Skip to content
Log In

Guide to the Secure Configuration of Debian 10

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Install and Protect LDAP Certificate Files

    Create the PKI directory for LDAP certificates if it does not already exist: <pre>$ sudo mkdir /etc/pki/tls/ldap $ sudo chown root:root /etc/pki/tls/ldap $ sudo chmod 755 /etc/pki/tls/ldap</pre> Us...
    Group
    Show

  • Configure Postfix if Necessary

    Postfix stores its configuration files in the directory /etc/postfix by default. The primary configuration file is /etc/postfix/main.cf.
    Group
    Show

  • Configure Postfix Resource Usage to Limit Denial of Service Attacks

    Edit <code>/etc/postfix/main.cf</code>. Edit the following lines to configure the amount of system resources Postfix can consume: <pre>default_process_limit = 100 smtpd_client_connection_count_limi...
    Group
    Show

  • Mail Server Software

    Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not r...
    Group
    Show

  • The Postfix package is installed

    A mail server is required for sending emails. The postfix package can be installed with the following command: 
    $ apt-get install postfix
    Rule Medium Severity
    Show

  • Configure SMTP For Mail Clients

    This section discusses settings for Postfix in a submission-only e-mail configuration.
    Group
    Show

  • Postfix Network Interfaces

    The setting for inet_interfaces in /etc/postfix/main.cf
    Value
    Show

  • Postfix relayhost

    Specify the host all outbound email should be routed into.
    Value
    Show

  • Postfix Root Mail Alias

    Specify an email address (string) for a root mail alias.
    Value
    Show

  • Configure System to Forward All Mail For The Root Account

    Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_postfix_root_mail_ali...
    Rule Medium Severity
    Show

  • Configure System to Forward All Mail From Postmaster to The Root Account

    Verify the administrators are notified in the event of an audit processing failure. Check that the "/etc/aliases" file has a defined value for "root". <pre>$ sudo grep "postmaster:\s*root$" /etc/al...
    Rule Medium Severity
    Show

  • Configure System to Forward All Mail through a specific host

    Set up a relay host that will act as a gateway for all outbound email. Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following <code>relayhost</code> line appears: <pre>re...
    Rule Medium Severity
    Show

  • Configure Operating System to Protect Mail Server

    The guidance in this section is appropriate for any host which is operating as a site MTA, whether the mail server runs using Sendmail, Postfix, or some other software.
    Group
    Show

  • Configure SSL Certificates for Use with SMTP AUTH

    If SMTP AUTH is to be used, the use of SSL to protect credentials in transit is strongly recommended. There are also configurations for which it may be desirable to encrypt all mail in transit from...
    Group
    Show

  • Ensure Security of Postfix SSL Certificate

    Create the PKI directory for mail certificates, if it does not already exist: <pre>$ sudo mkdir /etc/pki/tls/mail $ sudo chown root:root /etc/pki/tls/mail $ sudo chmod 755 /etc/pki/tls/mail</pre> U...
    Group
    Show

  • Control Mail Relaying

    Postfix's mail relay controls are implemented with the help of the smtpd recipient restrictions option, which controls the restrictions placed on the SMTP dialogue once the sender and recipient env...
    Group
    Show

  • Enact SMTP Recipient Restrictions

    To configure Postfix to restrict addresses to which it will send mail, see: <a href="http://www.postfix.org/SMTPD_ACCESS_README.html#danger">http://www.postfix.org/SMTPD_ACCESS_README.html#dan...
    Group
    Show

  • Enact SMTP Relay Restrictions

    To configure Postfix to restrict addresses to which it will send mail, see: <a href="http://www.postfix.org/SMTPD_ACCESS_README.html#danger">http://www.postfix.org/SMTPD_ACCESS_README.html#dan...
    Group
    Show

  • Use TLS for SMTP AUTH

    Postfix provides options to use TLS for certificate-based authentication and encrypted sessions. An encrypted session protects the information that is transmitted with SMTP mail or with SASL authen...
    Group
    Show

  • Configure Trusted Networks and Hosts

    Edit <code>/etc/postfix/main.cf</code>, and configure the contents of the <code>mynetworks</code> variable in one of the following ways: <ul> <li>If any system in the subnet containing the MTA may ...
    Group
    Show

  • Require SMTP AUTH Before Relaying from Untrusted Clients

    SMTP authentication allows remote clients to relay mail safely by requiring them to authenticate before submitting mail. Postfix's SMTP AUTH uses an authentication library called SASL, which is not...
    Group
    Show

  • NFS and RPC

    The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circumstances under which it is possible to disable NF...
    Group
    Show

  • Disable All NFS Services if Possible

    If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable subsystems required by NFS.
    Group
    Show

  • Disable netfs if Possible

    To determine if any network filesystems handled by netfs are currently mounted on the system execute the following command: <pre>$ mount -t nfs,nfs4,smbfs,cifs,ncpfs</pre> If the command did not re...
    Group
    Show

  • Disable Network File Systems (netfs)

    The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be di...
    Rule Unknown Severity
    Show

  • Disable Services Used Only by NFS

    If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. <br><br> All of these daemons run with elevated privileges, and many listen for network connections. If they ar...
    Group
    Show

  • Configure All Systems which Use NFS

    The steps in this section are appropriate for all systems which run NFS, whether they operate as clients or as servers.
    Group
    Show

  • Make Each System a Client or a Server, not Both

    If NFS must be used, it should be deployed in the simplest configuration possible to avoid maintainability problems which may lead to unnecessary security exposure. Due to the reliability and secur...
    Group
    Show

  • Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)

    Firewalling should be done at each host and at the border firewalls to protect the NFS daemons from remote access, since NFS servers should never be accessible from outside the organization. Howeve...
    Group
    Show

  • Configure NFS Clients

    The steps in this section are appropriate for systems which operate as NFS clients.
    Group
    Show

  • Disable NFS Server Daemons

    There is no need to run the NFS server daemons <code>nfs</code> and <code>rpcsvcgssd</code> except on a small number of properly secured systems designated as NFS servers. Ensure that these daemons...
    Group
    Show

  • Mount Remote Filesystems with Restrictive Options

    Edit the file <code>/etc/fstab</code>. For each filesystem whose type (column 3) is <code>nfs</code> or <code>nfs4</code>, add the text <code>,nodev,nosuid</code> to the list of mount options in co...
    Group
    Show

  • Configure NFS Servers

    The steps in this section are appropriate for systems which operate as NFS servers.
    Group
    Show

  • Ensure All-Squashing Disabled On All Exports

    The <code>all_squash</code> maps all uids and gids to an anonymous user. This should be disabled by removing any instances of the <code>all_squash</code> option from the file <code>/etc/exports</co...
    Rule Low Severity
    Show

  • Configure the Exports File Restrictively

    Linux's NFS implementation uses the file <code>/etc/exports</code> to control what filesystems and directories may be accessed via NFS. (See the <code>exports(5)</code> manpage for more information...
    Group
    Show

  • Export Filesystems Read-Only if Possible

    If a filesystem is being exported so that users can view the files in a convenient fashion, but there is no need for users to edit those files, exporting the filesystem read-only removes an attack ...
    Group
    Show

  • Use Access Lists to Enforce Authorization Restrictions

    When configuring NFS exports, ensure that each export line in <code>/etc/exports</code> contains a list of hosts which are allowed to access that export. If no hosts are specified on an export line...
    Group
    Show

  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...
    Group
    Show

  • Vendor Approved Time pools

    The list of vendor-approved pool servers
    Value
    Show

  • Vendor Approved Time Servers

    The list of vendor-approved time servers
    Value
    Show

  • Maximum NTP or Chrony Poll

    The maximum NTP or Chrony poll interval number in seconds specified as a power of two.
    Value
    Show

  • The Chrony package is installed

    System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize th...
    Rule Medium Severity
    Show

  • Install the ntp service

    The ntpd service should be installed.
    Rule High Severity
    Show

  • The Chronyd service is enabled

    chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information o...
    Rule Medium Severity
    Show

  • Enable the NTP Daemon

    The ntp service can be enabled with the following command: 
    $ sudo systemctl enable ntp.service
    Rule High Severity
    Show

  • Ensure Chrony is only configured with the server directive

    Check that Chrony only has time sources configured with the server directive.
    Rule Medium Severity
    Show

  • A remote time server for Chrony is configured

    <code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. M...
    Rule Medium Severity
    Show

  • Obsolete Services

    This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best a...
    Group
    Show

  • Xinetd

    The <code>xinetd</code> service acts as a dedicated listener for some network services (mostly, obsolete ones) and can be used to provide access controls and perform some logging. It has been large...
    Group
    Show

  • NIS

    The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized authentication services. NIS...
    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules