Debian 12 CIS: Wrong PAM Version Expected #13879

@nozomi-slibero

Description

Description of problem:

When testing the CIS level 2 (server) benchmark on Debian 12, failures are reported for rules xccdf_org.ssgproject.content_rule_package_pam_runtime_installed and xccdf_org.ssgproject.content_rule_package_pam_modules_installed.
I believe that these failures stem from looking for the wrong package version, i.e., we inherit the Ubuntu version number, and we're looking for evr: 0:1.5.3-5.
However, version 1.5.2-6+deb12u1 is the latest available package version for Debian 12, for both libpam-modules and libpam-runtime. Moreover, the CIS benchmark itself mandates usage of version 1.5.2-6 or later.

SCAP Security Guide Version:

0.1.78

Operating System Version:

Ubuntu 25.04 running the oscap check, Debian Bookworm (slim) as the analysed system.

Steps to Reproduce:

  1. docker run -v /var/run/docker.sock:/var/run/docker.sock -ti ubuntu:25.04
  2. apt-get update && apt-get -y install docker.io openscap-scanner openscap-utils unzip wget curl
  3. cd /tmp
  4. wget https://github.com/ComplianceAsCode/content/releases/download/v0.1.78/scap-security-guide-0.1.78.zip
  5. unzip scap-security-guide-0.1.78.zip
  6. docker pull debian:bookworm-slim
  7. oscap-docker image debian:bookworm-slim xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_server --report debian12_cis_L2.html --results debian12_cis_L2.xml --oval-results --fetch-remote-resources /tmp/scap-security-guide-0.1.78/ssg-debian12-ds.xml

Actual Results:

Failures are reported for rules xccdf_org.ssgproject.content_rule_package_pam_runtime_installed and xccdf_org.ssgproject.content_rule_package_pam_modules_installed.

Expected Results:

Success for rules xccdf_org.ssgproject.content_rule_package_pam_runtime_installed and xccdf_org.ssgproject.content_rule_package_pam_modules_installed.

Additional Information/Debugging Steps:

docker run debian:bookworm-slim dpkg -l | grep pam
ii  libpam-modules:arm64    1.5.2-6+deb12u1        arm64        Pluggable Authentication Modules for PAM
ii  libpam-modules-bin      1.5.2-6+deb12u1        arm64        Pluggable Authentication Modules for PAM - helper binaries
ii  libpam-runtime          1.5.2-6+deb12u1        all          Runtime support for the PAM library
ii  libpam0g:arm64          1.5.2-6+deb12u1        arm64        Pluggable Authentication Modules library

See also https://packages.debian.org/bookworm/libpam-runtime

Attempted solution

I tried to modify both linux_os/guide/system/accounts/accounts-pam/package_pam_modules_installed/rule.yml and linux_os/guide/system/accounts/accounts-pam/package_pam_runtime_installed/rule.yml to add a line such as
evr@debian12: 1.5.2-6
However, building failed because it does not match the EVR format. If I add the 0: prefix, the audit is still not satisfied with the installed version, because the epoch prefix is not used in the Debian package.
So, in my local copy, I ended up modifying shared/templates/package_installed/template.py to allow epochless EVR.
I haven’t opened a PR for this yet, as I’m not very familiar with this repository and wanted to avoid potentially breaking anything. Additionally, there may be a more elegant solution.
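To make the version comparison behind this failure concrete, here is an added example (not code from the ComplianceAsCode project or from the reporter) that implements Debian's dpkg version ordering (epoch, upstream version, Debian revision, with the "~" and letters-before-non-letters rules) in Python and runs it over the dpkg -l lines quoted above. The package names and the two minimum-version tables (the 0:1.5.3-5 that the SSG rule currently checks for, and the 1.5.2-6 minimum from the CIS benchmark) come from this issue; the function names and the dict layout are my own. It shows that 1.5.2-6+deb12u1 satisfies 1.5.2-6 but not 0:1.5.3-5, and that under Debian policy an absent epoch is epoch 0, so 0:1.5.2-6 and 1.5.2-6 compare equal when the comparison is done semantically rather than as a string match.

```python
import re

# dpkg -l output for the PAM packages, copied from this issue (constructed sample input)
DPKG_L_OUTPUT = """\
ii  libpam-modules:arm64    1.5.2-6+deb12u1        arm64        Pluggable Authentication Modules for PAM
ii  libpam-modules-bin      1.5.2-6+deb12u1        arm64        Pluggable Authentication Modules for PAM - helper binaries
ii  libpam-runtime          1.5.2-6+deb12u1        all          Runtime support for the PAM library
ii  libpam0g:arm64          1.5.2-6+deb12u1        arm64        Pluggable Authentication Modules library
"""

# Minimum versions: what the SSG rule currently expects vs. what the CIS benchmark asks for
REQUIRED_SSG = {"libpam-runtime": "0:1.5.3-5", "libpam-modules": "0:1.5.3-5"}
REQUIRED_CIS = {"libpam-runtime": "1.5.2-6", "libpam-modules": "1.5.2-6"}


def parse_evr(version):
    """Split '[epoch:]upstream[-revision]' per Debian policy; missing epoch is 0."""
    epoch, rest = 0, version
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = int(e)
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)  # revision follows the LAST hyphen
    else:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def _order(c):
    """dpkg character weight: '~' sorts before everything (even end of string),
    letters before non-letters, end of string as 0."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        oa = _order(a[i] if i < len(a) else "")
        ob = _order(b[i] if i < len(b) else "")
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    """Alternate non-digit runs (lexical, modified order) and digit runs (numeric)."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions would order a against b."""
    ea, ua, ra = parse_evr(a)
    eb, ub, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def satisfies_minimum(installed, required):
    return compare_versions(installed, required) >= 0


def parse_dpkg_l(output):
    """Map package name -> installed version for 'ii' rows; drops the ':arch' suffix."""
    installed = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "ii":
            installed[fields[1].split(":", 1)[0]] = fields[2]
    return installed


def audit(installed, required):
    """Return {package: (installed_version_or_None, meets_minimum)}."""
    return {
        pkg: (installed.get(pkg), pkg in installed and satisfies_minimum(installed[pkg], minimum))
        for pkg, minimum in required.items()
    }


if __name__ == "__main__":
    have = parse_dpkg_l(DPKG_L_OUTPUT)
    for label, required in (("SSG 0.1.78 rule", REQUIRED_SSG), ("CIS benchmark", REQUIRED_CIS)):
        for pkg, (ver, ok) in audit(have, required).items():
            print(f"{label}: {pkg} {ver} >= {required[pkg]} -> {'pass' if ok else 'FAIL'}")
```

Running it prints a failure for both PAM packages against the 0:1.5.3-5 expectation and a pass against the 1.5.2-6 minimum, which is exactly the discrepancy the report describes.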

Labels: Debian (Debian product related), Ubuntu (Ubuntu product related), triaged