Upstream CaC ships a maintained controls/cis_almalinux9.yml with
AlmaLinux-specific adjustments (correct source URL, SSH crypto policy
marked not applicable, almalinux NTP variable, etc.). The product-level
copy mechanically renamed from rhel9 is loaded after the top-level file
and silently overrides it, losing all those adjustments.
Drop products/almalinux9/controls/ entirely so the correct top-level
file is used.
Same gap as a10: the sed only searched linux_os/ and only matched
double-quoted product names in 'if product in' blocks, missing rules
in shared/, exclusion lists using 'if product not in', and
single-quoted product names in either form.
Extend the find path to linux_os/ and shared/, and add the three
missing -e expressions to cover all four combinations.
Step 4 only rewrote the list-membership form (product in [...,"rhel9"]), so
the shared rules using the equality form (product == "rhel9") fell through to
the generic else branch for almalinux9. Most visibly,
configure_custom_crypto_policy_cis dropped NO-SSHWEAKCIPHERS/NO-SSHWEAKMACS/
NO-WEAKMAC/NO-RPMSHA1, weakening the CIS crypto remediation vs the rhel9 base
(no hard failure since NO-SHA1 still ships on EL9). Now almalinux9 follows the
rhel9 branch.
Also set auto_increment on the .alma.1 release suffix.