Add AlmaLinux 9 support

2026-03-31 12:59:26 +00:00 · 2026-03-31 12:59:26 +00:00 · 436ca4751d
commit 436ca4751d
parent 1122f5c9a5 19cfbb4d4f
6 changed files with 165 additions and 23289 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.79.tar.bz2
+SOURCES/scap-security-guide-0.1.80.tar.bz2
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@ -1 +1 @@
-91163dda2ac5ca31984d3488bcea8eda7fce1de8 SOURCES/scap-security-guide-0.1.79.tar.bz2
+8edd4588f733ffbf56a11f925e26e46f0badfe61 SOURCES/scap-security-guide-0.1.80.tar.bz2
--- a/SOURCES/1001-add-almalinux-to-ansible-product-whitelist.patch
+++ b/SOURCES/1001-add-almalinux-to-ansible-product-whitelist.patch
@ -0,0 +1,26 @@
+From 2011f053dac69527a78ad8dff692cea8a53dce9c Mon Sep 17 00:00:00 2001
+From: Andrew Lukoshko <alukoshko@cloudlinux.com>
+Date: Mon, 14 Jul 2025 13:26:40 +0000
+Subject: [PATCH] Add almalinux8,9,10 to ansible's PRODUCT_WHITELIST
+
+---
+ utils/ansible_playbook_to_role.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/utils/ansible_playbook_to_role.py b/utils/ansible_playbook_to_role.py
+index 3eede4fcb..a7c03e1e7 100755
+--- a/utils/ansible_playbook_to_role.py
+++ b/utils/ansible_playbook_to_role.py
+@@ -65,6 +65,9 @@ PRODUCT_ALLOWLIST = set([
+     "rhel8",
+     "rhel9",
+     "rhel10",
+    "almalinux8",
+    "almalinux9",
+    "almalinux10",
+ ])
+ 
+ PROFILE_DENYLIST = set([
+-- 
+2.43.7
+
--- a/SOURCES/add-almalinux9-support.sh
+++ b/SOURCES/add-almalinux9-support.sh
@ -0,0 +1,121 @@
+#!/bin/bash
+# Add AlmaLinux 9 support to scap-security-guide
+# This script is intended to run from the unpacked source root during %prep
+
+set -euo pipefail
+
+# 1. Change GRUB EFI dir to /boot/efi/EFI/almalinux everywhere
+find ./shared ./linux_os ./tests -type f -exec sed -i 's|EFI/redhat|EFI/almalinux|g' {} \;
+
+# 2. Use ensure_almalinux_gpgkey_installed where applicable in controls
+find ./controls -maxdepth 1 -type f -exec sed -i 's|ensure_redhat_gpgkey_installed|ensure_almalinux_gpgkey_installed|g' {} \;
+
+# 3. Add AlmaLinux support to linux_os, tests, and shared
+find ./linux_os -type d -name ensure_redhat_gpgkey_installed -prune -o -type f -exec sed -i \
+    -e '/prodtype:/s/rhel9/rhel9,almalinux9/g' \
+    -e '/# platform =/{ /multi_platform_almalinux/! s/multi_platform_rhel/multi_platform_rhel,multi_platform_almalinux/g }' \
+    -e '/# platform =/s/Red Hat Enterprise Linux 9/Red Hat Enterprise Linux 9,AlmaLinux OS 9/g' {} \;
+
+find ./tests -type f -exec sed -i \
+    -e '/prodtype:/s/rhel9/rhel9,almalinux9/g' \
+    -e '/# platform =/{ /multi_platform_almalinux/! s/multi_platform_rhel/multi_platform_rhel,multi_platform_almalinux/g }' \
+    -e '/# platform =/s/Red Hat Enterprise Linux 9/Red Hat Enterprise Linux 9,AlmaLinux OS 9/g' {} \;
+
+find ./shared -type f -exec sed -i \
+    -e '/prodtype:/s/rhel9/rhel9,almalinux9/g' \
+    -e '/# platform =/{ /multi_platform_almalinux/! s/multi_platform_rhel/multi_platform_rhel,multi_platform_almalinux/g }' \
+    -e '/# platform =/s/Red Hat Enterprise Linux 9/Red Hat Enterprise Linux 9,AlmaLinux OS 9/g' \
+    -e 's|<platform>Red Hat Enterprise Linux 9</platform>|<platform>Red Hat Enterprise Linux 9</platform>\n<platform>AlmaLinux OS 9</platform>|g' \
+    -e 's|<platform>multi_platform_rhel</platform>|<platform>multi_platform_rhel</platform>\n<platform>multi_platform_almalinux</platform>|g' {} \;
+
+# 4. Improve Ansible support in conditionals
+find ./linux_os -type d -name ensure_redhat_gpgkey_installed -prune -o -type f -exec sed -i \
+    -e '/if product in/ s/"rhel9"/"rhel9", "almalinux9"/g' {} \;
+
+# 5. Add disa references symlinks for AlmaLinux
+for xml in $(find shared/references/ -type f -name 'disa-stig-rhel*.xml'); do
+    target="$(echo "$xml" | sed 's/rhel/almalinux/g')"
+    if [ ! -e "$target" ]; then
+        ln -s "$(basename "$xml")" "$target"
+    fi
+done
+
+# 6. Add AlmaLinux 9 product (copy from rhel9 and rebrand)
+rm -fr products/almalinux9
+cp -r products/rhel9 products/almalinux9
+
+if [ -d products/almalinux9/kickstart ]; then
+    for cfg in $(find products/almalinux9/kickstart/ -type f); do
+        mv "$cfg" "$(echo "$cfg" | sed 's/rhel9/almalinux9/g')"
+    done
+    sed -i 's/Red Hat Enterprise Linux 9.*/AlmaLinux OS 9/g' products/almalinux9/kickstart/*
+fi
+
+if [ -d products/almalinux9/transforms ]; then
+    sed -i \
+        -e 's/Red Hat Enterprise Linux/AlmaLinux OS/g' \
+        -e 's/RHEL */AL/g' \
+        -e 's/rhel/almalinux/g' \
+        -e 's/red_hat_linux/almalinuxos_linux/g' \
+        products/almalinux9/transforms/*
+fi
+
+if [ -d products/almalinux9/overlays ]; then
+    sed -i \
+        -e 's/Red Hat Enterprise Linux/AlmaLinux OS/g' \
+        -e 's/Red Hat Network or a Satellite Server/Foreman/g' \
+        -e 's/Red Hat/AlmaLinux/g' \
+        -e 's/RHEL9/AlmaLinux OS 9/g' \
+        -e 's/RHEL/AlmaLinux OS/g' \
+        products/almalinux9/overlays/*
+fi
+
+if [ -d products/almalinux9/controls ]; then
+    for ctl in $(find products/almalinux9/controls/ -type f -name '*rhel9*'); do
+        mv "$ctl" "$(echo "$ctl" | sed 's/rhel9/almalinux9/g')"
+    done
+    find products/almalinux9/controls -type f -exec sed -i \
+        -e 's/Red Hat Enterprise Linux/AlmaLinux OS/g' \
+        -e 's/RHEL9/ALMALINUX9/g' \
+        -e 's/RHEL-9/ALMALINUX-9/g' \
+        -e '/^id:/s/rhel9/almalinux9/g' \
+        -e '/^product:/s/rhel9/almalinux9/g' \
+        -e 's/ensure_redhat_gpgkey_installed/ensure_almalinux_gpgkey_installed/g' {} \;
+fi
+
+sed -i \
+    -e 's/rhel9/almalinux9/' \
+    -e 's/Red Hat Enterprise Linux/AlmaLinux OS/g' \
+    -e 's/RHEL-9/ALMALINUX-9/g' \
+    -e 's#https://access.redhat.com/security/team/key#https://almalinux.org/security/#' \
+    -e 's/^pkg_release:.*/pkg_release: "61e69f29"/g' \
+    -e 's/^pkg_version:.*/pkg_version: "b86b3716"/g' \
+    -e '/^aux_pkg_release:/d' \
+    -e '/^aux_pkg_version:/d' \
+    -e 's/release_key_fingerprint:.*/release_key_fingerprint: "BF18AC2876178908D6E71267D36CB86CB86B3716"/g' \
+    -e '/^release_key_fingerprint:/a oval_feed_url: "https://security.almalinux.org/oval/org.almalinux.alsa-9.xml.bz2"' \
+    -e '/^auxiliary_key_fingerprint:/d' \
+    -e '/^pqc_key_fingerprint:/d' \
+    -e '/^pqc_pkg_release:/d' \
+    -e '/^pqc_pkg_version:/d' \
+    -e 's/redhat:enterprise_linux/almalinux:almalinux/g' \
+    -e 's/red_hat_linux/almalinuxos_linux/g' \
+    -e '/^centos_/d' \
+    products/almalinux9/product.yml
+
+sed -i 's/rhel/almalinux/g' products/almalinux9/CMakeLists.txt
+
+sed -i -z \
+    -e 's/Red Hat Enterprise Linux/AlmaLinux OS/g' \
+    -e 's/red_hat_linux/almalinuxos_linux/g' \
+    -e 's/Red Hat Enterprise\n    Linux/\n    AlmaLinux OS/g' \
+    -e 's/released ....-..-../released 2024-06-24/g' \
+    -e 's/RHEL/AlmaLinux OS/g' \
+    products/almalinux9/profiles/*
+
+sed -i \
+    -e 's/ensure_redhat_gpgkey_installed/ensure_almalinux_gpgkey_installed/g' \
+    -e 's/rhel9:/almalinux9:/g' \
+    -e "s/'\!ensure_almalinux_gpgkey_installed'/ensure_almalinux_gpgkey_installed/g" \
+    -e '/"!ensure_almalinux_gpgkey_installed"/d' \
+    products/almalinux9/profiles/*
--- a/SOURCES/scap-security-guide-add-almalinux9-product.patch
+++ b/SOURCES/scap-security-guide-add-almalinux9-product.patch
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@ -5,15 +5,18 @@
 # global _default_patch_fuzz 2  # Normally shouldn't be needed as patches should apply cleanly

 Name:		scap-security-guide
-Version:	0.1.79
+Version:	0.1.80
 Release:	1%{?dist}.alma.1
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
 Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2

+# AlmaLinux Source
+Source9001: add-almalinux9-support.sh
+
 # AlmaLinux Patch
-Patch1000: scap-security-guide-add-almalinux9-product.patch
+Patch1001: 1001-add-almalinux-to-ansible-product-whitelist.patch

 BuildArch:	noarch

@ -59,6 +62,7 @@ The %{name}-rule-playbooks package contains individual ansible playbooks per rul

 %prep
 %autosetup -p1
+bash %{SOURCE9001}

 %define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF -DSSG_BUILD_DISA_DELTA_FILES:BOOL=OFF
 %define cmake_defines_specific %{nil}
@ -103,9 +107,18 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %endif

 %changelog
-* Mon Dec 22 2025 Andrew Lukoshko <alukoshko@almalinux.org> - 0.1.79-1.alma.1
+* Tue Mar 31 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 0.1.80-1.alma.1
 - Add AlmaLinux 9 support

+* Wed Mar 11 2026 Vojtech Polasek <vpolasek@redhat.com> - 0.1.80-1
+- Fix inconsistent and missing audit keys in some audit rules (RHEL-141394)
+- Modify shipped kickstart files so that the size of boot partition aligns with official recommended size (RHEL-145201)
+- Disable SHA-1 for the RPM component in RHEL 9 CIS profiles (RHEL-138448)
+- Use correct permissions and consider the log_group option in rules file_permissions_var_log_audit and directory_permissions_var_log_audit (RHEL-138549)
+- Rule configure_ssh_crypto_policy has been removed from RHEL 9 and RHEL 10 profiles. (RHEL-65737)
+- Rules of type sshd_use_strong_kex have been removed from RHEL CIS profiles in favor of system wide crypto policies usage. (RHEL-62941)
+- Rebase scap-security-guide to the latest upstream version 0.1.80 (RHEL-136121)
+
 * Mon Dec 15 2025 Jan Černý <jcerny@redhat.com> - 0.1.79-1
 - Update to the latest upstream release (RHEL-135773)