Merge pull request #11592 from a-skr/feature-refactor-prodtype-debian12

update debian12 anssi bp28 minimal profile
ComplianceAsCode · May 21, 2024 · 0a1ba93 · 0a1ba93
2 parents 6b51053 + f44e383
commit 0a1ba93
Show file tree

Hide file tree

Showing 75 changed files with 924 additions and 2,722 deletions.
diff --git a/...ure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/bash/shared.sh b/...ure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 {{{ bash_fix_audit_watch_rule("auditctl", "/sbin/insmod", "x", "modules") }}}

diff --git a/...e_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/bash/shared.sh b/...e_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,multi_platform_rhel,multi_platform_ubuntu
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_ubuntu,multi_platform_debian
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 {{{ bash_fix_audit_watch_rule("auditctl", "/sbin/modprobe", "x", "modules") }}}

diff --git a/...gure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/bash/shared.sh b/...gure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 {{{ bash_fix_audit_watch_rule("auditctl", "/sbin/rmmod", "x", "modules") }}}

diff --git a/...d_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/...d_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204", "debian12"] %}}
   {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
 

diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
@@ -36,6 +36,7 @@ template:
     name: package_removed
     vars:
         pkgname: ypbind
+        pkgname@debian12: ypbind-mt
 
 {{% if product in ["rhel9"] %}}
 warnings:

diff --git a/...-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml b/...-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
@@ -1,21 +1,69 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_all
 # reboot = false
 # strategy = configure
 # complexity = low
 # disruption = medium
 
-{{% if product in [ "sle12", "sle15" ] %}}
-{{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
+{{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}}
+
+{{% if "ubuntu" in product or "debian" in product %}}
+{{% set pam_file='/etc/pam.d/common-password' %}}
+{{% set group='password' %}}
+{{% set control='\[success=[A-Za-z0-9].*\]' %}}
+{{% set module='pam_unix.so' %}}
+{{% set option='remember' %}}
+{{% set value='{{ var_password_pam_unix_remember }}' %}}
+{{% elif product in [ "sle12", "sle15" ] %}}
+{{% set pam_file='/etc/pam.d/common-password' %}}
 {{% else %}}
-{{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
+{{% set pam_file='/etc/pam.d/system-auth' %}}
 {{% endif %}}
 
-{{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}}
+{{% if "ubuntu" in product or "debian" in product %}}
+
+# Modified version of macro ansible_ensure_pam_module_option(pam_file, group, control, module, option, value='', after_match='').
+# The original macro is designed to search/replace also the control field thus treating the field as a constant and escaping the regex.
+# Here we adapt the code to allow using regex on the control field.
+
+- name: '{{{ rule_title }}} - Check if the required PAM module option is present in {{{ pam_file }}}'
+  ansible.builtin.lineinfile:
+    path: "{{{ pam_file }}}"
+    regexp: ^\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s*.*\s{{{ option }}}\b
+    state: absent
+  check_mode: true
+  changed_when: false
+  register: result_pam_module_{{{ option }}}_option_present
+
+- name: '{{{ rule_title }}} - Ensure the "{{{ option }}}" PAM option for "{{{ module }}}" is included in {{{ pam_file }}}'
+  ansible.builtin.lineinfile:
+    path: "{{{ pam_file }}}"
+    backrefs: true
+    regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}.*)
+    line: \1 {{{ option }}}={{{ value }}}
+    state: present
+  register: result_pam_{{{ option }}}_add
+  when:
+    - result_pam_module_{{{ option }}}_option_present.found == 0
 
-{{{ ansible_pam_pwhistory_enable(accounts_password_pam_unix_remember_file,
+- name: '{{{ rule_title }}} - Ensure the required value for "{{{ option }}}" PAM option from "{{{ module }}}" in {{{ pam_file }}}'
+  ansible.builtin.lineinfile:
+    path: "{{{ pam_file }}}"
+    backrefs: true
+    regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s+.*)({{{ option }}})=[0-9a-zA-Z]+\s*(.*)
+    line: \1\2={{{ value }}} \3
+  register: result_pam_{{{ option }}}_edit
+  when:
+    - result_pam_module_{{{ option }}}_option_present.found > 0
+
+
+{{% else %}}
+
+{{{ ansible_pam_pwhistory_enable(pam_file,
                                  'requisite',
                                  '^password.*requisite.*pam_pwquality\.so') }}}
 
-{{{ ansible_pam_pwhistory_parameter_value(accounts_password_pam_unix_remember_file,
+{{{ ansible_pam_pwhistory_parameter_value(pam_file,
                                           'remember',
                                           '{{ var_password_pam_unix_remember }}') }}}
+
+{{% endif %}}
diff --git a/...-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/ubuntu.yml b/...-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/ubuntu.yml
diff --git a/...unts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/...unts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
@@ -1,12 +1,18 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_all
 
-{{% if product in [ "sle12", "sle15" ] %}}
+{{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
+
+{{% if "debian" in product or "ubuntu" in product or product in ["sle12", "sle15" ] %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
 {{% else %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
 {{% endif %}}
 
-{{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
+{{% if "debian" in product or "ubuntu" in product %}}
+
+{{{ bash_ensure_pam_module_options(accounts_password_pam_unix_remember_file, 'password', '\[success=[[:alnum:]].*\]', 'pam_unix.so', 'remember', "$var_password_pam_unix_remember", "$var_password_pam_unix_remember") }}}
+
+{{% else %}}
 
 {{{ bash_pam_pwhistory_enable(accounts_password_pam_unix_remember_file,
                               'requisite',
@@ -15,3 +21,6 @@
 {{{ bash_pam_pwhistory_parameter_value(accounts_password_pam_unix_remember_file,
                                        'remember',
                                        "$var_password_pam_unix_remember") }}}
+
+{{% endif %}}
+
diff --git a/...unts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/ubuntu.sh b/...unts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/ubuntu.sh