Debian13 cis profile #14764
- Align control IDs with CIS benchmark - Add /etc/cron.yearly control (2.4.1.7) - Update titles from 'permissions' to 'access' - Fix crontab access control (2.4.1.9) - Remove incorrect cron_allow reference in 2.4.1.2
- Change 1.2.1.2-1.2.1.9 from manual to pending (CIS marks them Automated but no SSG rules exist for Debian yet) - Fix levels for 1.2.1.2 (l1→l2 server/workstation) and remove incorrect l1_workstation from 1.2.1.3-1.2.1.5, 1.2.1.7-1.2.1.9 - Add service_apport_disabled rule to 1.5.7 (was automated with no rules) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add 2.1.16 and renumber 2.1.16→2.1.17 through 2.1.22→2.1.23
- Fix 2.2.5 change openldap-clients package to ldap-utils
- Add 3.2.2, renumber 3.2.2→3.2.3 and move 3.2.3→3.2.6
Correct the OVAL feed URL to use the Debian 13 (trixie) feed instead of the Debian 12 (bookworm) one, and align profile metadata versions with the CIS Debian 13 Benchmark v1.0.0. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add 'if: github.repository == ComplianceAsCode/content' to container jobs that don't test Debian 13, so they don't run on fork branches. The validate-debian job in gate.yaml is kept active as it builds debian11/12/13 and is relevant to ongoing work. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
sshd_enable_warning_banner does not apply to Debian, so it is absent from the Debian data stream. The conflicts reference to that rule caused oscap to call xccdf_policy_is_item_selected with a non-existent ID, triggering an assertion failure and aborting the scan. Exclude the conflicts block for Debian products as well as Ubuntu. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Extends cis_level1_server excluding AIDE rules (package_aide_installed, aide_build_database, aide_periodic_checking_systemd_timer) which are not used in ULPGC servers. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var: variable for kernel.apparmor_restrict_unprivileged_unconfined sysctl, default value 1 - cis_level1_server_ulpgc.profile for debian12: mirrors the debian13 variant, extending cis_level1_server and excluding AIDE rules Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Enable SCE content build for Debian 11/12/13 in CMakeLists.txt
- Fix all_apparmor_profiles_enforced SCE script:
- Add fallback XCCDF_RESULT_PASS/FAIL values for environments where
the engine does not export them (e.g. noexec /tmp + missing
oscap-run-sce-script on Debian with OpenSCAP 1.4.x)
- Guard aa-status output with grep -oE '^[0-9]+$' and ${var:-0} to
prevent bash arithmetic errors when output is empty or non-numeric
- Add 2>/dev/null to suppress spurious stderr from aa-status
- Add debian13 to platform list
- Apply same aa-status robustness fixes to
all_apparmor_profiles_in_enforce_complain_mode SCE script
- Extend bash/shared.sh and test scenarios to use
find/aa-enforce|aa-complain per-file (ubuntu/debian workaround for
apparmor-utils issue ComplianceAsCode#411) instead of glob aa-enforce/aa-complain
- Add debian13 packagename override in apparmor_configured rule.yml
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
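
As an added illustration of the guards this commit describes (example code written for this page, not the project's SCE script), the functions below parse aa-status output with `grep -oE '^[0-9]+$'` and `${var:-0}` so that empty, missing or non-numeric output produces a clean fail instead of a bash arithmetic error, and fall back to the standard XCCDF result codes (101 pass, 102 fail) when OpenSCAP has not exported them. The aa-status samples are constructed; `sce_main` is the only part that touches the real host and is defined but not called.

```shell
#!/bin/bash
# Added example: robust aa-status parsing for an SCE-style AppArmor check.
# OpenSCAP exports XCCDF_RESULT_* to SCE scripts; fall back to the standard
# codes (101 = pass, 102 = fail) when they are absent.
: "${XCCDF_RESULT_PASS:=101}"
: "${XCCDF_RESULT_FAIL:=102}"

# Print the leading integer of the first line containing $2, or 0 when the
# line is missing or its first field is not a plain number.
aa_count() {
    n=$(printf '%s\n' "$1" | awk -v p="$2" 'index($0, p) { print $1; exit }' \
        | grep -oE '^[0-9]+$' || :)
    printf '%s\n' "${n:-0}"
}

# 0 when every loaded profile is in enforce mode, 1 otherwise. A total of 0
# (no profiles, aa-status missing, or an execution error) is a fail rather
# than an arithmetic error.
aa_all_enforced() {
    total=$(aa_count "$1" "profiles are loaded")
    enforce=$(aa_count "$1" "profiles are in enforce mode")
    [ "$total" -gt 0 ] && [ "$enforce" -eq "$total" ]
}

# Entry point for real use: stderr from aa-status is discarded, as in the
# commit, and the XCCDF code becomes the exit status.
sce_main() {
    if aa_all_enforced "$(aa-status 2>/dev/null)"; then
        exit "$XCCDF_RESULT_PASS"
    fi
    exit "$XCCDF_RESULT_FAIL"
}

# Constructed aa-status samples (not captured from a real host).
SAMPLE_ALL_ENFORCE=$(printf '%s\n' \
    'apparmor module is loaded.' \
    '3 profiles are loaded.' \
    '3 profiles are in enforce mode.' \
    '   /usr/bin/man' \
    '0 profiles are in complain mode.')
SAMPLE_MIXED=$(printf '%s\n' \
    'apparmor module is loaded.' \
    '3 profiles are loaded.' \
    '2 profiles are in enforce mode.' \
    '1 profiles are in complain mode.')
SAMPLE_EMPTY=""

if aa_all_enforced "$SAMPLE_ALL_ENFORCE"; then echo "sample 1: all enforced"; fi
if aa_all_enforced "$SAMPLE_MIXED"; then :; else echo "sample 2: not all enforced"; fi
```

The numeric comparison is reached only after both values have been normalised, so a host where `/tmp` is `noexec` and the script never produced output fails the check instead of aborting it.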
debian13 is already covered by multi_platform_debian. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Debian stores the GRUB2 password in /boot/grub/grub.cfg using the password_pbkdf2 format, not in /boot/grub2/user.cfg like RHEL. - Add oval/debian.xml for grub2_uefi_password (same approach as ubuntu.xml/sle.xml: check grub.cfg for password_pbkdf2 and set superusers directives) - Set grub2_uefi_boot_path to /boot/grub for debian-like systems (excluding Ubuntu which already has its own override) - Update product stability snapshots for debian12 and debian13 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add service_kea_dhcp4_server_disabled, service_kea_dhcp6_server_disabled, and service_kea_dhcp_ddns_server_disabled rules to cover the CIS case where the kea package cannot be removed due to dependencies but its services must be disabled. Maps all three to control 2.1.3 alongside package_kea_removed, following the same pattern as Debian 12. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
On Debian 13 the DNS server package is bind9, not bind. Add pkgname@debian13 and packagename@debian13 overrides following the same pattern used for Ubuntu. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add debian13 product-scoped overrides and Jinja conditionals for rules where Debian 13 uses different package or service names than the default: - avahi: avahi-daemon (not avahi) - openldap: slapd (not openldap-servers) - dovecot: dovecot-core (not dovecot) - nfs: nfs-kernel-server packagename for OVAL check - rsync: rsync service and package (not rsyncd/rsync-daemon) - samba: smbd service (not smb) - snmp: snmpd (not net-snmp) - tftp: tftpd-hpa (not tftp-server) - httpd: apache2 (not httpd) - xserver: xserver-common (not xorg-x11-server-common) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
On Debian 13 the rsh client package is rsh-client, not rsh. Add pkgname@debian13 override and update Jinja conditionals to match the same pattern used for Ubuntu. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
On Debian 13 the chrony service is named chrony, not chronyd. The enabled counterpart already had this override; add it to the disabled rule for consistency. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
On Debian 13 the GDM package is gdm3, not gdm. Add pkgname@debian13 override and update Jinja conditionals to match the same pattern used for Ubuntu. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Split the generic set_ufw_default_rule into three dedicated rules (ufw_default_incoming_rule, ufw_default_outgoing_rule, ufw_disabled_routed) so each CIS Debian 13 control (4.1.3/4.1.4/4.1.5) maps to its own check and bash remediation. Each rule uses grep -E instead of grep -oP to avoid PCRE dependency on Debian. The routed rule uses 'ufw default deny routed' since 'disabled' is not a valid ufw default policy argument. Also extend check_ufw_active SCE and add bash remediation (unmask + enable service + ufw --force enable) for Debian 13 coverage of CIS 4.1.2. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add notes to 5.3.1.x package controls clarifying that automated check covers installation only; latest version requires manual check - Fix bash platform comments to include multi_platform_debian for pam_unix_enabled, pam_faillock_enabled, pam_pwhistory_enabled, pam_pwquality_enabled, and pam_unix_no_remember rules - Add oval/debian.xml for pam_pwquality_enabled (was Ubuntu-only) - Add oval/debian.xml and bash/debian.sh for pam_pwhistory_remember using pam-auth-update approach instead of direct PAM file editing - Add bash/debian.sh for pam_pwhistory_use_authtok using pam-auth-update - Add bash/debian.sh for pam_unix_authtok using pam-auth-update - Add var_password_pam_maxsequence=3 to control 5.3.3.2.5 - Add cis_debian13 selector to var_password_hashing_algorithm_pam (yescrypt|sha512) and update 5.3.3.4.3 to accept both algorithms Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add the NIST-standardized ML-KEM-768 hybrid post-quantum key exchange algorithm to the cis_debian13 KEX selector, placing it first as the preferred algorithm. Debian 13 ships OpenSSH 9.9+ which supports it. The older sntrup761x25519-sha512@openssh.com remains as fallback. Satisfies CIS Debian 13 5.1.13 (post-quantum KEX requirement). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
SCE scripts fail with 'Unexpected error' on systems where /tmp is mounted noexec (required by CIS 1.1.2.4), because OpenSCAP extracts SCE scripts to /tmp before executing them. Replace with OVAL checks that read configuration files and sysfs directly. - all_apparmor_profiles_enforced: read /sys/kernel/security/apparmor/profiles, compare total profile count against enforce-mode count - check_ufw_active: match ENABLED=yes in /etc/ufw/ufw.conf - ufw_default_incoming_rule: match DEFAULT_INPUT_POLICY="DROP|REJECT" in /etc/default/ufw - ufw_disabled_routed: match DEFAULT_FORWARD_POLICY="DROP|REJECT" in /etc/default/ufw Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
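
Added example (not the PR's OVAL content) of the same file-based checks expressed in shell, so the logic can be exercised against constructed copies of `/etc/ufw/ufw.conf` and `/etc/default/ufw` under a path prefix instead of the live host. It covers the three controls whose regexes the commit gives (4.1.2, 4.1.3, 4.1.5); the fixture helper and its values are constructed.

```shell
#!/bin/bash
# Added example: file-based ufw checks mirroring the OVAL regexes above.
# $1 is a path prefix (use / on a real host, a temp dir here).

# CIS 4.1.2: ufw enabled at boot (/etc/ufw/ufw.conf).
ufw_is_enabled() {
    grep -Eq '^ENABLED=yes$' "$1/etc/ufw/ufw.conf" 2>/dev/null
}

# CIS 4.1.3 / 4.1.5: the named default policy in /etc/default/ufw must be
# DROP or REJECT. ufw writes the value quoted; quotes are accepted optionally.
ufw_policy_denies() {
    grep -Eq "^$2=\"?(DROP|REJECT)\"?$" "$1/etc/default/ufw" 2>/dev/null
}

# Report each control; returns 0 only when all pass.
ufw_cis_4_1() {
    root="$1" rc=0
    ufw_is_enabled "$root" || { echo "4.1.2 fail: ENABLED=yes missing"; rc=1; }
    ufw_policy_denies "$root" DEFAULT_INPUT_POLICY \
        || { echo "4.1.3 fail: incoming not denied"; rc=1; }
    ufw_policy_denies "$root" DEFAULT_FORWARD_POLICY \
        || { echo "4.1.5 fail: routed not denied"; rc=1; }
    return $rc
}

# Remediation equivalents on a real host (not run here):
#   ufw default deny incoming; ufw default deny routed
#   systemctl unmask ufw && systemctl enable ufw && ufw --force enable

# Constructed fixture: $1 root, $2 ENABLED value, $3 input policy, $4 forward policy.
make_ufw_fixture() {
    mkdir -p "$1/etc/ufw" "$1/etc/default" || return 1
    printf 'ENABLED=%s\nLOGLEVEL=low\n' "$2" > "$1/etc/ufw/ufw.conf"
    printf 'IPV6=yes\nDEFAULT_INPUT_POLICY="%s"\nDEFAULT_OUTPUT_POLICY="ACCEPT"\nDEFAULT_FORWARD_POLICY="%s"\n' \
        "$3" "$4" > "$1/etc/default/ufw"
}

DEMO=$(mktemp -d)
make_ufw_fixture "$DEMO" no ACCEPT ACCEPT
ufw_cis_4_1 "$DEMO" || echo "demo: permissive defaults detected"
rm -rf "$DEMO"
```

Reading the files rather than `ufw status verbose` is what makes the check usable with `/tmp` mounted `noexec`, but it reports the configured policy, not the runtime ruleset; a host whose ufw service is masked still shows `ENABLED=yes` in the file.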
CIS Debian 13 section 5.3 accepts either SHA512 or YESCRYPT as valid password hashing algorithms. Add a cis_debian13 option to var_password_hashing_algorithm (YESCRYPT|SHA512) and use it in the control file instead of the fixed yescrypt value. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… error With check_existence="all_exist", a missing symlink returns 0 items and OpenSCAP reports the test as error instead of fail. OpenSCAP only triggers remediation on fail, so the symlink was never created across repeated runs. Change to at_least_one_exists so a missing symlink produces fail, which allows the bash remediation to run and create the symlink. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Switch sysctl_remediate_drop_in_file to false so all sysctl remediations write to /etc/sysctl.conf instead of individual drop-in files in /etc/sysctl.d/. The drop-in approach left /etc/sysctl.conf uncreated, making the 99-sysctl.conf symlink dangling and breaking the sysctl_conf_symlink_etc_sysctl_d OVAL check. Also fix the sysctl_conf_symlink_etc_sysctl_d rule: - bash: create /etc/sysctl.conf if absent before creating the symlink - oval: use path+filename instead of filepath in symlink_object so that a missing symlink returns an empty set (fail) rather than a collect error Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
unix:symlink_object with filepath returns error (not does_not_exist) for dangling symlinks (target missing), which blocked remediation. Replace with unix:file_test using follow_symlinks=false and type="symbolic link": - file doesn't exist -> does_not_exist -> fail -> remediation runs - file is not a symlink -> type mismatch -> fail -> remediation runs - file is a symlink -> pass Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
unix:FileBehaviors does not have a follow_symlinks attribute. Remove it. unix:file_object uses lstat() by default so symlinks are already reported as type "symbolic link" without any special behavior needed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The rule previously had no automated remediation. Add: - var_sshd_allow_groups.var: string variable with default "users" for the AllowGroups sshd parameter - bash/shared.sh: remediation using bash_sshd_remediation to insert AllowGroups into /etc/ssh/sshd_config - Remove the "no automated remediation" warning from rule.yml - Set var_sshd_allow_groups=users in the CIS Debian 13 control file Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…file The upstream sshd_limit_user_access rule cannot be auto-remediated because AllowGroups values are site-specific. Instead of modifying the upstream rule, add a new ULPGC-specific rule: - var_sshd_allow_groups.var: string variable, default "users" - sshd_set_allow_groups: uses sshd_lineinfile template to check and set AllowGroups in /etc/ssh/sshd_config - Add rule + var_sshd_allow_groups=users only to cis_level1_server_ulpgc - Revert changes to sshd_limit_user_access (restore warning, no bash) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
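
As an added example (written for this page, not the `sshd_lineinfile` template used by the rule), the functions below set `AllowGroups` in an sshd_config idempotently. The subtlety a practitioner wants handled is that sshd reads the first occurrence of a keyword and treats everything after the first `Match` line as conditional, so the global directive must be the first global occurrence and must land before any `Match` block. The config path is a parameter and the sample file is constructed.

```shell
#!/bin/bash
# Added example: set AllowGroups in an sshd_config idempotently.
# sshd keywords are case-insensitive; anything after the first "Match" line
# belongs to that conditional block, so a global directive is placed before it.

# Print the effective global AllowGroups value (empty if unset). sshd uses the
# first occurrence of a keyword, so only the first global hit counts.
sshd_get_allow_groups() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "allowgroups" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Ensure "AllowGroups <groups>" is the first global occurrence: the first
# existing global line is rewritten, later global duplicates are dropped,
# Match-scoped lines are kept, and if none exists the directive is inserted
# before the first Match block (or appended when there is none).
sshd_set_allow_groups() {
    cfg="$1" groups="$2"
    tmp=$(mktemp) || return 1
    awk -v want="AllowGroups $groups" '
        BEGIN { done = 0; inmatch = 0 }
        tolower($1) == "match" && !done { print want; done = 1 }
        tolower($1) == "match" { inmatch = 1 }
        tolower($1) == "allowgroups" && !inmatch {
            if (!done) { print want; done = 1 }
            next
        }
        { print }
        END { if (!done) print want }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # keep the original inode and mode
    rm -f "$tmp"
    [ "$(sshd_get_allow_groups "$cfg")" = "$groups" ]
}

# Constructed sample config (not from a real host).
SSHD_SAMPLE=$(mktemp)
cat > "$SSHD_SAMPLE" <<'EOF'
Port 22
# AllowGroups commented out on purpose
Match User backup
    AllowGroups backup
EOF

sshd_set_allow_groups "$SSHD_SAMPLE" users && echo "AllowGroups now: $(sshd_get_allow_groups "$SSHD_SAMPLE")"
```

On a real host run `sshd -t` before reloading, because a typo in the group list locks every account out on the next connection, and the PR's default of `users` is a site decision rather than a benchmark value.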
…Debian 13 On Debian 13, the network stack resets net.ipv4.conf.*.log_martians to 0 after systemd-sysctl.service has applied the hardened values at boot. Creating a systemd drop-in that adds After=network.target ensures the sysctl settings are applied in their final state. New rule sysctl_apply_after_network: - OVAL: checks for After=network.target in any .conf under /etc/systemd/system/systemd-sysctl.service.d/ - Bash: creates cac_hardening.conf with [Unit]\nAfter=network.target and runs systemctl daemon-reload - Added to CIS Debian 13 controls 3.3.1.16 and 3.3.1.17 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…network.target network.target is reached before networking backends (systemd-networkd, NetworkManager via Netplan, ifupdown) finish bringing up interfaces. The kernel resets net.ipv4.conf.all.log_martians to 0 when interfaces are initialized, which happens after network.target but before network-online.target. Switching to After=network-online.target + Wants=network-online.target ensures systemd-sysctl runs after all managed interfaces are fully online, regardless of the networking backend (ifupdown, systemd-networkd, Netplan). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Incorporate note from ComplianceAsCode upstream explaining that the CIS recommendation for enforcing AppArmor profiles does not adequately address force-complain/unconfined profiles and may break applications. References upstream CIS Workbench ticket for context. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add components_root: "../../components" consistent with upstream and other Debian-family products - Remove duplicate reference_uris block with the generic CIS URL, keeping only the Debian-specific benchmark URL Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Making systemd-sysctl.service depend on network-online.target via After=/Wants= creates an ordering cycle on Debian 13: network-online.target → networking.service → sysinit.target → systemd-sysctl.service → network-online.target systemd breaks the cycle by dropping networking.service and systemd-sysctl.service from the boot transaction, so sysctl parameters are never applied at boot — worse than the original problem. Remove the rule and its mappings in CIS controls 3.3.1.16/3.3.1.17. The standard sysctl rules plus sysctl_conf_symlink_etc_sysctl_d are sufficient; the log_martians all/default values are not reset by interface bring-up in the way per-interface values can be. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
On Debian 13, the kernel resets network sysctl values when interfaces come up, overriding the early-boot configuration applied by systemd-sysctl.service. This causes hardened values such as net.ipv4.conf.all.log_martians to revert to 0 at runtime. Add a rule that creates and enables a systemd oneshot service (sysctl-reapply-network.service) with DefaultDependencies=no and After=networking.service. The service runs sysctl --system after network interfaces are up, ensuring hardened values persist. Using DefaultDependencies=no avoids the ordering cycle that broke boot when systemd-sysctl.service itself was made to depend on network-online.target. Map the rule to CIS controls 3.3.1.16 and 3.3.1.17 alongside the corresponding sysctl value rules, with notes explaining the rationale. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
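
The two sysctl persistence pieces described in the symlink commits above and in this commit, as one added example written for this page (not the project's rule content): a check with the lstat semantics the OVAL `unix:file_test` ends up with, the bash remediation that creates `/etc/sysctl.conf` before the `99-sysctl.conf` link, and the oneshot unit with `DefaultDependencies=no` that avoids the ordering cycle. The `Conflicts=`/`Before=shutdown.target` lines, the `/sbin/sysctl` path and `WantedBy=multi-user.target` are my assumptions, not from the PR. A path prefix replaces `/` so the example runs in a temp directory.

```shell
#!/bin/bash
# Added example: sysctl persistence on Debian. $1 is a path prefix
# (use / on a real host, a temp dir here).

SYSCTL_CONF=etc/sysctl.conf
SYSCTL_LINK=etc/sysctl.d/99-sysctl.conf
REAPPLY_UNIT=etc/systemd/system/sysctl-reapply-network.service

# lstat semantics, like unix:file_test type="symbolic link":
# missing -> fail, regular file -> fail, symlink (even dangling) -> pass.
check_sysctl_symlink() {
    [ -L "$1/$SYSCTL_LINK" ]
}

# Remediation: create the target first so the link is never dangling, then
# (re)create the relative link Debian ships (99-sysctl.conf -> ../sysctl.conf).
ensure_sysctl_symlink() {
    root="$1"
    mkdir -p "$root/etc/sysctl.d" || return 1
    [ -e "$root/$SYSCTL_CONF" ] || : > "$root/$SYSCTL_CONF" || return 1
    if [ -L "$root/$SYSCTL_LINK" ] && [ "$(readlink "$root/$SYSCTL_LINK")" = "../sysctl.conf" ]; then
        return 0
    fi
    rm -f "$root/$SYSCTL_LINK" && ln -s ../sysctl.conf "$root/$SYSCTL_LINK"
}

# Oneshot unit that re-runs sysctl --system after ifupdown has brought the
# interfaces up. DefaultDependencies=no keeps it out of the sysinit.target
# ordering that produced the network-online.target cycle; the shutdown.target
# lines restore the conflict DefaultDependencies=no drops (assumption).
install_sysctl_reapply_unit() {
    root="$1"
    mkdir -p "$root/etc/systemd/system" || return 1
    cat > "$root/$REAPPLY_UNIT" <<'EOF'
[Unit]
Description=Re-apply sysctl settings after network interfaces are up
DefaultDependencies=no
After=networking.service
Conflicts=shutdown.target
Before=shutdown.target

[Service]
Type=oneshot
ExecStart=/sbin/sysctl --system

[Install]
WantedBy=multi-user.target
EOF
}
# On a real host follow with:
#   systemctl daemon-reload && systemctl enable sysctl-reapply-network.service

# Guard against reintroducing the cycle: the unit must opt out of default
# dependencies, order after networking.service, and never reference
# network-online.target.
check_reapply_unit() {
    unit="$1/$REAPPLY_UNIT"
    [ -f "$unit" ] &&
    grep -qx 'DefaultDependencies=no' "$unit" &&
    grep -qx 'After=networking.service' "$unit" &&
    ! grep -q 'network-online.target' "$unit"
}

DEMO=$(mktemp -d)
ensure_sysctl_symlink "$DEMO" && install_sysctl_reapply_unit "$DEMO" &&
    check_sysctl_symlink "$DEMO" && check_reapply_unit "$DEMO" && echo "demo: ok"
rm -rf "$DEMO"
```

`sysctl --system` reads `/etc/sysctl.d/*.conf` and therefore picks up `/etc/sysctl.conf` through the link, which is why the PR also turns off `sysctl_remediate_drop_in_file`. `After=networking.service` only orders against ifupdown; on a host that uses systemd-networkd the unit runs without that ordering, so it should be retargeted there.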
Add missing rule-to-component mappings required by components_root in
products/debian13/product.yml. Without these mappings the build fails
with "isn't mapped to any component" errors.
- apt.yml: apt_disable_weak_dependencies, directory/file owner/group/
permissions rules for apt GPG keys, sources.list.d, trusted.gpg.d,
auth.conf.d, and usr/share/keyrings
- apparmor.yml: sysctl_kernel_apparmor_restrict_unprivileged_unconfined
- kea.yml: service_kea_dhcp{4,6,_ddns}_server_disabled
- kernel.yml: sysctl_conf_symlink_etc_sysctl_d, sysctl_reapply_after_network
- openssh.yml: sshd_set_allow_groups
- syslog-ng.yml: syslogng_filecreatemode, syslogng_nolisten
- ufw.yml: ufw_default_incoming_rule, ufw_default_outgoing_rule,
ufw_disabled_routed
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
On Debian 13 (like Debian 12), libpam-pwquality is installed by default and pam_pwquality.so is already active in /etc/pam.d/common-password. Calling pam-auth-update is unnecessary and causes the first remediation pass to fail: pam-auth-update resolves the conflict between cac_pwquality and the standard pwquality pam-config by removing pam_pwquality.so from common-password, causing the pwquality OVAL checks to return notapplicable and preventing the parameter values from being written to pwquality.conf. Remove debian13 from the ubuntu2404 condition so Debian 13 is treated like Debian 12 — write values directly to pwquality.conf without calling pam-auth-update. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…e on Debian On Debian (12 and 13), libpam-pwquality is installed by default and pam_pwquality.so is already active in /etc/pam.d/common-password. Calling pam-auth-update via bash_pam_pwquality_enable() creates a cac_pwquality pam-config that conflicts with the standard pwquality config, causing pam-auth-update to remove pam_pwquality.so from common-password. This makes all accounts_password_pam_* OVAL checks fail because they extend the accounts_password_pam_pwquality definition which checks for pam_pwquality.so in common-password. Extend the condition that uses bash_ensure_pam_module_configuration (direct PAM file edit, no pam-auth-update) to include all Debian products, consistent with the fix applied to the accounts_password bash template in the previous commit. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…1.3.1 CIS Debian 13 benchmark (6.1.3.1) requires: - /var/log/messages: group root|adm, max permissions 0640 - /var/log/apt/ files: max permissions 0644 (perm_mask 0133) - Other log files: max permissions 0640 Three rules were too strict for Debian: - file_groupowner_var_log_messages: extend ubuntu2404 condition to include 'debian' in product so the rule accepts group adm|root instead of requiring GID 0 (root only). - file_permissions_var_log_messages: extend condition to include 'debian' in product so the rule checks for 0640 instead of 0600. - permissions_local_var_log: add excluded_files@debian13 to skip history.log*, eipp.log.xz* (apt files, CIS allows 0644) and [bw]tmp/lastlog (different ownership rules); add recursive@debian13 to check subdirectories including /var/log/apt/. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Hi @israel-villar. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Please split the PR into multiple PRs. This one is too difficult to review: not only does it introduce a large volume of changes, it combines multiple unrelated things into a single PR. Smaller PRs will be easier to get through.
Thanks for the feedback. I'll split this PR into smaller ones organized by CIS Benchmark sections and subsections, so each PR covers a coherent area of the benchmark independently:

- Bug fixes (standalone, no new product required):
- New rules by CIS section:
- Existing rule modifications (per section):
- Product integration:

I'll open the bug fix PRs first as they are self-contained. The product integration PRs will follow once the new rules are reviewed. Thanks.
Add CIS Benchmark v1.0.0 profile for Debian GNU/Linux 13 (Trixie)

Description:

- Add new product `debian13` (Debian GNU/Linux 13 "Trixie") with full CIS Benchmark v1.0.0 support, including product skeleton, OVAL feed configuration, and component mappings.
- Add `controls/cis_debian13.yml` with 343 controls covering CIS Debian Linux 13 Benchmark v1.0.0 sections 1–7 (Initial Setup, Services, Network Configuration, Logging and Auditing, Access/Authentication/Authorization, System Maintenance, and Server-specific policies).
- Add 11 profiles for `debian13`: `cis_level1_server`, `cis_level1_workstation`, `cis_level2_server`, `cis_level2_workstation`, four ANSSI BP28 profiles (minimal/intermediary/enhanced/high), and a `standard` profile. A site-specific `cis_level1_server_ulpgc` profile is also included (excludes AIDE rules, adds syslog-ng and local AllowGroups customization).
- Add 37 new rules required by the CIS Debian 13 benchmark that did not previously exist:
  - Ownership and permission rules for `/etc/apt/sources.list.d/`, `/etc/apt/auth.conf.d/`, `/etc/apt/trusted.gpg.d/`, `/usr/share/keyrings/`, and individual GPG key files (CIS 1.3.x).
  - `service_kea_dhcp4_server_disabled`, `service_kea_dhcp6_server_disabled`, `service_kea_dhcp_ddns_server_disabled` (CIS 2.1.3).
  - `package_syslogng_installed`, `service_syslogng_enabled`, `syslogng_nolisten`, `syslogng_filecreatemode` (CIS 6.2.x).
  - `ufw_default_incoming_rule`, `ufw_default_outgoing_rule`, `ufw_disabled_routed` (CIS 4.1.x); OVAL replaces earlier SCE checks so rules work with `/tmp` mounted `noexec`.
  - `sysctl_conf_symlink_etc_sysctl_d` ensures `/etc/sysctl.d/99-sysctl.conf` is the expected symlink so `systemd-sysctl` picks up `/etc/sysctl.conf` at boot; `sysctl_reapply_after_network` installs a systemd oneshot service that re-applies sysctl settings after network interfaces come up (Debian kernel resets them on NIC up).
  - `sysctl_kernel_apparmor_restrict_unprivileged_unconfined` (CIS 1.3.1.3).
  - `sshd_set_allow_groups` for group-based SSH access control.
- Modify 72 existing rules to add Debian 13 applicability: package name overrides (`pkgname@debian13`), service name overrides (`servicename@debian13`), platform guards extended to cover `multi_platform_debian`, and product-specific variable values (chrony, GDM, rsh, bind, openldap, avahi, NTP, etc.).
- Fix `accounts_password_pam_pwquality_enabled` Bash remediation for all Debian products: extend the SLE condition to Debian so that `bash_ensure_pam_module_configuration` is used (direct PAM file edit) instead of `bash_pam_pwquality_enable()`. The latter creates a `cac_pwquality` pam-config with `Conflicts: pwquality` and calls `pam-auth-update`, which removes the active `pam_pwquality.so` entry from `/etc/pam.d/common-password`, causing all downstream `accounts_password_pam_*` OVAL checks to fail.
- Fix `accounts_password` Bash template: remove `debian13` from the `ubuntu2404` guard that called `bash_pam_pwquality_enable()` for pam_pwquality parameter rules (was inadvertently re-added in a previous commit).
- Fix log file permission rules for Debian to align with CIS Debian 13 section 6.1.3.1:
  - `file_groupowner_var_log_messages`: extend `ubuntu2404` condition to include `'debian' in product` so the rule accepts group `adm|root` instead of requiring GID 0.
  - `file_permissions_var_log_messages`: extend condition to include `'debian' in product` so the rule checks for `0640` instead of `0600`.
  - `permissions_local_var_log`: add `excluded_files@debian13` to skip APT log files that CIS allows at `0644`, plus `[bw]tmp`/`lastlog`; add `recursive@debian13: 'true'` to check the `/var/log/apt/` subdirectory.
- Fix `sshd_enable_warning_banner_net` crash on Debian: the rule had `conflicts: sshd_enable_warning_banner`, which caused OpenSCAP to assert-fail when `sshd_enable_warning_banner` is not present in the Debian data stream. Extend the exclusion condition to cover Debian products.
- Replace SCE checks with OVAL for `all_apparmor_profiles_enforced`, `check_ufw_active`, `ufw_default_incoming_rule`, `ufw_disabled_routed`: SCE scripts fail silently when `/tmp` has `noexec` (required by CIS 1.1.2.4).
- Fix `syslogng_filecreatemode` OVAL: replace shell arithmetic with a direct regex match for the file creation mode value.
- Update 8 component files (`apparmor.yml`, `apt.yml`, `crypto-policies.yml`, `kea.yml`, `kernel.yml`, `openssh.yml`, `syslog-ng.yml`, `ufw.yml`) to map Debian 13 CIS rules to the correct component.
- Configure `sysctl_remediate_drop_in_file: false` for `debian13` so all sysctl remediations write to `/etc/sysctl.conf` rather than individual drop-in files, ensuring the `sysctl_conf_symlink` approach works correctly.

Rationale:

Debian GNU/Linux 13 ("Trixie") is the current stable Debian release and requires a CIS Benchmark profile for organizations that need compliance scanning and automated remediation on this platform.

The CIS Debian Linux 13 Benchmark v1.0.0 was published on 2025-12-16. This implementation covers all Level 1 and Level 2 controls across server and workstation configurations.

Several Debian-specific behaviors required fixes beyond the new product addition: the sysctl persistence problem (kernel resets values on NIC up), the PAM update mechanism (`pam-auth-update` with a conflicting config destructively removes active modules), and log file ownership conventions (`adm` group) that differ from the RHEL defaults in the shared rules.

The `sysctl_conf_symlink` + `sysctl_reapply_after_network` pair is needed because Debian's `systemd-sysctl` does not automatically process `/etc/sysctl.conf` unless the symlink exists, and because network sysctl values are overwritten by the kernel when interfaces are brought up.

Review Hints:

Build the product:

Key files to review:

- `products/debian13/product.yml` — product configuration and OVAL feed URL (points to Trixie)
- `controls/cis_debian13.yml` — 343-control mapping for CIS Debian 13 v1.0.0
- `products/debian13/profiles/cis_level1_server.profile` — main Level 1 server profile
- `linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/bash/shared.sh` — PAM pwquality fix
- `shared/templates/accounts_password/bash.template` — template guard fix
- `linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/` — new sysctl symlink rule
- `linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/` — new sysctl reapply rule
- `linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml` — log permission fix

Scan a real Debian 13 system (two remediation passes are required on a clean VM because the first pass installs `libpam-pwquality` and the second pass configures the parameters — this is an OpenSCAP CPE session limitation, not a bug in the content):

Review approach: The branch has many commits. The most meaningful ones to review in sequence are: product skeleton → control file → profiles → new rules (apt/kea/syslogng/ufw/sysctl) → existing rule modifications → bug fixes (last 3 commits: `9a4d724f7d`, `fb093610bc`, `1d47c1dc35`).

Debian 13 OVAL feed: The product uses `https://www.debian.org/security/oval/oval-definitions-trixie.xml` as the OVAL vulnerability feed.

No existing test scenarios were modified. New rules that use standard templates (`file_permissions`, `file_groupowner`, `service_disabled`, `package_removed`, `sysctl`) inherit template-level tests.