This is due to

/root/.bash_profile
/root/.bashrc
/root/.cshrc
/root/.tcshrc
/root/.bash_logout

being scanned with 0644 mode.

These come from /usr/lib/tmpfiles.d/rootfiles.conf:

# create initial /root directories shell content
C /root/.bash_logout   644 root root - /usr/share/rootfiles/.bash_logout
C /root/.bash_profile  644 root root - /usr/share/rootfiles/.bash_profile
C /root/.bashrc        644 root root - /usr/share/rootfiles/.bashrc
C /root/.cshrc         644 root root - /usr/share/rootfiles/.cshrc
C /root/.tcshrc        644 root root - /usr/share/rootfiles/.tcshrc

provided by the rootfiles RPM package.

So I think the proper fix here is to ensure the package is not installed + if the files exist at the time of remediation, their mode is changed.

The reason we see them during productization testing is that we reboot the host after remediation, which lets systemd tmpfiles.d re-set the mode.

Another solution is dropping in our own file in /etc/tmpfiles.d/rootconf.conf and setting the right permissions. If we remove the package we also remove the default .bashrc and friends which might prevent things from umask from being load globally.

If we remove the package we also remove the default .bashrc

Not strictly as they are defined as

%ghost /root/.bash_logout
%ghost /root/.bash_profile
%ghost /root/.bashrc
%ghost /root/.cshrc
%ghost /root/.tcshrc

but for remediation types like oscap-generated kickstart, excluding it might cause issues.

So /etc/ override might be better.