autopatch/scap-security-guide
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix product=="rhel8" equality gates for almalinux8; enable auto_increment

Browse Source 
Step 5 only rewrote the list-membership form (product in [...,"rhel8"]), so
the shared rules using the equality form (product == "rhel8") fell through to
the generic else branch for almalinux8. Most visibly,
configure_custom_crypto_policy_cis dropped NO-SSHWEAKCIPHERS/NO-SSHWEAKMACS/
NO-WEAKMAC, weakening the CIS crypto remediation vs the rhel8 base (no hard
failure since NO-SHA1 still ships on EL8). Now almalinux8 follows the rhel8
branch.

Also set auto_increment on the .alma.1 release suffix.
This commit is contained in:
Andrew Lukoshko 2026-06-09 18:22:35 +02:00
parent da010269e1
commit deb4aeb854
2 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
config.yaml
View File

@ -124,6 +124,7 @@ actions:
- modify_release:
- suffix: ".alma.1"
enabled: true
auto_increment: true
- changelog_entry:
- name: "Andrew Lukoshko"

11
files/add-almalinux8-support.sh
View File

@ -36,9 +36,20 @@ find ./shared -type f -exec sed -i \
-e 's|<platform>multi_platform_rhel</platform>|<platform>multi_platform_rhel</platform>\n<platform>multi_platform_almalinux</platform>|g' {} \;
# 5. Improve Ansible support in conditionals
# Two product-gating idioms are used in the shared rule templates:
# - list membership: {% if product in [..., "rhel8"] %}
# - equality: {% if product == "rhel8" %}
# The list form is rewritten below. The equality form is NOT a substring of
# the list form, so it must be handled separately, otherwise almalinux8
# silently falls through to the generic `else` branch of those rules (e.g.
# configure_custom_crypto_policy_cis drops NO-SSHWEAKCIPHERS/NO-SSHWEAKMACS/
# NO-WEAKMAC, weakening the CIS crypto remediation versus the rhel8 base).
find ./linux_os -type d -name ensure_redhat_gpgkey_installed -prune -o -type f -exec sed -i \
-e '/if product in/ s/"rhel8"/"rhel8", "almalinux8"/g' {} \;
find ./linux_os ./shared -type d -name ensure_redhat_gpgkey_installed -prune -o -type f -exec sed -i -E \
-e 's/product == (["'\''])rhel8\1/(product == \1rhel8\1 or product == \1almalinux8\1)/g' {} \;
# 6. Add disa references symlinks for AlmaLinux
for xml in $(find shared/references/ -type f -name 'disa-stig-rhel*.xml'); do
target="$(echo "$xml" | sed 's/rhel/almalinux/g')"