diff --git a/.github/workflows/gate.yaml b/.github/workflows/gate.yaml index 847aa3e4bb5..c4a5ce0f6bd 100644 --- a/.github/workflows/gate.yaml +++ b/.github/workflows/gate.yaml @@ -21,6 +21,29 @@ jobs: run: ctest -j2 --output-on-failure -E unique-stigids working-directory: ./build + validate-debian: + name: Build, Test on Debian 10 (Container) + runs-on: ubuntu-latest + container: + image: debian:buster + steps: + - name: Update the package repository + run: apt-get update + - name: Install Deps + run: apt-get install -y ansible-lint bats check cmake expat libopenscap8 libxml2-utils ninja-build python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-yaml xsltproc + - name: Install deps python + run: pip3 install ruamel.yaml yamlpath + - name: Checkout + uses: actions/checkout@v2 + - name: Build + env: + ADDITIONAL_CMAKE_OPTIONS: "-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED=ON" + run: |- + ./build_product debian9 debian10 debian11 + - name: Test + working-directory: ./build + run: ctest -j2 --output-on-failure -E unique-stigids + validate-ubuntu: name: Build, Test on Ubuntu 20.04 runs-on: ubuntu-20.04 diff --git a/CMakeLists.txt b/CMakeLists.txt index 0dc93f3b72d..79ec09693ea 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -68,6 +68,7 @@ option(SSG_PRODUCT_DEFAULT "If enabled, all default release products will be bui option(SSG_PRODUCT_CHROMIUM "If enabled, the Chromium SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_DEBIAN9 "If enabled, the Debian 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_DEBIAN10 "If enabled, the Debian 10 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) +option(SSG_PRODUCT_DEBIAN11 "If enabled, the Debian 11 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_EXAMPLE "If enabled, the Example SCAP content will be built" FALSE) option(SSG_PRODUCT_FEDORA "If enabled, the Fedora SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_FIREFOX "If enabled, the Firefox SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) @@ -263,6 +264,7 @@ message(STATUS "Products:") message(STATUS "Chromium: ${SSG_PRODUCT_CHROMIUM}") message(STATUS "Debian 9: ${SSG_PRODUCT_DEBIAN9}") message(STATUS "Debian 10: ${SSG_PRODUCT_DEBIAN10}") +message(STATUS "Debian 11: ${SSG_PRODUCT_DEBIAN11}") message(STATUS "Example: ${SSG_PRODUCT_EXAMPLE}") message(STATUS "Fedora: ${SSG_PRODUCT_FEDORA}") message(STATUS "Firefox: ${SSG_PRODUCT_FIREFOX}") @@ -333,6 +335,9 @@ endif() if (SSG_PRODUCT_DEBIAN10) add_subdirectory("products/debian10" "debian10") endif() +if (SSG_PRODUCT_DEBIAN11) + add_subdirectory("products/debian11" "debian11") +endif() if (SSG_PRODUCT_EXAMPLE) add_subdirectory("products/example" "example") endif() diff --git a/build_product b/build_product index 050617dc8e4..4d7aae8762c 100755 --- a/build_product +++ b/build_product @@ -285,6 +285,7 @@ all_cmake_products=( CHROMIUM DEBIAN9 DEBIAN10 + DEBIAN11 EXAMPLE FEDORA FIREFOX diff --git a/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/rule.yml b/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/rule.yml index 83e1d2e2ae6..fed7bb04abb 100644 --- a/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/rule.yml +++ b/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,ubuntu1604,ubuntu1804,ubuntu2004 +prodtype: debian11,debian10,debian9,ubuntu1604,ubuntu1804,ubuntu2004 title: 'Disable unauthenticated repositories in APT configuration' diff --git a/linux_os/guide/services/apt/apt_sources_list_official/oval/debian11.xml b/linux_os/guide/services/apt/apt_sources_list_official/oval/debian11.xml new file mode 100644 index 00000000000..92d26aea65e --- /dev/null +++ b/linux_os/guide/services/apt/apt_sources_list_official/oval/debian11.xml @@ -0,0 +1,27 @@ + + + {{{ oval_metadata("Official distribution repositories contain up-to-date distribution security and functional patches.") }}} + + + + + + + + + + ^/etc/apt/sources(.d\/[a-zA-Z0-9]+){0,1}.list$ + ^deb[\s]+http://[a-z\.]+\.debian\.org/debian[/]?[\s]+bullseye[\s]+main + 1 + + + + + + ^/etc/apt/sources(.d\/[a-zA-Z0-9]+){0,1}.list$ + ^deb[\s]+http://security\.debian\.org/debian-security[/]?[\s]+bullseye-security[\s]+main + 1 + + diff --git a/linux_os/guide/services/apt/apt_sources_list_official/rule.yml b/linux_os/guide/services/apt/apt_sources_list_official/rule.yml index 60b673a4f2e..61e0662f54e 100644 --- a/linux_os/guide/services/apt/apt_sources_list_official/rule.yml +++ b/linux_os/guide/services/apt/apt_sources_list_official/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9 +prodtype: debian11,debian10,debian9 title: 'Ensure that official distribution repositories are used' diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml index bf6298fe1e4..30fa4c70bd8 100644 --- a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml +++ b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 title: 'Uninstall net-snmp Package' @@ -41,6 +41,7 @@ template: pkgname: net-snmp pkgname@debian9: snmp pkgname@debian10: snmp + pkgname@debian11: snmp pkgname@ubuntu1604: snmp pkgname@ubuntu1804: snmp pkgname@ubuntu2004: snmp diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml index 66a71f85331..db2ba677cba 100644 --- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml +++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,rhel7,rhel8,rhel9,sle15 +prodtype: debian11,debian10,debian9,rhel7,rhel8,rhel9,sle15 title: 'Disable snmpd Service' @@ -36,4 +36,5 @@ template: servicename: snmpd packagename@debian9: snmpd packagename@debian10: snmpd + packagename@debian11: snmpd packagename: net-snmp diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml index 4e4f24f3001..632c711183a 100644 --- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml +++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = debian 10,debian 9,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,WRLinux 1019 +# platform = debian 11,debian 10,debian 9,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,WRLinux 1019 # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh index 11b71c46827..a76c29731a3 100644 --- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh +++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = debian 10,debian 9,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,WRLinux 1019 +# platform = debian 11,debian 10,debian 9,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,WRLinux 1019 {{{ bash_instantiate_variables("var_snmpd_ro_string", "var_snmpd_rw_string") }}} diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml index 19775b8cf60..ff958f108ff 100644 --- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml +++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhel7,rhel8,wrlinux1019 +prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhel7,rhel8,wrlinux1019 title: 'Ensure Default SNMP Password Is Not Used' diff --git a/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml index 220f444874c..d33b2612305 100644 --- a/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml +++ b/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml @@ -5,7 +5,7 @@ title: 'Disable SSH Server If Possible (Unusual)' description: |- The SSH server service, sshd, is commonly needed. However, if it can be disabled, do so. - {{% if product in ['debian9', 'debian10', 'ubuntu1604', 'ubuntu1804'] %}} + {{% if product in ['debian9', 'debian10', 'debian11', 'ubuntu1604', 'ubuntu1804'] %}} {{{ describe_service_disable(service="sshd") }}} {{% else %}} {{{ describe_service_disable(service="sshd") }}} @@ -29,5 +29,6 @@ template: packagename@sle12: openssh daemonname@debian9: ssh daemonname@debian10: ssh + daemonname@debian11: ssh daemonname@ubuntu1604: ssh daemonname@ubuntu1804: ssh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml index 5b7703d7da5..e8af1415311 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml @@ -25,6 +25,7 @@ identifiers: references: cis@debian10: 9.3.2 + cis@debian11: 9.3.2 cis@rhel7: 5.3.5 cis@rhel8: 5.2.5 cis@sle12: 5.3.6 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml index 47d0fe85403..185f9fc9380 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml @@ -21,6 +21,7 @@ identifiers: references: cis@debian9: 9.3.5 + cis@debian11: 9.3.5 cis@rhel7: 5.3.7 cis@rhel8: 5.2.7 cis@sle12: 5.3.8 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml index 1de2b794ce3..b60d5c86cc8 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 +prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 title: 'Ensure auditd Collects File Deletion Events by User' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml index e2ff8a026b6..691dc30d493 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 +prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 title: 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml index 247647b856b..b4eccbbb33d 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 title: 'Record Unsuccessful Access Attempts to Files - creat' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml index 21c8ee76eb8..2f6b9af5164 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 title: 'Record Unsuccessful Access Attempts to Files - ftruncate' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml index 9d8342f82e7..a5b48fad104 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 title: 'Record Unsuccessful Access Attempts to Files - open' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml index 9bb5ffe3fcb..3de4de015f3 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 title: 'Record Unsuccessful Access Attempts to Files - open_by_handle_at' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml index 6f0d00bf482..c758d704985 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 title: 'Record Unsuccessful Access Attempts to Files - openat' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml index f988e4ec8ff..3d7e3ea0fcc 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 title: 'Record Unsuccessful Access Attempts to Files - truncate' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml index 55246da9677..e26878f293c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 +prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml index cc4e3a609b6..52d25b3715e 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 title: 'Ensure auditd Collects Information on Kernel Module Unloading - delete_module' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml index aa170023215..b3d3d88eb62 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml index 470429cc704..d51738c2f21 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 title: 'Ensure auditd Collects Information on Kernel Module Loading - init_module' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml index c062cf525c5..1d4bab4ca7d 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 +prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 title: 'Record Attempts to Alter Logon and Logout Events' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml index 6dda4dd8b90..f0617c83288 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 +prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 title: 'Record Attempts to Alter Logon and Logout Events - faillock' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml index 902f411e4af..4be3216caa6 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 title: 'Record Attempts to Alter Logon and Logout Events - lastlog' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml index 0da922289c0..fae95e0ef71 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 title: 'Record Attempts to Alter Logon and Logout Events - tallylog' diff --git a/linux_os/guide/system/auditing/package_audit_installed/rule.yml b/linux_os/guide/system/auditing/package_audit_installed/rule.yml index 8f4e46e976a..886dafad1bf 100644 --- a/linux_os/guide/system/auditing/package_audit_installed/rule.yml +++ b/linux_os/guide/system/auditing/package_audit_installed/rule.yml @@ -46,3 +46,4 @@ template: pkgname@ubuntu2004: auditd pkgname@debian9: auditd pkgname@debian10: auditd + pkgname@debian11: auditd diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml index 539e2a4a8a7..71253143ef1 100644 --- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml +++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml @@ -71,6 +71,7 @@ template: packagename: audit packagename@debian9: auditd packagename@debian10: auditd + packagename@debian11: auditd packagename@ubuntu1604: auditd packagename@ubuntu1804: auditd packagename@ubuntu2004: auditd diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml index 8b955b06b07..96d477ea23b 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml @@ -3,7 +3,7 @@ {{{ oval_metadata("All syslog log files should be owned by the appropriate group.") }}} - {{% if product in ["debian9", "debian10", "ubuntu1604"] %}} + {{% if product in ["debian9", "debian10", "debian11", "ubuntu1604"] %}} {{% endif %}} @@ -106,7 +106,7 @@ regular - {{% if product in ["debian9", "debian10", "ubuntu1604", "ubuntu2004"] %}} + {{% if product in ["debian9", "debian10", "debian11", "ubuntu1604", "ubuntu2004"] %}} 4 {{% else %}} 0 diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh index ca659a24080..c1236f84d45 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh @@ -48,7 +48,7 @@ do unset ARRAY_FOR_LOG_FILE fi done -{{% if product in ["debian9", "debian10", "ubuntu1604", "ubuntu1804", "ubuntu2004", "sle15", "sle12"] %}} +{{% if product in ["debian9", "debian10", "debian11", "ubuntu1604", "ubuntu1804", "ubuntu2004", "sle15", "sle12"] %}} DESIRED_PERM_MOD=640 {{% else %}} DESIRED_PERM_MOD=600 diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml index c0557c881fe..a04e6fd8900 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml @@ -3,7 +3,7 @@ {{{ oval_metadata("File permissions for all syslog log files should be set correctly.") }}} - {{% if product in ["debian9", "debian10", "ubuntu1604", "ubuntu1804"] %}} + {{% if product in ["debian9", "debian10", "debian11", "ubuntu1604", "ubuntu1804"] %}} {{% endif %}} @@ -108,7 +108,7 @@ regular false - {{% if product in ["debian9", "debian10", "ubuntu1604", "ubuntu1804", "ubuntu2004", "sle15", "sle12"] %}} + {{% if product in ["debian9", "debian10", "debian11", "ubuntu1604", "ubuntu1804", "ubuntu2004", "sle15", "sle12"] %}} true {{% else %}} false diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml index bc75de1e413..ac80bf2a15c 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml @@ -66,5 +66,6 @@ template: datatype: int sysctlval@debian9: '' sysctlval@debian10: '' + sysctlval@debian11: '' sysctlval@ubuntu1604: '' sysctlval@ubuntu1804: '' diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml index f1f7c7a4d65..128acbffff5 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml @@ -38,6 +38,7 @@ template: filegid: '0' filegid@debian9: '42' filegid@debian10: '42' + filegid@debian11: '42' filegid@ubuntu1604: '42' filegid@ubuntu1804: '42' filegid@ubuntu2004: '42' diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml index 88208c25d80..8bcb98d9fd1 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml @@ -41,6 +41,7 @@ template: filegid: '0' filegid@debian9: '42' filegid@debian10: '42' + filegid@debian11: '42' filegid@ubuntu1604: '42' filegid@ubuntu1804: '42' filegid@ubuntu2004: '42' diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml index ca65dbc5af7..dabb489c0b6 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml @@ -46,6 +46,7 @@ template: filegid: '0' filegid@debian9: '42' filegid@debian10: '42' + filegid@debian11: '42' filegid@ubuntu1604: '42' filegid@ubuntu1804: '42' filegid@ubuntu2004: '42' diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml index f42ccef3ee5..036d9cdb16f 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml @@ -51,6 +51,7 @@ template: filegid: '0' filegid@debian9: '42' filegid@debian10: '42' + filegid@debian11: '42' filegid@ubuntu1604: '42' filegid@ubuntu1804: '42' filegid@ubuntu2004: '42' diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml index 9fd8981485b..732bb15dfcc 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml @@ -42,6 +42,7 @@ template: filemode: '0000' filemode@debian9: '0640' filemode@debian10: '0640' + filemode@debian11: '0640' filemode@ubuntu1604: '0640' filemode@ubuntu1804: '0640' filemode@ubuntu2004: '0640' diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml index 70e474b280e..2d03c2e5125 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml @@ -44,6 +44,7 @@ template: filemode: '0000' filemode@debian9: '0640' filemode@debian10: '0640' + filemode@debian11: '0640' filemode@ubuntu1604: '0640' filemode@ubuntu1804: '0640' filemode@ubuntu2004: '0640' diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml index 02404617c11..1d9c98378ea 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml @@ -51,6 +51,7 @@ template: filemode: '0000' filemode@debian9: '0640' filemode@debian10: '0640' + filemode@debian11: '0640' filemode@ubuntu1604: '0640' filemode@ubuntu1804: '0640' filemode@ubuntu2004: '0640' diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml index 8d1ca918377..daf81def878 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml @@ -58,6 +58,7 @@ template: filemode: '0000' filemode@debian9: '0640' filemode@debian10: '0640' + filemode@debian11: '0640' filemode@ubuntu1604: '0640' filemode@ubuntu1804: '0640' filemode@ubuntu2004: '0640' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml index faacdc76de8..8e242cb4f5b 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 title: 'Build and Test AIDE Database' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml index d9024c63e80..d121604452c 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 title: 'Install AIDE' diff --git a/products/debian11/CMakeLists.txt b/products/debian11/CMakeLists.txt new file mode 100644 index 00000000000..b98b58b3710 --- /dev/null +++ b/products/debian11/CMakeLists.txt @@ -0,0 +1,6 @@ +# Sometimes our users will try to do: "cd debian11; cmake ." That needs to error in a nice way. +if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") + message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!") +endif() + +ssg_build_product("debian11") diff --git a/products/debian11/overlays/.gitkeep b/products/debian11/overlays/.gitkeep new file mode 100644 index 00000000000..e69de29bb2d diff --git a/products/debian11/product.yml b/products/debian11/product.yml new file mode 100644 index 00000000000..1b9d40833b2 --- /dev/null +++ b/products/debian11/product.yml @@ -0,0 +1,30 @@ +product: debian11 +full_name: Debian 11 +type: platform + +benchmark_root: "../../linux_os/guide" + +profiles_root: "./profiles" + +pkg_manager: "apt_get" + +init_system: "systemd" + +grub2_boot_path: "/boot/grub" + +cpes_root: "../../shared/applicability" +cpes: + - debian11: + name: "cpe:/o:debian:debian_linux:11" + title: "Debian Linux 11" + check_id: installed_OS_is_debian11 + +# Mapping of CPE platform to package +platform_package_overrides: + gdm: gdm3 + grub2: grub2-common + net-snmp: snmp + nss-pam-ldapd: libpam-ldap + pam: libpam-runtime + shadow: login + sssd: sssd-common diff --git a/products/debian11/profiles/anssi_np_nt28_average.profile b/products/debian11/profiles/anssi_np_nt28_average.profile new file mode 100644 index 00000000000..600f1a6f713 --- /dev/null +++ b/products/debian11/profiles/anssi_np_nt28_average.profile @@ -0,0 +1,36 @@ +documentation_complete: true + +title: 'Profile for ANSSI DAT-NT28 Average (Intermediate) Level' + +description: 'This profile contains items for GNU/Linux installations already protected by multiple higher level security + stacks.' + +extends: anssi_np_nt28_minimal + +selections: + - partition_for_tmp + - partition_for_var + - partition_for_var_log + - partition_for_var_log_audit + - partition_for_home + - package_ntp_installed + - package_ntpdate_removed + - sshd_idle_timeout_value=5_minutes + - sshd_set_idle_timeout + - sshd_disable_root_login + - sshd_disable_empty_passwords + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 + - file_owner_logfiles_value=adm + - rsyslog_files_ownership + - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" + - ensure_logrotate_activated + - file_permissions_systemmap + - sysctl_fs_protected_symlinks + - sysctl_fs_protected_hardlinks + - sysctl_fs_suid_dumpable + - sysctl_kernel_randomize_va_space diff --git a/products/debian11/profiles/anssi_np_nt28_high.profile b/products/debian11/profiles/anssi_np_nt28_high.profile new file mode 100644 index 00000000000..8e4760a5477 --- /dev/null +++ b/products/debian11/profiles/anssi_np_nt28_high.profile @@ -0,0 +1,11 @@ +documentation_complete: true + +title: 'Profile for ANSSI DAT-NT28 High (Enforced) Level' + +description: 'This profile contains items for GNU/Linux installations storing sensitive informations that can be accessible + from unauthenticated or uncontroled networks.' + +extends: anssi_np_nt28_restrictive + +selections: + - grub2_enable_iommu_force diff --git a/products/debian11/profiles/anssi_np_nt28_minimal.profile b/products/debian11/profiles/anssi_np_nt28_minimal.profile new file mode 100644 index 00000000000..797aee747d7 --- /dev/null +++ b/products/debian11/profiles/anssi_np_nt28_minimal.profile @@ -0,0 +1,31 @@ +documentation_complete: true + +title: 'Profile for ANSSI DAT-NT28 Minimal Level' + +description: 'This profile contains items to be applied systematically.' + +selections: + - sudo_remove_nopasswd + - sudo_remove_no_authenticate + - package_telnetd_removed + - package_inetutils-telnetd_removed + - package_telnetd-ssl_removed + - package_nis_removed + - package_rsyslog_installed + - service_rsyslog_enabled + - package_syslogng_installed + - service_syslogng_enabled + - apt_conf_disallow_unauthenticated + - apt_sources_list_official + - file_permissions_etc_shadow + - file_owner_etc_shadow + - file_groupowner_etc_shadow + - file_permissions_etc_gshadow + - file_owner_etc_gshadow + - file_groupowner_etc_gshadow + - file_permissions_etc_passwd + - file_owner_etc_passwd + - file_groupowner_etc_passwd + - file_permissions_etc_group + - file_owner_etc_group + - file_groupowner_etc_group diff --git a/products/debian11/profiles/anssi_np_nt28_restrictive.profile b/products/debian11/profiles/anssi_np_nt28_restrictive.profile new file mode 100644 index 00000000000..27e4ec396f9 --- /dev/null +++ b/products/debian11/profiles/anssi_np_nt28_restrictive.profile @@ -0,0 +1,18 @@ +documentation_complete: true + +title: 'Profile for ANSSI DAT-NT28 Restrictive Level' + +description: 'This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.' + +extends: anssi_np_nt28_average + +selections: + - partition_for_tmp + - partition_for_var + - partition_for_var_log + - partition_for_var_log_audit + - partition_for_home + - package_audit_installed + - package_cron_installed + - service_auditd_enabled + - service_ntp_enabled diff --git a/products/debian11/profiles/standard.profile b/products/debian11/profiles/standard.profile new file mode 100644 index 00000000000..e1b2c718dfe --- /dev/null +++ b/products/debian11/profiles/standard.profile @@ -0,0 +1,59 @@ +documentation_complete: true + +title: 'Standard System Security Profile for Debian 11' + +description: |- + This profile contains rules to ensure standard security baseline + of a Debian 11 system. Regardless of your system's workload + all of these checks should pass. + +selections: + - partition_for_tmp + - partition_for_var + - partition_for_var_log + - partition_for_var_log_audit + - partition_for_home + - package_audit_installed + - package_cron_installed + - package_ntp_installed + - package_rsyslog_installed + - package_telnetd_removed + - package_inetutils-telnetd_removed + - package_telnetd-ssl_removed + - package_nis_removed + - package_ntpdate_removed + - service_auditd_enabled + - service_cron_enabled + - service_ntp_enabled + - service_rsyslog_enabled + - sshd_idle_timeout_value=5_minutes + - sshd_set_idle_timeout + - sshd_disable_root_login + - sshd_disable_empty_passwords + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 + - file_owner_logfiles_value=adm + - rsyslog_files_ownership + - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" + - ensure_logrotate_activated + - file_permissions_systemmap + - file_permissions_etc_shadow + - file_owner_etc_shadow + - file_groupowner_etc_shadow + - file_permissions_etc_gshadow + - file_owner_etc_gshadow + - file_groupowner_etc_gshadow + - file_permissions_etc_passwd + - file_owner_etc_passwd + - file_groupowner_etc_passwd + - file_permissions_etc_group + - file_owner_etc_group + - file_groupowner_etc_group + - sysctl_fs_protected_symlinks + - sysctl_fs_protected_hardlinks + - sysctl_fs_suid_dumpable + - sysctl_kernel_randomize_va_space diff --git a/products/debian11/transforms/constants.xslt b/products/debian11/transforms/constants.xslt new file mode 100644 index 00000000000..a47ff2592c0 --- /dev/null +++ b/products/debian11/transforms/constants.xslt @@ -0,0 +1,21 @@ + + + + +Debian 11 +Debian 11 +DEBIAN_11_STIG +DEBIAN-11 +debian11 + + +https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf + + + + + + + + + diff --git a/products/debian11/transforms/shorthand2xccdf.xslt b/products/debian11/transforms/shorthand2xccdf.xslt new file mode 100644 index 00000000000..cd8e8ed74d3 --- /dev/null +++ b/products/debian11/transforms/shorthand2xccdf.xslt @@ -0,0 +1,9 @@ + + + + + +unknown +unlinked-debian11-oval.xml + + diff --git a/products/debian11/transforms/table-srgmap.xslt b/products/debian11/transforms/table-srgmap.xslt new file mode 100644 index 00000000000..5798a48943b --- /dev/null +++ b/products/debian11/transforms/table-srgmap.xslt @@ -0,0 +1,11 @@ + + + + + + + + + + + diff --git a/products/debian11/transforms/table-style.xslt b/products/debian11/transforms/table-style.xslt new file mode 100644 index 00000000000..8b6caeab8cd --- /dev/null +++ b/products/debian11/transforms/table-style.xslt @@ -0,0 +1,5 @@ + + + + + diff --git a/products/debian11/transforms/xccdf-apply-overlay-stig.xslt b/products/debian11/transforms/xccdf-apply-overlay-stig.xslt new file mode 100644 index 00000000000..4789419b80a --- /dev/null +++ b/products/debian11/transforms/xccdf-apply-overlay-stig.xslt @@ -0,0 +1,8 @@ + + + + + + + + diff --git a/products/debian11/transforms/xccdf2table-byref.xslt b/products/debian11/transforms/xccdf2table-byref.xslt new file mode 100644 index 00000000000..1cdb679c6fd --- /dev/null +++ b/products/debian11/transforms/xccdf2table-byref.xslt @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/products/debian11/transforms/xccdf2table-cce.xslt b/products/debian11/transforms/xccdf2table-cce.xslt new file mode 100644 index 00000000000..f156a669566 --- /dev/null +++ b/products/debian11/transforms/xccdf2table-cce.xslt @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/products/debian11/transforms/xccdf2table-profileanssirefs.xslt b/products/debian11/transforms/xccdf2table-profileanssirefs.xslt new file mode 100644 index 00000000000..5cde9c4cc85 --- /dev/null +++ b/products/debian11/transforms/xccdf2table-profileanssirefs.xslt @@ -0,0 +1,112 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rule Title + Description + Rationale + Variable Setting + ANSSI Best practice Mapping + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/products/debian11/transforms/xccdf2table-profileccirefs.xslt b/products/debian11/transforms/xccdf2table-profileccirefs.xslt new file mode 100644 index 00000000000..30419e92b28 --- /dev/null +++ b/products/debian11/transforms/xccdf2table-profileccirefs.xslt @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/products/debian11/transforms/xccdf2table-profilecisrefs.xslt b/products/debian11/transforms/xccdf2table-profilecisrefs.xslt new file mode 100644 index 00000000000..07d321241fd --- /dev/null +++ b/products/debian11/transforms/xccdf2table-profilecisrefs.xslt @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/products/debian11/transforms/xccdf2table-profilenistrefs.xslt b/products/debian11/transforms/xccdf2table-profilenistrefs.xslt new file mode 100644 index 00000000000..ea9f8b0da56 --- /dev/null +++ b/products/debian11/transforms/xccdf2table-profilenistrefs.xslt @@ -0,0 +1,8 @@ + + + + + + + + diff --git a/products/debian11/transforms/xccdf2table-stig.xslt b/products/debian11/transforms/xccdf2table-stig.xslt new file mode 100644 index 00000000000..a71d8364d2c --- /dev/null +++ b/products/debian11/transforms/xccdf2table-stig.xslt @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/shared/checks/oval/installed_OS_is_debian11.xml b/shared/checks/oval/installed_OS_is_debian11.xml new file mode 100644 index 00000000000..7a44d04848f --- /dev/null +++ b/shared/checks/oval/installed_OS_is_debian11.xml @@ -0,0 +1,27 @@ + + + + Debian Linux 11 + + multi_platform_all + + + The operating system installed on the system is Debian 11 + + + + + + + + + + + + + /etc/debian_version + ^11.[0-9]+$ + 1 + + + diff --git a/ssg/constants.py b/ssg/constants.py index fee8ef8c659..10ea1199c92 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -7,7 +7,7 @@ product_directories = [ 'chromium', - 'debian9', 'debian10', + 'debian9', 'debian10', 'debian11', 'example', 'fedora', 'firefox', @@ -157,6 +157,7 @@ "Chromium": "chromium", "Debian 9": "debian9", "Debian 10": "debian10", + "Debian 11": "debian11", "Example": "example", "Fedora": "fedora", "Firefox": "firefox", @@ -199,7 +200,7 @@ "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "example"] MULTI_PLATFORM_MAPPING = { - "multi_platform_debian": ["debian9", "debian10"], + "multi_platform_debian": ["debian9", "debian10", "debian11"], "multi_platform_example": ["example"], "multi_platform_fedora": ["fedora"], "multi_platform_opensuse": ["opensuse"], diff --git a/tests/unit/ssg-module/test_utils.py b/tests/unit/ssg-module/test_utils.py index f1e7b127469..9b8a55196f5 100644 --- a/tests/unit/ssg-module/test_utils.py +++ b/tests/unit/ssg-module/test_utils.py @@ -19,7 +19,7 @@ def test_is_applicable(): assert not ssg.utils.is_applicable('rhosp13', 'rhel7') assert not ssg.utils.is_applicable('fedora,multi_platform_ubuntu', 'rhel7') assert not ssg.utils.is_applicable('ol7', 'rhel7') - assert not ssg.utils.is_applicable('fedora,debian9,debian10', 'rhel7') + assert not ssg.utils.is_applicable('fedora,debian9,debian10,debian11', 'rhel7') def test_is_applicable_for_product(): diff --git a/utils/duplicated_prodtypes.py b/utils/duplicated_prodtypes.py index 7d54ebb918e..4cb2c16fef8 100755 --- a/utils/duplicated_prodtypes.py +++ b/utils/duplicated_prodtypes.py @@ -11,7 +11,7 @@ def _create_profile_cache(ssg_root): profile_cache = {} - product_list = ['debian9', 'debian10', 'fedora', 'ol7', 'opensuse', + product_list = ['debian9', 'debian10', 'debian11', 'fedora', 'ol7', 'opensuse', 'rhel7', 'sle12', 'sle15', 'ubuntu1604', 'ubuntu1804', 'ubuntu2004', 'wrlinux'] diff --git a/utils/fix_file_ocilclause.py b/utils/fix_file_ocilclause.py index 82b8c1140f2..462d2b37c15 100755 --- a/utils/fix_file_ocilclause.py +++ b/utils/fix_file_ocilclause.py @@ -11,7 +11,7 @@ def _create_profile_cache(ssg_root): profile_cache = {} - product_list = ['debian9', 'debian10', 'fedora', 'ol7', 'opensuse', + product_list = ['debian9', 'debian10', 'debian11', 'fedora', 'ol7', 'opensuse', 'rhel7', 'sle12', 'ubuntu1604', 'ubuntu1804', 'ubuntu2004', 'wrlinux']