Skip to content
ATO Pathways
  Log In

Guide to the Secure Configuration of Debian 11

Rules, Groups, and Values defined within the XCCDF Benchmark

  • virt_use_usb SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • virt_use_xserver SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • webadm_manage_user_files SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • webadm_read_user_files SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • wine_mmap_zero_ignore SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • xdm_bind_vnc_tcp_port SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • xdm_exec_bootloader SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • xdm_sysadm_login SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • xdm_write_home SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • xen_use_nfs SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • xend_run_blktap SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • xend_run_qemu SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • xguest_connect_network SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • xguest_exec_content SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • xguest_mount_media SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • xguest_use_bluetooth SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • xserver_clients_write_xshm SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • xserver_execmem SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • xserver_object_manager SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • zabbix_can_network SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • zarafa_setrlimit SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • zebra_write_config SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • zoneminder_anon_write SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • zoneminder_run_sudo SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
    Show

  • Services

    The best protection against vulnerable software is running less software. This section describes how to review the software which Debian 11 install...
    Group
    Show

  • Apport Service

    The Apport service provides debugging and crash reporting features on Ubuntu distributions.
    Group
    Show

  • APT service configuration

    The apt service manage the package management and update of the whole system. Its configuration need to be properly defined to ensure efficient sec...
    Group
    Show

  • Disable unauthenticated repositories in APT configuration

    Unauthenticated repositories should not be used for updates.
    Rule Unknown Severity
    Show

  • Ensure that official distribution repositories are used

    Check that official Debian repositories, including security repository, are configured in apt.
    Rule Unknown Severity
    Show

  • Avahi Server

    The Avahi daemon implements the DNS Service Discovery and Multicast DNS protocols, which provide service and host discovery on a network. It allows...
    Group
    Show

  • Configure Avahi if Necessary

    If your system requires the Avahi daemon, its configuration can be restricted to improve security. The Avahi daemon configuration file is <code>/et...
    Group
    Show

  • Disable Avahi Publishing

    To prevent Avahi from publishing its records, edit <code>/etc/avahi/avahi-daemon.conf</code> and ensure the following line appears in the <code>[pu...
    Rule Low Severity
    Show

  • Disable Avahi Server if Possible

    Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Disabling it can reduce the system's vulnerability t...
    Group
    Show

  • Base Services

    This section addresses the base services that are installed on a Debian 11 default installation which are not covered in other sections. Some of th...
    Group
    Show

  • Cron and At Daemons

    The cron and at services are used to allow commands to be executed at a later time. The cron service is required by almost all systems to perform n...
    Group
    Show

  • Install the cron service

    The Cron service should be installed.
    Rule Medium Severity
    Show

  • Enable cron Service

    The <code>crond</code> service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary mainte...
    Rule Medium Severity
    Show

  • Restrict at and cron to Authorized Users if Necessary

    The <code>/etc/cron.allow</code> and <code>/etc/at.allow</code> files contain lists of users who are allowed to use <code>cron</code> and at to del...
    Group
    Show

  • Deprecated services

    Some deprecated software services impact the overall system security due to their behavior (leak of confidentiality in network exchange, usage as u...
    Group
    Show

  • Uninstall the inet-based telnet server

    The inet-based telnet daemon should be uninstalled.
    Rule High Severity
    Show

  • Uninstall the nis package

    The support for Yellowpages should not be installed unless it is required.
    Rule Low Severity
    Show

  • Uninstall the ntpdate package

    ntpdate is a historical ntp synchronization client for unixes. It sould be uninstalled.
    Rule Low Severity
    Show

  • Uninstall the ssl compliant telnet server

    The telnet daemon, even with ssl support, should be uninstalled.
    Rule High Severity
    Show

  • Uninstall the telnet server

    The telnet daemon should be uninstalled.
    Rule High Severity
    Show

  • DHCP

    The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server....
    Group
    Show

  • Configure DHCP Client if Necessary

    If DHCP must be used, then certain configuration changes can minimize the amount of information it receives and applies from the network, and thus ...
    Group
    Show

  • Docker Service

    The docker service is necessary to create containers, which are self-sufficient and self-contained applications using the resource isolation fe...
    Group
    Show

  • Configure SSL Certificates for Use with SMTP AUTH

    If SMTP AUTH is to be used, the use of SSL to protect credentials in transit is strongly recommended. There are also configurations for which it ma...
    Group
    Show

  • Minimize the DHCP-Configured Options

    Create the file <code>/etc/dhcp/dhclient.conf</code>, and add an appropriate setting for each of the ten configuration settings which can be obtain...
    Rule Unknown Severity
    Show

  • Configure DHCP Server

    If the system must act as a DHCP server, the configuration information it serves should be minimized. Also, support for other protocols and DNS-upd...
    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules