From 9d14aaa6762b8ba89256405173a9561f74e9e8ad Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko
Date: Mon, 14 Jul 2025 13:53:20 +0000
Subject: [PATCH] import CS scap-security-guide-0.1.77-3.el9
---
 .gitignore | 2 +-
 .scap-security-guide.metadata | 2 +-
 ...-guide_0_1_78_fix_uefi_applicability.patch | 40 +++++++
 ..._0_1_78_fix_uefi_applicability_jinja.patch | 42 ++++++++
 ...-guide_0_1_78_fix_wrong_grubmkconfig.patch | 101 ++++++++++++++++++
 SPECS/scap-security-guide.spec | 26 ++++-
 6 files changed, 207 insertions(+), 6 deletions(-)
 create mode 100644 SOURCES/scap-security-guide_0_1_78_fix_uefi_applicability.patch
 create mode 100644 SOURCES/scap-security-guide_0_1_78_fix_uefi_applicability_jinja.patch
 create mode 100644 SOURCES/scap-security-guide_0_1_78_fix_wrong_grubmkconfig.patch
diff --git a/.gitignore b/.gitignore
index 36a1149..1bc9f48 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.76.tar.bz2
+SOURCES/scap-security-guide-0.1.77.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index dc4b42f..794b6cb 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1 @@
-f4e1956b455a4c66160229334046efbe297fb001 SOURCES/scap-security-guide-0.1.76.tar.bz2
+3422596a0d3e3c2b68aa33683819b20b9a0c3ab0 SOURCES/scap-security-guide-0.1.77.tar.bz2
diff --git a/SOURCES/scap-security-guide_0_1_78_fix_uefi_applicability.patch b/SOURCES/scap-security-guide_0_1_78_fix_uefi_applicability.patch
new file mode 100644
index 0000000..67dd18e
--- /dev/null
+++ b/SOURCES/scap-security-guide_0_1_78_fix_uefi_applicability.patch
@@ -0,0 +1,40 @@
+From 35a873bf3da694876a1390eb4ea324cfb3d64327 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Wed, 18 Jun 2025 14:04:34 +0200
+Subject: [PATCH] Remove uefi/non-uefi from grub2 rules in case they do not
+ need.
+
+Products that have the same grub2 path for both UEFI/non-UEFI do not
+need to set the platform and the products have now consolidated the use
+of the grub2 rules to only select the ones that come from the non-UEFI
+set of rules.
+---
+ linux_os/guide/system/bootloader-grub2/non-uefi/group.yml | 2 ++
+ linux_os/guide/system/bootloader-grub2/uefi/group.yml | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml
+index b093bdad864..2a79674b363 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml
+@@ -5,4 +5,6 @@ title: 'Non-UEFI GRUB2 bootloader configuration'
+ description: |-
+ Non-UEFI GRUB2 bootloader configuration
+
++{{%- if grub2_boot_path != grub2_uefi_boot_path -%}}
+ platform: non-uefi
++{{%- endif -%}}
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/group.yml b/linux_os/guide/system/bootloader-grub2/uefi/group.yml
+index e08747fe8c9..08f2e4ad9d0 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/group.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/group.yml
+@@ -5,7 +5,9 @@ title: 'UEFI GRUB2 bootloader configuration'
+ description: |-
+ UEFI GRUB2 bootloader configuration
+
++{{%- if grub2_boot_path != grub2_uefi_boot_path -%}}
+ platform: uefi
++{{%- endif -%}}
+
+ warnings:
+ - functionality: |-
diff --git a/SOURCES/scap-security-guide_0_1_78_fix_uefi_applicability_jinja.patch b/SOURCES/scap-security-guide_0_1_78_fix_uefi_applicability_jinja.patch
new file mode 100644
index 0000000..ddfe407
--- /dev/null
+++ b/SOURCES/scap-security-guide_0_1_78_fix_uefi_applicability_jinja.patch
@@ -0,0 +1,42 @@
+From 884ccb32e27aca7e3a4b0af841ddd5ecba81ae67 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Thu, 19 Jun 2025 14:40:17 +0200
+Subject: [PATCH] Remove excess dashes in Jinja 2 expression
+
+These dashes consume all surrounding namespaces. As a result,
+the platform key isn't taken as a key but becomes part of the
+description value.
+---
+ linux_os/guide/system/bootloader-grub2/non-uefi/group.yml | 4 ++--
+ linux_os/guide/system/bootloader-grub2/uefi/group.yml | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml
+index 2a79674b363..67c0612649c 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml
+@@ -5,6 +5,6 @@ title: 'Non-UEFI GRUB2 bootloader configuration'
+ description: |-
+ Non-UEFI GRUB2 bootloader configuration
+
+-{{%- if grub2_boot_path != grub2_uefi_boot_path -%}}
++{{% if grub2_boot_path != grub2_uefi_boot_path -%}}
+ platform: non-uefi
+-{{%- endif -%}}
++{{%- endif %}}
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/group.yml b/linux_os/guide/system/bootloader-grub2/uefi/group.yml
+index 08f2e4ad9d0..b9516b94403 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/group.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/group.yml
+@@ -5,9 +5,9 @@ title: 'UEFI GRUB2 bootloader configuration'
+ description: |-
+ UEFI GRUB2 bootloader configuration
+
+-{{%- if grub2_boot_path != grub2_uefi_boot_path -%}}
++{{% if grub2_boot_path != grub2_uefi_boot_path -%}}
+ platform: uefi
+-{{%- endif -%}}
++{{%- endif %}}
+
+ warnings:
+ - functionality: |-
diff --git a/SOURCES/scap-security-guide_0_1_78_fix_wrong_grubmkconfig.patch b/SOURCES/scap-security-guide_0_1_78_fix_wrong_grubmkconfig.patch
new file mode 100644
index 0000000..70471c9
--- /dev/null
+++ b/SOURCES/scap-security-guide_0_1_78_fix_wrong_grubmkconfig.patch
@@ -0,0 +1,101 @@
+From 0e0667783e9901f898af637c00464217654fcf9e Mon Sep 17 00:00:00 2001
+From: vojtapolasek
+Date: Fri, 27 Jun 2025 13:53:28 +0200
+Subject: [PATCH] replace instances of grub-mkconfig with correct
+ grub2-mkconfig
+
+---
+ .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 4 ++--
+ .../system/bootloader-grub2/non-uefi/grub2_password/rule.yml | 4 ++--
+ .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 4 ++--
+ .../system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml | 4 ++--
+ 4 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+index 20c824cd0b6..53baf2b128a 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+@@ -23,7 +23,7 @@ description: |-
+ update the
+ grub.cfg file by running:
+ {{%- if "rhel" in product %}}
+-
grub-mkconfig -o /boot/grub2/grub.cfg
++
grub2-mkconfig -o /boot/grub2/grub.cfg
+ {{%- else %}}
+
{{{ grub_command("update") }}}
+ {{%- endif %}}
+@@ -85,7 +85,7 @@ fixtext: |-
+ Once the superuser account has been added, update the grub.cfg file by running:
+
+ {{%- if "rhel" in product %}}
+-
grub-mkconfig -o /boot/grub2/grub.cfg
++
grub2-mkconfig -o /boot/grub2/grub.cfg
+ {{%- else %}}
+
{{{ grub_command("update") }}}
+ {{%- endif %}}
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+index cf660bff13e..326cfda1a84 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+@@ -28,7 +28,7 @@ description: |-
+ update the
+ grub.cfg file by running:
+ {{%- if "rhel" in product %}}
+-
grub-mkconfig -o /boot/grub2/grub.cfg
++
grub2-mkconfig -o /boot/grub2/grub.cfg
+ {{%- else %}}
+
{{{ grub_command("update") }}}
+ {{%- endif %}}
+@@ -111,7 +111,7 @@ fixtext: |-
+ Once the superuser account has been added, update the grub.cfg file by running:
+
+ {{%- if "rhel" in product %}}
+-
grub-mkconfig -o /boot/grub2/grub.cfg
++
grub2-mkconfig -o /boot/grub2/grub.cfg
+ {{%- else %}}
+
{{{ grub_command("update") }}}
+ {{%- endif %}}
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+index ad52e7797e1..451537e032f 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+@@ -23,7 +23,7 @@ description: |-
+ update the
+ grub.cfg file by running:
+ {{%- if "rhel" in product %}}
+-
grub-mkconfig -o /boot/grub2/grub.cfg
++
grub2-mkconfig -o /boot/grub2/grub.cfg
+ {{%- else %}}
+
{{{ grub_command("update") }}}
+ {{%- endif %}}
+@@ -89,7 +89,7 @@ fixtext: |-
+ Once the superuser account has been added, update the grub.cfg file by running:
+
+ {{%- if "rhel" in product %}}
+-
grub-mkconfig -o /boot/grub2/grub.cfg
++
grub2-mkconfig -o /boot/grub2/grub.cfg
+ {{%- else %}}
+
{{{ grub_command("update") }}}
+ {{%- endif %}}
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+index 357c2e8defa..0d75ba87338 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+@@ -28,7 +28,7 @@ description: |-
+ update the
+ grub.cfg file by running:
+ {{%- if "rhel" in product %}}
+-
grub-mkconfig -o /boot/grub2/grub.cfg
++
grub2-mkconfig -o /boot/grub2/grub.cfg
+ {{%- else %}}
+
{{{ grub_command("update") }}}
+ {{%- endif %}}
+@@ -109,7 +109,7 @@ fixtext: |-
+ Then, update the grub.cfg file by running:
+
+ {{%- if "rhel" in product %}}
+-
grub-mkconfig -o /boot/grub2/grub.cfg
++
grub2-mkconfig -o /boot/grub2/grub.cfg
+ {{%- else %}}
+
{{{ grub_command("update") }}}
+ {{%- endif %}}
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index a17ce0b..77758a6 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -5,12 +5,17 @@
 # global _default_patch_fuzz 2
 # Normally shouldn't be needed as patches should apply cleanly
 Name: scap-security-guide
-Version: 0.1.76
-Release: 1%{?dist}
+Version: 0.1.77
+Release: 3%{?dist}
 Summary: Security guidance and baselines in SCAP formats
 License: BSD-3-Clause
 URL: https://github.com/ComplianceAsCode/content/
 Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
+# fix applicability of grub2_admin_username and grub2_password rules on uefi systems
+Patch0: scap-security-guide_0_1_78_fix_uefi_applicability.patch
+Patch1: scap-security-guide_0_1_78_fix_uefi_applicability_jinja.patch
+# fix wrong grub-mkconfig (should be grub2-mkconfig) command in rule descriptions
+Patch2: scap-security-guide_0_1_78_fix_wrong_grubmkconfig.patch
 BuildArch: noarch
 BuildRequires: libxslt
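Review bot: The `"rhel" in product` branch in all four rule files, including the two UEFI rules grub2_uefi_admin_username and grub2_uefi_password, now hardcodes `grub2-mkconfig -o /boot/grub2/grub.cfg`, while the non-RHEL branch calls `{{{ grub_command("update") }}}`. The command name is corrected, but the grub.cfg location is still duplicated eight times as a literal in guidance text; if the macro already renders the right command for RHEL, dropping the product special case would leave the path in one place (the macro, or the `grub2_boot_path`/`grub2_uefi_boot_path` variables that Patch0's condition compares) and stop the UEFI rules from quietly asserting the non-UEFI location if that ever differs on a supported product. If the special case is deliberate, a Jinja comment above `{{%- if "rhel" in product %}}` stating why RHEL bypasses the macro would make that clear. This is a nested patch; the same text recurs in each of its eight hunks.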
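Review bot: The comment above Patch0 does not record that Patch1 is a mandatory companion: Patch1's own commit message says the `{{%- … -%}}` whitespace control that Patch0 introduces folds the `platform:` key into the description value, so Patch0 applied alone would leave the applicability fix silently ineffective. Someone rebasing or dropping one of the two would not learn that from the spec. Suggest extending the comment to `# fix applicability of grub2_admin_username and grub2_password rules on uefi systems` followed by `# (Patch1 corrects the Jinja whitespace control in Patch0 and must always be applied with it)`. The %prep section that applies the patches is outside this hunk, so whether both are applied cannot be confirmed here.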
@@ -59,10 +64,10 @@ The %{name}-rule-playbooks package contains individual ansible playbooks per rul
 %define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF -DSSG_BUILD_DISA_DELTA_FILES:BOOL=OFF
 %define cmake_defines_specific %{nil}
 %if 0%{?rhel}
-%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=OFF -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=ON -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
+%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=OFF -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=ON -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON -DSSG_SCE_ENABLED:BOOL=ON
 %endif
 %if 0%{?centos}
-%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=OFF -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=ON -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON
+%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=OFF -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=ON -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON -DSSG_SCE_ENABLED:BOOL=ON
 %endif
 mkdir -p build
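Review bot: `-DSSG_SCE_ENABLED:BOOL=ON` is appended verbatim to both the `%if 0%{?rhel}` and `%if 0%{?centos}` definitions of `cmake_defines_specific`; a flag that every branch sets belongs in the shared line, `%define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF -DSSG_BUILD_DISA_DELTA_FILES:BOOL=OFF -DSSG_SCE_ENABLED:BOOL=ON`, so the two product-specific lines cannot drift apart on a later edit. If there is a build for which SCE must stay off, a comment on the branch saying so would be better than the duplication. Turning on script-based checks in the shipped content is also a change in what the scanner executes, and the only explanation on the page is the changelog entry for 0.1.77-2; a one-line comment next to the define pointing at that ticket would help the next maintainer.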
@@ -96,6 +101,19 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %endif
 %changelog
+* Fri Jun 27 2025 Vojtech Polasek - 0.1.77-3
+- fix incorrect applicability of Grub2 UEFI specific rules
+- replace grub-mkconfig with grub2-mkconfig in rule descriptions
+
+* Fri Jun 06 2025 Matthew Burket - 0.1.77-2
+- Turn on SCE for this release (RHEL-94803)
+
+* Tue Jun 03 2025 Matthew Burket - 0.1.77-1
+- Rebase to scap-security-guide version 0.1.77 (RHEL-94803)
+- rule networkmanager_dns_mode now checks dropin files and has more resilient regex (RHEL-62843)
+- rsyslog_remote_loghost checks for Rainer Script syntax as well (RHEL-62731)
+- improve checking of Grub2 superuser and password configuration (RHEL-58818)
+
 * Tue Feb 25 2025 Vojtech Polasek - 0.1.76-1
 - rebase scap-security-guide to the latest upstream version 0.1.76 (RHEL-74240)
 - modify the rule require_singleuser_auth to honor overriding mechanism offered by Systemd (RHEL-71936)