Guide to the Secure Configuration of Debian 11
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Disable the IPv6 protocol
Disable support for IP version 6 (IPv6). The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check the configuration value for <code>CONFIG_IPV6</co...Rule Medium Severity -
Disable kexec system call
<code>kexec</code> is a system call that implements the ability to shutdown your current kernel, and to start another kernel. It is like a reboot but it is independent of the system firmware. And l...Rule Low Severity -
Disable legacy (BSD) PTY support
Disable the Linux traditional BSD-like terminal names /dev/ptyxx for masters and /dev/ttyxx for slaves of pseudo terminals, and use only the modern ptys (devpts) interface. The configuration that ...Rule Medium Severity -
Enable module signature verification
Check modules for valid signatures upon load. Note that this option adds the OpenSSL development packages as a kernel build dependency so that the signing tool can use its crypto library. The conf...Rule Medium Severity -
Enable automatic signing of all modules
Sign all modules during make modules_install. Without this option, modules must be signed manually, using the scripts/sign-file tool. The configuration that was used to build kernel is available a...Rule Medium Severity -
Require modules to be validly signed
Reject unsigned modules or signed modules with an unknown key. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check the configuration value for...Rule Medium Severity -
Specify the hash to use when signing modules
This configures the kernel to build and sign modules using <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_hash" use="legacy"></xccdf-1.2:sub> as the hash func...Rule Medium Severity -
Randomize the address of the kernel image (KASLR)
In support of Kernel Address Space Layout Randomization (KASLR), this randomizes the physical address at which the kernel image is decompressed and the virtual address where the kernel image is map...Rule Medium Severity -
Specify module signing key to use
Setting this option to something other than its default of <code>certs/signing_key.pem</code> will disable the autogeneration of signing keys and allow the kernel modules to be signed with a key of...Rule Medium Severity -
Sign kernel modules with SHA-512
This configures the kernel to build and sign modules using SHA512 as the hash function. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check th...Rule Medium Severity -
Enable poison without sanity check
Skip the sanity checking on alloc, only fill the pages with poison on free. This reduces some of the overhead of the poisoning feature. This configuration is available from kernel 4.6. The configu...Rule Medium Severity -
Use zero for poisoning instead of debugging value
Instead of using the existing poison value, fill the pages with zeros. This makes it harder to detect when errors are occurring due to sanitization but the zeroing at free means that it is no longe...Rule Medium Severity -
Remove the kernel mapping in user mode
This feature reduces the number of hardware side channels by ensuring that the majority of kernel addresses are not mapped into userspace. This configuration is available from kernel 4.15, but may ...Rule High Severity -
Kernel panic oops
Enable the kernel to panic when it oopses. This has the same effect as setting oops=panic on the kernel command line. The configuration that was used to build kernel is available at <code>/boot/co...Rule Medium Severity -
Kernel panic timeout
Set the timeout value (in seconds) until a reboot occurs when the kernel panics. A timeout of 0 configures the system to wait forever. With a timeout value greater than 0, the system will wait the ...Rule Medium Severity -
Disable support for /proc/kkcore
Provides a virtual ELF core file of the live kernel. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check the configuration value for <code>CON...Rule Low Severity -
Randomize the kernel memory sections
Randomizes the base virtual address of kernel memory sections (physical memory mapping, vmalloc & vmemmap). This configuration is available from kernel 4.8, but may be available if backported b...Rule Medium Severity -
Avoid speculative indirect branches in kernel
Compile kernel with the retpoline compiler options to guard against kernel-to-user data leaks by avoiding speculative indirect branches. Requires a compiler with -mindirect-branch=thunk-extern supp...Rule Medium Severity -
Enable seccomp to safely compute untrusted bytecode
This kernel feature is useful for number crunching applications that may need to compute untrusted bytecode during their execution. By using pipes or other transports made available to the process ...Rule Medium Severity -
Enable use of Berkeley Packet Filter with seccomp
Enable tasks to build secure computing environments defined in terms of Berkeley Packet Filter programs which implement task-defined system call filtering polices. The configuration that was used ...Rule Medium Severity -
Enable different security models
This allows you to choose different security modules to be configured into your kernel. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check th...Rule Medium Severity -
Enable Yama support
This enables support for LSM module Yama, which extends DAC support with additional system-wide security settings beyond regular Linux discretionary access controls. The module will limit the use o...Rule Medium Severity -
Enable SLUB debugging support
SLUB has extensive debug support features and this allows the allocator validation checking to be enabled. The configuration that was used to build kernel is available at <code>/boot/config-*</cod...Rule Medium Severity -
Enable TCP/IP syncookie support
Normal TCP/IP networking is open to an attack known as SYN flooding. It is denial-of-service attack that prevents legitimate remote users from being able to connect to your computer during an ongoi...Rule Medium Severity -
Unmap kernel when running in userspace (aka KAISER)
Speculation attacks against some high-performance processors can be used to bypass MMU permission checks and leak kernel data to userspace. This can be defended against by unmapping the kernel when...Rule Medium Severity -
Disable x86 vsyscall emulation
Disabling it is roughly equivalent to booting with vsyscall=none, except that it will also disable the helpful warning if a program tries to use a vsyscall. With this option set to N, offending pro...Rule Low Severity -
Ensure rsyslog is Installed
Rsyslog is installed by default. Thersyslogpackage can be installed with the following command:$ apt-get install rsyslog
Rule Medium Severity -
Enable rsyslog Service
The <code>rsyslog</code> service provides syslog-style logging by default on Debian 11. The <code>rsyslog</code> service can be enabled with the following command: <pre>$ sudo systemctl enable rsy...Rule Medium Severity -
Ensure Rsyslog Authenticates Off-Loaded Audit Records
Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this uti...Rule Medium Severity -
Ensure Log Files Are Owned By Appropriate User
The owner of all log files written by <code>rsyslog</code> should be <code>adm</code>. These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> and ty...Rule Medium Severity -
systemd-journald
systemd-journald is a system service that collects and stores logging data. It creates and maintains structured, indexed journals based on logging information that is received from a variety of sou...Group -
Enable systemd-journald Service
The <code>systemd-journald</code> service is an essential component of systemd. The <code>systemd-journald</code> service can be enabled with the following command: <pre>$ sudo systemctl enable sy...Rule Medium Severity -
Ensure All Logs are Rotated by logrotate
Edit the file <code>/etc/logrotate.d/syslog</code>. Find the first line, which should look like this (wrapped for clarity): <pre>/var/log/messages /var/log/secure /var/log/maillog /var/log/spoole...Group -
Ensure logrotate is Installed
logrotate is installed by default. Thelogrotatepackage can be installed with the following command:$ apt-get install logrotate
Rule Medium Severity -
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
By default, <code>rsyslog</code> does not listen over the network for log messages. If needed, modules can be enabled to allow the rsyslog daemon to receive messages from other systems and for the ...Group -
Ensure syslog-ng is Installed
syslog-ng can be installed in replacement of rsyslog. Thesyslog-ng-corepackage can be installed with the following command:$ apt-get install syslog-ng-core
Rule Medium Severity -
Enable syslog-ng Service
The <code>syslog-ng</code> service (in replacement of rsyslog) provides syslog-style logging by default on Debian. The <code>syslog-ng</code> service can be enabled with the following command: <pr...Rule Medium Severity -
Enable rsyslog to Accept Messages via TCP, if Acting As Log Server
The <code>rsyslog</code> daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to <code>/etc/r...Rule Unknown Severity -
Enable rsyslog to Accept Messages via UDP, if Acting As Log Server
The <code>rsyslog</code> daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to <code>/etc/r...Rule Unknown Severity -
Remote Log Server
Specify an URI or IP address of a remote host where the log messages will be sent and stored.Value -
Ensure Logs Sent To Remote Host
To configure rsyslog to send logs to a remote log server, open <code>/etc/rsyslog.conf</code> and read and understand the last section of the file, which describes the multiple directives necessary...Rule Medium Severity -
Inspect and Activate Default Rules
View the currently-enforced <code>iptables</code> rules by running the command: <pre>$ sudo iptables -nL --line-numbers</pre> The command is analogous for <code>ip6tables</code>. <br> <br> ...Group -
Verify ip6tables Enabled if Using IPv6
Theip6tablesservice can be enabled with the following command:$ sudo systemctl enable ip6tables.service
Rule Medium Severity -
Verify iptables Enabled
Theiptablesservice can be enabled with the following command:$ sudo systemctl enable iptables.service
Rule Medium Severity -
Set Default ip6tables Policy for Incoming Packets
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in <code>/etc/sysconfig/ip6tables</code>: <pre...Rule Medium Severity -
Disable Support for IPv6 Unless Needed
Despite configuration that suggests support for IPv6 has been disabled, link-local IPv6 address auto-configuration occurs even when only an IPv4 address is assigned. The only way to effectively pre...Group -
Set Default iptables Policy for Incoming Packets
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in <code>/etc/sysconfig/iptables</code>: <pre>...Rule Medium Severity -
Set Default iptables Policy for Forwarded Packets
To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line ...Rule Medium Severity -
IPv6
The system includes support for Internet Protocol version 6. A major and often-mentioned improvement over IPv4 is its enormous increase in the number of available addresses. Another important featu...Group -
Disable IPv6 Networking Support Automatic Loading
To prevent the IPv6 kernel module (<code>ipv6</code>) from binding to the IPv6 networking stack, add the following line to <code>/etc/modprobe.d/disabled.conf</code> (or another file in <code>/etc/...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules