Skip to content

Guide to the Secure Configuration of Debian 12

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Verify /boot/grub/grub.cfg User Ownership

    The file <code>/boot/grub/grub.cfg</code> should be owned by the <code>root</code> user to prevent destruction or modification of the file. To pro...
    Rule Medium Severity
  • Verify /boot/grub/user.cfg User Ownership

    The file <code>/boot/grub/user.cfg</code> should be owned by the <code>root</code> user to prevent reading or modification of the file. To properl...
    Rule Medium Severity
  • Verify /boot/grub/grub.cfg Permissions

    File permissions for <code>/boot/grub/grub.cfg</code> should be set to 600. To properly set the permissions of <code>/boot/grub/grub.cfg</code>, r...
    Rule Medium Severity
  • Verify /boot/grub/user.cfg Permissions

    File permissions for <code>/boot/grub/user.cfg</code> should be set to 600. To properly set the permissions of <code>/boot/grub/user.cfg</code>, r...
    Rule Medium Severity
  • Set Boot Loader Password in grub2

    The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br> <br> Since plaint...
    Rule High Severity
  • Verify the UEFI Boot Loader grub.cfg Group Ownership

    The file <code>/boot/grub2/grub.cfg</code> should be group-owned by the <code>root</code> group to prevent destruction or modification of the file....
    Rule Medium Severity
  • Verify /boot/grub2/user.cfg Group Ownership

    The file <code>/boot/grub2/user.cfg</code> should be group-owned by the <code>root</code> group to prevent reading or modification of the file. To...
    Rule Medium Severity
  • Emulate Privileged Access Never (PAN)

    Enabling this option prevents the kernel from accessing user-space memory directly by pointing TTBR0_EL1 to a reserved zeroed area and reserved ASI...
    Rule Medium Severity
  • Trigger a kernel BUG when data corruption is detected

    This option makes the kernel BUG when it encounters data corruption in kernel memory structures when they get checked for validity. This configurat...
    Rule Low Severity
  • Warn on W+X mappings found at boot

    Generate a warning if any W+X mappings are found at boot. This configuration is available from kernel 5.8. The configuration that was used to buil...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules