Guide to the Secure Configuration of Debian release 8 (Jessie)
with profile Common Profile for General-Purpose Debian Systems
https://fedorahosted.org/scap-security-guide
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP).
Profile Title | Common Profile for General-Purpose Debian Systems |
---|---|
Profile ID | xccdf_org.ssgproject.content_profile_common |
Revision History
Current version: 0.0.1
- draft (as of 2015-12-11)
Platforms
- cpe:/o:debianproject:debian:8
Table of Contents
Checklist
contains 16 rules |
Installationgroup |
contains 5 rules |
PartitioninggroupSeparating various locations of the file systems in different partitions allows a more restrictive segregation, distinctly from one location to another. Moreover, some native restrictions can be made by partitioning, such as no hard link between different filesystems, and reduce the corruption impact to the affected filesystem instead of the entire system. The last gain is to allow a differenciated usage of storage media, depending on the operational needs (speed, resilience, etc.). references: Filesystem Hierarchy Standard |
contains 5 rules |
Ensure /tmp Located On Separate Partitionrule
The
The identifiers: CCE-27173-4 references: SC-32, |
Ensure /var Located On Separate PartitionruleThe
Ensuring that identifiers: CCE-26404-4 references: SC-32, |
Ensure /var/log Located On Separate Partitionrule
System logs are stored in the
Placing identifiers: CCE-26967-0 references: AU-9, SC-32, http://iase.disa.mil/stigs/cci/Pages/index.aspx, |
Ensure /var/log/audit Located On Separate Partitionrule
Audit logs are stored in the
Placing identifiers: CCE-26971-2 references: AU-4, AU-9, SC-32, http://iase.disa.mil/stigs/cci/Pages/index.aspx, |
Ensure /home Located On Separate Partitionrule
If user home directories will be stored locally, create a separate partition
for
Ensuring that |
Systemgroup |
contains 6 rules |
Verify Permissions on Important Files and DirectoriesgroupPermissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verified to ensure that no harmful discrepancies have arisen. |
contains 6 rules |
Verify Permissions on Files with Local Account Information and CredentialsgroupThe default restrictive permissions for files which act as
important security databases such as |
contains 6 rules |
Verify Permissions on group Filerule
To properly set the permissions of # chmod 644/etc/groupRationale: The identifiers: CCE-26949-8 references: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8, |
Verify User Who Owns group Filerule
To properly set the owner of # chown root/etc/groupRationale: The |
Verify Permissions on shadow Filerule
To properly set the permissions of # chmod 0640/etc/shadowRationale: The identifiers: CCE-27100-7 references: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8, |
Verify User Who Owns shadow Filerule
To properly set the owner of # chown root:shadow/etc/shadowRationale: The identifiers: CCE-26795-5 references: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8 |
Verify Permissions on passwd Filerule
To properly set the permissions of # chmod 0644/etc/passwdRationale: If the identifiers: CCE-26887-0 references: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8, |
Verify User Who Owns passwd Filerule
To properly set the owner of # chown root/etc/passwdRationale: The identifiers: CCE-27138-7 references: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8, |
Service managementgroupThe following sections contain information on security-relevant choices about software services that may be installed or blacklisted on the operating system. |
contains 5 rules |
Deprecated servicesgroupSome deprecated software services impact the overall system security due to their behavior (leak of confidentiality in network exchange, usage as uncontrolled communication channel, risk associated with the service due to its old age, etc. |
contains 5 rules |
Uninstall the telnet serverruleThe telnet daemon should be uninstalled. Rationale:telnet allows clear text communications, and does not protect any data transmission between client and server. Any confidential data can be listened and no integrity checking is made. identifiers: CCE-27165-0 references: AC-17(8), CM-7, http://iase.disa.mil/stigs/cci/Pages/index.aspx
|
Uninstall the inet-based telnet serverruleThe inet-based telnet daemon should be uninstalled. Rationale:telnet allows clear text communications, and does not protect any data transmission between client and server. Any confidential data can be listened and no integrity checking is made. identifiers: CCE-27165-0 references: AC-17(8), CM-7, http://iase.disa.mil/stigs/cci/Pages/index.aspx
|
Uninstall the ssl compliant telnet serverruleThe telnet daemon, even with ssl support, should be uninstalled. Rationale:telnet, even with ssl support, should not be installed. When remote shell is required, up-to-date ssh daemon can be used. identifiers: CCE-4330-7 references: AC-17(8), CM-7, http://iase.disa.mil/stigs/cci/Pages/index.aspx
|
Uninstall the nis packageruleThe support for Yellowpages should not be installed unless it is required. Rationale:NIS is the historical SUN service for central account management, more and more replaced by LDAP. NIS does not support efficiently security constraints, ACL, etc. and should not be used. identifiers: CCE-4348-9
|
Uninstall the ntpdate packagerulentpdate is a historical ntp synchronization client for unixes. It sould be uninstalled. Rationale:ntpdate is an old not security-compliant ntp client. It should be replaced by modern ntp clients such as ntpd, able to use cryptographic mechanisms integrated in NTP. identifiers: CCE-4348-9
|