Skip to content

Guide to the Secure Configuration of Debian 12

Rules, Groups, and Values defined within the XCCDF Benchmark

  • IPv6

    The system includes support for Internet Protocol version 6. A major and often-mentioned improvement over IPv4 is its enormous increase in the numb...
    Group
  • Disable Support for IPv6 Unless Needed

    Despite configuration that suggests support for IPv6 has been disabled, link-local IPv6 address auto-configuration occurs even when only an IPv4 ad...
    Group
  • Disable IPv6 Networking Support Automatic Loading

    To prevent the IPv6 kernel module (<code>ipv6</code>) from binding to the IPv6 networking stack, add the following line to <code>/etc/modprobe.d/di...
    Rule Medium Severity
  • Disable IPv6 Addressing on All IPv6 Interfaces

    To disable support for (<code>ipv6</code>) addressing on all interface add the following line to <code>/etc/sysctl.d/ipv6.conf</code> (or another f...
    Rule Medium Severity
  • Disable IPv6 Addressing on IPv6 Interfaces by Default

    To disable support for (<code>ipv6</code>) addressing on interfaces by default add the following line to <code>/etc/sysctl.d/ipv6.conf</code> (or a...
    Rule Medium Severity
  • Configure IPv6 Settings if Necessary

    A major feature of IPv6 is the extent to which systems implementing it can automatically configure their networking devices using information from ...
    Group
  • net.ipv6.conf.all.accept_ra_defrtr

    Accept default router in router advertisements?
    Value
  • net.ipv6.conf.all.accept_ra_pinfo

    Accept prefix information in router advertisements?
    Value
  • net.ipv6.conf.all.accept_ra_rtr_pref

    Accept router preference in router advertisements?
    Value
  • net.ipv6.conf.all.accept_redirects

    Toggle ICMP Redirect Acceptance
    Value
  • net.ipv6.conf.all.accept_source_route

    Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirec...
    Value
  • net.ipv6.conf.all.autoconf

    Enable auto configuration on IPv6 interfaces
    Value
  • Kernel Parameters Which Affect Networking

    The <code>sysctl</code> utility is used to set parameters which affect the operation of the Linux kernel. Kernel parameters which affect networking...
    Group
  • Network Related Kernel Runtime Parameters for Hosts and Routers

    Certain kernel parameters should be set for systems which are acting as either hosts or routers to improve the system's ability defend against cert...
    Group
  • net.ipv4.conf.all.accept_redirects

    Disable ICMP Redirect Acceptance
    Value
  • net.ipv4.conf.all.accept_source_route

    Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirec...
    Value
  • net.ipv4.conf.default.arp_filter

    Controls whether the ARP filter is enabled or not. 1 - Allows you to have multiple network interfaces on the same subnet, and have the ARPs for ea...
    Value
  • net.ipv4.conf.default.arp_ignore

    Control the response modes for ARP queries that resolve local target IP addresses: 0 - (default): reply for any local target IP address, configure...
    Value
  • net.ipv4.conf.all.rp_filter

    Enable to enforce sanity checking, also called ingress filtering or egress filtering. The point is to drop a packet if the source and destination I...
    Value
  • net.ipv4.conf.all.secure_redirects

    Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure...
    Value
  • net.ipv4.conf.all.shared_media

    Controls whether the system can send (router) or accept (host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be ...
    Value
  • net.ipv4.conf.default.accept_redirects

    Disable ICMP Redirect Acceptance?
    Value
  • net.ipv4.conf.default.accept_source_route

    Disable IP source routing?
    Value
  • Uncomplicated Firewall (ufw)

    The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter are the ip...
    Group
  • Uncommon Network Protocols

    The system includes support for several network protocols which are not commonly used. Although security vulnerabilities in kernel networking code ...
    Group
  • Disable TIPC Support

    The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the sys...
    Rule Low Severity
  • Verify Permissions on System.map Files

    The System.map files are symbol map files generated during the compilation of the Linux kernel. They contain the mapping between kernel symbols and...
    Rule Low Severity
  • Ensure No World-Writable Files Exist

    It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific a...
    Rule Medium Severity
  • Enable Kernel Parameter to Enforce DAC on Hardlinks

    To set the runtime status of the <code>fs.protected_hardlinks</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protecte...
    Rule Medium Severity
  • Enable Kernel Parameter to Enforce DAC on Symlinks

    To set the runtime status of the <code>fs.protected_symlinks</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protected...
    Rule Medium Severity
  • Verify Permissions on Files with Local Account Information and Credentials

    The default restrictive permissions for files which act as important security databases such as <code>passwd</code>, <code>shadow</code>, <code>gro...
    Group
  • Verify Group Who Owns Backup group File

    To properly set the group owner of /etc/group-, run the command:
    $ sudo chgrp root /etc/group-
    Rule Medium Severity
  • Verify Group Who Owns Backup gshadow File

    To properly set the group owner of /etc/gshadow-, run the command:
    $ sudo chgrp shadow /etc/gshadow-
    Rule Medium Severity
  • Verify Group Who Owns Backup passwd File

    To properly set the group owner of /etc/passwd-, run the command:
    $ sudo chgrp root /etc/passwd-
    Rule Medium Severity
  • Verify User Who Owns Backup shadow File

    To properly set the group owner of /etc/shadow-, run the command:
    $ sudo chgrp shadow /etc/shadow-
    Rule Medium Severity
  • Verify that System Executables Have Root Ownership

    System executables are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sb...
    Rule Medium Severity
  • Verify that Shared Library Files Have Root Ownership

    System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by ...
    Rule Medium Severity
  • Verify that System Executables Have Restrictive Permissions

    System executables are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sb...
    Rule Medium Severity
  • Verify that Shared Library Files Have Restrictive Permissions

    System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by ...
    Rule Medium Severity
  • Restrict Partition Mount Options

    System partitions can be mounted with certain options that limit what files on those partitions can do. These options are set in the <code>/etc/fst...
    Group
  • SELinux policy

    Type of policy in use. Possible values are: <br>targeted - Only targeted network daemons are protected. <br>strict - Full SELinux protection. <br>m...
    Value
  • SELinux state

    enforcing - SELinux security policy is enforced. <br>permissive - SELinux prints warnings instead of enforcing. <br>disabled - SELinux is fully dis...
    Value
  • Ensure SELinux is Not Disabled

    The SELinux state should be set to <code>enforcing</code> or <code>permissive</code> at system boot time. In the file <code>/etc/selinux/config</co...
    Rule High Severity
  • Ensure SELinux State is Enforcing

    The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub><...
    Rule High Severity
  • SELinux - Booleans

    Enable or Disable runtime customization of SELinux system policies without having to reload or recompile the SELinux policy.
    Group
  • Deprecated services

    Some deprecated software services impact the overall system security due to their behavior (leak of confidentiality in network exchange, usage as u...
    Group
  • Uninstall the inet-based telnet server

    The inet-based telnet daemon should be uninstalled.
    Rule High Severity
  • Uninstall the nis package

    The support for Yellowpages should not be installed unless it is required.
    Rule Low Severity
  • Uninstall the ntpdate package

    ntpdate is a historical ntp synchronization client for unixes. It sould be uninstalled.
    Rule Low Severity
  • Uninstall the ssl compliant telnet server

    The telnet daemon, even with ssl support, should be uninstalled.
    Rule High Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules