Skip to content

Guide to the Secure Configuration of Debian 10

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Enable poison without sanity check

    Skip the sanity checking on alloc, only fill the pages with poison on free. This reduces some of the overhead of the poisoning feature. This config...
    Rule Medium Severity
  • Use zero for poisoning instead of debugging value

    Instead of using the existing poison value, fill the pages with zeros. This makes it harder to detect when errors are occurring due to sanitization...
    Rule Medium Severity
  • Remove the kernel mapping in user mode

    This feature reduces the number of hardware side channels by ensuring that the majority of kernel addresses are not mapped into userspace. This con...
    Rule High Severity
  • Kernel panic oops

    Enable the kernel to panic when it oopses. This has the same effect as setting oops=panic on the kernel command line. The configuration that was u...
    Rule Medium Severity
  • Kernel panic timeout

    Set the timeout value (in seconds) until a reboot occurs when the kernel panics. A timeout of 0 configures the system to wait forever. With a timeo...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules