Guide to the Secure Configuration of Debian 11
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Disable netfs if Possible
To determine if any network filesystems handled by netfs are currently mounted on the system execute the following command: <pre>$ mount -t nfs,nfs4,smbfs,cifs,ncpfs</pre> If the command did not re...Group -
The Postfix package is installed
A mail server is required for sending emails. Thepostfixpackage can be installed with the following command:$ apt-get install postfix
Rule Medium Severity -
Configure SMTP For Mail Clients
This section discusses settings for Postfix in a submission-only e-mail configuration.Group -
Postfix relayhost
Specify the host all outbound email should be routed into.Value -
Postfix Root Mail Alias
Specify an email address (string) for a root mail alias.Value -
Configure System to Forward All Mail For The Root Account
Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_postfix_root_mail_ali...Rule Medium Severity -
Configure System to Forward All Mail From Postmaster to The Root Account
Verify the administrators are notified in the event of an audit processing failure. Check that the "/etc/aliases" file has a defined value for "root". <pre>$ sudo grep "postmaster:\s*root$" /etc/al...Rule Medium Severity -
Configure System to Forward All Mail through a specific host
Set up a relay host that will act as a gateway for all outbound email. Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following <code>relayhost</code> line appears: <pre>re...Rule Medium Severity -
NFS and RPC
The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circumstances under which it is possible to disable NF...Group -
Disable All NFS Services if Possible
If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable subsystems required by NFS.Group -
Configure NFS Servers
The steps in this section are appropriate for systems which operate as NFS servers.Group -
Ensure All-Squashing Disabled On All Exports
The <code>all_squash</code> maps all uids and gids to an anonymous user. This should be disabled by removing any instances of the <code>all_squash</code> option from the file <code>/etc/exports</co...Rule Low Severity -
Disable SSH Server If Possible
The SSH server service, sshd, is commonly needed. However, if it can be disabled, do so. This is unusual, as SSH is a common method for encrypted and authenticated remote access.Rule High Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...Group -
Vendor Approved Time Servers
The list of vendor-approved time serversValue -
Install the ntp service
The ntpd service should be installed.Rule High Severity -
The Chronyd service is enabled
chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information o...Rule Medium Severity -
Enable the NTP Daemon
Thentpservice can be enabled with the following command:$ sudo systemctl enable ntp.service
Rule High Severity -
Ensure Chrony is only configured with the server directive
Check that Chrony only has time sources configured with theserverdirective.Rule Medium Severity -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. M...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.