Guide to the Secure Configuration of Debian 12
Rules, Groups, and Values defined within the XCCDF Benchmark
-
All User Files and Directories In The Home Directory Must Have a Valid Owner
Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories....Rule Medium Severity -
All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive
Set the mode on files and directories in the local interactive user home directory with the following command: <pre>$ sudo chmod 0750 /home/<i>USER...Rule Medium Severity -
Ensure that User Home Directories are not Group-Writable or World-Readable
For each human user of the system, view the permissions of the user's home directory: <pre># ls -ld /home/<i>USER</i> </pre> Ensure that th...Rule Medium Severity -
Ensure that No Dangerous Directories Exist in Root's Path
The active path of the root account can be obtained by starting a new root shell and running: <pre># echo $PATH</pre> This will produce a colon-sep...Group -
Ensure that Root's Path Does Not Include World or Group-Writable Directories
For each element in root's path, run:# ls -ld DIRand ensure that write permissions are disabled for group and other.Rule Medium Severity -
Ensure that Users Have Sensible Umask Values
The umask setting controls the default permissions for the creation of new files. With a default <code>umask</code> setting of 077, files and direc...Group -
Ensure the Default Bash Umask is Set Correctly
To ensure the default umask for users of the Bash shell is set properly, add or correct the <code>umask</code> setting in <code>/etc/bashrc</code> ...Rule Medium Severity -
Ensure the Default Umask is Set Correctly in login.defs
To ensure the default umask controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>UMASK</code> setting in <code>/etc...Rule Medium Severity -
Ensure the Default Umask is Set Correctly in /etc/profile
To ensure the default umask controlled by <code>/etc/profile</code> is set properly, add or correct the <code>umask</code> setting in <code>/etc/pr...Rule Medium Severity -
AppArmor
Many security vulnerabilities result from bugs in trusted programs. A trusted program runs with privileges that attackers want to possess. The prog...Group -
Install the pam_apparmor Package
Thepam_apparmorpackage can be installed with the following command:$ apt-get install pam_apparmor
Rule Medium Severity -
Ensure AppArmor is Active and Configured
Verify that the Apparmor tool is configured to control whitelisted applications and user home directory access control.<br> <br> The <code>...Rule Medium Severity -
Configure Microarchitectural Data Sampling mitigation
Microarchitectural Data Sampling (MDS) is a hardware vulnerability which allows unprivileged speculative access to data which is available in vario...Rule Medium Severity -
Ensure SMAP is not disabled during boot
The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into memory pages in the user space, it is enabled by default ...Rule Medium Severity -
Ensure SMEP is not disabled during boot
The SMEP is used to prevent the supervisor mode from executing user space code, it is enabled by default since Linux kernel 3.0. But it could be di...Rule Medium Severity -
Enable randomization of the page allocator
To enable randomization of the page allocator in the kernel, add the <code>page_alloc.shuffle=1</code> argument to the default GRUB 2 command line....Rule Medium Severity -
Enable Kernel Page-Table Isolation (KPTI)
To enable Kernel page-table isolation, add the argument <code>pti=on</code> to the default GRUB 2 command line for the Linux operating system. Conf...Rule Low Severity -
Configure the confidence in TPM for entropy
The TPM security chip that is available in most modern systems has a hardware RNG. It is also used to feed the entropy pool, but generally not cred...Rule Low Severity -
Verify /boot/grub/grub.cfg Group Ownership
The file <code>/boot/grub/grub.cfg</code> should be group-owned by the <code>root</code> group to prevent destruction or modification of the file. ...Rule Medium Severity -
Verify /boot/grub/user.cfg Group Ownership
The file <code>/boot/grub/user.cfg</code> should be group-owned by the <code>root</code> group to prevent reading or modification of the file. To ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.