ComplianceAsCode · vojtapolasek · Apr 2, 2026 · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -96,6 +96,7 @@ option(SSG_PRODUCT_EKS "If enabled, the EKS SCAP content will be built" ${SSG_PR
 option(SSG_PRODUCT_EXAMPLE "If enabled, the Example SCAP content will be built" FALSE)
 option(SSG_PRODUCT_FEDORA "If enabled, the Fedora SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_FIREFOX "If enabled, the Firefox SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_HUMMINGBIRD "If enabled, the Hummingbird SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_KYLINSERVER10 "If enabled, the Kylin Server V10 content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OCP4 "If enabled, the OCP4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OL7 "If enabled, the Oracle Linux 7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -333,6 +334,7 @@ message(STATUS "Example: ${SSG_PRODUCT_EXAMPLE}")
 message(STATUS "EKS: ${SSG_PRODUCT_EKS}")
 message(STATUS "Fedora: ${SSG_PRODUCT_FEDORA}")
 message(STATUS "Firefox: ${SSG_PRODUCT_FIREFOX}")
+message(STATUS "Hummingbird: ${SSG_PRODUCT_HUMMINGBIRD}")
 message(STATUS "Kylin Server V10: ${SSG_PRODUCT_KYLINSERVER10}")
 message(STATUS "OCP4: ${SSG_PRODUCT_OCP4}")
 message(STATUS "RHCOS4: ${SSG_PRODUCT_RHCOS4}")
@@ -418,6 +420,9 @@ endif()
 if(SSG_PRODUCT_FIREFOX)
     add_subdirectory("products/firefox" "firefox")
 endif()
+if(SSG_PRODUCT_HUMMINGBIRD)
+    add_subdirectory("products/hummingbird" "hummingbird")
+endif()
 if(SSG_PRODUCT_KYLINSERVER10)
     add_subdirectory("products/kylinserver10" "kylinserver10")
 endif()

diff --git a/build_product b/build_product
@@ -340,6 +340,7 @@ all_cmake_products=(
 	EXAMPLE
 	FEDORA
 	FIREFOX
+	HUMMINGBIRD
 	KYLINSERVER10
 	OCP4
 	OL7

diff --git a/components/dnf.yml b/components/dnf.yml
@@ -10,6 +10,7 @@ rules:
 - enable_gpgcheck_for_all_repositories
 - ensure_gpgcheck_globally_activated
 - ensure_gpgcheck_local_packages
+- ensure_gpgcheck_never_disabled
 - ensure_gpgcheck_repo_metadata
 - package_dnf-automatic_installed
 - package_dnf-plugin-subscription-manager_installed

diff --git a/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml b/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml
@@ -1,4 +1,4 @@
-{{% if 'rhel' in product or product in ['ol8','ol9'] -%}}
+{{% if 'rhel' in product or product in ['ol8','ol9', 'hummingbird'] -%}}
 {{% set pkg='rsync-daemon' %}}
 {{% else %}}
 {{% set pkg='rsync' %}}

diff --git a/...issions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml b/...issions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
@@ -12,12 +12,16 @@ description: |-
     /usr/lib
     /usr/lib64
     </pre>
+    {{% if product != "hummingbird" %}}
     Kernel modules, which can be added to the kernel during runtime, are also
-    stored in <tt>/lib/modules</tt>. All files in these directories should be
-    group-owned by the <tt>root</tt> user. If the  directories, is found to be owned
-    by a user other than root correct its
-    ownership with the following command:
+    stored in <tt>/lib/modules</tt>.
+    {{% endif %}}
+    All files in these directories should be group-owned by the <tt>root</tt> group.
+    {{% if product != "hummingbird" %}}
+    If the directories are found to be owned by a group other than root correct
+    its ownership with the following command:
     <pre>$ sudo chgrp root <i>DIR</i></pre>
+    {{% endif %}}
 
 rationale: |-
     Files from shared library directories are loaded into the address

diff --git a/...m/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml b/...m/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
@@ -11,12 +11,16 @@ description: |-
     /usr/lib
     /usr/lib64
     </pre>
+    {{% if product != "hummingbird" %}}
     Kernel modules, which can be added to the kernel during runtime, are also
-    stored in <tt>/lib/modules</tt>. All files in these directories should be
-    owned by the <tt>root</tt> user. If the  directories, is found to be owned
-    by a user other than root correct its
-    ownership with the following command:
+    stored in <tt>/lib/modules</tt>.
+    {{% endif %}}
+    All files in these directories should be owned by the <tt>root</tt> user.
+    {{% if product != "hummingbird" %}}
+    If the directories are found to be owned by a user other than root correct
+    its ownership with the following command:
     <pre>$ sudo chown root <i>DIR</i></pre>
+    {{% endif %}}
 
 rationale: |-
     Files from shared library directories are loaded into the address

diff --git a/...permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml b/...permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
@@ -12,12 +12,16 @@ description: |-
     /usr/lib
     /usr/lib64
     </pre>
+    {{% if product != "hummingbird" %}}
     Kernel modules, which can be added to the kernel during runtime, are
-    stored in <tt>/lib/modules</tt>. All sub-directories in these directories
-    should not be group-writable or world-writable. If any file in these
-    directories is found to be group-writable or world-writable, correct
+    stored in <tt>/lib/modules</tt>.
+    {{% endif %}}
+    All sub-directories in these directories should not be group-writable or world-writable.
+    {{% if product != "hummingbird" %}}
+    If any file in these directories is found to be group-writable or world-writable, correct
     its permission with the following command:
     <pre>$ sudo chmod go-w <i>DIR</i></pre>
+    {{% endif %}}
 
 rationale: |-
     If the operating system were to allow any user to make changes to software libraries,

diff --git a/.../permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/.../permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
@@ -11,12 +11,16 @@ description: |-
     /usr/lib
     /usr/lib64
     </pre>
+    {{% if product != "hummingbird" %}}
     Kernel modules, which can be added to the kernel during runtime, are also
-    stored in <tt>/lib/modules</tt>. All files in these directories should be
-    owned by the <tt>root</tt> user. If the directory, or any file in these
-    directories, is found to be owned by a user other than root correct its
-    ownership with the following command:
+    stored in <tt>/lib/modules</tt>.
+    {{% endif %}}
+    All files in these directories should be owned by the <tt>root</tt> user.
+    {{% if product != "hummingbird" %}}
+    If the directory, or any file in these directories, is found to be owned
+    by a user other than root correct its ownership with the following command:
     <pre>$ sudo chown root <i>FILE</i></pre>
+    {{% endif %}}
 
 rationale: |-
     Files from shared library directories are loaded into the address

diff --git a/...ermissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/...ermissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
@@ -11,12 +11,16 @@ description: |-
     /usr/lib
     /usr/lib64
     </pre>
+    {{% if product != "hummingbird" %}}
     Kernel modules, which can be added to the kernel during runtime, are
-    stored in <tt>/lib/modules</tt>. All files in these directories
-    should not be group-writable or world-writable. If any file in these
-    directories is found to be group-writable or world-writable, correct
-    its permission with the following command:
+    stored in <tt>/lib/modules</tt>.
+    {{% endif %}}
+    All files in these directories should not be group-writable or world-writable.
+    {{% if product != "hummingbird" %}}
+    If any file in these directories is found to be group-writable
+    or world-writable, correct its permission with the following command:
     <pre>$ sudo chmod go-w <i>FILE</i></pre>
+    {{% endif %}}
 
 rationale: |-
     Files from shared library directories are loaded into the address

diff --git a/...stem/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml b/...stem/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml
@@ -8,6 +8,7 @@
       <extend_definition comment="Installed OS is RHEL8" definition_ref="installed_OS_is_rhel8" />
       <extend_definition comment="Installed OS is RHEL9" definition_ref="installed_OS_is_rhel9" />
       <extend_definition comment="Installed OS is RHEL10" definition_ref="installed_OS_is_rhel10" />
+      <extend_definition comment="Installed OS is Hummingbird" definition_ref="installed_OS_is_hummingbird" />
       <extend_definition comment="Installed OS is OL7" definition_ref="installed_OS_is_ol7" />
       <extend_definition comment="Installed OS is OL8" definition_ref="installed_OS_is_ol8" />
       <extend_definition comment="Installed OS is OL9" definition_ref="installed_OS_is_ol9" />

diff --git a/...uide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/...uide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
@@ -60,7 +60,7 @@ ocil_clause: 'the installed operating system is not supported'
 ocil: |-
     To verify that the installed operating system is supported, run
     the following command:
-{{% if product.startswith("rhel") %}}
+{{% if product.startswith("rhel") or product == "hummingbird" %}}
     <pre>$ grep -i "red hat" /etc/redhat-release</pre>
 {{% elif 'ol' in families %}}
     <pre>$ grep -i "oracle" /etc/oracle-release</pre>

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
@@ -4,6 +4,7 @@ documentation_complete: true
 title: 'Configure System Cryptography Policy'
 
 description: |-
+    {{% if product != "hummingbird" -%}}
     To configure the system cryptography policy to use ciphers only from the <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt>
     {{% if product != "rhcos4" -%}}
     policy, run the following command:
@@ -42,6 +43,7 @@ description: |-
     </p>
     {{{ machineconfig_description_footer() | indent(4) }}}
     {{% endif -%}}
+    {{% endif -%}}
     The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the <tt>/etc/crypto-policies/back-ends</tt> are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied.
     Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.
 
@@ -86,8 +88,10 @@ ocil: |-
     Outputs of two previous commands should match.
 
 warnings:
+    {{% if product != "hummingbird" -%}}
     - general: |-
         The system needs to be rebooted for these changes to take effect.
+    {{% endif -%}}
     - regulatory: |-
         System Crypto Modules must be provided by a vendor that undergoes
         FIPS-140 certifications.

diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml
@@ -75,3 +75,7 @@ checktext: |-
     gpgcheck = 1
 
     If "gpgcheck" is not set to "1" for all returned lines, this is a finding.
+
+{{% if product == "hummingbird" %}}
+platform: package[dnf]
+{{% endif %}}
diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml
@@ -6,8 +6,10 @@ title: 'Ensure Red Hat GPG Key Installed'
 description: |-
     To ensure the system can cryptographically verify base software packages
     come from Red Hat (and to connect to the Red Hat Network to receive them),
-    the Red Hat GPG key must properly be installed. To install the Red Hat GPG
-    key, run:
+    the Red Hat GPG key must properly be installed.
+
+    {{% if product != "hummingbird" %}}
+    To install the Red Hat GPG key, run:
     <pre>$ sudo subscription-manager register</pre>
 
     If the system is not connected to the Internet or an RHN Satellite, then
@@ -20,6 +22,7 @@ description: |-
     Alternatively, the key may be pre-loaded during the RHEL installation. In
     such cases, the key can be installed by running the following command:
     <pre>sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release</pre>
+    {{% endif %}}
 
 
 rationale: |-

diff --git a/linux_os/guide/system/software/updating/group.yml b/linux_os/guide/system/software/updating/group.yml
@@ -3,6 +3,10 @@ documentation_complete: true
 title: 'Updating Software'
 
 description: |-
+{{% if product == "hummingbird" %}}
+    {{{ full_name }}} containers and container images contain an installed software
+    catalog called the RPM database, which records metadata of installed RPM packages.
+{{% else %}}
     The <tt>{{{ pkg_manager }}}</tt> command line tool is used to install and
     update software packages. The system also provides a graphical
     software update tool in the <b>System</b> menu, in the <b>Administration</b> submenu,
@@ -13,3 +17,4 @@ description: |-
     <tt>{{{ pkg_manager }}}</tt> or the graphical <b>Software Update</b> for all software installation
     allows for insight into the current inventory of installed software on the system.
     <br /><br />
+{{% endif %}}
diff --git a/products/hummingbird/CMakeLists.txt b/products/hummingbird/CMakeLists.txt
@@ -0,0 +1,6 @@
+# Sometimes our users will try to do: "cd hummingbird; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+ssg_build_product("hummingbird")
-Original file line number
+Diff line change
@@ Expand Up / @@ -340,6 +340,7 @@ all_cmake_products=( @@
     	EXAMPLE
     	FEDORA
     	FIREFOX
+    	HUMMINGBIRD
     	KYLINSERVER10
     	OCP4
     	OL7
@@ Expand Down @@