diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/ansible/shared.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/ansible/shared.yml index cf67161e388..3a86771d616 100644 --- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/ansible/shared.yml +++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_debian # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh index a6bc6cb1654..743d477751d 100644 --- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh +++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_debian {{{ bash_instantiate_variables("var_postfix_root_mail_alias") }}} diff --git a/linux_os/guide/services/mail/postfix_client/var_postfix_root_mail_alias.var b/linux_os/guide/services/mail/postfix_client/var_postfix_root_mail_alias.var index 233caffa3d2..876e4784d26 100644 --- a/linux_os/guide/services/mail/postfix_client/var_postfix_root_mail_alias.var +++ b/linux_os/guide/services/mail/postfix_client/var_postfix_root_mail_alias.var @@ -11,5 +11,5 @@ operator: equals interactive: true options: - default: system.administrator@mail.mil + default: change_me@localhost mil_sysadmin: system.administrator@mail.mil 
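Review bot: The new `default: change_me@localhost` in var_postfix_root_mail_alias.var is not Debian-specific, because this variable file lives under the shared linux_os/guide tree and its default applies to every product that does not pick a selector. Any existing profile that relied on the old default would now remediate the root alias to a placeholder on the local host (inferred; the profiles consuming this variable are not visible here), so administrative mail would no longer reach a monitored mailbox. If a neutral default is intended, I would document it next to the option with `# placeholder - profiles must select a real address` and confirm that the profiles needing `system.administrator@mail.mil` select `mil_sysadmin` explicitly.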
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml index c47506b429b..be6b3672f5b 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh index 3cfe760fb62..e777ce8fe61 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian {{{ bash_instantiate_variables("var_sshd_set_keepalive") }}} diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml index bed135a4d98..1e571bcbf7a 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml 
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/ansible/shared.yml b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/ansible/shared.yml index 6d1e1cf7143..da221c3d2e1 100644 --- a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/ansible/shared.yml +++ b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/ansible/shared.yml @@ -1,9 +1,16 @@ -# platform = multi_platform_sle +# platform = multi_platform_sle,multi_platform_debian # reboot = false # strategy = restrict # complexity = low # disruption = low +{{% if 'debian' in product %}} +- name: Ensure apparmor-utils is installed + package: + name: "apparmor-utils" + state: present +{{% endif %}} + - name: {{{ rule_title }}} - Ensure all AppArmor Profiles are reloaded ansible.builtin.command: apparmor_parser -q -r /etc/apparmor.d/ diff --git a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/bash/shared.sh b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/bash/shared.sh index 1508009496c..34c275fbc41 100644 --- a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/bash/shared.sh +++ b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # make sure apparmor-utils is installed for aa-complain and aa-enforce {{{ bash_package_install("apparmor-utils") }}} 
diff --git a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/rule.yml b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/rule.yml index 0852f7d4a00..5ab7daffd70 100644 --- a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/rule.yml +++ b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: debian12,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Enforce all AppArmor Profiles' @@ -9,7 +9,7 @@ description: |- To set all profiles to enforce mode run the following command:
$ sudo aa-enforce /etc/apparmor.d/*
To list unconfined processes run the following command: - {{% if 'ubuntu' in product %}} + {{% if 'ubuntu' in product or 'debian' in product %}}
$ sudo apparmor_status | grep processes
{{% else %}}
$ sudo aa-unconfined
diff --git a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/sce/shared.sh b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/sce/shared.sh index 72cf148d5cf..afa39dfb0c7 100644 --- a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/sce/shared.sh +++ b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/sce/shared.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ubuntu +# platform = multi_platform_ubuntu,multi_platform_debian # check-import = stdout # If apparmor or apparmor-utils are not installed, then this test fails. diff --git a/linux_os/guide/system/apparmor/apparmor_configured/ansible/shared.yml b/linux_os/guide/system/apparmor/apparmor_configured/ansible/shared.yml index d616ac3494c..f1485385a61 100644 --- a/linux_os/guide/system/apparmor/apparmor_configured/ansible/shared.yml +++ b/linux_os/guide/system/apparmor/apparmor_configured/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_sle +# platform = multi_platform_sle,multi_platform_debian - name: Start apparmor.service systemd: diff --git a/linux_os/guide/system/apparmor/apparmor_configured/bash/shared.sh b/linux_os/guide/system/apparmor/apparmor_configured/bash/shared.sh index dfb64c370f3..12ff1051144 100644 --- a/linux_os/guide/system/apparmor/apparmor_configured/bash/shared.sh +++ b/linux_os/guide/system/apparmor/apparmor_configured/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_ubuntu # Enable apparmor {{{ bash_service_command("enable", "apparmor") }}} diff --git a/linux_os/guide/system/apparmor/apparmor_configured/rule.yml b/linux_os/guide/system/apparmor/apparmor_configured/rule.yml index ca3d275e284..6eacc6f2b70 100644 --- a/linux_os/guide/system/apparmor/apparmor_configured/rule.yml +++ b/linux_os/guide/system/apparmor/apparmor_configured/rule.yml 
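Review bot: The new platform line in apparmor_configured/bash/shared.sh lists `multi_platform_ubuntu` twice and never adds Debian, so the bash remediation for this rule is presumably not built for debian12 even though the rule's `prodtype` and its Ansible remediation are both extended to it in this commit. The line should read `# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_debian`. As written, a Debian host failing apparmor_configured would get an Ansible fix but no bash fix.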
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: debian12,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure AppArmor is Active and Configured' @@ -62,3 +62,4 @@ template: packagename@ubuntu1604: apparmor packagename@ubuntu1804: apparmor packagename@ubuntu2004: apparmor + packagename@debian12: apparmor diff --git a/linux_os/guide/system/apparmor/grub2_enable_apparmor/bash/shared.sh b/linux_os/guide/system/apparmor/grub2_enable_apparmor/bash/shared.sh index bea5e269dac..be4262ca521 100644 --- a/linux_os/guide/system/apparmor/grub2_enable_apparmor/bash/shared.sh +++ b/linux_os/guide/system/apparmor/grub2_enable_apparmor/bash/shared.sh @@ -1,9 +1,9 @@ -# platform = multi_platform_ubuntu +# platform = multi_platform_ubuntu,multi_platform_debian {{{ update_etc_default_grub_manually('apparmor', 'apparmor=1') }}} {{{ update_etc_default_grub_manually('security', 'security=apparmor') }}} -{{% if 'ubuntu' in product %}} +{{% if 'ubuntu' in product or 'debian' in product %}} update-grub {{% else %}} grub2-mkconfig -o /boot/grub2/grub.cfg diff --git a/linux_os/guide/system/apparmor/grub2_enable_apparmor/rule.yml b/linux_os/guide/system/apparmor/grub2_enable_apparmor/rule.yml index 2403f19cc60..4ab0a909c12 100644 --- a/linux_os/guide/system/apparmor/grub2_enable_apparmor/rule.yml +++ b/linux_os/guide/system/apparmor/grub2_enable_apparmor/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ubuntu2004,ubuntu2204 +prodtype: debian12,ubuntu2004,ubuntu2204 title: 'Ensure AppArmor is enabled in the bootloader configuration' diff --git a/linux_os/guide/system/apparmor/package_apparmor_installed/rule.yml b/linux_os/guide/system/apparmor/package_apparmor_installed/rule.yml index acb301cc6b7..8e79e57ec9f 100644 --- a/linux_os/guide/system/apparmor/package_apparmor_installed/rule.yml +++ b/linux_os/guide/system/apparmor/package_apparmor_installed/rule.yml 
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ubuntu2004,ubuntu2204 +prodtype: debian12,ubuntu2004,ubuntu2204 title: 'Ensure AppArmor is installed' diff --git a/linux_os/guide/system/apparmor/package_pam_apparmor_installed/rule.yml b/linux_os/guide/system/apparmor/package_pam_apparmor_installed/rule.yml index 06f09bb69ab..0245ba39269 100644 --- a/linux_os/guide/system/apparmor/package_pam_apparmor_installed/rule.yml +++ b/linux_os/guide/system/apparmor/package_pam_apparmor_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: sle12,sle15 +prodtype: debian12,sle12,sle15 title: 'Install the pam_apparmor Package' @@ -34,3 +34,4 @@ template: name: package_installed vars: pkgname: pam_apparmor + pkgname@debian12: libpam-apparmor diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml index 956f72cf9de..2e008b37e19 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml 
@@ -1,10 +1,10 @@ -# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ol,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ol,multi_platform_ubuntu,multi_platform_debian # reboot = false # complexity = low # disruption = low # strategy = configure -{{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} +{{% if "ol" in product or 'rhel' in product or 'ubuntu' in product or 'debian' in product %}} {{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}} {{% else %}} {{% set auid_filters = "" %}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml index ced862e88a8..9349085f7ca 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml @@ -1,10 +1,10 @@ -# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # reboot = false # complexity = low # disruption = low # strategy = configure -{{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} +{{% if "ol" in product or 'rhel' in product or 'ubuntu' in product or 'debian' in product %}} {{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}} {{% else %}} {{% set auid_filters = "" %}} 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml index ac24d2e2dc5..73a9f1dff21 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml @@ -1,10 +1,10 @@ -# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ol,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ol,multi_platform_ubuntu,multi_platform_debian # reboot = false # complexity = low # disruption = low # strategy = configure -{{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} +{{% if "ol" in product or 'rhel' in product or 'ubuntu' in product or 'debian' in product %}} {{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}} {{% else %}} {{% set auid_filters = "" %}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml index 033465f0aef..8f259127ba7 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml 
@@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh index ba84abfc915..b570780759a 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # Traverse all of: # diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml index ac5c84c8753..5eaed26cbd1 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian # reboot =false # strategy = restrict # complexity = low 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh index 7e22f270f21..06bbeb9fb42 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml index 7f2f4e2981f..58be87f4b54 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian # reboot = true # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/bash/shared.sh index caf49d4f841..bd42cc0f1b7 100644 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/bash/shared.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' {{{ bash_fix_audit_watch_rule("auditctl", "/var/run/utmp", "wa", "session") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh index 1c9e46c28ac..027623091b8 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/bash/shared.sh index b7f44ab38d4..24b4da6b694 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/bash/shared.sh 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian {{{ bash_perform_audit_adjtimex_settimeofday_stime_remediation() }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh index f0783ec4f7b..c511ede45d2 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/bash/shared.sh index 4983b503ee8..0899dcdeddf 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/bash/shared.sh 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' {{{ bash_fix_audit_watch_rule("auditctl", "/etc/localtime", "wa", "audit_time_rules") }}} diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml index ec299598535..d6bd884f017 100644 --- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml +++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml @@ -91,6 +91,7 @@ template: packagename: audit packagename@debian10: auditd packagename@debian11: auditd + packagename@debian12: auditd packagename@ubuntu1604: auditd packagename@ubuntu1804: auditd packagename@ubuntu2004: auditd diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/debian.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/debian.yml new file mode 100644 index 00000000000..5e46651fd48 --- /dev/null +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/debian.yml 
@@ -0,0 +1,61 @@
+# platform = multi_platform_debian
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "{{{ rule_title }}} - Ensure AIDE Is Installed"
+ ansible.builtin.apt:
+ name: aide
+ state: present
+
+- name: "{{{ rule_title }}} - Check if DB Path in /etc/aide/aide.conf Is Already Set"
+ ansible.builtin.lineinfile:
+ path: /etc/aide/aide.conf
+ regexp: ^#?(\s*)(database=)(.*)$
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: database_replace
+
+- name: "{{{ rule_title }}} - Check if DB Out Path in /etc/aide/aide.conf Is Already Set"
+ ansible.builtin.lineinfile:
+ path: /etc/aide/aide.conf
+ regexp: ^#?(\s*)(database_out=)(.*)$
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: database_out_replace
+
+- name: "{{{ rule_title }}} - Fix DB Path in Config File if Necessary"
+ ansible.builtin.lineinfile:
+ path: /etc/aide/aide.conf
+ regexp: ^#?(\s*)(database)(\s*)=(\s*)(.*)$
+ line: \2\3=\4file:/var/lib/aide/aide.db
+ backrefs: true
+ when: database_replace.found > 0
+
+- name: "{{{ rule_title }}} - Fix DB Out Path in Config File if Necessary"
+ ansible.builtin.lineinfile:
+ path: /etc/aide/aide.conf
+ regexp: ^#?(\s*)(database_out)(\s*)=(\s*)(.*)$
+ line: \2\3=\4file:/var/lib/aide/aide.db.new
+ backrefs: true
+ when: database_out_replace.found > 0
+
+- name: "{{{ rule_title }}} - Ensure the Default DB Path is Added"
+ ansible.builtin.lineinfile:
+ path: /etc/aide/aide.conf
+ line: database=file:/var/lib/aide/aide.db
+ create: true
+ when: database_replace.found == 0
+
+- name: "{{{ rule_title }}} - Ensure the Default Out Path is Added"
+ ansible.builtin.lineinfile:
+ path: /etc/aide/aide.conf
+ line: database_out=file:/var/lib/aide/aide.db.new
+ create: true
+ when: database_out_replace.found == 0
+
+- name: "{{{ rule_title }}} - Build and Test AIDE Database"
+ ansible.builtin.command: /usr/sbin/aideinit -y -f
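Review bot: The last task runs `/usr/sbin/aideinit -y -f` unconditionally, so every playbook run on a host that already has a baseline overwrites it, and any file changed since the previous baseline, including an unauthorized change, is silently accepted into the new database. I would build the database only when it is missing, for example by adding `args:` with `creates: /var/lib/aide/aide.db` to that task; bash/debian.sh ends with the same unconditional call and needs the equivalent existence test. Separately, the two check tasks match `(database=)` and `(database_out=)` with no whitespace around `=`, while the fix tasks accept `(\s*)=(\s*)`, so a line written as `database = file:...` is counted as absent and a second `database=` line is appended; the check regexes should use the same `(\s*)=(\s*)` form.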
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/bash/debian.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/bash/debian.sh
new file mode 100644
index 00000000000..52028f8e064
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/bash/debian.sh
@@ -0,0 +1,20 @@
+# platform = multi_platform_debian
+
+{{{ bash_package_install("aide") }}}
+
+AIDE_CONFIG=/etc/aide/aide.conf
+DEFAULT_DB_PATH=/var/lib/aide/aide.db
+
+# Fix db path in the config file, if necessary
+if ! grep -q '^database=file:' ${AIDE_CONFIG}; then
+ # replace_or_append gets confused by 'database=file' as a key, so should not be used.
+ #replace_or_append "${AIDE_CONFIG}" '^database=file' "${DEFAULT_DB_PATH}" '@CCENUM@' '%s:%s'
+ echo "database=file:${DEFAULT_DB_PATH}" >> ${AIDE_CONFIG}
+fi
+
+# Fix db out path in the config file, if necessary
+if ! grep -q '^database_out=file:' ${AIDE_CONFIG}; then
+ echo "database_out=file:${DEFAULT_DB_PATH}.new" >> ${AIDE_CONFIG}
+fi
+
+/usr/sbin/aideinit -y -f
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/debian.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/debian.xml
new file mode 100644
index 00000000000..80c21bef0d4
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/debian.xml
@@ -0,0 +1,104 @@ + + + {{{ oval_metadata("The aide database must be initialized.") }}} + + + + + + + + + + + + + + + + + + + + + + + + + /etc/aide/aide.conf + ^@@define[\s]DBDIR[\s]+(/.*)$ + 1 + + + + + /etc/aide/aide.conf + ^database=file:(?:@@{DBDIR}/)?([a-z./]+)$ + + 1 + + + + + + + / + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /etc/aide/aide.conf + ^database_out=file:@@{DBDIR}/([a-z.]+)$ + + 1 + + + + + + + + /etc/aide/aide.conf + ^database_out=file:([a-z./]+)$ + + 1 + + diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml index 2ccae747bac..d4beaad7e4f 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml @@ -6,13 +6,13 @@ title: 'Build and Test AIDE Database' description: |- Run the following command to generate a new database: - {{% if 'ubuntu' in product %}} + {{% if 'ubuntu' in product or 'debian' in product %}}
$ sudo aideinit
{{% else %}}
$ sudo {{{ aide_bin_path }}} --init
{{% endif %}} By default, the database will be written to the file - {{% if 'ubuntu' in product or 'sle' in product %}} + {{% if 'ubuntu' in product or 'sle' in product or 'debian' in product %}} /var/lib/aide/aide.db.new. {{% else %}} /var/lib/aide/aide.db.new.gz. @@ -21,7 +21,7 @@ description: |- {{{ aide_bin_path }}} (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows: - {{% if 'ubuntu' in product or 'sle' in product %}} + {{% if 'ubuntu' in product or 'sle' in product or 'debian' in product %}}
$ sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
{{% else %}}
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
diff --git a/linux_os/guide/system/software/prefer_64bit_os/oval/shared.xml b/linux_os/guide/system/software/prefer_64bit_os/oval/shared.xml
index cf31005f80a..ca33be89228 100644
--- a/linux_os/guide/system/software/prefer_64bit_os/oval/shared.xml
+++ b/linux_os/guide/system/software/prefer_64bit_os/oval/shared.xml
@@ -61,7 +61,7 @@ 1 - ^(x86_64|aarch64|ppc64le|s390x)$ + ^(x86_64|aarch64|ppc64le|s390x|.*-amd64)$
diff --git a/products/debian12/profiles/anssi_bp28_enhanced.profile b/products/debian12/profiles/anssi_bp28_enhanced.profile
new file mode 100644
index 00000000000..b1c650c4ca3
--- /dev/null
+++ b/products/debian12/profiles/anssi_bp28_enhanced.profile
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+title: 'ANSSI-BP-028 (enhanced)'
+
+description: |-
+ This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+selections:
+ - anssi:all:enhanced
+ - package_rsyslog_installed
+ - service_rsyslog_enabled
+ # PASS_MIN_LEN is handled by PAM on debian systems.
+ - '!accounts_password_minlen_login_defs'
+ # Debian uses apparmor
+ - '!selinux_state'
+ - '!audit_rules_mac_modification'
+ - apparmor_configured
+ - all_apparmor_profiles_enforced
+ - grub2_enable_apparmor
+ - package_apparmor_installed
+ - package_pam_apparmor_installed
+ # The following are MLS related rules (not part of ANSSI-BP-028)
+ - '!accounts_polyinstantiated_tmp'
+ - '!accounts_polyinstantiated_var_tmp'
diff --git a/products/debian12/profiles/anssi_bp28_high.profile b/products/debian12/profiles/anssi_bp28_high.profile
new file mode 100644
index 00000000000..a24b8244aed
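Review bot: The added alternative `.*-amd64` loosens a check in a shared OVAL file, so it changes the result for every product rather than only Debian. The element this pattern is applied to is not visible in the hunk (the XML markup is missing from this view), but `-amd64` looks like a Debian kernel-release suffix rather than a machine architecture like the other alternatives. If so, the pattern compares a different kind of value and would still fail 64-bit Debian on other architectures, for example a kernel ending in `-arm64`. I would scope the extra alternative with a product conditional, or at least add a comment naming the uname field that yields `-amd64` on Debian.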
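Review bot: In anssi_bp28_enhanced.profile, `'!audit_rules_mac_modification'` is excluded under the comment `# Debian uses apparmor`, but nothing selected in its place audits changes to the AppArmor policy, so modifications of the MAC configuration would go unrecorded on this profile (assuming the excluded rule only watches SELinux paths, which is not visible here). The five AppArmor rules that follow cover installation, boot parameters and enforcement, not auditing. The exclusion deserves its own comment, for example `# SELinux-specific watch; no AppArmor equivalent selected, MAC policy changes are not audited`, so the gap is visible to whoever tailors the profile; anssi_bp28_high.profile carries the same exclusion.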
--- /dev/null
+++ b/products/debian12/profiles/anssi_bp28_high.profile
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+title: 'ANSSI-BP-028 (high)'
+
+description: |-
+ This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+selections:
+ - anssi:all:high
+ - package_rsyslog_installed
+ - service_rsyslog_enabled
+ # PASS_MIN_LEN is handled by PAM on debian systems.
+ - '!accounts_password_minlen_login_defs'
+ # Debian uses apparmor
+ - '!selinux_state'
+ - '!audit_rules_mac_modification'
+ - apparmor_configured
+ - all_apparmor_profiles_enforced
+ - grub2_enable_apparmor
+ - package_apparmor_installed
+ - package_pam_apparmor_installed
+ # The following are MLS related rules (not part of ANSSI-BP-028)
+ - '!accounts_polyinstantiated_tmp'
+ - '!accounts_polyinstantiated_var_tmp'
diff --git a/products/debian12/profiles/anssi_bp28_intermediary.profile b/products/debian12/profiles/anssi_bp28_intermediary.profile
new file mode 100644
index 00000000000..4e9d3744382
--- /dev/null
+++ b/products/debian12/profiles/anssi_bp28_intermediary.profile
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+title: 'ANSSI-BP-028 (intermediary)'
+
+description: |-
+ This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+# selinux_state: not applicable
+# postfix_client_configure_mail_alias: not applicable. should be exim
+# grub2_l1tf_argument debian kernels are not vulnerable, but switching from
+# conditional cache flush to force mode prevent protection disabling.
+
+selections:
+ - anssi:all:intermediary
+ # PASS_MIN_LEN is handled by PAM on debian systems.
+ - '!accounts_password_minlen_login_defs'
+ # Debian uses apparmor
+ - '!selinux_state'
+ # The following are MLS related rules (not part of ANSSI-BP-028)
+ - '!accounts_polyinstantiated_tmp'
+ - '!accounts_polyinstantiated_var_tmp'
diff --git a/products/debian12/profiles/anssi_bp28_minimal.profile b/products/debian12/profiles/anssi_bp28_minimal.profile
new file mode 100644
index 00000000000..004fc77ef68
--- /dev/null
+++ b/products/debian12/profiles/anssi_bp28_minimal.profile
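Review bot: The comment block above `selections:` does not match the selections that follow it. It marks `postfix_client_configure_mail_alias` as not applicable and discusses `grub2_l1tf_argument`, yet the only one of the three rules it names that is unselected below is `selinux_state`, so a reader cannot tell whether the other two are meant to stay in the profile. Either add the matching `'!…'` entries, or reword each line to state the decision, for example `# postfix_client_configure_mail_alias: kept selected although the default MTA is exim` if that is the intent. The `grub2_l1tf_argument` line also lacks the colon the two lines before it use.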
@@ -0,0 +1,18 @@ +documentation_complete: true + +title: 'ANSSI-BP-028 (minimal)' + +description: |- + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + + A copy of the ANSSI-BP-028 can be found at the ANSSI website: + https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + +selections: + - anssi:all:minimal + # PASS_MIN_LEN is handled by PAM on debian systems. + - '!accounts_password_minlen_login_defs' + diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index d72ff21b634..8764314bd98 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja @@ -1250,7 +1250,7 @@ Part of the grub2_bootloader_argument template. #}} {{%- macro ansible_grub2_bootloader_argument(arg_name, arg_name_value) -%}} -{{% if 'ubuntu' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}} +{{% if 'ubuntu' in product or 'debian' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}} - name: Check {{{ arg_name }}} argument exists command: grep '^\s*GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=' /etc/default/grub failed_when: False @@ -1261,7 +1261,7 @@ Part of the grub2_bootloader_argument template. failed_when: False register: linecheck -- name: Add watch rule for {{{ path }}} in /etc/audit/audit.rules +- name: Add {{{ arg_name }}} argument ansible.builtin.lineinfile: line: 'GRUB_CMDLINE_LINUX="{{{ arg_name_value }}} "' state: present 
@@ -1273,7 +1273,7 @@ Part of the grub2_bootloader_argument template. - name: Replace existing {{{ arg_name }}} argument replace: path: /etc/default/grub - regexp: '{{{ arg_name }}}=\w+' + regexp: '{{{ arg_name }}}=[a-zA-Z0-9,]+' replace: '{{{ arg_name_value }}}' when: argcheck.rc == 0 and linecheck.rc == 0 @@ -1289,6 +1289,9 @@ Part of the grub2_bootloader_argument template. {{% if product in ['sle12', 'sle15'] %}} - name: Update grub defaults and the bootloader menu command: /usr/sbin/grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg +{{% elif 'debian' in product %}} +- name: Update grub defaults and the bootloader menu + command: /usr/sbin/update-grub {{% else %}} - name: Update grub defaults and the bootloader menu command: /sbin/grubby --update-kernel=ALL --args="{{{ arg_name_value }}}" @@ -1305,7 +1308,7 @@ Part of the grub2_bootloader_argument_absent template. #}} {{%- macro ansible_grub2_bootloader_argument_absent(arg_name) -%}} -{{% if 'ubuntu' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}} +{{% if 'ubuntu' in product or 'debian' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}} - name: Check {{{ arg_name }}} argument exists command: grep '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=.*"' /etc/default/grub failed_when: False @@ -1323,6 +1326,9 @@ Part of the grub2_bootloader_argument_absent template. {{% if product in ['sle12', 'sle15'] %}} - name: Update grub defaults and the bootloader menu command: /usr/sbin/grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg +{{% elif 'debian' in product %}} +- name: Update grub defaults and the bootloader menu + command: /usr/sbin/update-grub {{% else %}} - name: Update grub defaults and the bootloader menu command: /sbin/grubby --update-kernel=ALL --remove-args="{{{ arg_name }}}" diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 7653fffe4ca..f9a53949989 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
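Review bot: The new value class `[a-zA-Z0-9,]+` no longer matches `_`, which the previous `\w+` did, and like the old pattern it stops at `-`, `.`, `:` and `/`. When the existing value contains one of those characters, the `replace` task rewrites only its leading part and leaves the rest attached to the new argument, so the resulting `GRUB_CMDLINE_LINUX` carries a malformed option instead of the hardened one. Matching up to the next whitespace or closing quote avoids enumerating characters: `regexp: '{{{ arg_name }}}=[^\s"]+'`. The pattern is also unanchored on the left, so an option whose name merely ends in the argument name would match too; that predates this change, and the macro body continues outside the hunk.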
@@ -1769,7 +1769,7 @@ Part of the grub2_bootloader_argument template. #}} {{% macro grub2_bootloader_argument_remediation(arg_name, arg_name_value) %}} -{{% if 'ubuntu' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}} +{{% if 'ubuntu' in product or 'debian' in product or product in ['rhel7', 'ol7', 'sle12', 'sle15'] %}} {{{ update_etc_default_grub_manually(arg_name, arg_name_value) }}} {{% endif -%}} {{{ grub_command("add", arg_name_value) }}} diff --git a/shared/templates/audit_rules_dac_modification/ansible.template b/shared/templates/audit_rules_dac_modification/ansible.template index dc30ff3d3d9..5a686b0b2fa 100644 --- a/shared/templates/audit_rules_dac_modification/ansible.template +++ b/shared/templates/audit_rules_dac_modification/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # reboot = true # strategy = restrict # complexity = low diff --git a/shared/templates/audit_rules_dac_modification/bash.template b/shared/templates/audit_rules_dac_modification/bash.template index 9b57c6656c5..daee7021078 100644 --- a/shared/templates/audit_rules_dac_modification/bash.template +++ b/shared/templates/audit_rules_dac_modification/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system 
diff --git a/shared/templates/audit_rules_file_deletion_events/ansible.template b/shared/templates/audit_rules_file_deletion_events/ansible.template index 34d9b1bb71e..33b29b97797 100644 --- a/shared/templates/audit_rules_file_deletion_events/ansible.template +++ b/shared/templates/audit_rules_file_deletion_events/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # reboot = true # strategy = restrict # complexity = low diff --git a/shared/templates/audit_rules_file_deletion_events/bash.template b/shared/templates/audit_rules_file_deletion_events/bash.template index e7158afa986..b3eab4edbb4 100644 --- a/shared/templates/audit_rules_file_deletion_events/bash.template +++ b/shared/templates/audit_rules_file_deletion_events/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system diff --git a/shared/templates/audit_rules_login_events/ansible.template b/shared/templates/audit_rules_login_events/ansible.template index 1c31678d6ed..e62981561a2 100644 --- a/shared/templates/audit_rules_login_events/ansible.template +++ b/shared/templates/audit_rules_login_events/ansible.template 
@@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # reboot = true # strategy = restrict # complexity = low diff --git a/shared/templates/audit_rules_login_events/bash.template b/shared/templates/audit_rules_login_events/bash.template index 129e4c2d639..e3c55b43aa2 100644 --- a/shared/templates/audit_rules_login_events/bash.template +++ b/shared/templates/audit_rules_login_events/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template index 18d7dbd5351..9beb6553712 100644 --- a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template +++ b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # reboot = true # strategy = restrict # complexity = low diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template index ff9a4f5e321..b18223c98a9 100644 
--- a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template +++ b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system diff --git a/shared/templates/grub2_bootloader_argument/ansible.template b/shared/templates/grub2_bootloader_argument/ansible.template index bebe5ccbcdc..a573b6a1b7d 100644 --- a/shared/templates/grub2_bootloader_argument/ansible.template +++ b/shared/templates/grub2_bootloader_argument/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian # reboot = true # strategy = restrict # complexity = medium diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template index 965f4d38ec3..7a7ba6899e1 100644 --- a/shared/templates/grub2_bootloader_argument/bash.template +++ b/shared/templates/grub2_bootloader_argument/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian {{# See the OVAL template for more comments. Product-specific categorization should be synced across all template content types 
diff --git a/shared/templates/package_installed/bash.template b/shared/templates/package_installed/bash.template index 473feef5c2f..65c48d381a0 100644 --- a/shared/templates/package_installed/bash.template +++ b/shared/templates/package_installed/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian # reboot = false # strategy = enable # complexity = low diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template index 290fc0c2bd3..7f73e3de46c 100644 --- a/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template +++ b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template @@ -10,16 +10,21 @@ # * And also the log file paths listed after rsyslog's $IncludeConfig directive # (store the result into array for the case there's shell glob used as value of IncludeConfig) +# note: on debian operating systems, /bin/sh is a symlink that point to /bin/dash shell. Dash lacks the pipefail option, so the +# set -o pipefail +# line should be escaped. - name: '{{{ rule_title }}} - Get IncludeConfig directive' ansible.builtin.shell: | - set -o pipefail + {{%- if not 'debian' in product %}} + set -o pipefail{{% endif %}} grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true register: rsyslog_old_inc changed_when: False - name: '{{{ rule_title }}} - Get include files directives' ansible.builtin.shell: | - set -o pipefail + {{%- if not 'debian' in product %}} + set -o pipefail{{% endif %}} awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' {{ rsyslog_etc_config }} || true register: rsyslog_new_inc changed_when: False 
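Review bot: Dropping `set -o pipefail` only for Debian products makes these shell tasks behave differently per product, although the underlying issue is just which shell Ansible runs them with. Pointing the tasks at bash keeps a single code path and removes the Jinja conditional from inside the block scalar: add `args:` with `executable: /bin/bash` to each `ansible.builtin.shell` task, assuming bash is present on the target. The same construct is repeated in the two later hunks of this file (`-41,7` and `-51,7`). If the conditional stays, the added comment should say the line is skipped rather than "escaped", and `'debian' not in product` is the usual spelling of the test.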
@@ -41,7 +46,8 @@ - name: '{{{ rule_title }}} - Extract log files old format' ansible.builtin.shell: | - set -o pipefail + {{%- if not 'debian' in product %}} + set -o pipefail{{% endif %}} grep -oP '^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item.1.path }} | \ awk '{print $NF}' | \ sed -e 's/^-//' || true @@ -51,7 +57,8 @@ - name: '{{{ rule_title }}} - Extract log files new format' ansible.builtin.shell: | - set -o pipefail + {{%- if not 'debian' in product %}} + set -o pipefail{{% endif %}} grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | \ grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \ grep -oE "\"([/[:alnum:][:punct:]]*)\"" | \ diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template index 37f8a7c20dc..d66b3320638 100644 --- a/shared/templates/sysctl/bash.template +++ b/shared/templates/sysctl/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian # reboot = true # strategy = disable # complexity = low