Skip to content
Log In

Guide to the Secure Configuration of Debian 10

Rules, Groups, and Values defined within the XCCDF Benchmark

  • IPv6

    The system includes support for Internet Protocol version 6. A major and often-mentioned improvement over IPv4 is its enormous increase in the number of available addresses. Another important featu...
    Group
    Show

  • Disable Support for IPv6 Unless Needed

    Despite configuration that suggests support for IPv6 has been disabled, link-local IPv6 address auto-configuration occurs even when only an IPv4 address is assigned. The only way to effectively pre...
    Group
    Show

  • Disable IPv6 Networking Support Automatic Loading

    To prevent the IPv6 kernel module (<code>ipv6</code>) from binding to the IPv6 networking stack, add the following line to <code>/etc/modprobe.d/disabled.conf</code> (or another file in <code>/etc/...
    Rule Medium Severity
    Show

  • Disable IPv6 Addressing on All IPv6 Interfaces

    To disable support for (<code>ipv6</code>) addressing on all interface add the following line to <code>/etc/sysctl.d/ipv6.conf</code> (or another file in <code>/etc/sysctl.d</code>): <pre>net.ipv6....
    Rule Medium Severity
    Show

  • Disable IPv6 Addressing on IPv6 Interfaces by Default

    To disable support for (<code>ipv6</code>) addressing on interfaces by default add the following line to <code>/etc/sysctl.d/ipv6.conf</code> (or another file in <code>/etc/sysctl.d</code>): <pre>n...
    Rule Medium Severity
    Show

  • Configure IPv6 Settings if Necessary

    A major feature of IPv6 is the extent to which systems implementing it can automatically configure their networking devices using information from the network. From a security perspective, manually...
    Group
    Show

  • IPV6_AUTOCONF

    Toggle global IPv6 auto-configuration (only, if global forwarding is disabled)
    Value
    Show

  • Limit Network-Transmitted Configuration if Using Static IPv6 Addresses

    To limit the configuration information requested from other systems and accepted from the network on a system that uses statically-configured IPv6 addresses, add the following lines to <code>/etc/s...
    Group
    Show

  • Kernel Parameters Which Affect Networking

    The sysctl utility is used to set parameters which affect the operation of the Linux kernel. Kernel parameters which affect networking and have security implications are described here.
    Group
    Show

  • Network Related Kernel Runtime Parameters for Hosts and Routers

    Certain kernel parameters should be set for systems which are acting as either hosts or routers to improve the system's ability defend against certain types of IPv4 protocol attacks.
    Group
    Show

  • net.ipv4.conf.all.accept_redirects

    Disable ICMP Redirect Acceptance
    Value
    Show

  • net.ipv4.conf.all.accept_source_route

    Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.
    Value
    Show

  • net.ipv4.conf.default.arp_filter

    Controls whether the ARP filter is enabled or not. 1 - Allows you to have multiple network interfaces on the same subnet, and have the ARPs for each interface be answered based on whether or not t...
    Value
    Show

  • net.ipv4.conf.default.arp_ignore

    Control the response modes for ARP queries that resolve local target IP addresses: 0 - (default): reply for any local target IP address, configured on any interface 1 - reply only if the target IP...
    Value
    Show

  • net.ipv4.conf.all.forwarding

    Toggle IPv4 Forwarding
    Value
    Show

  • net.ipv4.conf.all.log_martians

    Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect Packets
    Value
    Show

  • net.ipv4.conf.all.rp_filter

    Enable to enforce sanity checking, also called ingress filtering or egress filtering. The point is to drop a packet if the source and destination IP addresses in the IP header do not make sense whe...
    Value
    Show

  • net.ipv4.conf.all.secure_redirects

    Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure ICMP redirected packets on all interfaces.
    Value
    Show

  • net.ipv4.conf.all.shared_media

    Controls whether the system can send (router) or accept (host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be enabled if at least one of conf/{all,interface}/sh...
    Value
    Show

  • net.ipv4.conf.default.accept_redirects

    Disable ICMP Redirect Acceptance?
    Value
    Show

  • net.ipv4.conf.default.accept_source_route

    Disable IP source routing?
    Value
    Show

  • net.ipv4.conf.default.log_martians

    Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect Packets
    Value
    Show

  • net.ipv4.conf.default.shared_media

    Controls whether the system can send(router) or accept(host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be enabled if at least one of conf/{all,interface}/shar...
    Value
    Show

  • net.ipv4.icmp_echo_ignore_broadcasts

    Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
    Value
    Show

  • net.ipv4.icmp_ignore_bogus_error_responses

    Enable to prevent unnecessary logging
    Value
    Show

  • Verify ufw Enabled

    The ufw service can be enabled with the following command: 
    $ sudo systemctl enable ufw.service
    Rule Medium Severity
    Show

  • Disable Accepting Packets Routed Between Local Interfaces

    To set the runtime status of the <code>net.ipv4.conf.all.accept_local</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_local=0</pre> To make sure t...
    Rule Medium Severity
    Show

  • Configure ARP filtering for All IPv4 Interfaces

    To set the runtime status of the <code>net.ipv4.conf.all.arp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.arp_filter=<xccdf-1.2:sub idref="xccd...
    Rule Medium Severity
    Show

  • Configure Response Mode of ARP Requests for All IPv4 Interfaces

    To set the runtime status of the <code>net.ipv4.conf.all.arp_ignore</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.arp_ignore=<xccdf-1.2:sub idref="xccd...
    Rule Medium Severity
    Show

  • Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces

    To set the runtime status of the <code>net.ipv4.conf.all.route_localnet</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.route_localnet=0</pre> To make su...
    Rule Medium Severity
    Show

  • Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces

    To set the runtime status of the <code>net.ipv4.conf.all.shared_media</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.shared_media=<xccdf-1.2:sub idref="...
    Rule Medium Severity
    Show

  • Configure Sending and Accepting Shared Media Redirects by Default

    To set the runtime status of the <code>net.ipv4.conf.default.shared_media</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.shared_media=<xccdf-1.2:sub...
    Rule Medium Severity
    Show

  • Network Parameters for Hosts Only

    If the system is not going to be used as a router, then setting certain kernel parameters ensure that the host will not perform routing of network traffic.
    Group
    Show

  • nftables

    <code>If firewalld or iptables are being used in your environment, please follow the guidance in their respective section and pass-over the guidance in this section.</code><br><br> nftables is a su...
    Group
    Show

  • Uncommon Network Protocols

    The system includes support for several network protocols which are not commonly used. Although security vulnerabilities in kernel networking code are not frequently discovered, the consequences ca...
    Group
    Show

  • Nftables Base Chain Hooks

    The possible hooks which can be used to configure the base chain are: <code>ingress</code> (only in netdev family since Linux kernel 4.2, and inet family since Linux kernel 5.10): sees packets imm...
    Value
    Show

  • Nftables Chain Names

    The rules in nftables are attached to chains. Unlike in iptables, there are no predefined chains like INPUT, OUTPUT, etc. Instead, to filter packets at a particular processing step, a base chain ...
    Value
    Show

  • Nftables Base Chain Policies

    This is the default verdict that will be applied to packets reaching the end of the chain (i.e, no more rules to be evaluated against). Currently there are 2 policies: <code>accept</code> this ve...
    Value
    Show

  • Nftables Base Chain Priorities

    Each nftables base chain is assigned a priority that defines its ordering among other base chains, flowtables, and Netfilter internal operations at the same hook. For example, a chain on the prer...
    Value
    Show

  • Nftables Base Chain Types

    Base chains are those that are registered into the Netfilter hooks, i.e. these chains see packets flowing through the Linux TCP/IP stack. The possible chain types are: <code>filter</code>, which i...
    Value
    Show

  • Nftables Families

    Netfilter enables filtering at multiple networking levels. With iptables there is a separate tool for each level: iptables, ip6tables, arptables, ebtables. With nftables the multiple networking l...
    Value
    Show

  • Nftables Master configuration file

    The file which contains top level configuration for nftables service, and with which, the service is started.
    Value
    Show

  • Nftables Tables

    Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six families.
    Value
    Show

  • SuSEfirewall2

    The SuSEfirewall2 provides a managed firewall.
    Group
    Show

  • Uncomplicated Firewall (ufw)

    The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter are the iptables suite of commands. iptables provide a compl...
    Group
    Show

  • Disable RDS Support

    The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the syst...
    Rule Low Severity
    Show

  • Disable TIPC Support

    The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the <code>tipc</code> kernel module...
    Rule Low Severity
    Show

  • Wireless Networking

    Wireless networking, such as 802.11 (WiFi) and Bluetooth, can present a security risk to sensitive or classified systems and networks. Wireless networking hardware is much more likely to be include...
    Group
    Show

  • Disable Wireless Through Software Configuration

    If it is impossible to remove the wireless hardware from the device in question, disable as much of it as possible through software. The following methods can disable software support for wireless ...
    Group
    Show

  • Disable Unused Interfaces

    Network interfaces expand the attack surface of the system. Unused interfaces are not monitored or controlled, and should be disabled. <br><br> If the system does not require network communication...
    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules