From ee20a463900387d5259216fe352359a28398bc07 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Fri, 27 Jun 2025 17:33:26 +0200
Subject: [PATCH] apply fixes to rules related to grub2 bootloader and UEFI

Resolves: RHEL-94803
---
 scap-security-guide.spec | 11 +-
 ...-guide_0_1_78_fix_uefi_applicability.patch | 40 +++++++
 ..._0_1_78_fix_uefi_applicability_jinja.patch | 42 ++++++++
 ...-guide_0_1_78_fix_wrong_grubmkconfig.patch | 101 ++++++++++++++++++
 4 files changed, 193 insertions(+), 1 deletion(-)
 create mode 100644 scap-security-guide_0_1_78_fix_uefi_applicability.patch
 create mode 100644 scap-security-guide_0_1_78_fix_uefi_applicability_jinja.patch
 create mode 100644 scap-security-guide_0_1_78_fix_wrong_grubmkconfig.patch

diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 654866c..77758a6 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -6,11 +6,16 @@ Name: scap-security-guide
 Version: 0.1.77
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Security guidance and baselines in SCAP formats
 License: BSD-3-Clause
 URL: https://github.com/ComplianceAsCode/content/
 Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
+# fix applicability of grub2_admin_username and grub2_password rules on uefi systems
+Patch0: scap-security-guide_0_1_78_fix_uefi_applicability.patch
+Patch1: scap-security-guide_0_1_78_fix_uefi_applicability_jinja.patch
+# fix wrong grub-mkconfig (should be grub2-mkconfig) command in rule descriptions
+Patch2: scap-security-guide_0_1_78_fix_wrong_grubmkconfig.patch
 BuildArch: noarch
 BuildRequires: libxslt
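Review bot: Patch1 exists only to repair the `{{%- ... -%}}` whitespace trimming that Patch0 introduces (Patch1's own message says the trimmed whitespace folds the `platform:` key into the description), so a tree with Patch0 applied alone carries group files with no platform at all; squashing the two into one patch, or at least recording the dependency in the comment, e.g. `# Patch1 fixes Jinja whitespace trimming in Patch0 that otherwise folds the platform key into the description`, keeps a later bisect or rebase from landing on that broken intermediate state. The `%prep` section is outside this hunk; if it uses `%setup` rather than `%autosetup`, matching `%patch` lines are still needed for these three entries to take effect. The comment on Patch0 could also state the operational effect it repairs: presumably, until it is applied, the grub2 password and superuser rules evaluate as not applicable on UEFI hosts that share the non-UEFI grub.cfg path, so the bootloader-password control goes unchecked there.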
@@ -96,6 +101,10 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %endif
 %changelog
+* Fri Jun 27 2025 Vojtech Polasek - 0.1.77-3
+- fix incorrect applicability of Grub2 UEFI specific rules
+- replace grub-mkconfig with grub2-mkconfig in rule descriptions
+
 * Fri Jun 06 2025 Matthew Burket - 0.1.77-2
 - Turn on SCE for this release (RHEL-94803)
diff --git a/scap-security-guide_0_1_78_fix_uefi_applicability.patch b/scap-security-guide_0_1_78_fix_uefi_applicability.patch
new file mode 100644
index 0000000..67dd18e
--- /dev/null
+++ b/scap-security-guide_0_1_78_fix_uefi_applicability.patch
@@ -0,0 +1,40 @@
+From 35a873bf3da694876a1390eb4ea324cfb3d64327 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Wed, 18 Jun 2025 14:04:34 +0200
+Subject: [PATCH] Remove uefi/non-uefi from grub2 rules in case they do not
+ need.
+
+Products that have the same grub2 path for both UEFI/non-UEFI do not
+need to set the platform and the products have now consolidated the use
+of the grub2 rules to only select the ones that come from the non-UEFI
+set of rules.
+---
+ linux_os/guide/system/bootloader-grub2/non-uefi/group.yml | 2 ++
+ linux_os/guide/system/bootloader-grub2/uefi/group.yml | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml
+index b093bdad864..2a79674b363 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml
+@@ -5,4 +5,6 @@ title: 'Non-UEFI GRUB2 bootloader configuration'
+ description: |-
+ Non-UEFI GRUB2 bootloader configuration
+
++{{%- if grub2_boot_path != grub2_uefi_boot_path -%}}
+ platform: non-uefi
++{{%- endif -%}}
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/group.yml b/linux_os/guide/system/bootloader-grub2/uefi/group.yml
+index e08747fe8c9..08f2e4ad9d0 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/group.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/group.yml
+@@ -5,7 +5,9 @@ title: 'UEFI GRUB2 bootloader configuration'
+ description: |-
+ UEFI GRUB2 bootloader configuration
+
++{{%- if grub2_boot_path != grub2_uefi_boot_path -%}}
+ platform: uefi
++{{%- endif -%}}
+
+ warnings:
+ - functionality: |-
diff --git a/scap-security-guide_0_1_78_fix_uefi_applicability_jinja.patch b/scap-security-guide_0_1_78_fix_uefi_applicability_jinja.patch
new file mode 100644
index 0000000..ddfe407
--- /dev/null
+++ b/scap-security-guide_0_1_78_fix_uefi_applicability_jinja.patch
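Review bot: When `grub2_boot_path` equals `grub2_uefi_boot_path`, both group files end up with no `platform:` at all, so the rules under the `uefi` group become applicable on non-UEFI hosts exactly as the `non-uefi` ones become applicable on UEFI hosts; the commit message says products now select only the non-UEFI set, but nothing in either group file records that assumption, and a profile that still selects a `grub2_uefi_*` rule would evaluate it on BIOS machines. A one-line Jinja comment above each conditional stating that the platform is dropped on purpose because such products select only the non-UEFI rules would make the intent visible to the next editor. The `{{%- ... -%}}` form used here also trims the surrounding newlines, which the next patch file in this commit has to undo; the two belong in one patch.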
@@ -0,0 +1,42 @@
+From 884ccb32e27aca7e3a4b0af841ddd5ecba81ae67 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Thu, 19 Jun 2025 14:40:17 +0200
+Subject: [PATCH] Remove excess dashes in Jinja 2 expression
+
+These dashes consume all surrounding namespaces. As a result,
+the platform key isn't taken as a key but becomes part of the
+description value.
+---
+ linux_os/guide/system/bootloader-grub2/non-uefi/group.yml | 4 ++--
+ linux_os/guide/system/bootloader-grub2/uefi/group.yml | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml
+index 2a79674b363..67c0612649c 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/group.yml
+@@ -5,6 +5,6 @@ title: 'Non-UEFI GRUB2 bootloader configuration'
+ description: |-
+ Non-UEFI GRUB2 bootloader configuration
+
+-{{%- if grub2_boot_path != grub2_uefi_boot_path -%}}
++{{% if grub2_boot_path != grub2_uefi_boot_path -%}}
+ platform: non-uefi
+-{{%- endif -%}}
++{{%- endif %}}
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/group.yml b/linux_os/guide/system/bootloader-grub2/uefi/group.yml
+index 08f2e4ad9d0..b9516b94403 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/group.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/group.yml
+@@ -5,9 +5,9 @@ title: 'UEFI GRUB2 bootloader configuration'
+ description: |-
+ UEFI GRUB2 bootloader configuration
+
+-{{%- if grub2_boot_path != grub2_uefi_boot_path -%}}
++{{% if grub2_boot_path != grub2_uefi_boot_path -%}}
+ platform: uefi
+-{{%- endif -%}}
++{{%- endif %}}
+
+ warnings:
+ - functionality: |-
diff --git a/scap-security-guide_0_1_78_fix_wrong_grubmkconfig.patch b/scap-security-guide_0_1_78_fix_wrong_grubmkconfig.patch
new file mode 100644
index 0000000..70471c9
--- /dev/null
+++ b/scap-security-guide_0_1_78_fix_wrong_grubmkconfig.patch
@@ -0,0 +1,101 @@
+From 0e0667783e9901f898af637c00464217654fcf9e Mon Sep 17 00:00:00 2001
+From: vojtapolasek
+Date: Fri, 27 Jun 2025 13:53:28 +0200
+Subject: [PATCH] replace instances of grub-mkconfig with correct
+ grub2-mkconfig
+
+---
+ .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 4 ++--
+ .../system/bootloader-grub2/non-uefi/grub2_password/rule.yml | 4 ++--
+ .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 4 ++--
+ .../system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml | 4 ++--
+ 4 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+index 20c824cd0b6..53baf2b128a 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+@@ -23,7 +23,7 @@ description: |-
+ update the
+ grub.cfg file by running:
+ {{%- if "rhel" in product %}}
+-
grub-mkconfig -o /boot/grub2/grub.cfg
++
grub2-mkconfig -o /boot/grub2/grub.cfg
+ {{%- else %}}
+
{{{ grub_command("update") }}}
+ {{%- endif %}}
+@@ -85,7 +85,7 @@ fixtext: |-
+ Once the superuser account has been added, update the grub.cfg file by running:
+
+ {{%- if "rhel" in product %}}
+-
grub-mkconfig -o /boot/grub2/grub.cfg
++
grub2-mkconfig -o /boot/grub2/grub.cfg
+ {{%- else %}}
+
{{{ grub_command("update") }}}
+ {{%- endif %}}
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+index cf660bff13e..326cfda1a84 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+@@ -28,7 +28,7 @@ description: |-
+ update the
+ grub.cfg file by running:
+ {{%- if "rhel" in product %}}
+-
grub-mkconfig -o /boot/grub2/grub.cfg
++
grub2-mkconfig -o /boot/grub2/grub.cfg
+ {{%- else %}}
+
{{{ grub_command("update") }}}
+ {{%- endif %}}
+@@ -111,7 +111,7 @@ fixtext: |-
+ Once the superuser account has been added, update the grub.cfg file by running:
+
+ {{%- if "rhel" in product %}}
+-
grub-mkconfig -o /boot/grub2/grub.cfg
++
grub2-mkconfig -o /boot/grub2/grub.cfg
+ {{%- else %}}
+
{{{ grub_command("update") }}}
+ {{%- endif %}}
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+index ad52e7797e1..451537e032f 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+@@ -23,7 +23,7 @@ description: |-
+ update the
+ grub.cfg file by running:
+ {{%- if "rhel" in product %}}
+-
grub-mkconfig -o /boot/grub2/grub.cfg
++
grub2-mkconfig -o /boot/grub2/grub.cfg
+ {{%- else %}}
+
{{{ grub_command("update") }}}
+ {{%- endif %}}
+@@ -89,7 +89,7 @@ fixtext: |-
+ Once the superuser account has been added, update the grub.cfg file by running:
+
+ {{%- if "rhel" in product %}}
+-
grub-mkconfig -o /boot/grub2/grub.cfg
++
grub2-mkconfig -o /boot/grub2/grub.cfg
+ {{%- else %}}
+
{{{ grub_command("update") }}}
+ {{%- endif %}}
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+index 357c2e8defa..0d75ba87338 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+@@ -28,7 +28,7 @@ description: |-
+ update the
+ grub.cfg file by running:
+ {{%- if "rhel" in product %}}
+-
grub-mkconfig -o /boot/grub2/grub.cfg
++
grub2-mkconfig -o /boot/grub2/grub.cfg
+ {{%- else %}}
+
{{{ grub_command("update") }}}
+ {{%- endif %}}
+@@ -109,7 +109,7 @@ fixtext: |-
+ Then, update the grub.cfg file by running:
+
+ {{%- if "rhel" in product %}}
+-
grub-mkconfig -o /boot/grub2/grub.cfg
++
grub2-mkconfig -o /boot/grub2/grub.cfg
+ {{%- else %}}
+
{{{ grub_command("update") }}}
+ {{%- endif %}}
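Review bot: The same `grub2-mkconfig -o /boot/grub2/grub.cfg` text is now hand-written eight times across four rule files inside a `{{%- if "rhel" in product %}}` branch, while the `else` branch already delegates to `{{{ grub_command("update") }}}`; if that macro resolves to the same command and path on RHEL products (its definition is not on this page, so that needs confirming), the branch could be dropped and every copy replaced by the macro call, which is also what would have prevented the original `grub-mkconfig` typo from being copied into all eight places. The hard-coded `/boot/grub2/grub.cfg` in the two `uefi` rule files is only correct under the single-grub.cfg-path assumption recorded in the first patch of this commit, so a short note next to the branch stating that dependency would help whoever next edits the UEFI rules. Each `description:` and `fixtext:` block these hunks touch begins before the hunk, so the surrounding text was not reviewed.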