From 4111456d82fed25c8013a0d5b8fce4c153f0a083 Mon Sep 17 00:00:00 2001 
From: Israel Villar Boillos Date: Fri, 5 Jun 2026 22:30:36 +0100 Subject: [PATCH] Add Debian 13 support to NTP/chrony rules - chronyd_run_as_chrony_user: add bash/debian.sh that sets the chrony user to _chrony (Debian uses _chrony, not chrony); extend OVAL condition from ubuntu-only to all Debian products to check /etc/chrony/chrony.conf. - service_chronyd_disabled: extend the service_disabled_guard_var condition from ubuntu-only to all Debian products. Remove now-dead servicename@ubuntu2204 and servicename@debian12 overrides from the service_disabled branch (those products now use service_disabled_guard_var). - service_timesyncd_disabled: extend service_disabled_guard_var condition to all Debian products. - service_timesyncd_configured: fix platform from package[systemd] to package[systemd-timesyncd] (the timesyncd package is split on Debian). - package_timesyncd_installed: extend package_installed_guard_var condition from ubuntu-only to all Debian products. - chronyd_configure_pool_and_server: fix OVAL and Ansible regexps to allow options after the server/pool address (e.g. "iburst", "maxpoll"); add two test scenarios covering pool/server entries with options. 
Co-Authored-By: Claude Sonnet 4.6 --- .../chronyd_configure_pool_and_server/ansible/shared.yml | 4 ++-- .../ntp/chronyd_configure_pool_and_server/oval/shared.xml | 4 ++-- .../tests/pool_with_options.pass.sh | 6 ++++++ .../tests/server_with_options.pass.sh | 6 ++++++ .../services/ntp/chronyd_run_as_chrony_user/bash/debian.sh | 3 +++ .../services/ntp/chronyd_run_as_chrony_user/oval/shared.xml | 2 +- .../guide/services/ntp/package_timesyncd_installed/rule.yml | 2 +- .../guide/services/ntp/service_chronyd_disabled/rule.yml | 4 +--- .../services/ntp/service_timesyncd_configured/rule.yml | 2 +- .../guide/services/ntp/service_timesyncd_disabled/rule.yml | 2 +- 10 files changed, 24 insertions(+), 11 deletions(-) create mode 100644 linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/pool_with_options.pass.sh create mode 100644 linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/server_with_options.pass.sh create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/debian.sh diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/ansible/shared.yml index 54f7f2e53b9d..3b925a5a1632 100644 --- a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/ansible/shared.yml +++ b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/ansible/shared.yml @@ -9,7 +9,7 @@ - name: {{{ rule_title }}} - Add missing / update wrong records for remote time servers ansible.builtin.lineinfile: path: {{{ chrony_conf_path }}} - regexp: '^\s*\bserver\b\s*\b{{ item }}\b$' + regexp: '^\s*\bserver\b\s*\b{{ item }}\b' state: present line: 'server {{ item }}' create: true 
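Review bot: Dropping the trailing `$` from the `regexp` makes the task match a `server <host>` line that carries options, but `lineinfile` with `state: present` still replaces the matched line with the bare `line: 'server {{ item }}'`, so an existing `server ntp.example.org nts iburst` would be rewritten without its options — the remediation strips authentication and polling options that the OVAL check in this same patch now explicitly tolerates. `{{ item }}` is also interpolated unescaped, so the dots in a hostname match any character and the closing `\b` still accepts a longer host such as `2.debian.pool.ntp.org.example`; use `{{ item | regex_escape }}` and end the pattern with `(\s|$)` so it mirrors the OVAL `([[:space:]].*)?$` tail. To preserve options on an existing line, a `backrefs: true` task with `regexp: '^\s*server\s+{{ item | regex_escape }}(\s.*)?$'` and `line: 'server {{ item }}\1'` keeps the remainder, but `backrefs` never inserts, so a separate add-if-missing step is still needed. The pool task in the following hunk has the same shape and needs the same treatment.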
@@ -19,7 +19,7 @@ - name: {{{ rule_title }}} - Add missing / update wrong records for remote time pools ansible.builtin.lineinfile: path: {{{ chrony_conf_path }}} - regexp: '^\s*\bpool\b\s*\b{{ item }}\b$' + regexp: '^\s*\bpool\b\s*\b{{ item }}\b' state: present line: 'pool {{ item }}' create: true diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/oval/shared.xml index 46caf86dd361..6512a93ae74d 100644 --- a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/oval/shared.xml +++ b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/oval/shared.xml @@ -16,7 +16,7 @@ - $ + ([[:space:]].*)?$ @@ -29,7 +29,7 @@ - $ + ([[:space:]].*)?$ diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/pool_with_options.pass.sh b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/pool_with_options.pass.sh new file mode 100644 index 000000000000..0f455decb98f --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/pool_with_options.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# packages = chrony +# variables = var_multiple_time_servers=0.debian.pool.ntp.org,1.debian.pool.ntp.org,2.debian.pool.ntp.org,3.debian.pool.ntp.org,var_multiple_time_pools=0.debian.pool.ntp.org,1.debian.pool.ntp.org,2.debian.pool.ntp.org,3.debian.pool.ntp.org + +echo "" > {{{ chrony_conf_path }}} +echo "pool 2.debian.pool.ntp.org iburst" >> {{{ chrony_conf_path }}} diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/server_with_options.pass.sh b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/server_with_options.pass.sh new file mode 100644 index 000000000000..9a3729eadd8b --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/server_with_options.pass.sh 
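Review bot: Both new scenarios are pass cases, so nothing pins that the relaxed OVAL tail `([[:space:]].*)?$` still requires a delimiter right after the address rather than accepting any longer hostname with the expected one as a prefix. A `pool_with_suffix.fail.sh` that writes `pool 2.debian.pool.ntp.org.example.com iburst` into `{{{ chrony_conf_path }}}` would guard that regression cheaply, and the same check is worth having for `server`. Whether a commented-out entry (`#pool 2.debian.pool.ntp.org iburst`) is rejected depends on the prefix side of the OVAL pattern, which is not in this hunk; if it is not already covered by a fail scenario, add one.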
@@ -0,0 +1,6 @@ +#!/bin/bash +# packages = chrony +# variables = var_multiple_time_servers=0.debian.pool.ntp.org,1.debian.pool.ntp.org,2.debian.pool.ntp.org,3.debian.pool.ntp.org,var_multiple_time_pools=0.debian.pool.ntp.org,1.debian.pool.ntp.org,2.debian.pool.ntp.org,3.debian.pool.ntp.org + +echo "" > {{{ chrony_conf_path }}} +echo "server 2.debian.pool.ntp.org iburst maxpoll 10" >> {{{ chrony_conf_path }}} diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/debian.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/debian.sh new file mode 100644 index 000000000000..84f0c626d920 --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/debian.sh @@ -0,0 +1,3 @@ +# platform = multi_platform_debian + +{{{ bash_replace_or_append(chrony_conf_path, '^user', '_chrony', '%s %s', cce_identifiers=cce_identifiers) }}} diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml index 88b20cd2f9b0..ff4295d60ca3 100644 --- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml +++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml @@ -29,7 +29,7 @@ -{{%- elif 'ubuntu' in product -%}} +{{%- elif 'ubuntu' in product or 'debian' in product -%}} {{{ oval_check_config_file(path='/etc/chrony/chrony.conf', prefix_regex='^[ \\t]*', parameter='user', separator_regex='[[:space:]]', value='_chrony', missing_parameter_pass=true, missing_config_file_fail=false, rule_id=rule_id, rule_title=rule_title) }}} {{%- else -%}} {{{ oval_check_config_file(path='/etc/sysconfig/chronyd', prefix_regex='^[ \\t]*', parameter='OPTIONS', separator_regex='=', value='["]?.*-u[\s]*chrony.*["]?', missing_parameter_pass=ok_by_default, missing_config_file_fail=true, rule_id=rule_id, rule_title=rule_title) }}} 
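Review bot: The match regex `^user` passed to `bash_replace_or_append` in the new `debian.sh` is narrower than the OVAL check's `^[ \t]*` prefix in the next hunk: an indented `  user chrony` line is not matched, so the remediation appends a second `user _chrony` at the end of the file, and which occurrence chronyd honors is not established by anything visible here. If the macro accepts it, `^[[:space:]]*user\b` keeps remediation and check aligned and avoids the duplicate directive. The remediation also assumes the `_chrony` account exists (the Debian package creates it, but nothing here verifies that), and no Debian-specific test scenario for this rule is added in this patch, so the `_chrony` expectation stays unexercised by the test suite as far as the diff shows.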
diff --git a/linux_os/guide/services/ntp/package_timesyncd_installed/rule.yml b/linux_os/guide/services/ntp/package_timesyncd_installed/rule.yml index a1546145887b..fd82653ed4a6 100644 --- a/linux_os/guide/services/ntp/package_timesyncd_installed/rule.yml +++ b/linux_os/guide/services/ntp/package_timesyncd_installed/rule.yml @@ -19,7 +19,7 @@ references: nist-csf: PR.PT-1 pcidss: Req-10.4 -{{%- if 'ubuntu' in product %}} +{{%- if 'ubuntu' in product or 'debian' in product %}} template: name: package_installed_guard_var vars: diff --git a/linux_os/guide/services/ntp/service_chronyd_disabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_disabled/rule.yml index 1f12127a45a1..8e88e19d2fad 100644 --- a/linux_os/guide/services/ntp/service_chronyd_disabled/rule.yml +++ b/linux_os/guide/services/ntp/service_chronyd_disabled/rule.yml @@ -13,7 +13,7 @@ severity: medium platform: package[chrony] -{{%- if 'ubuntu' in product %}} +{{%- if 'ubuntu' in product or 'debian' in product %}} template: name: service_disabled_guard_var vars: @@ -27,6 +27,4 @@ template: vars: packagename: chrony servicename: chronyd - servicename@ubuntu2204: chrony - servicename@debian12: chrony {{%- endif %}} diff --git a/linux_os/guide/services/ntp/service_timesyncd_configured/rule.yml b/linux_os/guide/services/ntp/service_timesyncd_configured/rule.yml index 3b9c304b952d..4188ef4bf010 100644 --- a/linux_os/guide/services/ntp/service_timesyncd_configured/rule.yml +++ b/linux_os/guide/services/ntp/service_timesyncd_configured/rule.yml @@ -19,7 +19,7 @@ rationale: |- severity: medium -platform: package[systemd] +platform: package[systemd-timesyncd] identifiers: cce@sle12: CCE-92374-8 diff --git a/linux_os/guide/services/ntp/service_timesyncd_disabled/rule.yml b/linux_os/guide/services/ntp/service_timesyncd_disabled/rule.yml index 7b0676b077ce..b6a0845d4dbe 100644 --- a/linux_os/guide/services/ntp/service_timesyncd_disabled/rule.yml 
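Review bot: With `servicename@debian12: chrony` removed from the `else` branch of `service_chronyd_disabled`, Debian's unit name now has to come from the `service_disabled_guard_var` branch, whose `vars:` are cut off at the edge of the first hunk. Debian ships `chrony.service`, not `chronyd.service`, which is exactly what the deleted override encoded; if the guard_var branch still carries `servicename: chronyd`, the check and remediation target a unit that does not exist on Debian, and a disabled-check against a missing unit most likely passes regardless of chrony's real state. Please confirm that branch says `servicename: chrony`, or add `servicename@debian13: chrony` next to the Ubuntu override there.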
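Review bot: Changing `platform:` to `package[systemd-timesyncd]` in `service_timesyncd_configured` is right for Debian and Ubuntu, but the context lines show the rule also carries `cce@sle12`, and on any product where timesyncd is not split out of the `systemd` package the rule now evaluates as not applicable, which silently drops the check from those profiles rather than failing it. Keep `package[systemd]` where the package is not split, for example by wrapping the line in the same `{{% if 'ubuntu' in product or 'debian' in product %}}` / `{{% else %}}` conditional this patch already uses elsewhere, with `platform: package[systemd]` in the else branch. Whether SLE actually splits the package is not shown here; if it does on every product this rule applies to, state that in the commit message so the next reviewer does not have to re-derive it.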
+++ b/linux_os/guide/services/ntp/service_timesyncd_disabled/rule.yml @@ -17,7 +17,7 @@ severity: medium platform: package[systemd-timesyncd] -{{%- if 'ubuntu' in product %}} +{{%- if 'ubuntu' in product or 'debian' in product %}} template: name: service_disabled_guard_var vars: