From fb5fe024f16ca433b1427954890e9ca3aa02a17f Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 22 Jul 2024 11:18:35 -0500
Subject: [PATCH 1/9] Remove Debian 10 Product

---
 products/debian10/CMakeLists.txt | 6 -
 products/debian10/overlays/.gitkeep | 0
 products/debian10/product.yml | 42 ---
 .../profiles/anssi_np_nt28_average.profile | 34 --
 .../profiles/anssi_np_nt28_high.profile | 11 -
 .../profiles/anssi_np_nt28_minimal.profile | 31 --
 .../anssi_np_nt28_restrictive.profile | 18 -
 products/debian10/profiles/default.profile | 319 ------------------
 products/debian10/profiles/standard.profile | 57 ----
 products/debian10/transforms/constants.xslt | 13 -
 products/debian10/transforms/table-style.xslt | 5 -
 .../transforms/xccdf-apply-overlay-stig.xslt | 8 -
 .../debian10/transforms/xccdf2table-cce.xslt | 9 -
 .../xccdf2table-profileccirefs.xslt | 9 -
 14 files changed, 562 deletions(-)
 delete mode 100644 products/debian10/CMakeLists.txt
 delete mode 100644 products/debian10/overlays/.gitkeep
 delete mode 100644 products/debian10/product.yml
 delete mode 100644 products/debian10/profiles/anssi_np_nt28_average.profile
 delete mode 100644 products/debian10/profiles/anssi_np_nt28_high.profile
 delete mode 100644 products/debian10/profiles/anssi_np_nt28_minimal.profile
 delete mode 100644 products/debian10/profiles/anssi_np_nt28_restrictive.profile
 delete mode 100644 products/debian10/profiles/default.profile
 delete mode 100644 products/debian10/profiles/standard.profile
 delete mode 100644 products/debian10/transforms/constants.xslt
 delete mode 100644 products/debian10/transforms/table-style.xslt
 delete mode 100644 products/debian10/transforms/xccdf-apply-overlay-stig.xslt
 delete mode 100644 products/debian10/transforms/xccdf2table-cce.xslt
 delete mode 100644 products/debian10/transforms/xccdf2table-profileccirefs.xslt

diff --git a/products/debian10/CMakeLists.txt b/products/debian10/CMakeLists.txt
deleted file mode 100644
index 269f1690538..00000000000
--- a/products/debian10/CMakeLists.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-# Sometimes our users will try to do: "cd debian10; cmake ." That needs to error in a nice way.
-if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
- message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
-endif()
-
-ssg_build_product("debian10")
diff --git a/products/debian10/overlays/.gitkeep b/products/debian10/overlays/.gitkeep
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/products/debian10/product.yml b/products/debian10/product.yml
deleted file mode 100644
index e80b24de24d..00000000000
--- a/products/debian10/product.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-product: debian10
-full_name: Debian 10
-type: platform
-
-families:
- - debian
- - debian-like
-
-major_version_ordinal: 10
-
-benchmark_id: DEBIAN-10
-benchmark_root: "../../linux_os/guide"
-
-profiles_root: "./profiles"
-
-pkg_manager: "apt_get"
-
-init_system: "systemd"
-
-
-chrony_conf_path: "/etc/chrony/chrony.conf"
-chrony_d_path: "/etc/chrony/conf.d/"
-
-cpes_root: "../../shared/applicability"
-cpes:
- - debian10:
- name: "cpe:/o:debian:debian_linux:10"
- title: "Debian Linux 10"
- check_id: installed_OS_is_debian10
-
-# Mapping of CPE platform to package
-platform_package_overrides:
- gdm: gdm3
- grub2: grub2-common
- net-snmp: snmp
- nss-pam-ldapd: libpam-ldap
- pam: libpam-runtime
- shadow: login
- sssd: sssd-common
-
-reference_uris:
- cis: 'https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf'
diff --git a/products/debian10/profiles/anssi_np_nt28_average.profile b/products/debian10/profiles/anssi_np_nt28_average.profile
deleted file mode 100644
index 4c428147192..00000000000
--- a/products/debian10/profiles/anssi_np_nt28_average.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-documentation_complete: true
-
-title: 'Profile for ANSSI DAT-NT28 Average (Intermediate) Level'
-
-description: 'This profile contains items for GNU/Linux installations already protected by multiple higher level security
- stacks.'
-
-extends: anssi_np_nt28_minimal
-
-selections:
- - partition_for_tmp
- - partition_for_var
- - partition_for_var_log
- - partition_for_var_log_audit
- - partition_for_home
- - package_ntp_installed
- - package_ntpdate_removed
- - sshd_idle_timeout_value=5_minutes
- - sshd_set_idle_timeout
- - sshd_disable_root_login
- - sshd_disable_empty_passwords
- - sshd_allow_only_protocol2
- - var_sshd_set_keepalive=0
- - sshd_set_keepalive_0
- - rsyslog_files_ownership
- - rsyslog_files_groupownership
- - rsyslog_files_permissions
- - "!rsyslog_remote_loghost"
- - ensure_logrotate_activated
- - file_permissions_systemmap
- - sysctl_fs_protected_symlinks
- - sysctl_fs_protected_hardlinks
- - sysctl_fs_suid_dumpable
- - sysctl_kernel_randomize_va_space
diff --git a/products/debian10/profiles/anssi_np_nt28_high.profile b/products/debian10/profiles/anssi_np_nt28_high.profile
deleted file mode 100644
index eb756ff2840..00000000000
--- a/products/debian10/profiles/anssi_np_nt28_high.profile
+++ /dev/null
@@ -1,11 +0,0 @@
-documentation_complete: true
-
-title: 'Profile for ANSSI DAT-NT28 High (Enforced) Level'
-
-description: 'This profile contains items for GNU/Linux installations storing sensitive information that can be accessible
- from unauthenticated or uncontroled networks.'
-
-extends: anssi_np_nt28_restrictive
-
-selections:
- - grub2_enable_iommu_force
diff --git a/products/debian10/profiles/anssi_np_nt28_minimal.profile b/products/debian10/profiles/anssi_np_nt28_minimal.profile
deleted file mode 100644
index 797aee747d7..00000000000
--- a/products/debian10/profiles/anssi_np_nt28_minimal.profile
+++ /dev/null
@@ -1,31 +0,0 @@
-documentation_complete: true
-
-title: 'Profile for ANSSI DAT-NT28 Minimal Level'
-
-description: 'This profile contains items to be applied systematically.'
-
-selections:
- - sudo_remove_nopasswd
- - sudo_remove_no_authenticate
- - package_telnetd_removed
- - package_inetutils-telnetd_removed
- - package_telnetd-ssl_removed
- - package_nis_removed
- - package_rsyslog_installed
- - service_rsyslog_enabled
- - package_syslogng_installed
- - service_syslogng_enabled
- - apt_conf_disallow_unauthenticated
- - apt_sources_list_official
- - file_permissions_etc_shadow
- - file_owner_etc_shadow
- - file_groupowner_etc_shadow
- - file_permissions_etc_gshadow
- - file_owner_etc_gshadow
- - file_groupowner_etc_gshadow
- - file_permissions_etc_passwd
- - file_owner_etc_passwd
- - file_groupowner_etc_passwd
- - file_permissions_etc_group
- - file_owner_etc_group
- - file_groupowner_etc_group
diff --git a/products/debian10/profiles/anssi_np_nt28_restrictive.profile b/products/debian10/profiles/anssi_np_nt28_restrictive.profile
deleted file mode 100644
index 27e4ec396f9..00000000000
--- a/products/debian10/profiles/anssi_np_nt28_restrictive.profile
+++ /dev/null
@@ -1,18 +0,0 @@
-documentation_complete: true
-
-title: 'Profile for ANSSI DAT-NT28 Restrictive Level'
-
-description: 'This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.'
-
-extends: anssi_np_nt28_average
-
-selections:
- - partition_for_tmp
- - partition_for_var
- - partition_for_var_log
- - partition_for_var_log_audit
- - partition_for_home
- - package_audit_installed
- - package_cron_installed
- - service_auditd_enabled
- - service_ntp_enabled
diff --git a/products/debian10/profiles/default.profile b/products/debian10/profiles/default.profile
deleted file mode 100644
index 2252b672370..00000000000
--- a/products/debian10/profiles/default.profile
+++ /dev/null
@@ -1,319 +0,0 @@ -documentation_complete: true - -hidden: true - -title: Default Profile for Debian 10 - -description: |- - This profile contains all the rules that once belonged to the - debian10 product via 'prodtype'. This profile won't - be rendered into an XCCDF Profile entity, nor it will select any - of these rules by default. The only purpose of this profile - is to keep a rule in the product's XCCDF Benchmark. - -selections: - - file_permissions_backup_etc_passwd - - accounts_umask_etc_login_defs - - kernel_config_module_sig_key - - gid_passwd_group_same - - auditd_data_disk_full_action - - grub2_rng_core_default_quality_argument - - kernel_config_debug_list - - audit_rules_sysadmin_actions - - audit_rules_dac_modification_chown - - gnome_gdm_disable_xdmcp - - grub2_nosmep_argument_absent - - configure_user_data_backups - - package_MFEhiplsm_installed - - accounts_polyinstantiated_var_tmp - - audit_rules_session_events - - kernel_config_module_sig_sha512 - - kernel_config_page_table_isolation - - accounts_password_warn_age_login_defs - - kernel_config_page_poisoning_no_sanity - - audit_rules_dac_modification_fchownat - - audit_rules_media_export - - kernel_config_slub_debug - - dir_ownership_binary_dirs - - rsyslog_encrypt_offload_defaultnetstreamdriver - - file_permissions_library_dirs - - file_ownership_library_dirs - - audit_rules_login_events_lastlog - - coredump_disable_storage - - kernel_config_seccomp - - snmpd_not_default_password - - auditd_data_retention_max_log_file_action_stig - - sysctl_net_ipv6_conf_default_disable_ipv6 - - audit_rules_usergroup_modification - - sshd_set_keepalive - - kernel_config_security_yama - - sshd_set_loglevel_verbose - - file_owner_backup_etc_group - - audit_rules_dac_modification_umount - - no_empty_passwords - - kernel_module_uvcvideo_disabled - - accounts_maximum_age_login_defs - - audit_rules_file_deletion_events_rename - - sshd_disable_user_known_hosts - - file_groupowner_backup_etc_gshadow - - 
sudoers_no_command_negation - - restrict_serial_port_logins - - sysctl_net_ipv4_conf_all_arp_filter - - auditd_local_events - - kernel_config_default_mmap_min_addr - - kernel_config_hibernation - - set_iptables_default_rule_forward - - set_ip6tables_default_rule - - account_use_centralized_automated_auth - - display_login_attempts - - audit_rules_dac_modification_chmod - - kernel_config_seccomp_filter - - sshd_rekey_limit - - file_owner_backup_etc_shadow - - audit_rules_dac_modification_lremovexattr - - kernel_config_security - - sysctl_net_ipv6_conf_all_disable_ipv6 - - sudo_require_authentication - - sudo_vdsm_nopasswd - - auditd_data_retention_space_left_action - - kernel_config_security_writable_hooks - - partition_for_dev_shm - - fapolicyd_prevent_home_folder_access - - kernel_config_binfmt_misc - - sshd_enable_warning_banner - - audit_rules_dac_modification_umount2 - - kernel_config_security_dmesg_restrict - - package_postfix_installed - - sysctl_net_ipv4_conf_all_accept_local - - audit_privileged_commands_poweroff - - sysctl_kernel_kptr_restrict - - accounts_umask_etc_profile - - audit_rules_file_deletion_events_unlink - - sshd_set_max_sessions - - sudoers_no_root_target - - auditd_write_logs - - grub2_mce_argument - - audit_rules_time_stime - - disable_host_auth - - dir_perms_world_writable_sticky_bits - - coredump_disable_backtraces - - file_owner_backup_etc_gshadow - - audit_rules_unsuccessful_file_modification_truncate - - auditd_data_retention_action_mail_acct - - sshd_do_not_permit_user_env - - kernel_config_kexec - - accounts_polyinstantiated_tmp - - file_owner_backup_etc_passwd - - rsyslog_remote_loghost - - kernel_disable_entropy_contribution_for_solid_state_drives - - aide_build_database - - avahi_disable_publishing - - package_chrony_installed - - sudo_custom_logfile - - sshd_use_priv_separation - - audit_rules_time_settimeofday - - kernel_module_rds_disabled - - audit_privileged_commands_shutdown - - file_groupownership_sshd_pub_key - - 
account_passwords_pam_faillock_dir - - audit_rules_dac_modification_lsetxattr - - audit_rules_unsuccessful_file_modification - - audit_rules_kernel_module_loading_init - - directory_permissions_var_log_audit - - kernel_config_debug_credentials - - kernel_config_devkmem - - file_ownership_var_log_audit - - kernel_config_panic_timeout - - file_permissions_backup_etc_gshadow - - file_permissions_var_log - - kernel_config_legacy_ptys - - file_ownership_sshd_private_key - - sshd_enable_warning_banner_net - - kernel_config_panic_on_oops - - audit_rules_dac_modification_fchmod - - file_groupowner_var_log_syslog - - grub2_systemd_debug-shell_argument_absent - - service_netfs_disabled - - ftp_limit_users - - file_groupownership_sshd_private_key - - kernel_module_ipv6_option_disabled - - file_groupownership_audit_configuration - - rsyslog_accept_remote_messages_tcp - - audit_rules_privileged_commands - - auditd_data_disk_full_action_stig - - file_ownership_sshd_pub_key - - kernel_config_randomize_memory - - file_permissions_unauthorized_world_writable - - sudo_add_requiretty - - sshd_disable_compression - - sshd_disable_gssapi_auth - - sshd_enable_gssapi_auth - - kernel_config_debug_sg - - sshd_print_last_log - - kernel_config_module_sig_hash - - grub2_nosmap_argument_absent - - dir_ownership_library_dirs - - file_groupowner_backup_etc_shadow - - kernel_config_randomize_base - - sshd_set_loglevel_info - - audit_rules_dac_modification_fremovexattr - - sysctl_net_ipv4_conf_default_shared_media - - grub2_l1tf_argument - - file_groupowner_var_log - - ftp_configure_firewall - - audit_rules_file_deletion_events_unlinkat - - audit_rules_immutable - - audit_rules_dac_modification_removexattr - - auditd_data_disk_error_action - - kernel_config_x86_vsyscall_emulation - - auditd_data_retention_admin_space_left_action - - mount_option_dev_shm_nodev - - sshd_disable_tcp_forwarding - - kernel_config_debug_notifiers - - kernel_config_proc_kcore - - audit_rules_file_deletion_events_rmdir - 
- auditd_overflow_action - - service_systemd-journald_enabled - - auditd_data_retention_max_log_file_action - - audit_rules_networkconfig_modification - - grub2_spectre_v2_argument - - kernel_config_ipv6 - - sysctl_net_ipv4_conf_all_arp_ignore - - file_permissions_home_dirs - - audit_rules_unsuccessful_file_modification_open - - file_ownership_binary_dirs - - audit_rules_login_events_tallylog - - grub2_disable_recovery - - no_netrc_files - - postfix_client_configure_mail_alias_postmaster - - securetty_root_login_console_only - - file_permissions_var_log_messages - - no_direct_root_logins - - accounts_password_minlen_login_defs - - account_unique_name - - selinux_not_disabled - - sudo_add_use_pty - - package_nss-tools_installed - - accounts_root_path_dirs_no_write - - sysctl_net_ipv4_conf_all_shared_media - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_kernel_module_loading_delete - - sshd_enable_strictmodes - - root_path_no_dot - - kernel_config_bug - - sshd_set_login_grace_time - - kernel_config_page_poisoning_zero - - package_logrotate_installed - - no_rsh_trust_files - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_fchmodat - - sshd_enable_pubkey_auth - - kernel_config_compat_vdso - - postfix_client_configure_mail_alias - - no_empty_passwords_etc_shadow - - service_iptables_enabled - - postfix_client_configure_relayhost - - audit_privileged_commands_init - - file_permissions_backup_etc_group - - iptables_sshd_disabled - - chronyd_server_directive - - kernel_config_compat_brk - - dir_permissions_library_dirs - - package_net-snmp_removed - - auditd_data_retention_max_log_file - - sshd_enable_pam - - accounts_no_uid_except_zero - - audit_rules_time_clock_settime - - grub2_spec_store_bypass_disable_argument - - kernel_config_unmap_kernel_at_el0 - - audit_rules_time_adjtimex - - package_openssh-server_removed - - partition_for_srv - - sudo_add_noexec - - sysctl_net_ipv4_conf_all_route_localnet - - 
auditd_log_format - - accounts_minimum_age_login_defs - - kernel_config_retpoline - - kernel_config_debug_fs - - account_passwords_pam_faillock_audit - - disallow_bypass_password_sudo - - audit_rules_login_events_faillock - - audit_rules_dac_modification_fchown - - sudoers_explicit_command_args - - sshd_set_maxstartups - - accounts_root_gid_zero - - accounts_max_concurrent_login_sessions - - auditd_data_retention_num_logs - - audit_rules_dac_modification_setxattr - - file_owner_var_log - - prefer_64bit_os - - file_permissions_sshd_private_key - - sshd_disable_x11_forwarding - - mount_option_dev_shm_nosuid - - sshd_enable_x11_forwarding - - service_sshd_disabled - - audit_rules_kernel_module_loading - - sshd_disable_rhosts_rsa - - audit_rules_login_events - - sysctl_kernel_panic_on_oops - - file_permissions_audit_configuration - - harden_ssh_client_crypto_policy - - dhcp_server_minimize_served_info - - no_all_squash_exports - - sshd_set_max_auth_tries - - sshd_disable_kerb_auth - - sshd_disable_rhosts - - file_permissions_backup_etc_shadow - - service_ufw_enabled - - audit_rules_file_deletion_events_renameat - - package_openssh-server_installed - - accounts_logon_fail_delay - - selinux_state - - audit_rules_file_deletion_events - - audit_rules_dac_modification_fsetxattr - - file_groupowner_backup_etc_passwd - - file_groupowner_var_log_messages - - auditd_audispd_syslog_plugin_activated - - set_iptables_default_rule - - kernel_config_acpi_custom_method - - dir_permissions_binary_dirs - - file_groupowner_backup_etc_group - - sshd_disable_pubkey_auth - - package_gnutls-utils_installed - - dhcp_client_restrict_options - - audit_privileged_commands_reboot - - audit_rules_unsuccessful_file_modification_ftruncate - - file_permissions_binary_dirs - - auditd_freq - - package_aide_installed - - kernel_module_tipc_disabled - - accounts_passwords_pam_faillock_audit - - audit_rules_unsuccessful_file_modification_openat - - kernel_config_module_sig_all - - 
rsyslog_encrypt_offload_actionsendstreamdriverauthmode - - kernel_config_syn_cookies - - rsyslog_encrypt_offload_actionsendstreamdrivermode - - accounts_password_last_change_is_in_past - - auditd_data_disk_error_action_stig - - accounts_password_all_shadowed - - kernel_config_ia32_emulation - - rsyslog_accept_remote_messages_udp - - file_permissions_sshd_pub_key - - file_owner_var_log_messages - - file_permissions_var_log_syslog - - chronyd_specify_remote_server - - grub2_slab_nomerge_argument - - audit_rules_unsuccessful_file_modification_creat - - sshd_disable_root_password_login - - kernel_config_module_sig - - file_ownership_audit_configuration - - audit_rules_mac_modification_usr_share - - kernel_config_module_sig_force - - audit_rules_kernel_module_loading_finit - - service_chronyd_enabled - - file_owner_var_log_syslog - - sshd_limit_user_access - - audit_rules_mac_modification - - service_ip6tables_enabled - - audit_rules_time_watch_localtime - - service_snmpd_disabled diff --git a/products/debian10/profiles/standard.profile b/products/debian10/profiles/standard.profile deleted file mode 100644 index 446f5aca1d2..00000000000 --- a/products/debian10/profiles/standard.profile +++ /dev/null 
@@ -1,57 +0,0 @@
-documentation_complete: true
-
-title: 'Standard System Security Profile for Debian 10'
-
-description: |-
- This profile contains rules to ensure standard security baseline
- of a Debian 10 system. Regardless of your system's workload
- all of these checks should pass.
-
-selections:
- - partition_for_tmp
- - partition_for_var
- - partition_for_var_log
- - partition_for_var_log_audit
- - partition_for_home
- - package_audit_installed
- - package_cron_installed
- - package_ntp_installed
- - package_rsyslog_installed
- - package_telnetd_removed
- - package_inetutils-telnetd_removed
- - package_telnetd-ssl_removed
- - package_nis_removed
- - package_ntpdate_removed
- - service_auditd_enabled
- - service_cron_enabled
- - service_ntp_enabled
- - service_rsyslog_enabled
- - sshd_idle_timeout_value=5_minutes
- - sshd_set_idle_timeout
- - sshd_disable_root_login
- - sshd_disable_empty_passwords
- - sshd_allow_only_protocol2
- - var_sshd_set_keepalive=0
- - sshd_set_keepalive_0
- - rsyslog_files_ownership
- - rsyslog_files_groupownership
- - rsyslog_files_permissions
- - "!rsyslog_remote_loghost"
- - ensure_logrotate_activated
- - file_permissions_systemmap
- - file_permissions_etc_shadow
- - file_owner_etc_shadow
- - file_groupowner_etc_shadow
- - file_permissions_etc_gshadow
- - file_owner_etc_gshadow
- - file_groupowner_etc_gshadow
- - file_permissions_etc_passwd
- - file_owner_etc_passwd
- - file_groupowner_etc_passwd
- - file_permissions_etc_group
- - file_owner_etc_group
- - file_groupowner_etc_group
- - sysctl_fs_protected_symlinks
- - sysctl_fs_protected_hardlinks
- - sysctl_fs_suid_dumpable
- - sysctl_kernel_randomize_va_space
diff --git a/products/debian10/transforms/constants.xslt b/products/debian10/transforms/constants.xslt
deleted file mode 100644
index 4aa0fc2d5af..00000000000
--- a/products/debian10/transforms/constants.xslt
+++ /dev/null
@@ -1,13 +0,0 @@ - - - - -Debian 10 -Debian 10 -DEBIAN_10_STIG -debian10 - - -https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf - - diff --git a/products/debian10/transforms/table-style.xslt b/products/debian10/transforms/table-style.xslt deleted file mode 100644 index 8b6caeab8cd..00000000000 --- a/products/debian10/transforms/table-style.xslt +++ /dev/null @@ -1,5 +0,0 @@ - - - - - diff --git a/products/debian10/transforms/xccdf-apply-overlay-stig.xslt b/products/debian10/transforms/xccdf-apply-overlay-stig.xslt deleted file mode 100644 index 4789419b80a..00000000000 --- a/products/debian10/transforms/xccdf-apply-overlay-stig.xslt +++ /dev/null @@ -1,8 +0,0 @@ - - - - - - - - diff --git a/products/debian10/transforms/xccdf2table-cce.xslt b/products/debian10/transforms/xccdf2table-cce.xslt deleted file mode 100644 index f156a669566..00000000000 --- a/products/debian10/transforms/xccdf2table-cce.xslt +++ /dev/null @@ -1,9 +0,0 @@ - - - - - - - - - diff --git a/products/debian10/transforms/xccdf2table-profileccirefs.xslt b/products/debian10/transforms/xccdf2table-profileccirefs.xslt deleted file mode 100644 index 30419e92b28..00000000000 --- a/products/debian10/transforms/xccdf2table-profileccirefs.xslt +++ /dev/null @@ -1,9 +0,0 @@ - - - - - - - - - From 61e9d7b25e9f755f463eeee2f176c2c234ea2a7d Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Mon, 22 Jul 2024 11:21:20 -0500 Subject: [PATCH 2/9] Clean up Debian 10 in shared --- .../oval/installed_OS_is_debian10.xml | 27 ------------------- .../oval.template | 2 +- 2 files changed, 1 insertion(+), 28 deletions(-) delete mode 100644 shared/applicability/oval/installed_OS_is_debian10.xml diff --git a/shared/applicability/oval/installed_OS_is_debian10.xml b/shared/applicability/oval/installed_OS_is_debian10.xml deleted file mode 100644 index 9c096e837a6..00000000000 --- a/shared/applicability/oval/installed_OS_is_debian10.xml +++ /dev/null 
@@ -1,27 +0,0 @@ - - - - Debian Linux 10 - - multi_platform_all - - - The operating system installed on the system is Debian 10 - - - - - - - - - - - - - /etc/debian_version - ^10.[0-9]+$ - 1 - - - diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template index 056818149de..cf3e2f90f36 100644 --- a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template +++ b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template @@ -2,7 +2,7 @@ {{{ oval_metadata("All syslog log files should have appropriate ownership.") }}} - {{% if product in ["debian10", "debian11", "debian12", "ubuntu1604"] %}} + {{% if product in ["debian11", "debian12", "ubuntu1604"] %}} {{% endif %}} From 6012a4d0da2ae9e841422caf78fc2de0acdbddc6 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Mon, 22 Jul 2024 12:22:46 -0500 Subject: [PATCH 3/9] Update docs and Gitpod for Debian 10 removal --- .gitpod.launch.json | 4 ++-- docs/manual/developer/03_creating_content.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.gitpod.launch.json b/.gitpod.launch.json index 8561911a422..3a3214c003e 100644 --- a/.gitpod.launch.json +++ b/.gitpod.launch.json @@ -17,14 +17,14 @@ "type": "pickString", "options": [ "chromium", - "debian10", "debian11", + "debian11", "debian12", "eap6", "fedora", "firefox", "macos1015", "ocp4", "ol7", "ol8", - "opensuse", "rhel8", "rhel9", + "opensuse", "rhel8", "rhel9", "rhel10", "rhosp10", "rhosp13", "rhv4", "sle12", "sle15", diff --git a/docs/manual/developer/03_creating_content.md b/docs/manual/developer/03_creating_content.md index 96419b7fecb..c89155e1068 100644 --- a/docs/manual/developer/03_creating_content.md +++ b/docs/manual/developer/03_creating_content.md @@ -390,7 +390,7 @@ MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhosp", "rhv", "debian", "ubuntu",
 ...
 MULTI_PLATFORM_MAPPING = {
-    "multi_platform_debian": ["debian10", "debian11"],
+    "multi_platform_debian": ["debian11", "debian12"],
     "multi_platform_example": ["example"],
     "multi_platform_custom": ["custom6"],
     "multi_platform_fedora": ["fedora"],

From 9449798f7658cd4976ea53116927757e46794e6d Mon Sep 17 00:00:00 2001
From: Matthew Burket 
Date: Mon, 22 Jul 2024 12:26:31 -0500
Subject: [PATCH 4/9] Update build and tests system for Debian 10 removal

---
 CMakeLists.txt                            |  5 --
 ssg/constants.py                          |  5 +-
 tests/data/product_stability/debian10.yml | 85 -----------------------
 tests/unit/ssg-module/test_utils.py       |  2 +-
 4 files changed, 3 insertions(+), 94 deletions(-)
 delete mode 100644 tests/data/product_stability/debian10.yml

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 0cb15cb9b52..4b82fd3a147 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -88,7 +88,6 @@ option(SSG_PRODUCT_ALINUX3 "If enabled, the Alibaba Cloud Linux 3 SCAP content w
 option(SSG_PRODUCT_ANOLIS8 "If enabled, the Anolis OS 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_ANOLIS23 "If enabled, the Anolis OS 23 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_CHROMIUM "If enabled, the Chromium SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
-option(SSG_PRODUCT_DEBIAN10 "If enabled, the Debian 10 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_DEBIAN11 "If enabled, the Debian 11 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_DEBIAN12 "If enabled, the Debian 12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_EKS "If enabled, the EKS SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -317,7 +316,6 @@ message(STATUS "Alibaba Cloud Linux 3: ${SSG_PRODUCT_ALINUX3}")
 message(STATUS "Anolis OS 8: ${SSG_PRODUCT_ANOLIS8}")
 message(STATUS "Anolis OS 23: ${SSG_PRODUCT_ANOLIS23}")
 message(STATUS "Chromium: ${SSG_PRODUCT_CHROMIUM}")
-message(STATUS "Debian 10: ${SSG_PRODUCT_DEBIAN10}")
 message(STATUS "Debian 11: ${SSG_PRODUCT_DEBIAN11}")
 message(STATUS "Debian 12: ${SSG_PRODUCT_DEBIAN12}")
 message(STATUS "Example: ${SSG_PRODUCT_EXAMPLE}")
@@ -389,9 +387,6 @@ if(SSG_PRODUCT_CHROMIUM)
     add_subdirectory("products/chromium" "chromium")
 endif()
 
-if(SSG_PRODUCT_DEBIAN10)
-    add_subdirectory("products/debian10" "debian10")
-endif()
 if(SSG_PRODUCT_DEBIAN11)
     add_subdirectory("products/debian11" "debian11")
 endif()
diff --git a/ssg/constants.py b/ssg/constants.py
index d8731b51b6c..02defd2db2b 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -44,7 +44,7 @@
     'anolis23',
     'al2023',
     'chromium',
-    'debian10', 'debian11', 'debian12',
+    'debian11', 'debian12',
     'example',
     'eks',
     'fedora',
@@ -203,7 +203,6 @@
     "Anolis OS 23": "anolis23",
     "Amazon Linux 2023": "al2023",
     "Chromium": "chromium",
-    "Debian 10": "debian10",
     "Debian 11": "debian11",
     "Debian 12": "debian12",
     "Example": "example",
@@ -289,7 +288,7 @@
 MULTI_PLATFORM_MAPPING = {
     "multi_platform_alinux": ["alinux2", "alinux3"],
     "multi_platform_anolis": ["anolis8", "anolis23"],
-    "multi_platform_debian": ["debian10", "debian11", "debian12"],
+    "multi_platform_debian": ["debian11", "debian12"],
     "multi_platform_example": ["example"],
     "multi_platform_eks": ["eks"],
     "multi_platform_fedora": ["fedora"],
diff --git a/tests/data/product_stability/debian10.yml b/tests/data/product_stability/debian10.yml
deleted file mode 100644
index 667c3615c8e..00000000000
--- a/tests/data/product_stability/debian10.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-aide_also_checks_audispd: 'yes'
-aide_also_checks_rsyslog: 'no'
-aide_bin_path: /usr/sbin/aide
-aide_conf_path: /etc/aide.conf
-audisp_conf_path: /etc/audit
-auid: 1000
-basic_properties_derived: true
-benchmark_id: DEBIAN-10
-benchmark_root: ../../linux_os/guide
-chrony_conf_path: /etc/chrony/chrony.conf
-chrony_d_path: /etc/chrony/conf.d/
-cpes:
-- debian10:
-    check_id: installed_OS_is_debian10
-    name: cpe:/o:debian:debian_linux:10
-    title: Debian Linux 10
-cpes_root: ../../shared/applicability
-dconf_gdm_dir: gdm.d
-faillock_path: /var/run/faillock
-families:
-- debian
-- debian-like
-full_name: Debian 10
-gid_min: 1000
-groups: {}
-grub2_boot_path: /boot/grub
-grub2_uefi_boot_path: /boot/grub2
-grub_helper_executable: update-grub
-init_system: systemd
-major_version_ordinal: 10
-nobody_gid: 65534
-nobody_uid: 65534
-pkg_manager: apt_get
-pkg_system: dpkg
-platform_package_overrides:
-  aarch64_arch: null
-  gdm: gdm3
-  grub2: grub2-common
-  login_defs: login
-  net-snmp: snmp
-  no_ovirt: null
-  non-uefi: null
-  not_aarch64_arch: null
-  not_s390x_arch: null
-  nss-pam-ldapd: libpam-ldap
-  ovirt: null
-  pam: libpam-runtime
-  s390x_arch: null
-  shadow: login
-  sssd: sssd-common
-  sssd-ldap: null
-  uefi: null
-  zipl: s390utils-base
-product: debian10
-profiles_root: ./profiles
-reference_uris:
-  anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
-  app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
-  app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=container-platform
-  bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
-  cis: https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf
-  cis-csc: https://www.cisecurity.org/controls/
-  cjis: https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf
-  cobit5: https://www.isaca.org/resources/cobit
-  cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
-  dcid: not_officially_available
-  disa: https://public.cyber.mil/stigs/cci/
-  hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
-  isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
-  isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
-  ism: https://www.cyber.gov.au/acsc/view-all-content/ism
-  iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
-  nerc-cip: https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx
-  nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
-  nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
-  os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
-  ospp: https://www.niap-ccevs.org/Profile/PP.cfm
-  pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
-  pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
-  stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
-  stigref: https://public.cyber.mil/stigs/srg-stig-tools/
-sshd_distributed_config: 'false'
-sysctl_remediate_drop_in_file: 'false'
-type: platform
-uid_min: 1000
diff --git a/tests/unit/ssg-module/test_utils.py b/tests/unit/ssg-module/test_utils.py
index 962eb5b4839..151827a565a 100644
--- a/tests/unit/ssg-module/test_utils.py
+++ b/tests/unit/ssg-module/test_utils.py
@@ -12,7 +12,7 @@ def test_is_applicable():
 
     assert not utils.is_applicable('fedora,multi_platform_ubuntu', 'rhel7')
     assert not utils.is_applicable('ol7', 'rhel7')
-    assert not utils.is_applicable('al2023,alinux2,alinux3,anolis8,anolis23,fedora,debian10,debian11,uos20',
+    assert not utils.is_applicable('al2023,alinux2,alinux3,anolis8,anolis23,fedora,debian11,debian12,uos20',
                                        'rhel7')
 
 

From 9ec21f53f381f36c6d4934e58d4ab20a746f6aab Mon Sep 17 00:00:00 2001
From: Matthew Burket 
Date: Mon, 22 Jul 2024 12:27:07 -0500
Subject: [PATCH 5/9] Update Gating for Debian 10 Removal

Use Debian 12 for testing in CI now.
---
 .github/workflows/gate.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/gate.yaml b/.github/workflows/gate.yaml
index 8c1817207c4..259bb14ec5e 100644
--- a/.github/workflows/gate.yaml
+++ b/.github/workflows/gate.yaml
@@ -59,15 +59,15 @@ jobs:
         working-directory: ./build
 
   validate-debian:
-    name: Build, Test on Debian 10 (Container)
+    name: Build, Test on Debian 12 (Container)
     runs-on: ubuntu-latest
     container:
-      image: debian:buster
+      image: debian:bookworm
     steps:
       - name: Update the package repository
         run: apt-get update
       - name: Install Deps
-        run: apt-get install -y ansible-lint bats check cmake libopenscap8 libxml2-utils ninja-build python3-github python3-pip xsltproc libxslt1-dev libxml2-dev zlib1g-dev
+        run: apt-get install -y ansible-lint bats check cmake openscap-scanner openscap-utils libxml2-utils ninja-build python3-github python3-pip xsltproc libxslt1-dev libxml2-dev zlib1g-dev
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
       - name: Upgrade pip python
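Review bot: The container image on the new `image: debian:bookworm` line is referenced by a mutable tag, while the checkout action a few lines below it is pinned to a full commit SHA. Pinning the image by digest as well, `image: debian:bookworm@sha256:<digest-of-reviewed-image>`, would stop the gate from silently running on a different base image from one run to the next. A short comment next to the digest naming the tag it was taken from keeps later updates easy to review. The job's remaining steps continue outside this hunk.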
@@ -78,7 +78,7 @@ jobs:
         env:
           ADDITIONAL_CMAKE_OPTIONS: "-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED=ON -DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF"
         run: |-
-          ./build_product debian10 debian11 debian12
+          ./build_product debian11 debian12
       - name: Test
         working-directory: ./build
         run: ctest -j2 --output-on-failure -E unique-stigids

From 7c262003e3ac7e5ae457b4a5479384683342be9c Mon Sep 17 00:00:00 2001
From: Matthew Burket 
Date: Mon, 22 Jul 2024 12:27:31 -0500
Subject: [PATCH 6/9] Update rules since Debian 10 was removed

---
 linux_os/guide/auditing/package_audit_installed/rule.yml        | 1 -
 linux_os/guide/auditing/service_auditd_enabled/rule.yml         | 1 -
 .../disabling_snmp_service/package_net-snmp_removed/rule.yml    | 1 -
 .../snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml | 1 -
 linux_os/guide/services/ssh/service_sshd_disabled/rule.yml      | 1 -
 .../services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml     | 1 -
 .../rsyslog_logging_configured/oval/shared.xml                  | 2 +-
 .../file_groupowner_backup_etc_gshadow/rule.yml                 | 1 -
 .../file_permissions_backup_etc_gshadow/rule.yml                | 1 -
 .../file_permissions_backup_etc_shadow/rule.yml                 | 1 -
 .../file_permissions_etc_gshadow/rule.yml                       | 1 -
 .../file_permissions_etc_shadow/rule.yml                        | 1 -
 12 files changed, 1 insertion(+), 12 deletions(-)

diff --git a/linux_os/guide/auditing/package_audit_installed/rule.yml b/linux_os/guide/auditing/package_audit_installed/rule.yml
index 552b27f738f..7f037efd2b2 100644
--- a/linux_os/guide/auditing/package_audit_installed/rule.yml
+++ b/linux_os/guide/auditing/package_audit_installed/rule.yml
@@ -59,6 +59,5 @@ template:
         pkgname@ubuntu1804: auditd
         pkgname@ubuntu2004: auditd
         pkgname@ubuntu2204: auditd
-        pkgname@debian10: auditd
         pkgname@debian11: auditd
         pkgname@debian12: auditd
diff --git a/linux_os/guide/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/auditing/service_auditd_enabled/rule.yml
index 7fc1fd1a625..56b90f8f02f 100644
--- a/linux_os/guide/auditing/service_auditd_enabled/rule.yml
+++ b/linux_os/guide/auditing/service_auditd_enabled/rule.yml
@@ -82,7 +82,6 @@ template:
     vars:
         servicename: auditd
         packagename: audit
-        packagename@debian10: auditd
         packagename@debian11: auditd
         packagename@debian12: auditd
         packagename@ubuntu1604: auditd
diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
index c39820631de..560c867f267 100644
--- a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
+++ b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
@@ -42,7 +42,6 @@ template:
     name: package_removed
     vars:
         pkgname: net-snmp
-        pkgname@debian10: snmp
         pkgname@debian11: snmp
         pkgname@ubuntu1604: snmp
         pkgname@ubuntu1804: snmp
diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
index 9a168127ab3..4be58ce9312 100644
--- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
+++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
@@ -36,7 +36,6 @@ template:
     name: service_disabled
     vars:
         servicename: snmpd
-        packagename@debian10: snmpd
         packagename@debian11: snmpd
         packagename@debian12: snmpd
         packagename: net-snmp
diff --git a/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml
index b7e48957f81..3253fc499a3 100644
--- a/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml
+++ b/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml
@@ -46,7 +46,6 @@ template:
         packagename: openssh-server
         packagename@opensuse: openssh
         packagename@sle12: openssh
-        daemonname@debian10: ssh
         daemonname@debian11: ssh
         daemonname@ubuntu1604: ssh
         daemonname@ubuntu1804: ssh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
index 4989d0dcbbb..e8ad0e5047b 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
@@ -30,7 +30,6 @@ identifiers:
     cce@sle15: CCE-91394-7
 
 references:
-    cis@debian10: 9.3.2
     cis@debian11: 9.3.2
     cis@sle12: 5.2.5
     cis@sle15: 5.2.5
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml
index 8951448e918..94ce9d66f61 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml
@@ -3,7 +3,7 @@
     {{{ oval_metadata("Syslog logs should be configured") }}}
 
     
-      {{% if product in ["debian10", "debian11", "ubuntu1604", "ubuntu1804"] %}}
+      {{% if product in ["debian11", "ubuntu1604", "ubuntu1804"] %}}
       
       {{% endif %}}
       
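Review bot: The product list on the new `{{% if product in [...] %}}` line keeps `debian11` but does not name `debian12`, although other rules touched by this patch carry `@debian12` overrides next to their `@debian11` ones. If Debian 12 uses the same rsyslog layout, the criteria inside this branch are skipped for it, and the line would then read `{{% if product in ["debian11", "debian12", "ubuntu1604", "ubuntu1804"] %}}`. The body of the conditional is not readable in this hunk, so this needs confirming against the file.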
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
index 4597c54ae17..b1677b1ee3d 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
@@ -47,7 +47,6 @@ template:
     vars:
         filepath: /etc/gshadow-
         gid_or_name: '0'
-        gid_or_name@debian10: '42'
         gid_or_name@debian11: '42'
         gid_or_name@debian12: '42'
         gid_or_name@ubuntu1604: '42'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
index e004d565104..491c0bc766c 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
@@ -50,7 +50,6 @@ template:
     vars:
         filepath: /etc/gshadow-
         filemode: '0000'
-        filemode@debian10: '0640'
         filemode@debian11: '0640'
         filemode@debian12: '0640'
         filemode@ubuntu1604: '0640'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
index 459bf6106dc..126fc77a62a 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
@@ -52,7 +52,6 @@ template:
     vars:
         filepath: /etc/shadow-
         filemode: '0000'
-        filemode@debian10: '0640'
         filemode@debian11: '0640'
         filemode@debian12: '0640'
         filemode@ubuntu1604: '0640'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
index c8d774fdfbb..353bcab6ed2 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
@@ -56,7 +56,6 @@ template:
     vars:
         filepath: /etc/gshadow
         filemode: '0000'
-        filemode@debian10: '0640'
         filemode@debian11: '0640'
         filemode@debian12: '0640'
         filemode@ubuntu1604: '0640'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
index 81cae327912..6ee4795ac32 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
@@ -65,7 +65,6 @@ template:
     vars:
         filepath: /etc/shadow
         filemode: '0000'
-        filemode@debian10: '0640'
         filemode@debian11: '0640'
         filemode@debian12: '0640'
         filemode@sle12: '0640'

From 8c0ee28a80fdebbe51b03c62188fa75bb5575a81 Mon Sep 17 00:00:00 2001
From: Matthew Burket 
Date: Mon, 22 Jul 2024 13:35:46 -0500
Subject: [PATCH 7/9] Add Debian 10 Removal to content notes

---
 docs/manual/user/30_content_notes.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/manual/user/30_content_notes.md b/docs/manual/user/30_content_notes.md
index 96352d0d664..67069333727 100644
--- a/docs/manual/user/30_content_notes.md
+++ b/docs/manual/user/30_content_notes.md
@@ -7,6 +7,7 @@ Below is list of products that have been removed from the project.
 |----------------------------------------------|--------------------|------------------------------------------------------------------------------------|
 | Debian 8                                     | June 30, 2020      | [content 0.1.52](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52) |
 | Debian 9                                     | June 30, 2022      | [content 0.1.65](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.65) |
+| Debian 10                                    | June 30, 2024      | [content 0.1.73](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.73) |
 | Java Runtime Environment                     | -                  | [content 0.1.64](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.64) |
 | JBoss EAP 5                                  | November 30, 2016  | [content 0.1.35](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.35) |
 | JBoss EAP 6                                  | June 30, 2019      | [content 0.1.53](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.53) |

From e459129fcff563fba5df6a9d1e89b3448e2010b3 Mon Sep 17 00:00:00 2001
From: Matthew Burket 
Date: Mon, 22 Jul 2024 14:13:53 -0500
Subject: [PATCH 8/9] Fix Debian 12 CI

---
 .github/workflows/gate.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/gate.yaml b/.github/workflows/gate.yaml
index 259bb14ec5e..97f996c72da 100644
--- a/.github/workflows/gate.yaml
+++ b/.github/workflows/gate.yaml
@@ -67,13 +67,13 @@ jobs:
       - name: Update the package repository
         run: apt-get update
       - name: Install Deps
-        run: apt-get install -y ansible-lint bats check cmake openscap-scanner openscap-utils libxml2-utils ninja-build python3-github python3-pip xsltproc libxslt1-dev libxml2-dev zlib1g-dev
+        run: apt-get install -y ansible-lint bats check cmake openscap-scanner openscap-utils libxml2-utils ninja-build python3-pip xsltproc libxslt1-dev libxml2-dev zlib1g-dev python3.11-venv
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
       - name: Upgrade pip python
-        run: pip3 install --upgrade pip
+        run: pip install --upgrade pip --break-system-packages
       - name: Install deps python
-        run: pip3 install -r requirements.txt -r test-requirements.txt --ignore-installed PyYAML
+        run: pip3 install -r requirements.txt -r test-requirements.txt --ignore-installed PyYAML PyGithub --break-system-packages
       - name: Build
         env:
           ADDITIONAL_CMAKE_OPTIONS: "-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED=ON -DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF"
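Review bot: Both pip steps now pass `--break-system-packages`, which switches off the externally-managed-environment guard and lets pip overwrite apt-installed Python modules as root. The same hunk adds `python3.11-venv` to the apt line, yet no visible step creates a virtual environment. Installing into a venv would make the flag unnecessary; the sketch below uses a constructed path, and it still has to be checked that the Build and Test steps pick up the venv interpreter. `PyGithub` also moves from the distro package to an unversioned PyPI install on the command line, so listing it with a version in one of the requirements files would keep it under the same review as the other dependencies. The Build step continues outside this hunk.

```yaml
      - name: Create virtualenv
        run: |
          python3 -m venv /opt/ci-venv   # constructed path
          echo "/opt/ci-venv/bin" >> "$GITHUB_PATH"
      # … unchanged: Checkout …
      - name: Upgrade pip python
        run: pip install --upgrade pip
      - name: Install deps python
        run: pip install -r requirements.txt -r test-requirements.txt --ignore-installed PyYAML PyGithub
```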

From e3135b52728d8f41eacb948bfb63783b310ac783 Mon Sep 17 00:00:00 2001
From: Matthew Burket 
Date: Wed, 24 Jul 2024 09:55:40 -0500
Subject: [PATCH 9/9] Remove DEBIAN12 ./build_product

---
 build_product | 1 -
 1 file changed, 1 deletion(-)

diff --git a/build_product b/build_product
index ecb93022c28..b3246a268cd 100755
--- a/build_product
+++ b/build_product
@@ -354,7 +354,6 @@ all_cmake_products=(
 	ANOLIS8
 	ANOLIS23
 	CHROMIUM
-	DEBIAN10
 	DEBIAN11
 	DEBIAN12
 	EXAMPLE