Guide to the Secure Configuration of Debian 12
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Verify Group Who Owns /etc/selinux Directory
To properly set the group owner of/etc/selinux, run the command:$ sudo chgrp root /etc/selinux
Rule Medium Severity -
Verify User Who Owns /etc/selinux Directory
To properly set the owner of/etc/selinux, run the command:$ sudo chown root /etc/selinux
Rule Medium Severity -
Verify Permissions On /etc/selinux Directory
To properly set the permissions of/etc/selinux, run the command:$ sudo chmod 0755 /etc/selinux
Rule Medium Severity -
Verify Group Who Owns /etc/sestatus.conf File
To properly set the group owner of/etc/sestatus.conf, run the command:$ sudo chgrp root /etc/sestatus.conf
Rule Medium Severity -
Verify User Who Owns /etc/sestatus.conf File
To properly set the owner of/etc/sestatus.conf, run the command:$ sudo chown root /etc/sestatus.conf
Rule Medium Severity -
Verify Permissions On /etc/sestatus.conf File
To properly set the permissions of/etc/sestatus.conf, run the command:$ sudo chmod 0644 /etc/sestatus.conf
Rule Medium Severity -
Configure the polyinstantiation_enabled SELinux Boolean
By default, the SELinux boolean <code>polyinstantiation_enabled</code> is disabled. This setting should be configured to <xccdf-1.2:sub idref="xccd...Rule Medium Severity -
Minimize the DHCP-Configured Options
Create the file <code>/etc/dhcp/dhclient.conf</code>, and add an appropriate setting for each of the ten configuration settings which can be obtain...Rule Unknown Severity -
Minimize Served Information
Edit /etc/dhcp/dhcpd.conf. Examine each address range section within the file, and ensure that the following options are not defined unless there i...Rule Unknown Severity -
Uninstall DHCP Server Package
If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The <code>dhcp</code> package can be removed with the fo...Rule Medium Severity -
FTP Server
FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data...Group -
Configure Firewalls to Protect the FTP Server
By default, <code>iptables</code> blocks access to the ports used by the web server. To configure <code>iptables</code> to allow port 21 traffic, ...Rule Unknown Severity -
Mail Server Software
Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious target...Group -
Uninstall Sendmail Package
Sendmail is not the default mail transfer agent and is not installed by default. The <code>sendmail</code> package can be removed with the followin...Rule Medium Severity -
Disable Postfix Network Listening
Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following <code>inet_interfaces</code> line appears: <pre>inet_interfaces =...Rule Medium Severity -
Enable the NTP Daemon
Thentpservice can be enabled with the following command:$ sudo systemctl enable ntp.service
Rule High Severity -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of s...Rule Medium Severity -
Chrony Configure Pool and Server
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of s...Rule Medium Severity -
Verify Group Who Owns /etc/chrony.keys File
To properly set the group owner of/etc/chrony.keys, run the command:$ sudo chgrp root /etc/chrony.keys
Rule Medium Severity -
Verify User Who Owns /etc/chrony.keys File
To properly set the owner of/etc/chrony.keys, run the command:$ sudo chown root /etc/chrony.keys
Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.