Guide to the Secure Configuration of Debian 11
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Verify Proper Storage and Existence of Password Hashes
By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be readable only by processes running with root credent...Group -
Verify All Account Password Hashes are Shadowed
If any password hashes are stored in <code>/etc/passwd</code> (in the second field, instead of an <code>x</code> or <code>*</code>), the cause of this misconfiguration should be investigated. The a...Rule Medium Severity -
Ensure all users last password change date is in the past
All users should have a password change date in the past.Rule Medium Severity -
All GIDs referenced in /etc/passwd must be defined in /etc/group
Add a group to the system for each GID referenced without a corresponding group.Rule Low Severity -
Prevent Login to Accounts With Empty Password
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the <code>...Rule High Severity -
Verify No netrc Files Exist
The <code>.netrc</code> files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP serv...Rule Medium Severity -
Restrict Root Logins
Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivileged account, and then use <code>su</code> or <cod...Group -
Verify Only Root Has UID 0
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. <br> If the account is asso...Rule High Severity -
Verify Root Has A Primary GID 0
Therootuser should have a primary group of 0.Rule High Severity -
Restrict Serial Port Root Logins
To restrict root logins on serial ports, ensure lines of this form do not appear in/etc/securetty:ttyS0 ttyS1
Rule Medium Severity -
Secure Session Configuration Files for Login Accounts
When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the user's home directory, and may have weak permissi...Group -
Maximum login attempts delay
Maximum time in seconds between fail login attempts before re-prompting.Value -
Configure Polyinstantiation of /tmp Directories
To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use the following command: <pre>$ sudo mkdir --mode 000 ...Rule Low Severity -
Configure Polyinstantiation of /var/tmp Directories
To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use the following command: <pre>$ sudo mkdir --mode 000 ...Rule Low Severity -
Ensure that User Home Directories are not Group-Writable or World-Readable
For each human user of the system, view the permissions of the user's home directory: <pre># ls -ld /home/<i>USER</i> </pre> Ensure that the directory is not group-writable and that it is n...Rule Medium Severity -
Ensure that No Dangerous Directories Exist in Root's Path
The active path of the root account can be obtained by starting a new root shell and running: <pre># echo $PATH</pre> This will produce a colon-separated list of directories in the path. <br> ...Group -
Ensure that Root's Path Does Not Include World or Group-Writable Directories
For each element in root's path, run:# ls -ld DIRand ensure that write permissions are disabled for group and other.Rule Medium Severity -
Ensure that Root's Path Does Not Include Relative Paths or Null Directories
Ensure that none of the directories in root's path is equal to a single <code>.</code> character, or that it contains any instances that lead to relative path traversal, such as <code>..</code> or ...Rule Unknown Severity -
Ensure that Users Have Sensible Umask Values
The umask setting controls the default permissions for the creation of new files. With a default <code>umask</code> setting of 077, files and directories created by users will not be readable by an...Group -
Sensible umask
Enter default user umaskValue -
Ensure the Default Umask is Set Correctly in /etc/profile
To ensure the default umask controlled by <code>/etc/profile</code> is set properly, add or correct the <code>umask</code> setting in <code>/etc/profile</code> to read as follows: <pre>umask <xccdf...Rule Medium Severity -
System Accounting with auditd
The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and certain types of security-relevant events such as s...Group -
Ensure the audit Subsystem is Installed
The audit package should be installed.Rule Medium Severity -
Include Local Events in Audit Logs
To configure Audit daemon to include local events in Audit logs, setlocal_eventstoyesin/etc/audit/auditd.conf. This is the default setting.Rule Medium Severity -
GRUB2 bootloader configuration
During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows for the selection of different kernels - possibly ...Group -
L1TF vulnerability mitigation
Defines the L1TF vulneratility mitigations to employ.Value -
Confidence level on Hardware Random Number Generator
Defines the level of trust on the hardware random number generators available in the system and the percentage of entropy to credit.Value -
Spec Store Bypass Mitigation
This controls how the Speculative Store Bypass (SSB) vulnerability is mitigated.Value -
Ensure SMAP is not disabled during boot
The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into memory pages in the user space, it is enabled by default since Linux kernel 3.7. But it could be disabled t...Rule Medium Severity -
Disable merging of slabs with similar size
The kernel may merge similar slabs together to reduce overhead and increase cache hotness of objects. Disabling merging of slabs keeps the slabs separate and reduces the risk of kernel heap overflo...Rule Medium Severity -
Enforce Spectre v2 mitigation
Spectre V2 is an indirect branch poisoning attack that can lead to data leakage. An exploit for Spectre V2 tricks the indirect branch predictor into executing code from a future indirect branch cho...Rule High Severity -
Protect Random-Number Entropy Pool
The I/O operations of the Linux kernel block layer due to their inherently unpredictable execution times have been traditionally considered as a reliable source to contribute to random-number entro...Group -
Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool
For each solid-state drive on the system, run:# echo 0 > /sys/block/DRIVE/queue/add_random
Rule Medium Severity -
Kernel Configuration
Contains rules that check the kernel configuration that was used to build it.Group -
Hash function for kernel module signing
The hash function to use when signing modules during kernel build process.Value -
Key and certificate for kernel module signing
The private key and certificate to use when signing modules during kernel build process. On systems where the OpenSSL ENGINE_pkcs11 is functional — a PKCS#11 URI as defined by RFC7512 In the latter...Value -
Kernel panic timeout
The time, in seconds, to wait until a reboot occurs. If the value is0the system never reboots. If the value is less than0the system reboots immediately.Value -
Do not allow ACPI methods to be inserted/replaced at run time
This debug facility allows ACPI AML methods to be inserted and/or replaced without rebooting the system. This configuration is available from kernel 3.0. The configuration that was used to build k...Rule Low Severity -
Disable kernel support for MISC binaries
Enabling <code>CONFIG_BINFMT_MISC</code> makes it possible to plug wrapper-driven binary formats into the kernel. This is specially useful for programs that need an interpreter to run like Java, Py...Rule Medium Severity -
Enable support for BUG()
Disabling this option eliminates support for BUG and WARN, reducing the size of your kernel image and potentially quietly ignoring numerous fatal conditions. You should only consider disabling this...Rule Medium Severity -
Disable compatibility with brk()
Enabling compatiliby with <code>brk()</code> allows legacy binaries to run (i.e. those linked against libc5). But this compatibility comes at the cost of not being able to randomize the heap placem...Rule Medium Severity -
Disable the 32-bit vDSO
Certain buggy versions of glibc (2.3.3) will crash if they are presented with a 32-bit vDSO that is not mapped at the address indicated in its segment table. Setting <code>CONFIG_COMPAT_VDSO</code>...Rule Low Severity -
Enable checks on credential management
Enable this to turn on some debug checking for credential management. The additional code keeps track of the number of pointers from task_structs to any given cred struct, and checks to see that th...Rule Low Severity -
Disable kernel debugfs
<code>debugfs</code> is a virtual file system that kernel developers use to put debugging files into. Enable this option to be able to read and write to these files. The configuration that was use...Rule Low Severity -
Enable checks on linked list manipulation
Enable this to turn on extended checks in the linked-list walking routines. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check the configurat...Rule Low Severity -
Enable checks on notifier call chains
Enable this to turn on sanity checking for notifier call chains. This is most useful for kernel developers to make sure that modules properly unregister themselves from notifier chains. The config...Rule Low Severity -
Enable checks on scatter-gather (SG) table operations
Scatter-gather tables are mechanism used for high performance I/O on DMA devices. Enable this to turn on checks on scatter-gather tables. The configuration that was used to build kernel is availab...Rule Low Severity -
Disable /dev/kmem virtual device support
Disable support for the /dev/kmem device. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check the configuration value for <code>CONFIG_DEVKMEM...Rule Low Severity -
Disable hibernation
Enable the suspend to disk (STD) functionality, which is usually called "hibernation" in user interfaces. STD checkpoints the system and powers it off; and restores that checkpoint on reboot. The ...Rule Medium Severity -
Disable IA32 emulation
Disables support for legacy 32-bit programs under a 64-bit kernel. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check the configuration value...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.