Merge pull request ComplianceAsCode#11368 from a-skr/feature-debian12

ANSSI BP 028 profile for debian12

linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_debian
 # reboot = false
 # strategy = configure
 # complexity = low

linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_debian
 
 {{{ bash_instantiate_variables("var_postfix_root_mail_alias") }}}
 

linux_os/guide/services/mail/postfix_client/var_postfix_root_mail_alias.var

@@ -11,5 +11,5 @@ operator: equals
 interactive: true
 
 options:
-    default: [email protected]
+    default: change_me@localhost
     mil_sysadmin: [email protected]

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
 # reboot = false
 # strategy = restrict
 # complexity = low

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
 
 {{{ bash_instantiate_variables("var_sshd_set_keepalive") }}}
 

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian
 # reboot = false
 # strategy = restrict
 # complexity = low

linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/ansible/shared.yml

@@ -1,9 +1,16 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_debian
 # reboot = false
 # strategy = restrict
 # complexity = low
 # disruption = low
 
+{{% if 'debian' in product %}}
+- name: Ensure apparmor-utils is installed
+  package:
+    name: "apparmor-utils"
+    state: present
+{{% endif %}}
+
 - name: {{{ rule_title }}} - Ensure all AppArmor Profiles are reloaded
   ansible.builtin.command: apparmor_parser -q -r /etc/apparmor.d/
 

linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
 
 # make sure apparmor-utils is installed for aa-complain and aa-enforce
 {{{ bash_package_install("apparmor-utils") }}}

linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: debian12,sle12,sle15,ubuntu2004,ubuntu2204
 
 title:  'Enforce all AppArmor Profiles'
 
@@ -9,7 +9,7 @@ description: |-
     To set all profiles to enforce mode run the following command:
     <pre>$ sudo aa-enforce /etc/apparmor.d/*</pre>
     To list unconfined processes run the following command:
-    {{% if 'ubuntu' in product %}}
+    {{% if 'ubuntu' in product or 'debian' in product %}}
     <pre>$ sudo apparmor_status | grep processes</pre>
     {{% else %}}
     <pre>$ sudo aa-unconfined</pre>

linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/sce/shared.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ubuntu
+# platform = multi_platform_ubuntu,multi_platform_debian
 # check-import = stdout
 
 # If apparmor or apparmor-utils are not installed, then this test fails.

linux_os/guide/system/apparmor/apparmor_configured/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_debian
 
 - name: Start apparmor.service
   systemd:

linux_os/guide/system/apparmor/apparmor_configured/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_ubuntu
 
 # Enable apparmor
 {{{ bash_service_command("enable", "apparmor") }}}

linux_os/guide/system/apparmor/apparmor_configured/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: debian12,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Ensure AppArmor is Active and Configured'
 
@@ -62,3 +62,4 @@ template:
         packagename@ubuntu1604: apparmor
         packagename@ubuntu1804: apparmor
         packagename@ubuntu2004: apparmor
+        packagename@debian12: apparmor

linux_os/guide/system/apparmor/grub2_enable_apparmor/bash/shared.sh

@@ -1,9 +1,9 @@
-# platform = multi_platform_ubuntu
+# platform = multi_platform_ubuntu,multi_platform_debian
 
 {{{ update_etc_default_grub_manually('apparmor', 'apparmor=1') }}}
 {{{ update_etc_default_grub_manually('security', 'security=apparmor') }}}
 
-{{% if 'ubuntu' in product %}}
+{{% if 'ubuntu' in product or 'debian' in product %}}
 update-grub
 {{% else %}}
 grub2-mkconfig -o /boot/grub2/grub.cfg

linux_os/guide/system/apparmor/grub2_enable_apparmor/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ubuntu2004,ubuntu2204
+prodtype: debian12,ubuntu2004,ubuntu2204
 
 title: 'Ensure AppArmor is enabled in the bootloader configuration'
 

linux_os/guide/system/apparmor/package_apparmor_installed/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ubuntu2004,ubuntu2204
+prodtype: debian12,ubuntu2004,ubuntu2204
 
 title: 'Ensure AppArmor is installed'
 

linux_os/guide/system/apparmor/package_pam_apparmor_installed/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: sle12,sle15
+prodtype: debian12,sle12,sle15
 
 title: 'Install the pam_apparmor Package'
 
@@ -34,3 +34,4 @@ template:
     name: package_installed
     vars:
         pkgname: pam_apparmor
+        pkgname@debian12: libpam-apparmor

linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml

@@ -1,10 +1,10 @@
-# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ol,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ol,multi_platform_ubuntu,multi_platform_debian
 # reboot = false
 # complexity = low
 # disruption = low
 # strategy = configure
 
-{{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}}
+{{% if "ol" in product or 'rhel' in product or 'ubuntu' in product or 'debian' in product %}}
 {{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}}
 {{% else %}}
 {{% set auid_filters = "" %}}

linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml

@@ -1,10 +1,10 @@
-# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
 # reboot = false
 # complexity = low
 # disruption = low
 # strategy = configure
 
-{{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}}
+{{% if "ol" in product or 'rhel' in product or 'ubuntu' in product or 'debian' in product %}}
 {{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}}
 {{% else %}}
 {{% set auid_filters = "" %}}

linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml

@@ -1,10 +1,10 @@
-# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ol,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ol,multi_platform_ubuntu,multi_platform_debian
 # reboot = false
 # complexity = low
 # disruption = low
 # strategy = configure
 
-{{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}}
+{{% if "ol" in product or 'rhel' in product or 'ubuntu' in product or 'debian' in product %}}
 {{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}}
 {{% else %}}
 {{% set auid_filters = "" %}}

linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian
 # reboot = false
 # strategy = configure
 # complexity = low

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
 
 # Traverse all of:
 #

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian
 # reboot =false
 # strategy = restrict
 # complexity = low

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian
 # reboot = true
 # strategy = restrict
 # complexity = low

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 {{{ bash_fix_audit_watch_rule("auditctl", "/var/run/utmp", "wa", "session") }}}

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 

linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/bash/shared.sh

@@ -1,3 +1,3 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
 
 {{{ bash_perform_audit_adjtimex_settimeofday_stime_remediation() }}}

linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 {{{ bash_fix_audit_watch_rule("auditctl", "/etc/localtime", "wa", "audit_time_rules") }}}

linux_os/guide/system/auditing/service_auditd_enabled/rule.yml

@@ -91,6 +91,7 @@ template:
         packagename: audit
         packagename@debian10: auditd
         packagename@debian11: auditd
+        packagename@debian12: auditd
         packagename@ubuntu1604: auditd
         packagename@ubuntu1804: auditd
         packagename@ubuntu2004: auditd

linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/debian.yml

@@ -0,0 +1,61 @@
+# platform = multi_platform_debian
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "{{{ rule_title }}} - Ensure AIDE Is Installed"
+  ansible.builtin.apt:
+    name: aide
+    state: present
+
+- name: "{{{ rule_title }}} - Check if DB Path in /etc/aide/aide.conf Is Already Set"
+  ansible.builtin.lineinfile:
+    path: /etc/aide/aide.conf
+    regexp: ^#?(\s*)(database=)(.*)$
+    state: absent
+  check_mode: true
+  changed_when: false
+  register: database_replace
+
+- name: "{{{ rule_title }}} - Check if DB Out Path in /etc/aide/aide.conf Is Already Set"
+  ansible.builtin.lineinfile:
+    path: /etc/aide/aide.conf
+    regexp: ^#?(\s*)(database_out=)(.*)$
+    state: absent
+  check_mode: true
+  changed_when: false
+  register: database_out_replace
+
+- name: "{{{ rule_title }}} - Fix DB Path in Config File if Necessary"
+  ansible.builtin.lineinfile:
+    path: /etc/aide/aide.conf
+    regexp: ^#?(\s*)(database)(\s*)=(\s*)(.*)$
+    line: \2\3=\4file:/var/lib/aide/aide.db
+    backrefs: true
+  when: database_replace.found > 0
+
+- name: "{{{ rule_title }}} - Fix DB Out Path in Config File if Necessary"
+  ansible.builtin.lineinfile:
+    path: /etc/aide/aide.conf
+    regexp: ^#?(\s*)(database_out)(\s*)=(\s*)(.*)$
+    line: \2\3=\4file:/var/lib/aide/aide.db.new
+    backrefs: true
+  when: database_out_replace.found > 0
+
+- name: "{{{ rule_title }}} - Ensure the Default DB Path is Added"
+  ansible.builtin.lineinfile:
+    path: /etc/aide/aide.conf
+    line: database=file:/var/lib/aide/aide.db
+    create: true
+  when: database_replace.found == 0
+
+- name: "{{{ rule_title }}} - Ensure the Default Out Path is Added"
+  ansible.builtin.lineinfile:
+    path: /etc/aide/aide.conf
+    line: database_out=file:/var/lib/aide/aide.db.new
+    create: true
+  when: database_out_replace.found == 0
+
+- name: "{{{ rule_title }}} - Build and Test AIDE Database"
+  ansible.builtin.command: /usr/sbin/aideinit -y -f

linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/bash/debian.sh

@@ -0,0 +1,20 @@
+# platform = multi_platform_debian
+
+{{{ bash_package_install("aide") }}}
+
+AIDE_CONFIG=/etc/aide/aide.conf
+DEFAULT_DB_PATH=/var/lib/aide/aide.db
+
+# Fix db path in the config file, if necessary
+if ! grep -q '^database=file:' ${AIDE_CONFIG}; then
+    # replace_or_append gets confused by 'database=file' as a key, so should not be used.
+    #replace_or_append "${AIDE_CONFIG}" '^database=file' "${DEFAULT_DB_PATH}" '@CCENUM@' '%s:%s'
+    echo "database=file:${DEFAULT_DB_PATH}" >> ${AIDE_CONFIG}
+fi
+
+# Fix db out path in the config file, if necessary
+if ! grep -q '^database_out=file:' ${AIDE_CONFIG}; then
+    echo "database_out=file:${DEFAULT_DB_PATH}.new" >> ${AIDE_CONFIG}
+fi
+
+/usr/sbin/aideinit -y -f