Guide to the Secure Configuration of Debian 11
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Configure NFS Servers
The steps in this section are appropriate for systems which operate as NFS servers.Group -
Ensure All-Squashing Disabled On All Exports
The <code>all_squash</code> maps all uids and gids to an anonymous user. This should be disabled by removing any instances of the <code>all_squash</code> option from the file <code>/etc/exports</co...Rule Low Severity -
Disable SSH Server If Possible
The SSH server service, sshd, is commonly needed. However, if it can be disabled, do so. This is unusual, as SSH is a common method for encrypted and authenticated remote access.Rule High Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...Group -
Vendor Approved Time Servers
The list of vendor-approved time serversValue -
Install the ntp service
The ntpd service should be installed.Rule High Severity -
The Chronyd service is enabled
chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information o...Rule Medium Severity -
Enable the NTP Daemon
Thentpservice can be enabled with the following command:$ sudo systemctl enable ntp.service
Rule High Severity -
Ensure Chrony is only configured with the server directive
Check that Chrony only has time sources configured with theserverdirective.Rule Medium Severity -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. M...Rule Medium Severity -
Rlogin, Rsh, and Rexec
The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.Group -
Remove Rsh Trust Files
The files <code>/etc/hosts.equiv</code> and <code>~/.rhosts</code> (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To re...Rule High Severity -
SNMP Server
The Simple Network Management Protocol allows administrators to monitor the state of network devices, including computers. Older versions of SNMP were well-known for weak security, such as plaintex...Group -
Disable SNMP Server if Possible
The system includes an SNMP daemon that allows for its remote monitoring, though it not installed by default. If it was installed and activated but is not needed, the software should be disabled an...Group -
Disable snmpd Service
Thesnmpdservice can be disabled with the following command:$ sudo systemctl mask --now snmpd.service
Rule Low Severity -
Verify Group Ownership on SSH Server Private *_key Key Files
SSH server private keys, files that match the/etc/ssh/*_keyglob, must be group-owned byrootgroup.Rule Medium Severity -
SNMP read-only community string
Specify the SNMP community string used for read-only access.Value -
SNMP read-write community string
Specify the SNMP community string used for read-write access.Value -
Ensure Default SNMP Password Is Not Used
Edit <code>/etc/snmp/snmpd.conf</code>, remove or change the default community strings of <code>public</code> and <code>private</code>. This profile configures new read-only community string to <co...Rule High Severity -
SSH Server
The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, throu...Group -
SSH session Idle time
Specify duration of allowed idle time.Value -
SSH Max authentication attempts
Specify the maximum number of authentication attempts per connection.Value -
SSH is required to be installed
Specify if the Policy requires SSH to be installed. Used by SSH Rules to determine if SSH should be uninstalled or configured.<br> A value of 0 means that the policy doesn't care if OpenSSH server ...Value -
SSH Max Sessions Count
Specify the maximum number of open sessions permitted.Value -
SSH Max Keep Alive Count
Specify the maximum number of idle message counts before session is terminated.Value -
Install the OpenSSH Server Package
Theopenssh-serverpackage should be installed. Theopenssh-serverpackage can be installed with the following command:$ apt-get install openssh-server
Rule Medium Severity -
Remove the OpenSSH Server Package
Theopenssh-serverpackage should be removed. Theopenssh-serverpackage can be removed with the following command:$ apt-get remove openssh-server
Rule Medium Severity -
Verify Group Ownership on SSH Server Public *.pub Key Files
SSH server public keys, files that match the/etc/ssh/*.pubglob, must be group-owned byrootgroup.Rule Medium Severity -
Verify Ownership on SSH Server Private *_key Key Files
SSH server private keys, files that match the/etc/ssh/*_keyglob, must be owned byrootuser.Rule Medium Severity -
Verify Ownership on SSH Server Public *.pub Key Files
SSH server public keys, files that match the/etc/ssh/*.pubglob, must be owned byrootuser.Rule Medium Severity -
Verify Permissions on SSH Server Private *_key Key Files
SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by the <code>root</code> user and the <code>root</code...Rule Medium Severity -
Configure OpenSSH Server if Necessary
If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_config</code>. The following recommendations can be app...Group -
SSH RekeyLimit - size
Specify the size component of the rekey limit.Value -
SSH RekeyLimit - size
Specify the size component of the rekey limit.Value -
SSH Compression Setting
Specify the compression setting for SSH connections.Value -
SSH Privilege Separation Setting
Specify whether and how sshd separates privileges when handling incoming network connections.Value -
SSH LoginGraceTime setting
Configure parameters for how long the servers stays connected before the user has successfully logged inValue -
SSH MaxStartups setting
Configure parameters for maximum concurrent unauthenticated connections to the SSH daemon.Value -
Set SSH Client Alive Count Max to zero
The SSH server sends at most <code>ClientAliveCountMax</code> messages during a SSH session and waits for a response from the SSH client. The option <code>ClientAliveInterval</code> configures time...Rule Medium Severity -
Set SSH Client Alive Count Max
The SSH server sends at most <code>ClientAliveCountMax</code> messages during a SSH session and waits for a response from the SSH client. The option <code>ClientAliveInterval</code> configures time...Rule Medium Severity -
Disable Host-Based Authentication
SSH's cryptographic host-based authentication is more secure than <code>.rhosts</code> authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organ...Rule Medium Severity -
Allow Only SSH Protocol 2
Only SSH protocol version 2 connections should be permitted. The default setting in <code>/etc/ssh/sshd_config</code> is correct, and can be verified by ensuring that the following line appears: <p...Rule High Severity -
Disable Compression Or Set Compression to delayed
Compression is useful for slow network connections over long distances but can cause performance issues on local LANs. If use of compression is required, it should be enabled only after a user has ...Rule Medium Severity -
Disable SSH Access via Empty Passwords
Disallow SSH login with empty passwords. The default SSH configuration disables logins with empty passwords. The appropriate configuration is used if no value is set for <code>PermitEmptyPasswords<...Rule High Severity -
Disable GSSAPI Authentication
Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI. <br> The default SSH configuration disallows authentications based on GSSAPI. The appropriate c...Rule Medium Severity -
Disable Kerberos Authentication
Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. <br> The default SSH configuration disallows authentication validation through Kerberos. The ...Rule Medium Severity -
Disable PubkeyAuthentication Authentication
Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms. To disable PubkeyAuthentication authentication, add or correct the following line in <code>/etc/ssh/sshd_...Rule Medium Severity -
Disable SSH Support for .rhosts Files
SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via <code>.rhosts</code> files. <br> The default SSH configuration disables su...Rule Medium Severity -
Disable SSH root Login with a Password (Insecure)
To disable password-based root logins over SSH, add or correct the following line in/etc/ssh/sshd_config:PermitRootLogin prohibit-password
Rule Medium Severity -
Disable SSH TCP Forwarding
The <code>AllowTcpForwarding</code> parameter specifies whether TCP forwarding is permitted. To disable TCP forwarding, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <p...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules