Merge pull request #13571 from a-skr/debian13-20250612

Mab879 · web-flow · commit 04b3394779a3 · 2025-06-13T10:16:10.000-05:00
Add Debian 13 profile for ANSSI BP 28 (enhanced)
diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
@@ -55,4 +55,5 @@ template:
         servicename: chronyd
         servicename@ubuntu2204: chrony
         servicename@debian12: chrony
+        servicename@debian13: chrony
 {{%- endif %}}
diff --git a/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml b/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml
@@ -44,7 +44,9 @@ template:
     name: service_enabled
     vars:
         servicename: ntpd
+        servicename@debian13: ntpsec
         packagename: ntp
+        packagename@debian13: ntpsec
 
 platform: package[ntp]
 
diff --git a/linux_os/guide/system/apparmor/package_pam_apparmor_installed/rule.yml b/linux_os/guide/system/apparmor/package_pam_apparmor_installed/rule.yml
@@ -34,3 +34,4 @@ template:
     vars:
         pkgname: pam_apparmor
         pkgname@debian12: libpam-apparmor
+        pkgname@debian13: libpam-apparmor
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
@@ -57,5 +57,6 @@ template:
         filemode: '0000'
         filemode@debian11: '0640'
         filemode@debian12: '0640'
+        filemode@debian13: '0640'
         filemode@ubuntu2204: '0640'
         filemode@ubuntu2404: '0640'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
@@ -66,6 +66,7 @@ template:
         filemode: '0000'
         filemode@debian11: '0640'
         filemode@debian12: '0640'
+        filemode@debian13: '0640'
         filemode@sle12: '0640'
         filemode@sle15: '0640'
         filemode@ubuntu2204: '0640'
diff --git a/products/debian13/profiles/anssi_bp28_enhanced.profile b/products/debian13/profiles/anssi_bp28_enhanced.profile
@@ -0,0 +1,75 @@
+documentation_complete: true
+
+title: 'ANSSI-BP-028 (enhanced)'
+
+description: |-
+      This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level.
+
+      ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+      ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+      A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+        https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+selections:
+  - anssi:all:enhanced
+  - 'package_rsyslog_installed'
+  - 'service_rsyslog_enabled'
+  # PASS_MIN_LEN is handled by PAM on debian systems.
+  - '!accounts_password_minlen_login_defs'
+  # ANSSI BP 28 suggest using libpam_pwquality, which isn't deployed by default
+  - 'package_pam_pwquality_installed'
+  # PAM honour login.defs file for algorithm
+  - 'set_password_hashing_algorithm_logindefs'
+  # Debian uses apparmor
+  - '!selinux_state'
+  - '!audit_rules_mac_modification'
+  - '!selinux_policytype'
+  - '!sebool_selinuxuser_execheap'
+  - '!sebool_deny_execmem'
+  - '!sebool_selinuxuser_execstack'
+  - '!sebool_secure_mode_insmod'
+  - '!sebool_ssh_sysadm_login'
+
+  # this rule is incompatible with R38
+  - '!file_groupownership_system_commands_dirs'
+
+  
+  # The following are MLS related rules (not part of ANSSI-BP-028)
+  - '!accounts_polyinstantiated_tmp'
+  - '!accounts_polyinstantiated_var_tmp'
+  - '!enable_pam_namespace'
+  # there is no tmp.mount unit on Debian 12.
+  - '!systemd_tmp_mount_enabled'
+  # this rule cannot handle /etc/chrony/chrony.conf path properly.
+  # chronyd_specify_remote_server still report wether chrony is configured.
+  - '!chronyd_configure_pool_and_server'
+
+  # Following rules once had a prodtype incompatible with the debian13 product
+  - '!accounts_passwords_pam_tally2_deny_root'
+  - '!ensure_redhat_gpgkey_installed'
+  - '!set_password_hashing_algorithm_systemauth'
+  - '!package_dnf-automatic_installed'
+  - '!accounts_passwords_pam_faillock_deny_root'
+  - '!dnf-automatic_security_updates_only'
+  - '!cracklib_accounts_password_pam_lcredit'
+  - '!dnf-automatic_apply_updates'
+  - '!cracklib_accounts_password_pam_ocredit'
+  - '!accounts_password_pam_unix_rounds_system_auth'
+  - '!timer_dnf-automatic_enabled'
+  - '!accounts_passwords_pam_tally2'
+  - '!cracklib_accounts_password_pam_ucredit'
+  - '!file_permissions_unauthorized_sgid'
+  - '!ensure_gpgcheck_local_packages'
+  - '!accounts_passwords_pam_tally2_unlock_time'
+  - '!enable_authselect'
+  - '!cracklib_accounts_password_pam_minlen'
+  - '!cracklib_accounts_password_pam_dcredit'
+  - '!ensure_gpgcheck_globally_activated'
+  - '!file_permissions_unauthorized_suid'
+  - '!ensure_gpgcheck_never_disabled'
+  - '!ensure_oracle_gpgkey_installed'
+  - '!ensure_almalinux_gpgkey_installed'
+  - '!package_dracut-fips-aesni_installed'
+  - '!audit_rules_file_deletion_events_renameat2'
+  - '!audit_rules_dac_modification_fchmodat2'
