Skip to content
ATO Pathways
  Log In

Guide to the Secure Configuration of Debian 12

Rules, Groups, and Values defined within the XCCDF Benchmark

  • remember

    The last n passwords for each user are saved in <code>/etc/security/opasswd</code> in order to force password change history and keep the user from...
    Value
    Show

  • Disallow Configuration to Bypass Password Requirements for Privilege Escalation

    Verify the operating system is not configured to bypass password requirements for privilege escalation. Check the configuration of the "/etc/pam.d/...
    Rule Medium Severity
    Show

  • Ensure PAM Displays Last Logon/Access Notification

    To configure the system to notify users of last logon/access using <code>pam_lastlog</code>, add or correct the <code>pam_lastlog</code> settings i...
    Rule Low Severity
    Show

  • Set Lockouts for Failed Password Attempts

    The <code>pam_faillock</code> PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentati...
    Group
    Show

  • fail_deny

    Number of failed login attempts before account lockout
    Value
    Show

  • faillock directory

    The directory where the user files with the failure records are kept
    Value
    Show

  • fail_interval

    Interval for counting failed login attempts before account lockout
    Value
    Show

  • fail_unlock_time

    Seconds before automatic unlocking or permanently locking after excessive failed logins
    Value
    Show

  • tally2_unlock_time

    Seconds before automatic unlocking or permanently locking after excessive failed logins
    Value
    Show

  • tally2

    Number of failed login attempts
    Value
    Show

  • Account Lockouts Must Be Logged

    PAM faillock locks an account due to excessive password failures, this event must be logged.
    Rule Medium Severity
    Show

  • minimum password age

    Minimum age of password in days
    Value
    Show

  • minimum password length

    Minimum number of characters in password
    Value
    Show

  • warning days before password expires

    The number of days' warning given before a password expires.
    Value
    Show

  • Set Password Minimum Age

    To specify password minimum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_D...
    Rule Medium Severity
    Show

  • Set Password Warning Age

    To specify how many days prior to password expiration that a warning will be issued to users, edit the file <code>/etc/login.defs</code> and add or...
    Rule Medium Severity
    Show

  • Include Local Events in Audit Logs

    To configure Audit daemon to include local events in Audit logs, set <code>local_events</code> to <code>yes</code> in <code>/etc/audit/auditd.conf<...
    Rule Medium Severity
    Show

  • Ensure AppArmor is enabled in the bootloader configuration

    Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Note: This recommenda...
    Rule Medium Severity
    Show

  • GRUB2 bootloader configuration

    During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows ...
    Group
    Show

  • L1TF vulnerability mitigation

    Defines the L1TF vulneratility mitigations to employ.
    Value
    Show

  • MDS vulnerability mitigation

    Defines the MDS vulneratility mitigation to employ.
    Value
    Show

  • Confidence level on Hardware Random Number Generator

    Defines the level of trust on the hardware random number generators available in the system and the percentage of entropy to credit.
    Value
    Show

  • Spec Store Bypass Mitigation

    This controls how the Speculative Store Bypass (SSB) vulnerability is mitigated.
    Value
    Show

  • Disable Recovery Booting

    Debian 12 systems support an "recovery boot" option that can be used to prevent services from being started. The <code>GRUB_DISABLE_RECOVERY</code>...
    Rule Medium Severity
    Show

  • IOMMU configuration directive

    On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system critical u...
    Rule Unknown Severity
    Show

  • Configure L1 Terminal Fault mitigations

    L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged speculative access to data which is available in the Level 1 Data Ca...
    Rule High Severity
    Show

  • Force kernel panic on uncorrected MCEs

    A Machine Check Exception is an error generated by the CPU itdetects an error in itself, memory or I/O devices. These errors may be corrected and g...
    Rule Medium Severity
    Show

  • Disable merging of slabs with similar size

    The kernel may merge similar slabs together to reduce overhead and increase cache hotness of objects. Disabling merging of slabs keeps the slabs se...
    Rule Medium Severity
    Show

  • Configure Speculative Store Bypass Mitigation

    Certain CPUs are vulnerable to an exploit against a common wide industry wide performance optimization known as Speculative Store Bypass (SSB). In...
    Rule Medium Severity
    Show

  • Enforce Spectre v2 mitigation

    Spectre V2 is an indirect branch poisoning attack that can lead to data leakage. An exploit for Spectre V2 tricks the indirect branch predictor int...
    Rule High Severity
    Show

  • Ensure debug-shell service is not enabled during boot

    systemd's <code>debug-shell</code> service is intended to diagnose systemd related boot issues with various <code>systemctl</code> commands. Once e...
    Rule Medium Severity
    Show

  • Non-UEFI GRUB2 bootloader configuration

    Non-UEFI GRUB2 bootloader configuration
    Group
    Show

  • UEFI GRUB2 bootloader configuration

    UEFI GRUB2 bootloader configuration
    Group
    Show

  • Ensure logrotate is Installed

    logrotate is installed by default. The <code>logrotate</code> package can be installed with the following command: <pre> $ apt-get install logrotat...
    Rule Medium Severity
    Show

  • Ensure Logrotate Runs Periodically

    The <code>logrotate</code> utility allows for the automatic rotation of log files. The frequency of rotation is specified in <code>/etc/logrotate....
    Rule Medium Severity
    Show

  • Configure rsyslogd to Accept Remote Messages If Acting as a Log Server

    By default, <code>rsyslog</code> does not listen over the network for log messages. If needed, modules can be enabled to allow the rsyslog daemon t...
    Group
    Show

  • Ensure syslog-ng is Installed

    syslog-ng can be installed in replacement of rsyslog. The <code>syslog-ng-core</code> package can be installed with the following command: <pre> $ ...
    Rule Medium Severity
    Show

  • Enable syslog-ng Service

    The <code>syslog-ng</code> service (in replacement of rsyslog) provides syslog-style logging by default on Debian. The <code>syslog-ng</code> serv...
    Rule Medium Severity
    Show

  • Enable rsyslog to Accept Messages via TCP, if Acting As Log Server

    The <code>rsyslog</code> daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central l...
    Rule Unknown Severity
    Show

  • Enable rsyslog to Accept Messages via UDP, if Acting As Log Server

    The <code>rsyslog</code> daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central l...
    Rule Unknown Severity
    Show

  • Remote Log Server

    Specify an URI or IP address of a remote host where the log messages will be sent and stored.
    Value
    Show

  • Network Configuration and Firewalls

    Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses th...
    Group
    Show

  • IPSec Support

    Support for Internet Protocol Security (IPsec) is provided with Libreswan.
    Group
    Show

  • iptables and ip6tables

    A host-based firewall called <code>netfilter</code> is included as part of the Linux kernel distributed with the system. It is activated by default...
    Group
    Show

  • Verify ip6tables Enabled if Using IPv6

    The ip6tables service can be enabled with the following command: 
    $ sudo systemctl enable ip6tables.service
    Rule Medium Severity
    Show

  • Verify iptables Enabled

    The iptables service can be enabled with the following command: 
    $ sudo systemctl enable iptables.service
    Rule Medium Severity
    Show

  • Set Default ip6tables Policy for Incoming Packets

    To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following l...
    Rule Medium Severity
    Show

  • Strengthen the Default Ruleset

    The default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in the configuration files <co...
    Group
    Show

  • Set Default iptables Policy for Incoming Packets

    To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following l...
    Rule Medium Severity
    Show

  • Set Default iptables Policy for Forwarded Packets

    To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interf...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules