Skip to content

Guide to the Secure Configuration of Debian 11

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Ensure SSH LoginGraceTime is configured

    The <code>LoginGraceTime</code> parameter to the SSH server specifies the time allowed for successful authentication to the SSH server. The longer ...
    Rule Medium Severity
  • System Security Services Daemon (SSSD) - LDAP

    The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red H...
    Group
  • Set LogLevel to INFO

    The INFO parameter specifices that record login and logout activity will be logged. <br> The default SSH configuration sets the log level to INFO. ...
    Rule Low Severity
  • Set SSH Daemon LogLevel to VERBOSE

    The <code>VERBOSE</code> parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct t...
    Rule Medium Severity
  • Set SSH authentication attempt limit

    The <code>MaxAuthTries</code> parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failur...
    Rule Medium Severity
  • Set SSH MaxSessions limit

    The <code>MaxSessions</code> parameter specifies the maximum number of open sessions permitted from a given connection. To set MaxSessions edit <co...
    Rule Medium Severity
  • Ensure SSH MaxStartups is configured

    The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be ...
    Rule Medium Severity
  • Enable Use of Privilege Separation

    When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH...
    Rule Medium Severity
  • Strengthen Firewall Configuration if Possible

    If the SSH server is expected to only receive connections from the local network, then strengthen the default firewall rule for the SSH service to ...
    Group
  • System Security Services Daemon

    The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red H...
    Group
  • SSSD certificate_verification option

    Value of the certificate_verification option in the SSSD config.
    Value
  • SSSD memcache_timeout option

    Value of the memcache_timeout option in the [nss] section of SSSD config /etc/sssd/sssd.conf.
    Value
  • SSSD ssh_known_hosts_timeout option

    Value of the ssh_known_hosts_timeout option in the [ssh] section of SSSD configuration file /etc/sssd/sssd.conf.
    Value
  • Introduction

    The purpose of this guidance is to provide security configuration recommendations and baselines for the Debian 11 operating system. Recommended set...
    Group
  • General Principles

    The following general principles motivate much of the advice in this guide and should also influence any configuration decisions that are not expli...
    Group
  • Encrypt Transmitted Data Whenever Possible

    Data transmitted over a network, whether wired or wireless, is susceptible to passive monitoring. Whenever practical solutions for encrypting such ...
    Group
  • Least Privilege

    Grant the least privilege necessary for user accounts and software to perform tasks. For example, <code>sudo</code> can be implemented to limit aut...
    Group
  • Minimize Software to Minimize Vulnerability

    The simplest way to avoid vulnerabilities in software is to avoid installing that software. On Debian 11,the Package Manager (originally <a href="h...
    Group
  • Run Different Network Services on Separate Systems

    Whenever possible, a server should be dedicated to serving exactly one network service. This limits the number of other services that can be compro...
    Group
  • Configure Security Tools to Improve System Robustness

    Several tools exist which can be effectively used to improve a system's resistance to and detection of unknown attacks. These tools can improve rob...
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules