From 514fc2ac739831a030c64f298db2b9071ce1eb30 Mon Sep 17 00:00:00 2001 From: Andrew Lukoshko Date: Tue, 9 Jun 2026 16:22:50 +0000 Subject: [PATCH] Add AlmaLinux 9 support --- SOURCES/add-almalinux9-support.sh | 14 ++++++++++++++ SPECS/scap-security-guide.spec | 4 ++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/SOURCES/add-almalinux9-support.sh b/SOURCES/add-almalinux9-support.sh index 8a5d02d..834e1e9 100644 --- a/SOURCES/add-almalinux9-support.sh +++ b/SOURCES/add-almalinux9-support.sh @@ -29,9 +29,20 @@ find ./shared -type f -exec sed -i \ -e 's|multi_platform_rhel|multi_platform_rhel\nmulti_platform_almalinux|g' {} \; # 4. Improve Ansible support in conditionals +# Two product-gating idioms are used in the shared rule templates: +# - list membership: {% if product in [..., "rhel9"] %} +# - equality: {% if product == "rhel9" %} +# The list form is rewritten below. The equality form is NOT a substring of +# the list form, so it must be handled separately, otherwise almalinux9 +# silently falls through to the generic `else` branch of those rules (e.g. +# configure_custom_crypto_policy_cis drops NO-SSHWEAKCIPHERS/NO-SSHWEAKMACS/ +# NO-WEAKMAC/NO-RPMSHA1, weakening the CIS crypto remediation vs the rhel9 base). find ./linux_os -type d -name ensure_redhat_gpgkey_installed -prune -o -type f -exec sed -i \ -e '/if product in/ s/"rhel9"/"rhel9", "almalinux9"/g' {} \; +find ./linux_os ./shared -type d -name ensure_redhat_gpgkey_installed -prune -o -type f -exec sed -i -E \ + -e 's/product == (["'\''])rhel9\1/(product == \1rhel9\1 or product == \1almalinux9\1)/g' {} \; + # 5. Add disa references symlinks for AlmaLinux for xml in $(find shared/references/ -type f -name 'disa-stig-rhel*.xml'); do target="$(echo "$xml" | sed 's/rhel/almalinux/g')" @@ -105,6 +116,9 @@ sed -i \ sed -i 's/rhel/almalinux/g' products/almalinux9/CMakeLists.txt +sed -i '/In addition to being applicable/,/- Red Hat Containers with a Red Hat Enterprise Linux 9 image/{/- Red Hat Containers/{N;d};d}' \ + products/almalinux9/profiles/stig*.profile + sed -i -z \ -e 's/Red Hat Enterprise Linux/AlmaLinux OS/g' \ -e 's/red_hat_linux/almalinuxos_linux/g' \ diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index ac2ab26..ff25070 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec @@ -6,7 +6,7 @@ Name: scap-security-guide Version: 0.1.80 -Release: 1%{?dist}.alma.1 +Release: 1%{?dist}.alma.2 Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ @@ -107,7 +107,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md %endif %changelog -* Tue Mar 31 2026 Andrew Lukoshko - 0.1.80-1.alma.1 +* Tue Jun 09 2026 Andrew Lukoshko - 0.1.80-1.alma.2 - Add AlmaLinux 9 support * Wed Mar 11 2026 Vojtech Polasek - 0.1.80-1