Skip to content

Guide to the Secure Configuration of Debian 11

Rules, Groups, and Values defined within the XCCDF Benchmark

  • zarafa_setrlimit SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
  • zebra_write_config SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
  • zoneminder_anon_write SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
  • zoneminder_run_sudo SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
  • Services

    The best protection against vulnerable software is running less software. This section describes how to review the software which Debian 11 install...
    Group
  • Apport Service

    The Apport service provides debugging and crash reporting features on Ubuntu distributions.
    Group
  • APT service configuration

    The apt service manage the package management and update of the whole system. Its configuration need to be properly defined to ensure efficient sec...
    Group
  • Disable unauthenticated repositories in APT configuration

    Unauthenticated repositories should not be used for updates.
    Rule Unknown Severity
  • Ensure that official distribution repositories are used

    Check that official Debian repositories, including security repository, are configured in apt.
    Rule Unknown Severity
  • Avahi Server

    The Avahi daemon implements the DNS Service Discovery and Multicast DNS protocols, which provide service and host discovery on a network. It allows...
    Group
  • Configure Avahi if Necessary

    If your system requires the Avahi daemon, its configuration can be restricted to improve security. The Avahi daemon configuration file is <code>/et...
    Group
  • Disable Avahi Publishing

    To prevent Avahi from publishing its records, edit <code>/etc/avahi/avahi-daemon.conf</code> and ensure the following line appears in the <code>[pu...
    Rule Low Severity
  • Disable Avahi Server if Possible

    Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Disabling it can reduce the system's vulnerability t...
    Group
  • Base Services

    This section addresses the base services that are installed on a Debian 11 default installation which are not covered in other sections. Some of th...
    Group
  • Cron and At Daemons

    The cron and at services are used to allow commands to be executed at a later time. The cron service is required by almost all systems to perform n...
    Group
  • Install the cron service

    The Cron service should be installed.
    Rule Medium Severity
  • Enable cron Service

    The <code>crond</code> service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary mainte...
    Rule Medium Severity
  • Restrict at and cron to Authorized Users if Necessary

    The <code>/etc/cron.allow</code> and <code>/etc/at.allow</code> files contain lists of users who are allowed to use <code>cron</code> and at to del...
    Group
  • Deprecated services

    Some deprecated software services impact the overall system security due to their behavior (leak of confidentiality in network exchange, usage as u...
    Group
  • Uninstall the inet-based telnet server

    The inet-based telnet daemon should be uninstalled.
    Rule High Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules