Merge pull request #12432 from a-skr/feature-debian12.6

Feature debian12.6

linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml

@@ -48,3 +48,4 @@ template:
         servicename: chronyd
         servicename@ubuntu2004: chrony
         servicename@ubuntu2204: chrony
+        servicename@debian12: chrony

linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml

@@ -4,7 +4,11 @@ documentation_complete: true
 title: 'Enable the NTP Daemon'
 
 description: |-
+    {{% if "debian" in product %}}
+    {{{ ocil_service_enabled(service="chrony") }}}
+    {{% else %}}
     {{{ ocil_service_enabled(service="chronyd") }}}
+    {{% endif %}}
     Note: The <tt>chronyd</tt> daemon is enabled by default.
     <br /><br />
     {{{ ocil_service_enabled(service="ntpd") }}}
@@ -23,7 +27,7 @@ description: |-
     for guidance which NTP daemon to choose depending on the environment used.
 
 rationale: |-
-    Enabling some of <tt>chronyd</tt> or <tt>ntpd</tt> services ensures
+    Enabling some of {{% if "debian" in product %}}<tt>chrony</tt>{{% else %}}<tt>chronyd</tt>{{% endif %}} or <tt>ntpd</tt> services ensures
     that the NTP daemon will be running and that the system will synchronize its
     time to any servers specified. This is important whether the system is
     configured to be a client (and synchronize only its own clock) or it is also
@@ -60,5 +64,9 @@ references:
     srg: SRG-APP-000116-CTR-000235
 
 ocil: |-
+    {{% if "debian" in product %}}
+    {{{ ocil_service_enabled(service="chrony") }}}
+    {{% else %}}
     {{{ ocil_service_enabled(service="chronyd") }}}
+    {{% endif %}}
     {{{ ocil_service_enabled(service="ntpd") }}}

linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/bash/shared.sh

@@ -2,9 +2,13 @@
 
 {{{ bash_package_install("aide") }}}
 
-aide_conf="/etc/aide.conf"
+aide_conf="{{{ aide_conf_path }}}"
 
+{{% if "debian" in product %}}
+groups=$(LC_ALL=C grep "^OwnerMode" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
+{{% else %}}
 groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
+{{% endif %}}
 
 for group in $groups
 do

linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/oval/shared.xml

@@ -3,20 +3,24 @@
     {{{ oval_metadata("AIDE should be configured to verify Access Control Lists (ACLs).") }}}
     <criteria operator="AND">
       <extend_definition comment="Aide is installed" definition_ref="package_aide_installed" />
-      <criterion comment="acl is set in /etc/aide.conf" test_ref="test_aide_verify_acls" />
+      <criterion comment="acl is set in {{{ aide_conf_path }}}" test_ref="test_aide_verify_acls" />
     </criteria>
   </definition>
 
   <ind:textfilecontent54_test id="test_aide_verify_acls"
-  comment="acl is set in /etc/aide.conf" check="all"
+  comment="acl is set in {{{ aide_conf_path }}}" check="all"
   check_existence="all_exist" version="1">
     <ind:object object_ref="object_aide_verify_acls" />
     <ind:state state_ref="state_aide_verify_acls" />
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_aide_verify_acls"
   version="2">
-    <ind:filepath>/etc/aide.conf</ind:filepath>
+    <ind:filepath>{{{ aide_conf_path }}}</ind:filepath>
+    {{% if "debian" in product %}}
+    <ind:pattern operation="pattern match">^(?!ALLXTRAHASHES)OwnerMode[\s]*=[\s]*([a-zA-Z0-9\+]*)$</ind:pattern>
+    {{% else %}}
     <ind:pattern operation="pattern match">^(?!ALLXTRAHASHES)[A-Z][a-zA-Z_]*[\s]*=[\s]*([a-zA-Z0-9\+]*)$</ind:pattern>
+    {{% endif %}}
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 

linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml

@@ -7,14 +7,19 @@ description: |-
     By default, the <tt>acl</tt> option is added to the <tt>FIPSR</tt> ruleset in AIDE.
     If using a custom ruleset or the <tt>acl</tt> option is missing, add <tt>acl</tt>
     to the appropriate ruleset.
-    For example, add <tt>acl</tt> to the following line in <tt>/etc/aide.conf</tt>:
+    For example, add <tt>acl</tt> to the following line in <tt>{{{ aide_conf_path }}}</tt>:
     <pre>FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256</pre>
     AIDE rules can be configured in multiple ways; this is merely one example that is already
     configured by default.
 
+    {{% if "debian" in product %}}
+    The remediation provided with this rule adds <tt>acl</tt> to the OwnerMode rule
+    in <tt>{{{ aide_conf_path }}}</tt>
+    {{% else %}}
     The remediation provided with this rule adds <tt>acl</tt> to all rule sets available in
-    <tt>/etc/aide.conf</tt>
-
+    <tt>{{{ aide_conf_path }}}</tt>
+    {{% endif %}}
+    
 rationale: |-
     ACLs can provide permissions beyond those permitted through the file mode and must be
     verified by the file integrity tools.
@@ -49,7 +54,7 @@ ocil_clause: 'the acl option is missing or not added to the correct ruleset'
 
 ocil: |-
     To determine that AIDE is verifying ACLs, run the following command:
-    <pre>$ grep acl /etc/aide.conf</pre>
+    <pre>$ grep acl {{{ aide_conf_path }}}</pre>
     Verify that the <tt>acl</tt> option is added to the correct ruleset.
 
 fixtext: |-

linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/bash/shared.sh

@@ -2,9 +2,13 @@
 
 {{{ bash_package_install("aide") }}}
 
-aide_conf="/etc/aide.conf"
+aide_conf="{{{ aide_conf_path }}}"
 
+{{% if "debian" in product %}}
+groups=$(LC_ALL=C grep "^InodeData" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
+{{% else %}}
 groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
+{{% endif %}}
 
 for group in $groups
 do

linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/oval/shared.xml

@@ -3,20 +3,24 @@
     {{{ oval_metadata("AIDE should be configured to verify extended file attributes.") }}}
     <criteria operator="AND">
       <extend_definition comment="Aide is installed" definition_ref="package_aide_installed" />
-      <criterion comment="xattrs is set in /etc/aide.conf" test_ref="test_aide_verify_ext_attributes" />
+      <criterion comment="xattrs is set in {{{ aide_conf_path }}}" test_ref="test_aide_verify_ext_attributes" />
     </criteria>
   </definition>
 
   <ind:textfilecontent54_test id="test_aide_verify_ext_attributes"
-  comment="xattrs is set in /etc/aide.conf" check="all"
+  comment="xattrs is set in {{{ aide_conf_path }}}" check="all"
   check_existence="all_exist" version="1">
     <ind:object object_ref="object_aide_verify_ext_attributes" />
     <ind:state state_ref="state_aide_verify_ext_attributes" />
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_aide_verify_ext_attributes"
   version="2">
-    <ind:filepath>/etc/aide.conf</ind:filepath>
+    <ind:filepath>{{{ aide_conf_path }}}</ind:filepath>
+    {{% if "debian" in product %}}
+    <ind:pattern operation="pattern match">^(?!ALLXTRAHASHES)InodeData[\s]*=[\s]*([a-zA-Z0-9\+]*)$</ind:pattern>
+    {{% else %}}
     <ind:pattern operation="pattern match">^(?!ALLXTRAHASHES)[A-Z][a-zA-Z_]*[\s]*=[\s]*([a-zA-Z0-9\+]*)$</ind:pattern>
+    {{% endif %}}
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 

linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml

@@ -7,14 +7,19 @@ description: |-
     By default, the <tt>xattrs</tt> option is added to the <tt>FIPSR</tt> ruleset in AIDE.
     If using a custom ruleset or the <tt>xattrs</tt> option is missing, add <tt>xattrs</tt>
     to the appropriate ruleset.
-    For example, add <tt>xattrs</tt> to the following line in <tt>/etc/aide.conf</tt>:
+    For example, add <tt>xattrs</tt> to the following line in <tt>{{{ aide_conf_path }}}</tt>:
     <pre>FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256</pre>
     AIDE rules can be configured in multiple ways; this is merely one example that is already
     configured by default.
 
+    {{% if "debian" in product %}}
+    The remediation provided with this rule adds <tt>xattrs</tt> to the InodeData rule in
+    <tt>{{{ aide_conf_path }}}</tt>
+    {{% else %}}
     The remediation provided with this rule adds <tt>xattrs</tt> to all rule sets available in
-    <tt>/etc/aide.conf</tt>
-
+    <tt>{{{ aide_conf_path }}}</tt>
+    {{% endif %}}
+    
 rationale: |-
     Extended attributes in file systems are used to contain arbitrary data and file metadata
     with security implications.
@@ -49,7 +54,7 @@ ocil_clause: 'the xattrs option is missing or not added to the correct ruleset'
 
 ocil: |-
     To determine that AIDE is verifying extended file attributes, run the following command:
-    <pre>$ grep xattrs /etc/aide.conf</pre>
+    <pre>$ grep xattrs {{{ aide_conf_path }}}</pre>
     Verify that the <tt>xattrs</tt> option is added to the correct ruleset.
 
 fixtext: |-

products/debian12/product.yml

@@ -21,7 +21,8 @@ oval_feed_url: "https://www.debian.org/security/oval/oval-definitions-bookworm.x
 
 chrony_conf_path: "/etc/chrony/chrony.conf"
 chrony_d_path: "/etc/chrony/chrony.d/"
-
+aide_conf_path: "/etc/aide/aide.conf"
+
 cpes_root: "../../shared/applicability"
 cpes:
   - debian12:

tests/data/product_stability/debian12.yml

@@ -1,7 +1,7 @@
 aide_also_checks_audispd: 'no'
 aide_also_checks_rsyslog: 'no'
 aide_bin_path: /usr/sbin/aide
-aide_conf_path: /etc/aide.conf
+aide_conf_path: /etc/aide/aide.conf
 audisp_conf_path: /etc/audit
 auid: 1000
 basic_properties_derived: true