From 2df3231d6dd5941def2ed97a896969da66a0086f Mon Sep 17 00:00:00 2001 
From: Paul Rensing Date: Wed, 18 Oct 2023 15:35:40 -0400 Subject: [PATCH 1/5] Copy Debian11 product to Debian12 --- CMakeLists.txt | 5 ++ build_product | 1 + .../rule.yml | 2 +- .../oval/debian12.xml | 27 +++++++++ .../apt/apt_sources_list_official/rule.yml | 2 +- .../package_net-snmp_removed/rule.yml | 2 +- .../service_snmpd_disabled/rule.yml | 2 +- .../snmpd_not_default_password/rule.yml | 2 +- .../audit_rules_file_deletion_events/rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../audit_rules_login_events/rule.yml | 2 +- .../rule.yml | 2 +- .../audit_rules_login_events_lastlog/rule.yml | 2 +- .../rule.yml | 2 +- .../auditing/package_audit_installed/rule.yml | 1 + .../aide/aide_build_database/rule.yml | 2 +- .../aide/package_aide_installed/rule.yml | 2 +- products/debian12/CMakeLists.txt | 6 ++ products/debian12/overlays/.gitkeep | 0 products/debian12/product.yml | 39 +++++++++++++ .../profiles/anssi_np_nt28_average.profile | 34 +++++++++++ .../profiles/anssi_np_nt28_high.profile | 11 ++++ .../profiles/anssi_np_nt28_minimal.profile | 31 ++++++++++ .../anssi_np_nt28_restrictive.profile | 18 ++++++ products/debian12/profiles/standard.profile | 57 +++++++++++++++++++ products/debian12/transforms/constants.xslt | 13 +++++ products/debian12/transforms/table-style.xslt | 5 ++ .../transforms/xccdf-apply-overlay-stig.xslt | 8 +++ .../debian12/transforms/xccdf2table-cce.xslt | 9 +++ .../xccdf2table-profileccirefs.xslt | 9 +++ .../oval/installed_OS_is_debian12.xml | 27 +++++++++ .../oval.template | 2 +- ssg/constants.py | 5 +- 43 files changed, 328 insertions(+), 26 deletions(-) create mode 100644 linux_os/guide/services/apt/apt_sources_list_official/oval/debian12.xml create mode 100644 products/debian12/CMakeLists.txt create mode 100644 products/debian12/overlays/.gitkeep create mode 
100644 products/debian12/product.yml create mode 100644 products/debian12/profiles/anssi_np_nt28_average.profile create mode 100644 products/debian12/profiles/anssi_np_nt28_high.profile create mode 100644 products/debian12/profiles/anssi_np_nt28_minimal.profile create mode 100644 products/debian12/profiles/anssi_np_nt28_restrictive.profile create mode 100644 products/debian12/profiles/standard.profile create mode 100644 products/debian12/transforms/constants.xslt create mode 100644 products/debian12/transforms/table-style.xslt create mode 100644 products/debian12/transforms/xccdf-apply-overlay-stig.xslt create mode 100644 products/debian12/transforms/xccdf2table-cce.xslt create mode 100644 products/debian12/transforms/xccdf2table-profileccirefs.xslt create mode 100644 shared/applicability/oval/installed_OS_is_debian12.xml diff --git a/CMakeLists.txt b/CMakeLists.txt index a9bcfe3e413..a9bb429d346 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -76,6 +76,7 @@ option(SSG_PRODUCT_ANOLIS23 "If enabled, the Anolis OS 23 SCAP content will be b option(SSG_PRODUCT_CHROMIUM "If enabled, the Chromium SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_DEBIAN10 "If enabled, the Debian 10 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_DEBIAN11 "If enabled, the Debian 11 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) +option(SSG_PRODUCT_DEBIAN12 "If enabled, the Debian 12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_EKS "If enabled, the EKS SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_EXAMPLE "If enabled, the Example SCAP content will be built" FALSE) option(SSG_PRODUCT_FEDORA "If enabled, the Fedora SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) 
@@ -294,6 +295,7 @@ message(STATUS "Anolis OS 23: ${SSG_PRODUCT_ANOLIS23}") message(STATUS "Chromium: ${SSG_PRODUCT_CHROMIUM}") message(STATUS "Debian 10: ${SSG_PRODUCT_DEBIAN10}") message(STATUS "Debian 11: ${SSG_PRODUCT_DEBIAN11}") +message(STATUS "Debian 12: ${SSG_PRODUCT_DEBIAN12}") message(STATUS "Example: ${SSG_PRODUCT_EXAMPLE}") message(STATUS "EKS: ${SSG_PRODUCT_EKS}") message(STATUS "Fedora: ${SSG_PRODUCT_FEDORA}") @@ -372,6 +374,9 @@ endif() if(SSG_PRODUCT_DEBIAN11) add_subdirectory("products/debian11" "debian11") endif() +if(SSG_PRODUCT_DEBIAN12) + add_subdirectory("products/debian12" "debian12") +endif() if(SSG_PRODUCT_EXAMPLE) add_subdirectory("products/example" "example") endif() diff --git a/build_product b/build_product index 30064130390..96828ac3926 100755 --- a/build_product +++ b/build_product @@ -312,6 +312,7 @@ all_cmake_products=( CHROMIUM DEBIAN10 DEBIAN11 + DEBIAN12 EXAMPLE EKS FEDORA diff --git a/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/rule.yml b/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/rule.yml index 05ed2d331b2..2b353e2fddf 100644 --- a/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/rule.yml +++ b/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian11,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204 +prodtype: debian10,debian11,debian12,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204 title: 'Disable unauthenticated repositories in APT configuration' diff --git a/linux_os/guide/services/apt/apt_sources_list_official/oval/debian12.xml b/linux_os/guide/services/apt/apt_sources_list_official/oval/debian12.xml new file mode 100644 index 00000000000..5e2b212f677 --- /dev/null +++ b/linux_os/guide/services/apt/apt_sources_list_official/oval/debian12.xml 
@@ -0,0 +1,27 @@ + + + {{{ oval_metadata("Official distribution repositories contain up-to-date distribution security and functional patches.") }}} + + + + + + + + + + ^/etc/apt/sources(.d\/[a-zA-Z0-9]+){0,1}.list$ + ^deb[\s]+http://[a-z\.]+\.debian\.org/debian[/]?[\s]+bookworm[\s]+main + 1 + + + + + + ^/etc/apt/sources(.d\/[a-zA-Z0-9]+){0,1}.list$ + ^deb[\s]+http://security\.debian\.org/debian-security[/]?[\s]+bookworm-security[\s]+main + 1 + + diff --git a/linux_os/guide/services/apt/apt_sources_list_official/rule.yml b/linux_os/guide/services/apt/apt_sources_list_official/rule.yml index c51fbb2ffa4..38a1bdd84b4 100644 --- a/linux_os/guide/services/apt/apt_sources_list_official/rule.yml +++ b/linux_os/guide/services/apt/apt_sources_list_official/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian11 +prodtype: debian10,debian11,debian12 title: 'Ensure that official distribution repositories are used' diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml index 3f8d8cf5c88..fd5ec3458d0 100644 --- a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml +++ b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian11,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: debian10,debian11,debian12,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Uninstall net-snmp Package' diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml index 49f0fc3f519..a724c1d6d1a 100644 --- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml 
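Review bot: The file-path pattern used by both objects in the new `oval/debian12.xml`, `^/etc/apt/sources(.d\/[a-zA-Z0-9]+){0,1}.list$`, does not appear to reach files under `/etc/apt/sources.list.d/`. The optional group sits before `.list`, so it accepts `/etc/apt/sources.list` and `/etc/apt/sources.d/<name>.list` only, and its unescaped dots match any character. If drop-in files are meant to count, `^/etc/apt/sources\.list(\.d/[a-zA-Z0-9_.-]+\.list)?$` expresses that. The content patterns also pin `http://` and the `security.debian.org` host, so a bookworm host that uses `https://` or `deb.debian.org/debian-security` would fail the rule while still using official repositories; `https?://` plus an alternation on the host would cover both. The XML element names are not visible in this rendering, so which value is the path and which is the line pattern is inferred from their shape.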
+++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,openembedded,rhel7,rhel8,rhel9,sle12,sle15 +prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,openembedded,rhel7,rhel8,rhel9,sle12,sle15 title: 'Disable snmpd Service' diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml index f02c9a7e01b..c654c31453f 100644 --- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml +++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian11,fedora,ol7,ol8,rhel7,rhel8 +prodtype: debian10,debian11,debian12,fedora,ol7,ol8,rhel7,rhel8 title: 'Ensure Default SNMP Password Is Not Used' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml index f3e0836c8c5..ee54cd52635 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20 +prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20 title: 'Ensure auditd Collects File Deletion Events by User' 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml index 5b036e57b3e..eed46aa465f 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 +prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 title: 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml index 71931e61a32..79d5aa6dd1f 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Record Unsuccessful Access Attempts to Files - creat' 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml index 4b5320d3b7b..3dd68b7c5c7 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Record Unsuccessful Access Attempts to Files - ftruncate' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml index 0cf69fb361e..7efdc37c60c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml 
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Record Unsuccessful Access Attempts to Files - open' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml index 123cc83d867..e4288e5a6c8 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Record Unsuccessful Access Attempts to Files - open_by_handle_at' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml index 99cf3236eba..0d6795e0641 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Record Unsuccessful Access Attempts to Files - openat' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml index 011a1b67883..71a4bfaacc5 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Record Unsuccessful Access Attempts to Files - truncate' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml index 18778fd6dc2..a4ca095aadf 100644 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 +prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml index c7eac12a250..4fe88b2bb15 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure auditd Collects Information on Kernel Module Unloading - delete_module' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml index 4166e059725..f4397059dc5 100644 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml index 8514acdd103..ca93d9f4cae 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure auditd Collects Information on Kernel Module Loading - init_module' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml index a6d668dbcbd..8b6abf3d21d 100644 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15 +prodtype: alinux2,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15 title: 'Record Attempts to Alter Logon and Logout Events' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml index 93a43951456..95d5d4f472a 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 +prodtype: alinux2,alinux3,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 title: 'Record Attempts to Alter Logon and Logout Events - faillock' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml index c858278e7fe..241e4c4e564 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml 
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Record Attempts to Alter Logon and Logout Events - lastlog' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml index 6c71b0c2f84..49082caf773 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Record Attempts to Alter Logon and Logout Events - tallylog' diff --git a/linux_os/guide/system/auditing/package_audit_installed/rule.yml b/linux_os/guide/system/auditing/package_audit_installed/rule.yml index 6606405c77f..98ca964541d 100644 --- a/linux_os/guide/system/auditing/package_audit_installed/rule.yml +++ b/linux_os/guide/system/auditing/package_audit_installed/rule.yml @@ -65,3 +65,4 @@ template: pkgname@ubuntu2204: auditd pkgname@debian10: auditd pkgname@debian11: auditd + pkgname@debian12: auditd diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml index 6ff74126f03..2ccae747bac 100644 
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Build and Test AIDE Database' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml index a00657f57ee..0759cdae413 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openembedded,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,openembedded,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Install AIDE' diff --git a/products/debian12/CMakeLists.txt b/products/debian12/CMakeLists.txt new file mode 100644 index 00000000000..cdf9a7e31ed --- /dev/null +++ b/products/debian12/CMakeLists.txt @@ -0,0 +1,6 @@ +# Sometimes our users will try to do: "cd debian11; cmake ." That needs to error in a nice way. +if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") + message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!") +endif() + +ssg_build_product("debian12") 
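Review bot: The comment at the top of the new `products/debian12/CMakeLists.txt` still names the directory it was copied from (`cd debian11; cmake .`). It should read `# Sometimes our users will try to do: "cd debian12; cmake ." That needs to error in a nice way.` so that the guard's stated purpose matches the product directory it sits in.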
diff --git a/products/debian12/overlays/.gitkeep b/products/debian12/overlays/.gitkeep new file mode 100644 index 00000000000..e69de29bb2d diff --git a/products/debian12/product.yml b/products/debian12/product.yml new file mode 100644 index 00000000000..5017583ba2f --- /dev/null +++ b/products/debian12/product.yml @@ -0,0 +1,39 @@ +product: debian12 +full_name: Debian 12 +type: platform + +families: + - debian + - debian-like + +major_version_ordinal: 12 + +benchmark_id: DEBIAN-12 +benchmark_root: "../../linux_os/guide" + +profiles_root: "./profiles" + +pkg_manager: "apt_get" + +init_system: "systemd" + + +cpes_root: "../../shared/applicability" +cpes: + - debian12: + name: "cpe:/o:debian:debian_linux:12" + title: "Debian Linux 12" + check_id: installed_OS_is_debian12 + +# Mapping of CPE platform to package +platform_package_overrides: + gdm: gdm3 + grub2: grub2-common + net-snmp: snmp + nss-pam-ldapd: libpam-ldap + pam: libpam-runtime + shadow: login + sssd: sssd-common + +reference_uris: + cis: 'https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf' diff --git a/products/debian12/profiles/anssi_np_nt28_average.profile b/products/debian12/profiles/anssi_np_nt28_average.profile new file mode 100644 index 00000000000..4c428147192 --- /dev/null +++ b/products/debian12/profiles/anssi_np_nt28_average.profile 
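Review bot: `reference_uris.cis` in the new `products/debian12/product.yml` carries over the link to `CIS_Debian_Benchmark_v1.0.pdf`, which does not look specific to Debian 12. The same URL is repeated in `transforms/constants.xslt` later in this patch. Point both at the benchmark the debian12 content is actually written against, or drop the key until one exists, so generated guides do not cite a baseline the rules were never checked against. The `platform_package_overrides` block is also copied unchanged; names such as `grub2-common`, `libpam-ldap` and `snmp` should be confirmed against the bookworm archive, since platform applicability depends on them.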
@@ -0,0 +1,34 @@ +documentation_complete: true + +title: 'Profile for ANSSI DAT-NT28 Average (Intermediate) Level' + +description: 'This profile contains items for GNU/Linux installations already protected by multiple higher level security + stacks.' + +extends: anssi_np_nt28_minimal + +selections: + - partition_for_tmp + - partition_for_var + - partition_for_var_log + - partition_for_var_log_audit + - partition_for_home + - package_ntp_installed + - package_ntpdate_removed + - sshd_idle_timeout_value=5_minutes + - sshd_set_idle_timeout + - sshd_disable_root_login + - sshd_disable_empty_passwords + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 + - rsyslog_files_ownership + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" + - ensure_logrotate_activated + - file_permissions_systemmap + - sysctl_fs_protected_symlinks + - sysctl_fs_protected_hardlinks + - sysctl_fs_suid_dumpable + - sysctl_kernel_randomize_va_space diff --git a/products/debian12/profiles/anssi_np_nt28_high.profile b/products/debian12/profiles/anssi_np_nt28_high.profile new file mode 100644 index 00000000000..eb756ff2840 --- /dev/null +++ b/products/debian12/profiles/anssi_np_nt28_high.profile @@ -0,0 +1,11 @@ +documentation_complete: true + +title: 'Profile for ANSSI DAT-NT28 High (Enforced) Level' + +description: 'This profile contains items for GNU/Linux installations storing sensitive information that can be accessible + from unauthenticated or uncontroled networks.' + +extends: anssi_np_nt28_restrictive + +selections: + - grub2_enable_iommu_force diff --git a/products/debian12/profiles/anssi_np_nt28_minimal.profile b/products/debian12/profiles/anssi_np_nt28_minimal.profile new file mode 100644 index 00000000000..797aee747d7 --- /dev/null +++ b/products/debian12/profiles/anssi_np_nt28_minimal.profile 
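Review bot: `package_ntp_installed` in `anssi_np_nt28_average.profile` is copied from debian11 and may not fit Debian 12; the same applies to `service_ntp_enabled` in `anssi_np_nt28_restrictive.profile` and `standard.profile`, later in this patch. On Debian 12 `ntp` is, as far as I know, only a transitional package for `ntpsec`, whose service unit has a different name. These selections should be run against a bookworm host before the profile is marked `documentation_complete: true`, otherwise the time-synchronisation rules can pass or fail for reasons unrelated to the host's real configuration. `sshd_allow_only_protocol2` deserves the same check, since current OpenSSH releases no longer implement protocol 1.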
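Review bot: The `description` in the new `anssi_np_nt28_high.profile` spells `uncontroled`; it should read `from unauthenticated or uncontrolled networks.` This text is emitted into the generated guide, so the typo is worth fixing in the copy rather than carrying it forward from debian11.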
@@ -0,0 +1,31 @@ +documentation_complete: true + +title: 'Profile for ANSSI DAT-NT28 Minimal Level' + +description: 'This profile contains items to be applied systematically.' + +selections: + - sudo_remove_nopasswd + - sudo_remove_no_authenticate + - package_telnetd_removed + - package_inetutils-telnetd_removed + - package_telnetd-ssl_removed + - package_nis_removed + - package_rsyslog_installed + - service_rsyslog_enabled + - package_syslogng_installed + - service_syslogng_enabled + - apt_conf_disallow_unauthenticated + - apt_sources_list_official + - file_permissions_etc_shadow + - file_owner_etc_shadow + - file_groupowner_etc_shadow + - file_permissions_etc_gshadow + - file_owner_etc_gshadow + - file_groupowner_etc_gshadow + - file_permissions_etc_passwd + - file_owner_etc_passwd + - file_groupowner_etc_passwd + - file_permissions_etc_group + - file_owner_etc_group + - file_groupowner_etc_group diff --git a/products/debian12/profiles/anssi_np_nt28_restrictive.profile b/products/debian12/profiles/anssi_np_nt28_restrictive.profile new file mode 100644 index 00000000000..27e4ec396f9 --- /dev/null +++ b/products/debian12/profiles/anssi_np_nt28_restrictive.profile @@ -0,0 +1,18 @@ +documentation_complete: true + +title: 'Profile for ANSSI DAT-NT28 Restrictive Level' + +description: 'This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.' + +extends: anssi_np_nt28_average + +selections: + - partition_for_tmp + - partition_for_var + - partition_for_var_log + - partition_for_var_log_audit + - partition_for_home + - package_audit_installed + - package_cron_installed + - service_auditd_enabled + - service_ntp_enabled diff --git a/products/debian12/profiles/standard.profile b/products/debian12/profiles/standard.profile new file mode 100644 index 00000000000..a6e253324c8 --- /dev/null +++ b/products/debian12/profiles/standard.profile 
@@ -0,0 +1,57 @@ +documentation_complete: true + +title: 'Standard System Security Profile for Debian 12' + +description: |- + This profile contains rules to ensure standard security baseline + of a Debian 12 system. Regardless of your system's workload + all of these checks should pass. + +selections: + - partition_for_tmp + - partition_for_var + - partition_for_var_log + - partition_for_var_log_audit + - partition_for_home + - package_audit_installed + - package_cron_installed + - package_ntp_installed + - package_rsyslog_installed + - package_telnetd_removed + - package_inetutils-telnetd_removed + - package_telnetd-ssl_removed + - package_nis_removed + - package_ntpdate_removed + - service_auditd_enabled + - service_cron_enabled + - service_ntp_enabled + - service_rsyslog_enabled + - sshd_idle_timeout_value=5_minutes + - sshd_set_idle_timeout + - sshd_disable_root_login + - sshd_disable_empty_passwords + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 + - rsyslog_files_ownership + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" + - ensure_logrotate_activated + - file_permissions_systemmap + - file_permissions_etc_shadow + - file_owner_etc_shadow + - file_groupowner_etc_shadow + - file_permissions_etc_gshadow + - file_owner_etc_gshadow + - file_groupowner_etc_gshadow + - file_permissions_etc_passwd + - file_owner_etc_passwd + - file_groupowner_etc_passwd + - file_permissions_etc_group + - file_owner_etc_group + - file_groupowner_etc_group + - sysctl_fs_protected_symlinks + - sysctl_fs_protected_hardlinks + - sysctl_fs_suid_dumpable + - sysctl_kernel_randomize_va_space diff --git a/products/debian12/transforms/constants.xslt b/products/debian12/transforms/constants.xslt new file mode 100644 index 00000000000..8161c3d92d9 --- /dev/null +++ b/products/debian12/transforms/constants.xslt 
@@ -0,0 +1,13 @@ + + + + +Debian 12 +Debian 12 +DEBIAN_12_STIG +debian12 + + +https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf + + diff --git a/products/debian12/transforms/table-style.xslt b/products/debian12/transforms/table-style.xslt new file mode 100644 index 00000000000..8b6caeab8cd --- /dev/null +++ b/products/debian12/transforms/table-style.xslt @@ -0,0 +1,5 @@ + + + + + diff --git a/products/debian12/transforms/xccdf-apply-overlay-stig.xslt b/products/debian12/transforms/xccdf-apply-overlay-stig.xslt new file mode 100644 index 00000000000..4789419b80a --- /dev/null +++ b/products/debian12/transforms/xccdf-apply-overlay-stig.xslt @@ -0,0 +1,8 @@ + + + + + + + + diff --git a/products/debian12/transforms/xccdf2table-cce.xslt b/products/debian12/transforms/xccdf2table-cce.xslt new file mode 100644 index 00000000000..f156a669566 --- /dev/null +++ b/products/debian12/transforms/xccdf2table-cce.xslt @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/products/debian12/transforms/xccdf2table-profileccirefs.xslt b/products/debian12/transforms/xccdf2table-profileccirefs.xslt new file mode 100644 index 00000000000..30419e92b28 --- /dev/null +++ b/products/debian12/transforms/xccdf2table-profileccirefs.xslt @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/shared/applicability/oval/installed_OS_is_debian12.xml b/shared/applicability/oval/installed_OS_is_debian12.xml new file mode 100644 index 00000000000..9c0a8ca7d39 --- /dev/null +++ b/shared/applicability/oval/installed_OS_is_debian12.xml @@ -0,0 +1,27 @@ + + + + Debian Linux 12 + + multi_platform_all + + + The operating system installed on the system is Debian 12 + + + + + + + + + + + + + /etc/debian_version + ^12.[0-9]+$ + 1 + + + diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template index 80fc1c6c1f5..60d043e0c1c 100644 --- a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template 
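Review bot: The pattern `^12.[0-9]+$` in installed_OS_is_debian12.xml leaves the dot unescaped, so it accepts any character between `12` and the trailing digits (a constructed value such as `1203` would match) rather than only a literal dot. This check gates whether the whole benchmark applies to a host, so the stricter form `^12\.[0-9]+$` is the safer one. The file is a copy of the Debian 11 applicability check, which is not visible here and probably carries the same pattern. The element markup of this hunk is not visible on the page, so this is based on the text values alone.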
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template @@ -2,7 +2,7 @@ {{{ oval_metadata("All syslog log files should have appropriate ownership.") }}} - {{% if product in ["debian10", "debian11", "ubuntu1604"] %}} + {{% if product in ["debian10", "debian11", "debian12", "ubuntu1604"] %}} {{% endif %}} diff --git a/ssg/constants.py b/ssg/constants.py index cd4235f97ab..ed6fc95f8fd 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -42,7 +42,7 @@ 'anolis8', 'anolis23', 'chromium', - 'debian10', 'debian11', + 'debian10', 'debian11', 'debian12', 'example', 'eks', 'fedora', @@ -200,6 +200,7 @@ "Chromium": "chromium", "Debian 10": "debian10", "Debian 11": "debian11", + "Debian 12": "debian12", "Example": "example", "Amazon Elastic Kubernetes Service": "eks", "Fedora": "fedora", @@ -279,7 +280,7 @@ MULTI_PLATFORM_MAPPING = { "multi_platform_alinux": ["alinux2", "alinux3"], "multi_platform_anolis": ["anolis8", "anolis23"], - "multi_platform_debian": ["debian10", "debian11"], + "multi_platform_debian": ["debian10", "debian11", "debian12"], "multi_platform_example": ["example"], "multi_platform_eks": ["eks"], "multi_platform_fedora": ["fedora"], From a2fd6a249ac88e8b05e4f5544b4188b6b734594d Mon Sep 17 00:00:00 2001 From: Paul Rensing Date: Wed, 18 Oct 2023 17:23:18 -0400 Subject: [PATCH 2/5] Some templates which need Debian12 listed --- .../file_groupowner_backup_etc_gshadow/rule.yml | 1 + .../file_groupowner_etc_gshadow/rule.yml | 1 + .../file_permissions_backup_etc_gshadow/rule.yml | 1 + .../file_permissions_backup_etc_shadow/rule.yml | 1 + .../file_permissions_etc_gshadow/rule.yml | 1 + .../file_permissions_etc_shadow/rule.yml | 1 + 6 files changed, 6 insertions(+) 
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
index 8c7c1b0fea8..af1afc4246b 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
@@ -55,6 +55,7 @@ template:
 gid_or_name: '0'
 gid_or_name@debian10: '42'
 gid_or_name@debian11: '42'
+ gid_or_name@debian12: '42'
 gid_or_name@ubuntu1604: '42'
 gid_or_name@ubuntu1804: '42'
 gid_or_name@ubuntu2004: '42'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
index 701a7e00963..c1abd87a7fa 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
@@ -59,6 +59,7 @@ template:
 gid_or_name: '0'
 gid_or_name@debian10: '42'
 gid_or_name@debian11: '42'
+ gid_or_name@debian12: '42'
 gid_or_name@ubuntu1604: '42'
 gid_or_name@ubuntu1804: '42'
 gid_or_name@ubuntu2004: '42'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
index 1664e496eb0..1c797df6e0c 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
@@ -57,6 +57,7 @@ template:
 filemode: '0000'
 filemode@debian10: '0640'
 filemode@debian11: '0640'
+ filemode@debian12: '0640'
 filemode@ubuntu1604: '0640'
 filemode@ubuntu1804: '0640'
 filemode@ubuntu2004: '0640'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
index c47c89ea804..fea8fe612d3 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
@@ -60,6 +60,7 @@ template:
 filemode: '0000'
 filemode@debian10: '0640'
 filemode@debian11: '0640'
+ filemode@debian12: '0640'
 filemode@ubuntu1604: '0640'
 filemode@ubuntu1804: '0640'
 filemode@ubuntu2004: '0640'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
index 826e5e92f0e..317d99509f7 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
@@ -64,6 +64,7 @@ template:
 filemode: '0000'
 filemode@debian10: '0640'
 filemode@debian11: '0640'
+ filemode@debian12: '0640'
 filemode@ubuntu1604: '0640'
 filemode@ubuntu1804: '0640'
 filemode@ubuntu2004: '0640'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
index 531d3e3df2f..4359ecf75d9 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
@@ -74,6 +74,7 @@ template:
 filemode: '0000'
 filemode@debian10: '0640'
 filemode@debian11: '0640'
+ filemode@debian12: '0640'
 filemode@sle12: '0640'
 filemode@sle15: '0640'
 filemode@ubuntu1604: '0640'
From 661f48b72e5eaf326aa45f4ac9246f44385b2618 Mon Sep 17 00:00:00 2001 From: Paul Rensing Date: Fri, 27 Oct 2023 14:17:09 -0400 Subject: [PATCH 3/5] Fix test of gshadow - should fix most Debian versions
---
.../file_groupowner_etc_gshadow/rule.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
index c1abd87a7fa..25142138f77 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
@@ -56,11 +56,8 @@ template:
 name: file_groupowner
 vars:
 filepath: /etc/gshadow
+{{% if "ubuntu" in product or "debian" in product %}}
+ gid_or_name: '42'
+{{% else %}}
 gid_or_name: '0'
- gid_or_name@debian10: '42'
- gid_or_name@debian11: '42'
- gid_or_name@debian12: '42'
- gid_or_name@ubuntu1604: '42'
- gid_or_name@ubuntu1804: '42'
- gid_or_name@ubuntu2004: '42'
- gid_or_name@ubuntu2204: '42'
+{{% endif %}}
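Review bot: The new `{{% if "ubuntu" in product or "debian" in product %}}` branch in file_groupowner_etc_gshadow/rule.yml (patch 3/5) is a substring match. It makes GID 42 the expected group for every product whose id contains either word, not only the seven ids in the removed per-version list. The sibling rule file_groupowner_backup_etc_gshadow, extended in patch 2/5, still uses the explicit `gid_or_name@...` keys, so for a product outside that list the two rules would expect different groups for `/etc/gshadow` and its backup. I would convert both rules the same way in this series and state the intent next to the branch, e.g. `# Debian-family systems assign /etc/gshadow to the shadow group (GID 42)`. The rule file continues outside the hunk, so whether other keys depend on the per-version form cannot be checked from here.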
From a6a80c6e18d55e0d5fb6533f8a594e23edb68de5 Mon Sep 17 00:00:00 2001 From: Paul Rensing Date: Fri, 27 Oct 2023 14:39:12 -0400 Subject: [PATCH 4/5] Fix rsyslog file test - use Jinja variable for group name --- .../rsyslog_files_groupownership/rule.yml | 39 ++++++------------- 1 file changed, 11 insertions(+), 28 deletions(-) diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml index b047e475d92..a6791060c1c 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml @@ -2,32 +2,24 @@ documentation_complete: true title: 'Ensure Log Files Are Owned By Appropriate Group' -description: |- - The group-owner of all log files written by - rsyslog should be -{{% if 'debian' in product or 'ubuntu' in product %}} - adm. +{{% if "ubuntu" in product or "debian" in product %}} + {{% set target_group="adm" %}} {{% else %}} - root. + {{% set target_group="root" %}} {{% endif %}} + +description: |- + The group-owner of all log files written by + rsyslog should be {{{ target_group }}}. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's group owner:
$ ls -l LOGFILE
- If the owner is not - {{% if 'debian' in product or 'ubuntu' in product %}} - adm, - {{% else %}} - root, - {{% endif %}} + If the owner is not {{{ target_group }}}, run the following command to correct this: -{{% if 'debian' in product or 'ubuntu' in product %}} -
$ sudo chgrp adm LOGFILE
-{{% else %}} -
$ sudo chgrp root LOGFILE
-{{% endif %}} +
$ sudo chgrp {{{ target_group }}} LOGFILE
rationale: |- The log files generated by rsyslog contain valuable information regarding system @@ -65,11 +57,7 @@ ocil_clause: 'the group-owner is not correct' ocil: |- The group-owner of all log files written by rsyslog should be - {{% if 'debian' in product or 'ubuntu' in product %}} - adm. - {{% else %}} - root. - {{% endif %}} + {{{ target_group }}}. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. To see the group-owner of a given log file, run the following command: @@ -79,9 +67,4 @@ template: name: rsyslog_logfiles_attributes_modify vars: attribute: groupowner - value: root - value@debian10: adm - value@debian11: adm - value@ubuntu1604: adm - value@ubuntu2004: adm - value@ubuntu2204: adm + value: {{{ target_group }}} From c2b0788d447929ae3749c7cd39de108ed340e714 Mon Sep 17 00:00:00 2001 From: Paul Rensing Date: Fri, 27 Oct 2023 17:06:50 -0400 Subject: [PATCH 5/5] Remove references to CIS/STIG benchmarks, since Debian 12 has not been released. --- products/debian12/product.yml | 3 --- products/debian12/transforms/constants.xslt | 4 ---- 2 files changed, 7 deletions(-) diff --git a/products/debian12/product.yml b/products/debian12/product.yml index 5017583ba2f..93a29d900f3 100644 --- a/products/debian12/product.yml +++ b/products/debian12/product.yml @@ -34,6 +34,3 @@ platform_package_overrides: pam: libpam-runtime shadow: login sssd: sssd-common - -reference_uris: - cis: 'https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf' diff --git a/products/debian12/transforms/constants.xslt b/products/debian12/transforms/constants.xslt index 8161c3d92d9..89dc4457399 100644 --- a/products/debian12/transforms/constants.xslt +++ b/products/debian12/transforms/constants.xslt @@ -4,10 +4,6 @@ Debian 12 Debian 12 -DEBIAN_12_STIG debian12 - -https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf -
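Review bot: In patch 4/5, hunk `@@ -79,9 +67,4 @@` of rsyslog_files_groupownership/rule.yml changes the expected group for products that had no explicit override, not only for Debian 12. The removed keys covered debian10, debian11, ubuntu1604, ubuntu2004 and ubuntu2204, so a product such as ubuntu1804 was evaluated against `root` before and is evaluated against `adm` after `value: {{{ target_group }}}`. If that is an intended correction it should be stated in the commit message, because scan results and remediation for those products change with it. The first hunk also carries over the wording `If the owner is not {{{ target_group }}},` where the rule is about the group; `If the group-owner is not {{{ target_group }}},` would match the title and the OCIL text.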