ComplianceAsCode · Mab879 · Oct 30, 2023 · Oct 18, 2023 · Oct 18, 2023 · Oct 27, 2023
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -76,6 +76,7 @@ option(SSG_PRODUCT_ANOLIS23 "If enabled, the Anolis OS 23 SCAP content will be b
 option(SSG_PRODUCT_CHROMIUM "If enabled, the Chromium SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_DEBIAN10 "If enabled, the Debian 10 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_DEBIAN11 "If enabled, the Debian 11 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_DEBIAN12 "If enabled, the Debian 12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_EKS "If enabled, the EKS SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_EXAMPLE "If enabled, the Example SCAP content will be built" FALSE)
 option(SSG_PRODUCT_FEDORA "If enabled, the Fedora SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -294,6 +295,7 @@ message(STATUS "Anolis OS 23: ${SSG_PRODUCT_ANOLIS23}")
 message(STATUS "Chromium: ${SSG_PRODUCT_CHROMIUM}")
 message(STATUS "Debian 10: ${SSG_PRODUCT_DEBIAN10}")
 message(STATUS "Debian 11: ${SSG_PRODUCT_DEBIAN11}")
+message(STATUS "Debian 12: ${SSG_PRODUCT_DEBIAN12}")
 message(STATUS "Example: ${SSG_PRODUCT_EXAMPLE}")
 message(STATUS "EKS: ${SSG_PRODUCT_EKS}")
 message(STATUS "Fedora: ${SSG_PRODUCT_FEDORA}")
@@ -372,6 +374,9 @@ endif()
 if(SSG_PRODUCT_DEBIAN11)
     add_subdirectory("products/debian11" "debian11")
 endif()
+if(SSG_PRODUCT_DEBIAN12)
+    add_subdirectory("products/debian12" "debian12")
+endif()
 if(SSG_PRODUCT_EXAMPLE)
     add_subdirectory("products/example" "example")
 endif()

diff --git a/build_product b/build_product
@@ -312,6 +312,7 @@ all_cmake_products=(
 	CHROMIUM
 	DEBIAN10
 	DEBIAN11
+	DEBIAN12
 	EXAMPLE
 	EKS
 	FEDORA

diff --git a/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/rule.yml b/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian11,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204
+prodtype: debian10,debian11,debian12,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204
 
 title: 'Disable unauthenticated repositories in APT configuration'
 

diff --git a/linux_os/guide/services/apt/apt_sources_list_official/oval/debian12.xml b/linux_os/guide/services/apt/apt_sources_list_official/oval/debian12.xml
@@ -0,0 +1,27 @@
+<def-group>
+  <definition class="compliance" id="apt_sources_list_official" version="1">
+    {{{ oval_metadata("Official distribution repositories contain up-to-date distribution security and functional patches.") }}}
+    <criteria comment="Match sources.list distribution repositories usage" operator="AND">
+      <criterion comment="Check /etc/apt/sources(.d/.+).list file for base" test_ref="test_apt_sources_list_base_official" />
+      <criterion comment="Check /etc/apt/sources(.d/.+).list file for security" test_ref="test_apt_sources_list_security_official" />
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Checks usage of official distribution base repositories"
+  id="test_apt_sources_list_base_official" version="1">
+    <ind:object object_ref="obj_apt_sources_list_base_official" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_apt_sources_list_base_official" version="1">
+    <ind:filepath operation="pattern match">^/etc/apt/sources(.d\/[a-zA-Z0-9]+){0,1}.list$</ind:filepath>
+    <ind:pattern operation="pattern match">^deb[\s]+http://[a-z\.]+\.debian\.org/debian[/]?[\s]+bookworm[\s]+main</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Checks usage of official distribution security repositories"
+  id="test_apt_sources_list_security_official" version="1">
+    <ind:object object_ref="obj_apt_sources_list_security_official" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_apt_sources_list_security_official" version="1">
+    <ind:filepath operation="pattern match">^/etc/apt/sources(.d\/[a-zA-Z0-9]+){0,1}.list$</ind:filepath>
+    <ind:pattern operation="pattern match">^deb[\s]+http://security\.debian\.org/debian-security[/]?[\s]+bookworm-security[\s]+main</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/services/apt/apt_sources_list_official/rule.yml b/linux_os/guide/services/apt/apt_sources_list_official/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian11
+prodtype: debian10,debian11,debian12
 
 title: 'Ensure that official distribution repositories are used'
 

diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian11,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: debian10,debian11,debian12,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Uninstall net-snmp Package'
 

diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,openembedded,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,openembedded,rhel7,rhel8,rhel9,sle12,sle15
 
 title: 'Disable snmpd Service'
 

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian11,fedora,ol7,ol8,rhel7,rhel8
+prodtype: debian10,debian11,debian12,fedora,ol7,ol8,rhel7,rhel8
 
 title: 'Ensure Default SNMP Password Is Not Used'
 

diff --git a/...ditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml b/...ditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20
+prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20
 
 title: 'Ensure auditd Collects File Deletion Events by User'
 

diff --git a/...nfigure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml b/...nfigure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 
 title: 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)'
 

diff --git a/...e_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/...e_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Record Unsuccessful Access Attempts to Files - creat'
 

diff --git a/...les/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/...les/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Record Unsuccessful Access Attempts to Files - ftruncate'
 

diff --git a/...re_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/...re_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Record Unsuccessful Access Attempts to Files - open'
 

diff --git a/...t_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/...t_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Record Unsuccessful Access Attempts to Files - open_by_handle_at'
 

diff --git a/..._rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/..._rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Record Unsuccessful Access Attempts to Files - openat'
 

diff --git a/...ules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/...ules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Record Unsuccessful Access Attempts to Files - truncate'
 

diff --git a/...td_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml b/...td_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 
 title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading'
 

diff --git a/...igure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/...igure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Ensure auditd Collects Information on Kernel Module Unloading - delete_module'
 

diff --git a/...figure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/...figure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module'
 

diff --git a/...nfigure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/...nfigure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Ensure auditd Collects Information on Kernel Module Loading - init_module'
 

diff --git a/...stem/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml b/...stem/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
+prodtype: alinux2,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
 
 title: 'Record Attempts to Alter Logon and Logout Events'
 

diff --git a/...ting/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/...ting/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,alinux3,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 
 title: 'Record Attempts to Alter Logon and Logout Events - faillock'
 

diff --git a/...iting/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/...iting/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,alinux3,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Record Attempts to Alter Logon and Logout Events - lastlog'
 

diff --git a/...ting/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/...ting/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Record Attempts to Alter Logon and Logout Events - tallylog'
 

diff --git a/linux_os/guide/system/auditing/package_audit_installed/rule.yml b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
@@ -65,3 +65,4 @@ template:
         pkgname@ubuntu2204: auditd
         pkgname@debian10: auditd
         pkgname@debian11: auditd
+        pkgname@debian12: auditd
diff --git a/...ystem/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml b/...ystem/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml
@@ -2,32 +2,24 @@ documentation_complete: true
 
 title: 'Ensure Log Files Are Owned By Appropriate Group'
 
-description: |-
-    The group-owner of all log files written by
-    <tt>rsyslog</tt> should be
-{{% if 'debian' in product or 'ubuntu' in product %}}
-    <tt>adm</tt>.
+{{% if "ubuntu" in product or "debian" in product %}}
+    {{% set target_group="adm" %}}
 {{% else %}}
-    <tt>root</tt>.
+    {{% set target_group="root" %}}
 {{% endif %}}
+
+description: |-
+    The group-owner of all log files written by
+    <tt>rsyslog</tt> should be <tt>{{{ target_group }}}</tt>.
     These log files are determined by the second part of each Rule line in
     <tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>.
     For each log file <i>LOGFILE</i> referenced in <tt>/etc/rsyslog.conf</tt>,
     run the following command to inspect the file's group owner:
     <pre>$ ls -l <i>LOGFILE</i></pre>
-    If the owner is not
-    {{% if 'debian' in product or 'ubuntu' in product %}}
-    <tt>adm</tt>,
-    {{% else %}}
-    <tt>root</tt>,
-    {{% endif %}}
+    If the owner is not <tt>{{{ target_group }}}</tt>,
     run the following command to
     correct this:
-{{% if 'debian' in product or 'ubuntu' in product %}}
-    <pre>$ sudo chgrp adm <i>LOGFILE</i></pre>
-{{% else %}}
-    <pre>$ sudo chgrp root <i>LOGFILE</i></pre>
-{{% endif %}}
+    <pre>$ sudo chgrp {{{ target_group }}} <i>LOGFILE</i></pre>
 
 rationale: |-
     The log files generated by rsyslog contain valuable information regarding system
@@ -65,11 +57,7 @@ ocil_clause: 'the group-owner is not correct'
 
 ocil: |-
     The group-owner of all log files written by <tt>rsyslog</tt> should be
-    {{% if 'debian' in product or 'ubuntu' in product %}}
-    <tt>adm</tt>.
-    {{% else %}}
-    <tt>root</tt>.
-    {{% endif %}}
+    <tt>{{{ target_group }}}</tt>.
     These log files are determined by the second part of each Rule line in
     <tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>.
     To see the group-owner of a given log file, run the following command:
@@ -79,9 +67,4 @@ template:
   name: rsyslog_logfiles_attributes_modify
   vars:
     attribute: groupowner
-    value: root
-    value@debian10: adm
-    value@debian11: adm
-    value@ubuntu1604: adm
-    value@ubuntu2004: adm
-    value@ubuntu2204: adm
+    value: {{{ target_group }}}
diff --git a/...ons/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/...ons/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
@@ -55,6 +55,7 @@ template:
         gid_or_name: '0'
         gid_or_name@debian10: '42'
         gid_or_name@debian11: '42'
+        gid_or_name@debian12: '42'
         gid_or_name@ubuntu1604: '42'
         gid_or_name@ubuntu1804: '42'
         gid_or_name@ubuntu2004: '42'

diff --git a/...ermissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/...ermissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
@@ -56,10 +56,8 @@ template:
     name: file_groupowner
     vars:
         filepath: /etc/gshadow
+{{% if "ubuntu" in product or "debian" in product %}}
+        gid_or_name: '42'
+{{% else %}}
         gid_or_name: '0'
-        gid_or_name@debian10: '42'
-        gid_or_name@debian11: '42'
-        gid_or_name@ubuntu1604: '42'
-        gid_or_name@ubuntu1804: '42'
-        gid_or_name@ubuntu2004: '42'
-        gid_or_name@ubuntu2204: '42'
+{{% endif %}}
diff --git a/...ns/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/...ns/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
@@ -57,6 +57,7 @@ template:
         filemode: '0000'
         filemode@debian10: '0640'
         filemode@debian11: '0640'
+        filemode@debian12: '0640'
         filemode@ubuntu1604: '0640'
         filemode@ubuntu1804: '0640'
         filemode@ubuntu2004: '0640'

diff --git a/...ons/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/...ons/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
@@ -60,6 +60,7 @@ template:
         filemode: '0000'
         filemode@debian10: '0640'
         filemode@debian11: '0640'
+        filemode@debian12: '0640'
         filemode@ubuntu1604: '0640'
         filemode@ubuntu1804: '0640'
         filemode@ubuntu2004: '0640'

diff --git a/...rmissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/...rmissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
@@ -64,6 +64,7 @@ template:
         filemode: '0000'
         filemode@debian10: '0640'
         filemode@debian11: '0640'
+        filemode@debian12: '0640'
         filemode@ubuntu1604: '0640'
         filemode@ubuntu1804: '0640'
         filemode@ubuntu2004: '0640'

diff --git a/...ermissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/...ermissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
@@ -74,6 +74,7 @@ template:
         filemode: '0000'
         filemode@debian10: '0640'
         filemode@debian11: '0640'
+        filemode@debian12: '0640'
         filemode@sle12: '0640'
         filemode@sle15: '0640'
         filemode@ubuntu1604: '0640'

diff --git a/...x_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/...x_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,debian10,debian11,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Build and Test AIDE Database'
 

diff --git a/...s/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/...s/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,fedora,ol7,ol8,ol9,openembedded,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,openembedded,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Install AIDE'
 

diff --git a/products/debian12/CMakeLists.txt b/products/debian12/CMakeLists.txt
@@ -0,0 +1,6 @@
+# Sometimes our users will try to do: "cd debian11; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+ssg_build_product("debian12")
diff --git a/products/debian12/overlays/.gitkeep b/products/debian12/overlays/.gitkeep