Add AlmaLinux 9 support

.gitignore

@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.76.tar.bz2
+SOURCES/scap-security-guide-0.1.77.tar.bz2

.scap-security-guide.metadata

@@ -1 +1 @@
-f4e1956b455a4c66160229334046efbe297fb001 SOURCES/scap-security-guide-0.1.76.tar.bz2
+3422596a0d3e3c2b68aa33683819b20b9a0c3ab0 SOURCES/scap-security-guide-0.1.77.tar.bz2

SOURCES/scap-security-guide_0_1_78_fix_uefi_applicability.patch

@@ -0,0 +1,40 @@
+From 35a873bf3da694876a1390eb4ea324cfb3d64327 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Wed, 18 Jun 2025 14:04:34 +0200
+Subject: [PATCH] Remove uefi/non-uefi from grub2 rules in case they do not
+ need.
+
+Products that have the same grub2 path for both UEFI/non-UEFI do not
+need to set the platform and the products have now consolidated the use
+of the grub2 rules to only select the ones that come from the non-UEFI
+set of rules.
+---
+ linux_os/guide/system/bootloader-grub2/non-uefi/group.yml | 2 ++
+ linux_os/guide/system/bootloader-grub2/uefi/group.yml     | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml
+index b093bdad864..2a79674b363 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml
+@@ -5,4 +5,6 @@ title: 'Non-UEFI GRUB2 bootloader configuration'
+ description: |-
+     Non-UEFI GRUB2 bootloader configuration
+ 
++{{%- if grub2_boot_path != grub2_uefi_boot_path -%}}
+ platform: non-uefi
++{{%- endif -%}}
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/group.yml b/linux_os/guide/system/bootloader-grub2/uefi/group.yml
+index e08747fe8c9..08f2e4ad9d0 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/group.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/group.yml
+@@ -5,7 +5,9 @@ title: 'UEFI GRUB2 bootloader configuration'
+ description: |-
+     UEFI GRUB2 bootloader configuration
+ 
++{{%- if grub2_boot_path != grub2_uefi_boot_path -%}}
+ platform: uefi
++{{%- endif -%}}
+ 
+ warnings:
+     - functionality: |-

SOURCES/scap-security-guide_0_1_78_fix_uefi_applicability_jinja.patch

@@ -0,0 +1,42 @@
+From 884ccb32e27aca7e3a4b0af841ddd5ecba81ae67 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Thu, 19 Jun 2025 14:40:17 +0200
+Subject: [PATCH] Remove excess dashes in Jinja 2 expression
+
+These dashes consume all surrounding namespaces. As a result,
+the platform key isn't taken as a key but becomes part of the
+description value.
+---
+ linux_os/guide/system/bootloader-grub2/non-uefi/group.yml | 4 ++--
+ linux_os/guide/system/bootloader-grub2/uefi/group.yml     | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml
+index 2a79674b363..67c0612649c 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml
+@@ -5,6 +5,6 @@ title: 'Non-UEFI GRUB2 bootloader configuration'
+ description: |-
+     Non-UEFI GRUB2 bootloader configuration
+ 
+-{{%- if grub2_boot_path != grub2_uefi_boot_path -%}}
++{{% if grub2_boot_path != grub2_uefi_boot_path -%}}
+ platform: non-uefi
+-{{%- endif -%}}
++{{%- endif %}}
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/group.yml b/linux_os/guide/system/bootloader-grub2/uefi/group.yml
+index 08f2e4ad9d0..b9516b94403 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/group.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/group.yml
+@@ -5,9 +5,9 @@ title: 'UEFI GRUB2 bootloader configuration'
+ description: |-
+     UEFI GRUB2 bootloader configuration
+ 
+-{{%- if grub2_boot_path != grub2_uefi_boot_path -%}}
++{{% if grub2_boot_path != grub2_uefi_boot_path -%}}
+ platform: uefi
+-{{%- endif -%}}
++{{%- endif %}}
+ 
+ warnings:
+     - functionality: |-

SOURCES/scap-security-guide_0_1_78_fix_wrong_grubmkconfig.patch

@@ -0,0 +1,101 @@
+From 0e0667783e9901f898af637c00464217654fcf9e Mon Sep 17 00:00:00 2001
+From: vojtapolasek <krecoun@gmail.com>
+Date: Fri, 27 Jun 2025 13:53:28 +0200
+Subject: [PATCH] replace instances of grub-mkconfig with correct
+ grub2-mkconfig
+
+---
+ .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml   | 4 ++--
+ .../system/bootloader-grub2/non-uefi/grub2_password/rule.yml  | 4 ++--
+ .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml  | 4 ++--
+ .../system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml | 4 ++--
+ 4 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+index 20c824cd0b6..53baf2b128a 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+@@ -23,7 +23,7 @@ description: |-
+     update the
+     <tt>grub.cfg</tt> file by running:
+     {{%- if "rhel" in product %}}
+-    <pre>grub-mkconfig -o /boot/grub2/grub.cfg</pre>
++    <pre>grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
+     {{%- else %}}
+     <pre>{{{ grub_command("update") }}}</pre>
+     {{%- endif %}}
+@@ -85,7 +85,7 @@ fixtext: |-
+     Once the superuser account has been added, update the grub.cfg file by running:
+ 
+     {{%- if "rhel" in product %}}
+-    <pre>grub-mkconfig -o /boot/grub2/grub.cfg</pre>
++    <pre>grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
+     {{%- else %}}
+     <pre>{{{ grub_command("update") }}}</pre>
+     {{%- endif %}}
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+index cf660bff13e..326cfda1a84 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+@@ -28,7 +28,7 @@ description: |-
+     update the
+     <tt>grub.cfg</tt> file by running:
+     {{%- if "rhel" in product %}}
+-    <pre>grub-mkconfig -o /boot/grub2/grub.cfg</pre>
++    <pre>grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
+     {{%- else %}}
+     <pre>{{{ grub_command("update") }}}</pre>
+     {{%- endif %}}
+@@ -111,7 +111,7 @@ fixtext: |-
+     Once the superuser account has been added, update the grub.cfg file by running:
+ 
+     {{%- if "rhel" in product %}}
+-    <pre>grub-mkconfig -o /boot/grub2/grub.cfg</pre>
++    <pre>grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
+     {{%- else %}}
+     <pre>{{{ grub_command("update") }}}</pre>
+     {{%- endif %}}
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+index ad52e7797e1..451537e032f 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+@@ -23,7 +23,7 @@ description: |-
+     update the
+     <tt>grub.cfg</tt> file by running:
+     {{%- if "rhel" in product %}}
+-    <pre>grub-mkconfig -o /boot/grub2/grub.cfg</pre>
++    <pre>grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
+     {{%- else %}}
+     <pre>{{{ grub_command("update") }}}</pre>
+     {{%- endif %}}
+@@ -89,7 +89,7 @@ fixtext: |-
+     Once the superuser account has been added, update the grub.cfg file by running:
+ 
+     {{%- if "rhel" in product %}}
+-    <pre>grub-mkconfig -o /boot/grub2/grub.cfg</pre>
++    <pre>grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
+     {{%- else %}}
+     <pre>{{{ grub_command("update") }}}</pre>
+     {{%- endif %}}
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+index 357c2e8defa..0d75ba87338 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+@@ -28,7 +28,7 @@ description: |-
+     update the
+     <tt>grub.cfg</tt> file by running:
+     {{%- if "rhel" in product %}}
+-    <pre>grub-mkconfig -o /boot/grub2/grub.cfg</pre>
++    <pre>grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
+     {{%- else %}}
+     <pre>{{{ grub_command("update") }}}</pre>
+     {{%- endif %}}
+@@ -109,7 +109,7 @@ fixtext: |-
+     Then, update the grub.cfg file by running:
+ 
+     {{%- if "rhel" in product %}}
+-    <pre>grub-mkconfig -o /boot/grub2/grub.cfg</pre>
++    <pre>grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
+     {{%- else %}}
+     <pre>{{{ grub_command("update") }}}</pre>
+     {{%- endif %}}

SPECS/scap-security-guide.spec

@@ -5,16 +5,21 @@
 # global _default_patch_fuzz 2  # Normally shouldn't be needed as patches should apply cleanly
 
 Name:		scap-security-guide
-Version:	0.1.76
-Release:	1%{?dist}.alma.1
+Version:	0.1.77
+Release:	3%{?dist}.alma.1
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
 Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
-BuildArch:	noarch
+# fix applicability of grub2_admin_username and grub2_password rules on uefi systems
+Patch0:	scap-security-guide_0_1_78_fix_uefi_applicability.patch
+Patch1:	scap-security-guide_0_1_78_fix_uefi_applicability_jinja.patch
+# fix wrong grub-mkconfig (should be grub2-mkconfig) command in rule descriptions
+Patch2:	scap-security-guide_0_1_78_fix_wrong_grubmkconfig.patch
 
-# AlmaLinux 9
-Patch1000:      scap-security-guide-%{version}-add-almalinux9-product.patch
+# AlmaLinux Patch
+Patch1000: scap-security-guide-add-almalinux9-product.patch
+BuildArch:	noarch
 
 BuildRequires:	libxslt
 BuildRequires:	openscap-scanner >= 1.2.5
@@ -62,13 +67,13 @@ The %{name}-rule-playbooks package contains individual ansible playbooks per rul
 %define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF -DSSG_BUILD_DISA_DELTA_FILES:BOOL=OFF
 %define cmake_defines_specific %{nil}
 %if 0%{?rhel}
-%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=OFF -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=ON -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
+%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=OFF -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=ON -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON -DSSG_SCE_ENABLED:BOOL=ON
 %endif
 %if 0%{?centos}
-%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=OFF -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=ON -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON
+%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=OFF -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=ON -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON -DSSG_SCE_ENABLED:BOOL=ON
 %endif
 %if 0%{?almalinux}
-%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_ALMALINUX%{almalinux}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
+%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=OFF -DSSG_PRODUCT_ALMALINUX%{almalinux}:BOOLEAN=ON -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_SCE_ENABLED:BOOL=ON -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
 %endif
 
 mkdir -p build
@@ -102,9 +107,22 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %endif
 
 %changelog
-* Tue Apr 29 2025 Andrew Lukoshko <alukoshko@almalinux.org> - 0.1.76-1.alma.1
+* Mon Jul 14 2025 Andrew Lukoshko <alukoshko@almalinux.org> - 0.1.77-3.alma.1
 - Add AlmaLinux 9 support
 
+* Fri Jun 27 2025 Vojtech Polasek <vpolasek@redhat.com> - 0.1.77-3
+- fix incorrect applicability of Grub2 UEFI specific rules
+- replace grub-mkconfig with grub2-mkconfig in rule descriptions
+
+* Fri Jun 06 2025 Matthew Burket <mburket@redhat.com> - 0.1.77-2
+- Turn on SCE for this release (RHEL-94803)
+
+* Tue Jun 03 2025 Matthew Burket <mburket@redhat.com> - 0.1.77-1
+- Rebase to scap-security-guide version 0.1.77 (RHEL-94803)
+- rule networkmanager_dns_mode now checks dropin files and has more resilient regex (RHEL-62843)
+- rsyslog_remote_loghost checks for Rainer Script syntax as well (RHEL-62731)
+- improve checking of Grub2 superuser and password configuration (RHEL-58818)
+
 * Tue Feb 25 2025 Vojtech Polasek <vpolasek@redhat.com> - 0.1.76-1
 - rebase scap-security-guide to the latest upstream version 0.1.76 (RHEL-74240)
 - modify the rule require_singleuser_auth to honor overriding mechanism offered by Systemd (RHEL-71936)
@@ -147,6 +165,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 - Update description for audit_rules_kernel_module_loading (RHEL-1489)
 - Disable remediation for /dev/shm options in offline mode (RHEL-16801)
 - Include explanatory comment in the remediation of CCE-83871-4 (RHEL-17418)
+
 * Tue Dec 05 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-3
 - Align STIG profile with official DISA STIG for RHEL 9 (RHEL-1807)