From bc5b337584131ab33eb7a770400df484d5fea271 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 15 Nov 2021 15:28:09 +0100
Subject: [PATCH 1/2] Add CentOS Stream 9 derivative product from RHEL9.

---
 build-scripts/enable_derivatives.py           |  3 +-
 products/rhel9/CMakeLists.txt                 |  4 ++
 products/rhel9/product.yml                    |  4 ++
 shared/applicability/derivatives.yml          |  5 ++
 .../checks/oval/installed_OS_is_centos9.xml   | 47 +++++++++++++++++++
 ssg/constants.py                              |  1 +
 6 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 shared/checks/oval/installed_OS_is_centos9.xml

diff --git a/build-scripts/enable_derivatives.py b/build-scripts/enable_derivatives.py
index 3d9f10a2160..867520b758d 100755
--- a/build-scripts/enable_derivatives.py
+++ b/build-scripts/enable_derivatives.py
@@ -97,7 +97,8 @@ def main():
         raise RuntimeError("No Benchmark found!")
 
     for namespace, benchmark in benchmarks:
-        ssg.build_derivatives.profile_handling(benchmark, namespace)
+        if args[1] != "cs9":
+            ssg.build_derivatives.profile_handling(benchmark, namespace)
         if not ssg.build_derivatives.add_cpes(benchmark, namespace, mapping):
             raise RuntimeError(
                 "Could not add derivative OS CPEs to Benchmark '%s'."
diff --git a/products/rhel9/CMakeLists.txt b/products/rhel9/CMakeLists.txt
index 47efb8b6625..65402ca1dfd 100644
--- a/products/rhel9/CMakeLists.txt
+++ b/products/rhel9/CMakeLists.txt
@@ -15,3 +15,7 @@ ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
 # ssg_build_html_stig_tables(${PRODUCT} "stig")
 
 #ssg_build_html_stig_tables(${PRODUCT} "ospp")
+
+if (SSG_CENTOS_DERIVATIVES_ENABLED)
+    ssg_build_derivative_product(${PRODUCT} "centos" "cs9")
+endif()
diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
index b4f80662616..ce0667fa9c2 100644
--- a/products/rhel9/product.yml
+++ b/products/rhel9/product.yml
@@ -42,3 +42,7 @@ platform_package_overrides:
 
 reference_uris:
   cis: 'https://www.cisecurity.org/benchmark/red_hat_linux/'
+
+centos_pkg_release: "5ccc5b19"
+centos_pkg_version: "8483c65d"
+centos_major_version: "9"
diff --git a/shared/applicability/derivatives.yml b/shared/applicability/derivatives.yml
index e980f9c1c5c..a5701bc8d66 100644
--- a/shared/applicability/derivatives.yml
+++ b/shared/applicability/derivatives.yml
@@ -10,6 +10,11 @@ cpes:
       title: "CentOS 8"
       check_id: installed_OS_is_centos8
 
+  - cs9:
+      name: "cpe:/o:centos:centos:9"
+      title: "CentOS Stream 9"
+      check_id: installed_OS_is_centos9
+
   - sl7:
       name: "cpe:/o:scientificlinux:scientificlinux:7"
       title: "Scientific Linux 7"
diff --git a/shared/checks/oval/installed_OS_is_centos9.xml b/shared/checks/oval/installed_OS_is_centos9.xml
new file mode 100644
index 00000000000..65f3b42d8ac
--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_centos9.xml
@@ -0,0 +1,47 @@
+<def-group>
+  <definition class="inventory"
+  id="installed_OS_is_centos9" version="2">
+    <metadata>
+      <title>CentOS Stream 9</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <reference ref_id="cpe:/o:centos:centos:9"
+      source="CPE" />
+      <description>The operating system installed on the system is
+      CentOS Stream 9</description>
+    </metadata>
+    <criteria operator="AND">
+      <extend_definition comment="Installed OS is part of the Unix family"
+      definition_ref="installed_OS_is_part_of_Unix_family" />
+      <criterion comment="OS is CentOS Stream" test_ref="test_centos9_name" />
+      <criterion comment="OS version is 9" test_ref="test_centos9_version" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check os-release ID" id="test_centos9_name" version="1">
+    <ind:object object_ref="obj_name_centos9" />
+    <ind:state state_ref="state_name_centos9" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_name_centos9" version="1" comment="Check os-release ID">
+    <ind:filepath>/etc/os-release</ind:filepath>
+    <ind:pattern operation="pattern match">^ID=&quot;(\w+)&quot;$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_state id="state_name_centos9" version="1">
+    <ind:subexpression>centos</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+  <ind:textfilecontent54_test check="all" comment="Check os-release VERSION_ID" id="test_centos9_version" version="1">
+    <ind:object object_ref="obj_version_centos9" />
+    <ind:state state_ref="state_version_centos9" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_version_centos9" version="1" comment="Check os-release VERSION_ID">
+    <ind:filepath>/etc/os-release</ind:filepath>
+    <ind:pattern operation="pattern match">^VERSION_ID=&quot;(\d)&quot;$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_state id="state_version_centos9" version="1">
+    <ind:subexpression>9</ind:subexpression>
+  </ind:textfilecontent54_state>
+</def-group>
diff --git a/ssg/constants.py b/ssg/constants.py
index 982c8c64f7a..66c72665b34 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -282,6 +282,7 @@
     "cpe:/o:redhat:enterprise_linux:6": "cpe:/o:centos:centos:6",
     "cpe:/o:redhat:enterprise_linux:7": "cpe:/o:centos:centos:7",
     "cpe:/o:redhat:enterprise_linux:8": "cpe:/o:centos:centos:8",
+    "cpe:/o:redhat:enterprise_linux:9": "cpe:/o:centos:centos:9",
 }
 
 RHEL_SL_CPE_MAPPING = {

From f6e90ef5846ebc11fd4fe2b4d350b86f9470aacf Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 16 Nov 2021 17:39:20 +0100
Subject: [PATCH 2/2] Add comment explaining why profiles are kept in CentOS
 Stream 9.

---
 build-scripts/enable_derivatives.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/build-scripts/enable_derivatives.py b/build-scripts/enable_derivatives.py
index 867520b758d..48a2379ea69 100755
--- a/build-scripts/enable_derivatives.py
+++ b/build-scripts/enable_derivatives.py
@@ -98,6 +98,8 @@ def main():
 
     for namespace, benchmark in benchmarks:
         if args[1] != "cs9":
+            # In CentOS Stream 9 profiles are kept because it is a system
+            # intended to test content that will get into RHEL
             ssg.build_derivatives.profile_handling(benchmark, namespace)
         if not ssg.build_derivatives.add_cpes(benchmark, namespace, mapping):
             raise RuntimeError(