Merge pull request #12084 from a-skr/fixes-debian

Fixes debian
ComplianceAsCode · Aug 2, 2024 · 0c4f15e · 0c4f15e
2 parents 7377bf6 + ded9af2
commit 0c4f15e
Show file tree

Hide file tree

Showing 7 changed files with 19 additions and 4 deletions.
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
@@ -15,7 +15,7 @@
 
  <ind:textfilecontent54_object comment="Ensure at least one NTP server is set"
  id="object_chronyd_remote_server" version="1">
- <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
+ <ind:filepath operation="pattern match">^({{{ chrony_conf_path }}}|{{{ chrony_d_path }}}/.+\.conf)$</ind:filepath>
  <ind:pattern operation="pattern match">^[\s]*(?:server|pool)[\s]+.+$</ind:pattern>
  <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

diff --git a/products/debian12/product.yml b/products/debian12/product.yml
@@ -19,6 +19,9 @@ init_system: "systemd"
 
 oval_feed_url: "https://www.debian.org/security/oval/oval-definitions-bookworm.xml.bz2"
 
+chrony_conf_path: "/etc/chrony/chrony.conf"
+chrony_d_path: "/etc/chrony/chrony.d"
+
 cpes_root: "../../shared/applicability"
 cpes:
  - debian12:

diff --git a/products/debian12/profiles/anssi_bp28_enhanced.profile b/products/debian12/profiles/anssi_bp28_enhanced.profile
@@ -35,6 +35,11 @@ selections:
  - '!accounts_polyinstantiated_tmp'
  - '!accounts_polyinstantiated_var_tmp'
  - '!enable_pam_namespace'
+ # there is no tmp.mount unit on Debian 12.
+ - '!systemd_tmp_mount_enabled'
+ # this rule cannot handle /etc/chrony/chrony.conf path properly.
+ # chronyd_specify_remote_server still report wether chrony is configured.
+ - '!chronyd_configure_pool_and_server'
 
  # Following rules once had a prodtype incompatible with the debian12 product
  - '!accounts_passwords_pam_tally2_deny_root'

diff --git a/products/debian12/profiles/anssi_bp28_high.profile b/products/debian12/profiles/anssi_bp28_high.profile
@@ -35,6 +35,11 @@ selections:
  - '!accounts_polyinstantiated_tmp'
  - '!accounts_polyinstantiated_var_tmp'
  - '!enable_pam_namespace'
+ # there is no tmp.mount unit on Debian 12.
+ - '!systemd_tmp_mount_enabled'
+ # this rule cannot handle /etc/chrony/chrony.conf path properly.
+ # chronyd_specify_remote_server still report wether chrony is configured.
+ - '!chronyd_configure_pool_and_server'
 
  # Following rules once had a prodtype incompatible with the debian12 product
  - '!accounts_passwords_pam_tally2_deny_root'

diff --git a/products/debian12/profiles/anssi_bp28_intermediary.profile b/products/debian12/profiles/anssi_bp28_intermediary.profile
@@ -30,6 +30,8 @@ selections:
  - '!accounts_polyinstantiated_tmp'
  - '!accounts_polyinstantiated_var_tmp'
  - '!enable_pam_namespace'
+ # there is no tmp.mount unit on Debian 12.
+ - '!systemd_tmp_mount_enabled'
 
  # Following rules once had a prodtype incompatible with the debian12 product
  - '!accounts_passwords_pam_tally2_deny_root'

diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
@@ -17,7 +17,7 @@
 {{% endif %}}
 {{%- endmacro -%}}
 {{%- macro sysctl_match() -%}}
- <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*\S)[\s]*$</ind:pattern>
  <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
 {{%- endmacro -%}}
 {{%- if "P" in FLAGS -%}}

diff --git a/tests/data/product_stability/debian12.yml b/tests/data/product_stability/debian12.yml
@@ -7,8 +7,8 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: DEBIAN-12
 benchmark_root: ../../linux_os/guide
-chrony_conf_path: /etc/chrony.conf
-chrony_d_path: /etc/chrony.d/
+chrony_conf_path: /etc/chrony/chrony.conf
+chrony_d_path: /etc/chrony/chrony.d
 cpes:
 - debian12:
  check_id: installed_OS_is_debian12