Guide to the Secure Configuration of Debian 12
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Set number of Password Hashing Rounds - password-auth
Configure the number or rounds for the password hashing algorithm. This can be accomplished by using the <code>rounds</code> option for the <code>p...Rule Medium Severity -
Ensure There Are No Accounts With Blank or Null Passwords
Check the "/etc/shadow" file for blank passwords with the following command: <pre>$ sudo awk -F: '!$2 {print $1}' /etc/shadow</pre> If the command ...Rule High Severity -
Direct root Logins Not Allowed
To further limit access to the <code>root</code> account, administrators can disable root logins at the console by editing the <code>/etc/securetty...Rule Medium Severity -
Limit the Number of Concurrent Login Sessions Allowed Per User
Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions...Rule Low Severity -
Configure Polyinstantiation of /tmp Directories
To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use th...Rule Low Severity -
Configure Polyinstantiation of /var/tmp Directories
To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use th...Rule Low Severity -
Set Interactive Session Timeout
Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that all user sessions will terminate based on inactivity. The value of ...Rule Medium Severity -
User Initialization Files Must Be Group-Owned By The Primary Group
Change the group owner of interactive users files to the group found in <pre>/etc/passwd</pre> for the user. To change the group owner of a local i...Rule Medium Severity -
User Initialization Files Must Be Owned By the Primary User
Set the owner of the user initialization files for interactive users to the primary owner with the following command: <pre>$ sudo chown <i>USER</i>...Rule Medium Severity -
All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group
Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner ...Rule Medium Severity -
All User Files and Directories In The Home Directory Must Have a Valid Owner
Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories....Rule Medium Severity -
All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive
Set the mode on files and directories in the local interactive user home directory with the following command: <pre>$ sudo chmod 0750 /home/<i>USER...Rule Medium Severity -
Ensure that User Home Directories are not Group-Writable or World-Readable
For each human user of the system, view the permissions of the user's home directory: <pre># ls -ld /home/<i>USER</i> </pre> Ensure that th...Rule Medium Severity -
Ensure that No Dangerous Directories Exist in Root's Path
The active path of the root account can be obtained by starting a new root shell and running: <pre># echo $PATH</pre> This will produce a colon-sep...Group -
Ensure that Root's Path Does Not Include World or Group-Writable Directories
For each element in root's path, run:# ls -ld DIRand ensure that write permissions are disabled for group and other.Rule Medium Severity -
Ensure that Users Have Sensible Umask Values
The umask setting controls the default permissions for the creation of new files. With a default <code>umask</code> setting of 077, files and direc...Group -
Ensure the Default Bash Umask is Set Correctly
To ensure the default umask for users of the Bash shell is set properly, add or correct the <code>umask</code> setting in <code>/etc/bashrc</code> ...Rule Medium Severity -
Ensure the Default Umask is Set Correctly in login.defs
To ensure the default umask controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>UMASK</code> setting in <code>/etc...Rule Medium Severity -
Ensure the Default Umask is Set Correctly in /etc/profile
To ensure the default umask controlled by <code>/etc/profile</code> is set properly, add or correct the <code>umask</code> setting in <code>/etc/pr...Rule Medium Severity -
AppArmor
Many security vulnerabilities result from bugs in trusted programs. A trusted program runs with privileges that attackers want to possess. The prog...Group -
Install the pam_apparmor Package
Thepam_apparmorpackage can be installed with the following command:$ apt-get install pam_apparmor
Rule Medium Severity -
Ensure AppArmor is Active and Configured
Verify that the Apparmor tool is configured to control whitelisted applications and user home directory access control.<br> <br> The <code>...Rule Medium Severity -
Configure Microarchitectural Data Sampling mitigation
Microarchitectural Data Sampling (MDS) is a hardware vulnerability which allows unprivileged speculative access to data which is available in vario...Rule Medium Severity -
Ensure SMAP is not disabled during boot
The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into memory pages in the user space, it is enabled by default ...Rule Medium Severity -
Ensure SMEP is not disabled during boot
The SMEP is used to prevent the supervisor mode from executing user space code, it is enabled by default since Linux kernel 3.0. But it could be di...Rule Medium Severity -
Enable randomization of the page allocator
To enable randomization of the page allocator in the kernel, add the <code>page_alloc.shuffle=1</code> argument to the default GRUB 2 command line....Rule Medium Severity -
Enable Kernel Page-Table Isolation (KPTI)
To enable Kernel page-table isolation, add the argument <code>pti=on</code> to the default GRUB 2 command line for the Linux operating system. Conf...Rule Low Severity -
Configure the confidence in TPM for entropy
The TPM security chip that is available in most modern systems has a hardware RNG. It is also used to feed the entropy pool, but generally not cred...Rule Low Severity -
Verify /boot/grub/grub.cfg Group Ownership
The file <code>/boot/grub/grub.cfg</code> should be group-owned by the <code>root</code> group to prevent destruction or modification of the file. ...Rule Medium Severity -
Verify /boot/grub/user.cfg Group Ownership
The file <code>/boot/grub/user.cfg</code> should be group-owned by the <code>root</code> group to prevent reading or modification of the file. To ...Rule Medium Severity -
Verify /boot/grub/grub.cfg User Ownership
The file <code>/boot/grub/grub.cfg</code> should be owned by the <code>root</code> user to prevent destruction or modification of the file. To pro...Rule Medium Severity -
Verify /boot/grub/user.cfg User Ownership
The file <code>/boot/grub/user.cfg</code> should be owned by the <code>root</code> user to prevent reading or modification of the file. To properl...Rule Medium Severity -
Verify /boot/grub/grub.cfg Permissions
File permissions for <code>/boot/grub/grub.cfg</code> should be set to 600. To properly set the permissions of <code>/boot/grub/grub.cfg</code>, r...Rule Medium Severity -
Verify /boot/grub/user.cfg Permissions
File permissions for <code>/boot/grub/user.cfg</code> should be set to 600. To properly set the permissions of <code>/boot/grub/user.cfg</code>, r...Rule Medium Severity -
Set Boot Loader Password in grub2
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br> <br> Since plaint...Rule High Severity -
Verify the UEFI Boot Loader grub.cfg Group Ownership
The file <code>/boot/grub2/grub.cfg</code> should be group-owned by the <code>root</code> group to prevent destruction or modification of the file....Rule Medium Severity -
Verify /boot/grub2/user.cfg Group Ownership
The file <code>/boot/grub2/user.cfg</code> should be group-owned by the <code>root</code> group to prevent reading or modification of the file. To...Rule Medium Severity -
Emulate Privileged Access Never (PAN)
Enabling this option prevents the kernel from accessing user-space memory directly by pointing TTBR0_EL1 to a reserved zeroed area and reserved ASI...Rule Medium Severity -
Trigger a kernel BUG when data corruption is detected
This option makes the kernel BUG when it encounters data corruption in kernel memory structures when they get checked for validity. This configurat...Rule Low Severity -
Warn on W+X mappings found at boot
Generate a warning if any W+X mappings are found at boot. This configuration is available from kernel 5.8. The configuration that was used to buil...Rule Medium Severity -
Configure Low Address Space To Protect From User Allocation
This is the portion of low virtual memory which should be protected from userspace allocation. This configuration is available from kernel 3.14, bu...Rule Medium Severity -
Harden common str/mem functions against buffer overflows
Detect overflows of buffers in common string and memory functions where the compiler can determine and validate the buffer sizes. This configuratio...Rule Medium Severity -
Harden memory copies between kernel and userspace
This option checks for obviously wrong memory regions when copying memory to/from the kernel (via copy_to_user() and copy_from_user() functions) by...Rule High Severity -
Do not allow usercopy whitelist violations to fallback to object size
This is a temporary option that allows missing usercopy whitelists to be discovered via a WARN() to the kernel log, instead of rejecting the copy, ...Rule High Severity -
Disable vsyscall emulation
The kernel traps and emulates calls into the fixed vsyscall address mapping. This configuration is available from kernel 5.3, but may be available ...Rule Medium Severity -
Disable vsyscall mapping
This config disables the vsyscall mapping at all. Attempts to use the vsyscalls will be reported to dmesg, so that either old or malicious userspac...Rule Medium Severity -
Disable vsyscall emulate execution only
The kernel traps and emulates calls into the fixed vsyscall address mapping and does not allow reads. This configuration is available from kernel 5...Rule Medium Severity -
Disable the LDT (local descriptor table)
Linux can allow user programs to install a per-process x86 Local Descriptor Table (LDT) using the modify_ldt(2) system call. This is required to ru...Rule Medium Severity -
Enable poison of pages after freeing
Fill the pages with poison patterns after free_pages() and verify the patterns before alloc_pages. This does have a potential performance impact if...Rule Medium Severity -
Perform full reference count validation
Enabling this switches the refcounting infrastructure from a fast unchecked atomic_t implementation to a fully state checked implementation, which ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.