Guide to the Secure Configuration of Debian 11
Rules, Groups, and Values defined within the XCCDF Benchmark
-
OpenSC Smart Card Drivers
Choose the Smart Card Driver in use by your organization. <br>For DoD, choose the <code>cac</code> driver. <br>If your driver is not listed and you...Value -
Account Inactivity Timeout (seconds)
In an interactive shell, the value is interpreted as the number of seconds to wait for input after issuing the primary prompt. Bash terminates afte...Value -
GNOME Desktop Environment
GNOME is a graphical desktop environment bundled with many Linux distributions that allow users to easily interact with the operating system graphi...Group -
Configure GNOME Login Screen
In the default GNOME desktop, the login is displayed after system boot and can display user accounts, allow users to reboot the system, and allow u...Group -
Disable XDMCP in GDM
XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g. <a href="https://help.gnome.org/admin/gdm/stable/security.html....Rule High Severity -
GNOME Media Settings
GNOME media settings that apply to the graphical interface.Group -
GNOME Network Settings
GNOME network settings that apply to the graphical interface.Group -
GNOME Remote Access Settings
GNOME remote access settings that apply to the graphical interface.Group -
Configure GNOME Screen Locking
In the default GNOME3 desktop, the screen can be locked by selecting the user name in the far right corner of the main panel and selecting <b>Lock<...Group -
Screensaver Inactivity timeout
Choose allowed duration (in seconds) of inactive graphical sessionsValue -
Screensaver Lock Delay
Choose allowed duration (in seconds) after a screensaver becomes active before displaying an authentication promptValue -
GNOME System Settings
GNOME provides configuration and functionality to a graphical desktop environment that changes grahical configurations or allow a user to perform a...Group -
SAP Specific Requirement
SAP (Systems, Applications and Products in Data Processing) is enterprise software to manage business operations and customer relations. The follow...Group -
Sudo
<code>Sudo</code>, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrato...Group -
Group name dedicated to the use of sudo
Specify the name of the group that should own /usr/bin/sudo.Value -
Sudo - logfile value
Specify the sudo logfile to use. The default value used here matches the example location from CIS, which uses /var/log/sudo.log.Value -
Sudo - passwd_timeout value
Defines the number of minutes before the <code>sudo</code> password prompt times out. Defining 0 means no timeout. The default timeout value is 5 m...Value -
Sudo - timestamp_timeout value
Defines the number of minutes that can elapse before <code>sudo</code> will ask for a passwd again. If set to a value less than 0 the user's time s...Value -
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
The sudo <code>NOEXEC</code> tag, when specified, prevents user executed commands from executing other commands, like a shell for example. This sho...Rule High Severity -
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
The sudo <code>requiretty</code> tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.