Guide to the Secure Configuration of Debian 12
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Disable hibernation
Enable the suspend to disk (STD) functionality, which is usually called "hibernation" in user interfaces. STD checkpoints the system and powers it ...Rule Medium Severity -
Disable IA32 emulation
Disables support for legacy 32-bit programs under a 64-bit kernel. The configuration that was used to build kernel is available at <code>/boot/con...Rule Medium Severity -
Disable the IPv6 protocol
Disable support for IP version 6 (IPv6). The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check...Rule Medium Severity -
Disable kexec system call
<code>kexec</code> is a system call that implements the ability to shutdown your current kernel, and to start another kernel. It is like a reboot b...Rule Low Severity -
Disable legacy (BSD) PTY support
Disable the Linux traditional BSD-like terminal names /dev/ptyxx for masters and /dev/ttyxx for slaves of pseudo terminals, and use only the modern...Rule Medium Severity -
Enable module signature verification
Check modules for valid signatures upon load. Note that this option adds the OpenSSL development packages as a kernel build dependency so that the ...Rule Medium Severity -
Enable automatic signing of all modules
Sign all modules during make modules_install. Without this option, modules must be signed manually, using the scripts/sign-file tool. The configur...Rule Medium Severity -
Require modules to be validly signed
Reject unsigned modules or signed modules with an unknown key. The configuration that was used to build kernel is available at <code>/boot/config-...Rule Medium Severity -
Specify the hash to use when signing modules
This configures the kernel to build and sign modules using <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_ha...Rule Medium Severity -
polyinstantiation_enabled SELinux Boolean
default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.Value -
secure_mode_insmod SELinux Boolean
default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.Value -
selinuxuser_execheap SELinux Boolean
default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.Value -
selinuxuser_execstack SELinux Boolean
default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.Value -
APT service configuration
The apt service manage the package management and update of the whole system. Its configuration need to be properly defined to ensure efficient sec...Group -
Disable unauthenticated repositories in APT configuration
Unauthenticated repositories should not be used for updates.Rule Unknown Severity -
Ensure that official distribution repositories are used
Check that official Debian repositories, including security repository, are configured in apt.Rule Unknown Severity -
Avahi Server
The Avahi daemon implements the DNS Service Discovery and Multicast DNS protocols, which provide service and host discovery on a network. It allows...Group -
Configure Avahi if Necessary
If your system requires the Avahi daemon, its configuration can be restricted to improve security. The Avahi daemon configuration file is <code>/et...Group -
Cron and At Daemons
The cron and at services are used to allow commands to be executed at a later time. The cron service is required by almost all systems to perform n...Group -
Install the cron service
The Cron service should be installed.Rule Medium Severity -
Restrict Root Logins
Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivil...Group -
Verify Only Root Has UID 0
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or h...Rule High Severity -
Verify Root Has A Primary GID 0
Therootuser should have a primary group of 0.Rule High Severity -
Disable DHCP Server
The DHCP server <code>dhcpd</code> is not installed or activated by default. If the software was installed and activated, but the system does not n...Group -
Application Whitelisting Daemon
Fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. Applications that are known via a reputatio...Group -
fapolicyd Must be Configured to Limit Access to Users Home Folders
fapolicyd needs be configured so that users cannot give access to their home folders to other users.Rule Medium Severity -
Configure vsftpd to Provide FTP Service if Necessary
The primary vsftpd configuration file is/etc/vsftpd.conf, if that file exists, or/etc/vsftpd/vsftpd.confif it does not.Group -
systemd-journald
systemd-journald is a system service that collects and stores logging data. It creates and maintains structured, indexed journals based on logging ...Group -
Ensure AppArmor is installed
AppArmor provide Mandatory Access Controls.Rule Medium Severity -
Enforce all AppArmor Profiles
AppArmor profiles define what resources applications are able to access. To set all profiles to enforce mode run the following command: <pre>$ sudo...Rule Medium Severity -
Secure Session Configuration Files for Login Accounts
When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the...Group -
Maximum login attempts delay
Maximum time in seconds between fail login attempts before re-prompting.Value -
Maximum concurrent login sessions
Maximum number of concurrent sessions by a userValue -
Account Inactivity Timeout (seconds)
In an interactive shell, the value is interpreted as the number of seconds to wait for input after issuing the primary prompt. Bash terminates afte...Value -
Interactive users initialization files
'A regular expression describing a list of file names for files that are sourced at login time for interactive users'Value -
Ensure that Root's Path Does Not Include Relative Paths or Null Directories
Ensure that none of the directories in root's path is equal to a single <code>.</code> character, or that it contains any instances that lead to re...Rule Unknown Severity -
Sensible umask
Enter default user umaskValue -
NFS and RPC
The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circ...Group -
Disable All NFS Services if Possible
If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable sub...Group -
Disable netfs if Possible
To determine if any network filesystems handled by netfs are currently mounted on the system execute the following command: <pre>$ mount -t nfs,nfs...Group -
net.ipv6.conf.all.max_addresses
Maximum number of autoconfigured IPv6 addressesValue -
net.ipv6.conf.all.router_solicitations
Accept all router solicitations?Value -
net.ipv6.conf.default.accept_ra_defrtr
Accept default router in router advertisements?Value -
net.ipv6.conf.default.accept_ra_pinfo
Accept prefix information in router advertisements?Value -
net.ipv6.conf.default.accept_ra_rtr_pref
Accept router preference in router advertisements?Value -
net.ipv6.conf.default.accept_redirects
Toggle ICMP Redirect Acceptance By DefaultValue -
net.ipv6.conf.default.accept_source_route
Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirec...Value -
net.ipv6.conf.default.autoconf
Enable auto configuration on IPv6 interfacesValue -
net.ipv6.conf.default.max_addresses
Maximum number of autoconfigured IPv6 addressesValue -
net.ipv6.conf.default.router_solicitations
Accept all router solicitations by default?Value
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.