diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh
index c0fe0755138f..373841ddb177 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh
@@ -33,6 +33,11 @@ done
 {{{ bash_fix_audit_watch_rule("augenrules", "/etc/network/", "wa", "audit_rules_networkconfig_modification") }}}
 {{{ bash_fix_audit_watch_rule("auditctl", "/etc/netplan/", "wa", "audit_rules_networkconfig_modification") }}}
 {{{ bash_fix_audit_watch_rule("augenrules", "/etc/netplan/", "wa", "audit_rules_networkconfig_modification") }}}
+{{% elif 'debian' in product -%}}
+{{{ bash_fix_audit_watch_rule("auditctl", "/etc/networks", "wa", "audit_rules_networkconfig_modification") }}}
+{{{ bash_fix_audit_watch_rule("augenrules", "/etc/networks", "wa", "audit_rules_networkconfig_modification") }}}
+{{{ bash_fix_audit_watch_rule("auditctl", "/etc/network/", "wa", "audit_rules_networkconfig_modification") }}}
+{{{ bash_fix_audit_watch_rule("augenrules", "/etc/network/", "wa", "audit_rules_networkconfig_modification") }}}
 {{% else -%}}
 {{{ bash_fix_audit_watch_rule("auditctl", "/etc/sysconfig/network", "wa", "audit_rules_networkconfig_modification") }}}
 {{{ bash_fix_audit_watch_rule("augenrules", "/etc/sysconfig/network", "wa", "audit_rules_networkconfig_modification") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/shared.xml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/shared.xml
index 33c52dc56496..9d3a113a76fe 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/shared.xml
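Review bot: The new `{{% elif 'debian' in product -%}}` branch repeats the `/etc/networks` and `/etc/network/` watch pairs that the preceding branch appears to emit already (its `/etc/network/` augenrules line is the first context line of the hunk), so Ubuntu and Debian are now kept in sync by hand, while rule.yml and the OVAL in this same commit gate exactly those paths with one `'ubuntu' in product or 'debian' in product` condition. Consider using that shared condition here too and keeping only the `/etc/netplan/` pair under a product-specific branch, e.g. `{{% if 'ubuntu' in product or 'debian' in product -%}}` with `{{% if product in ['ubuntu2404'] -%}}` nested around the two netplan lines. The opening `{{% if` of this chain and the loop that ends at `done` are outside the hunk, so the current Ubuntu condition cannot be confirmed from here.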
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/shared.xml @@ -1,3 +1,11 @@ +{{% if product in ['ubuntu2404'] %}} +{{% set paths = ('/etc/issue', '/etc/issue.net', '/etc/hosts', '/etc/networks', '/etc/network/', '/etc/netplan/') %}} +{{% elif 'ubuntu' in product or 'debian' in product %}} +{{% set paths = ('/etc/issue', '/etc/issue.net', '/etc/hosts', '/etc/networks', '/etc/network/') %}} +{{% else %}} +{{% set paths = ('/etc/issue', '/etc/issue.net', '/etc/hosts', '/etc/sysconfig/network') %}} +{{% endif %}} + {{{ oval_metadata("The network environment should not be modified by anything other than @@ -8,10 +16,9 @@ - - - - + {{% for path in paths %}} + + {{% endfor %}} @@ -19,10 +26,9 @@ - - - - + {{% for path in paths %}} + + {{% endfor %}} 
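Review bot: The three `paths` tuples in the first hunk each restate the common prefix `/etc/issue`, `/etc/issue.net`, `/etc/hosts`, and the same per-product lists are spelled out again in rule.yml's description and OCIL grep patterns in this commit, so a path added for one product later has to be repeated in several places. Building each tuple from a shared base, e.g. `{{% set base = ('/etc/issue', '/etc/issue.net', '/etc/hosts') %}}` followed by `{{% set paths = base + ('/etc/networks', '/etc/network/') %}}` per branch, would confine the per-product text to the distribution-specific entries (Jinja's `+` concatenates tuples). The rendering here has stripped the XML tags, so only the template lines of this hunk can be reviewed.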
@@ -30,76 +36,24 @@ - - - - - ^/etc/audit/rules\.d/.*\.rules$ - ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - 1 - - - - - - - ^/etc/audit/rules\.d/.*\.rules$ - ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - 1 - - - - - - - ^/etc/audit/rules\.d/.*\.rules$ - ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - 1 - - - - + {{% for path in paths %}} + + - + ^/etc/audit/rules\.d/.*\.rules$ - ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - 1 - - - - - - - /etc/audit/audit.rules - ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - 1 - - - - - - - /etc/audit/audit.rules - ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - 1 - - - - - - - /etc/audit/audit.rules - ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ + ^\-w[\s]+{{{ path | escape_regex }}}[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ 1 - - + + - + /etc/audit/audit.rules - ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ + ^\-w[\s]+{{{ path | escape_regex }}}[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ 1 + {{% endfor %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/ubuntu.xml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/ubuntu.xml deleted file mode 100644 index 38fc92f0a7cc..000000000000 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/ubuntu.xml +++ /dev/null 
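Review bot: The new pattern `^\-w[\s]+{{{ path | escape_regex }}}[\s]+\-p[\s]+...` on both the rules.d and audit.rules objects matches the path exactly as spelled in `paths`, so for the directory entries `/etc/network/` and `/etc/netplan/` a hand-written rule without the trailing slash (`-w /etc/network -p wa -k ...`), which auditctl also accepts for that directory, fails the check even though the watch is in place. The bash remediation in this commit writes the slashed form, so remediated systems pass; the caveat only affects rules administrators author themselves. An XML comment above the new `{{% for path in paths %}}`, e.g. `<!-- the rule line must contain the path literally as listed in paths; directory watches are expected with a trailing slash -->`, would make that expectation visible to rule authors. The XML tags of this hunk are stripped in this rendering, so the element structure around the regex is inferred.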
@@ -1,57 +0,0 @@ -{{% if product in ['ubuntu2404'] %}} -{{% set paths = ('/etc/issue', '/etc/issue.net', '/etc/hosts', '/etc/networks', '/etc/network/', '/etc/netplan/') %}} -{{% else %}} -{{% set paths = ('/etc/issue', '/etc/issue.net', '/etc/hosts', '/etc/networks', '/etc/network/') %}} -{{% endif %}} - - - - {{{ oval_metadata("The network environment should not be modified by anything other than - administrator action. Any change to network parameters should be audited.", rule_title=rule_title) }}} - - - - - - - {{% for path in paths %}} - - {{% endfor %}} - - - - - - - - {{% for path in paths %}} - - {{% endfor %}} - - - - - - - - {{% for path in paths %}} - - - - - ^/etc/audit/rules\.d/.*\.rules$ - ^\-w[\s]+{{{ path | escape_regex }}}[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - 1 - - - - - - - /etc/audit/audit.rules - ^\-w[\s]+{{{ path | escape_regex }}}[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - 1 - - {{% endfor %}} - - diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml index 69b1eae5a846..4626ec550ce7 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml @@ -16,7 +16,7 @@ description: |- {{% if product in ['ubuntu2404'] %}} -w /etc/netplan/ -p wa -k audit_rules_networkconfig_modification {{% endif %}} - {{% if 'ubuntu' in product -%}} + {{% if 'ubuntu' in product or 'debian' in product -%}} -w /etc/networks -p wa -k audit_rules_networkconfig_modification -w /etc/network/ -p wa -k audit_rules_networkconfig_modification {{% else -%}} 
@@ -31,7 +31,7 @@ description: |-
 -w /etc/issue -p wa -k audit_rules_networkconfig_modification
 -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
 -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
- {{% if 'ubuntu' in product -%}}
+ {{% if 'ubuntu' in product or 'debian' in product -%}}
 -w /etc/networks -p wa -k audit_rules_networkconfig_modification
 -w /etc/network/ -p wa -k audit_rules_networkconfig_modification
 {{% else -%}}
@@ -76,7 +76,7 @@ ocil: |-
 run the following command:
 {{% if product in ['ubuntu2404'] -%}}
auditctl -l | grep -E '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/networks|/etc/network/|/etc/netplan/)'
- {{% elif 'ubuntu' in product -%}}
+ {{% elif 'ubuntu' in product or 'debian' in product -%}}
auditctl -l | grep -E '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/networks|/etc/network/)'
{{% else -%}}
auditctl -l | grep -E '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)'
diff --git a/products/debian12/product.yml b/products/debian12/product.yml index 3a6589be46be..f98d5a52706a 100644 --- a/products/debian12/product.yml +++ b/products/debian12/product.yml @@ -39,6 +39,7 @@ platform_package_overrides: pam: libpam-runtime shadow: login sssd: sssd-common + audit: auditd reference_uris: cis: 'https://www.cisecurity.org/benchmark/debian_linux/' diff --git a/products/debian13/product.yml b/products/debian13/product.yml index 91ae2cbee93e..379b4d89eb02 100644 --- a/products/debian13/product.yml +++ b/products/debian13/product.yml @@ -39,3 +39,5 @@ platform_package_overrides: pam: libpam-runtime shadow: login sssd: sssd-common + audit: auditd + diff --git a/tests/data/product_stability/debian12.yml b/tests/data/product_stability/debian12.yml index 3c3cf42a76b0..abda39ef1b19 100644 --- a/tests/data/product_stability/debian12.yml +++ b/tests/data/product_stability/debian12.yml @@ -4,13 +4,13 @@ aide_bin_path: /usr/sbin/aide aide_conf_path: /etc/aide/aide.conf audisp_conf_path: /etc/audit audit_binaries: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/audispd - - /sbin/augenrules +- /sbin/auditctl +- /sbin/aureport +- /sbin/ausearch +- /sbin/autrace +- /sbin/auditd +- /sbin/audispd +- /sbin/augenrules audit_watches_style: legacy auid: 1000 basic_properties_derived: true @@ -49,6 +49,7 @@ pkg_manager: apt_get pkg_system: dpkg platform_package_overrides: aarch64_arch: null + audit: auditd gdm: gdm3 grub2: grub2-common login_defs: login diff --git a/tests/data/product_stability/debian13.yml b/tests/data/product_stability/debian13.yml index 148957c3a685..731b58418825 100644 --- a/tests/data/product_stability/debian13.yml +++ b/tests/data/product_stability/debian13.yml 
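Review bot: `products/debian13/product.yml` gains an empty trailing line after the new `audit: auditd` override (the second `+` line of its hunk, `@@ -39,3 +39,5 @@`), whereas the debian12 hunk adds only the override; drop the blank line so both product files end the same way. The `audit: auditd` mapping itself is applied consistently to both product files and both `tests/data/product_stability` fixtures. The reindentation of the `audit_binaries` list in those fixtures is unrelated to the override and looks like regenerated dumper output; if it was produced by hand, it is better split into its own commit.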
@@ -4,13 +4,13 @@ aide_bin_path: /usr/sbin/aide aide_conf_path: /etc/aide/aide.conf audisp_conf_path: /etc/audit audit_binaries: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/audispd - - /sbin/augenrules +- /sbin/auditctl +- /sbin/aureport +- /sbin/ausearch +- /sbin/autrace +- /sbin/auditd +- /sbin/audispd +- /sbin/augenrules audit_watches_style: legacy auid: 1000 basic_properties_derived: true @@ -50,6 +50,7 @@ pkg_manager: apt_get pkg_system: dpkg platform_package_overrides: aarch64_arch: null + audit: auditd gdm: gdm3 grub2: grub2-common login_defs: login