fast, so cloning an 80GB Linux VM takes less than a minute.

Could you please provide me the hardening script (CIS)? I installed minimal and it worked successfully, and thank God it detected my Dell R720 Perc 7 Raid1.