Guide to the Secure Configuration of Debian release 8 (Jessie)

with profile Common Profile for General-Purpose Debian Systems
The SCAP Security Guide Project
https://fedorahosted.org/scap-security-guide
This guide presents a catalog of security-relevant configuration settings for Debian release 8 (Jessie) formatted in the eXtensible Configuration Checklist Description Format (XCCDF).

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP).
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.
Profile TitleCommon Profile for General-Purpose Debian Systems
Profile IDxccdf_org.ssgproject.content_profile_common

Revision History

Current version: 0.0.1

  • draft (as of 2015-12-11)

Platforms

  • cpe:/o:debianproject:debian:8

Table of Contents

  1. Installation
    1. Partitioning
  2. System
    1. Verify Permissions on Important Files and Directories
  3. Service management
    1. Deprecated services

Checklist

contains 16 rules

Installationgroup

contains 5 rules

Partitioninggroup

Separating various locations of the file systems in different partitions allows a more restrictive segregation, distinctly from one location to another. Moreover, some native restrictions can be made by partitioning, such as no hard link between different filesystems, and reduce the corruption impact to the affected filesystem instead of the entire system. The last gain is to allow a differenciated usage of storage media, depending on the operational needs (speed, resilience, etc.).

references:  Filesystem Hierarchy Standard

contains 5 rules

Ensure /tmp Located On Separate Partitionrule

The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM (when non-ephemeral is needed) or use tmpfs if possible.

Rationale:

The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

identifiers:  CCE-27173-4

references:  SC-32,

Ensure /var Located On Separate Partitionrule

The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale:

Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages.

identifiers:  CCE-26404-4

references:  SC-32,

Ensure /var/log Located On Separate Partitionrule

System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale:

Placing /var/log in its own partition enables better separation between log files and other files in /var/.

identifiers:  CCE-26967-0

references:  AU-9, SC-32, http://iase.disa.mil/stigs/cci/Pages/index.aspx,

Ensure /var/log/audit Located On Separate Partitionrule

Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

Rationale:

Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

identifiers:  CCE-26971-2

references:  AU-4, AU-9, SC-32, http://iase.disa.mil/stigs/cci/Pages/index.aspx,

Ensure /home Located On Separate Partitionrule

If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.

Rationale:

Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

references:  SC-32, 1208,

Systemgroup

contains 6 rules

Verify Permissions on Important Files and Directoriesgroup

Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verified to ensure that no harmful discrepancies have arisen.

contains 6 rules
contains 6 rules

Verify Permissions on group Filerule

To properly set the permissions of /etc/group, run the command:

# chmod 644/etc/group

Rationale:

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

identifiers:  CCE-26949-8

references:  AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8,

Verify User Who Owns group Filerule

To properly set the owner of /etc/group, run the command:

# chown root/etc/group

Rationale:

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

identifiers:  CCE-26933-2

references:  AC-6, Req-8,

Verify Permissions on shadow Filerule

To properly set the permissions of /etc/shadow, run the command:

# chmod 0640/etc/shadow

Rationale:

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

identifiers:  CCE-27100-7

references:  AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8,

Verify User Who Owns shadow Filerule

To properly set the owner of /etc/shadow, run the command:

# chown root:shadow/etc/shadow

Rationale:

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

identifiers:  CCE-26795-5

references:  AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8

Verify Permissions on passwd Filerule

To properly set the permissions of /etc/passwd, run the command:

# chmod 0644/etc/passwd

Rationale:

If the /etc/passwd file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.

identifiers:  CCE-26887-0

references:  AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8,

Verify User Who Owns passwd Filerule

To properly set the owner of /etc/passwd, run the command:

# chown root/etc/passwd

Rationale:

The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.

identifiers:  CCE-27138-7

references:  AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8,

Service managementgroup

The following sections contain information on security-relevant choices about software services that may be installed or blacklisted on the operating system.

contains 5 rules

Deprecated servicesgroup

Some deprecated software services impact the overall system security due to their behavior (leak of confidentiality in network exchange, usage as uncontrolled communication channel, risk associated with the service due to its old age, etc.

contains 5 rules

Uninstall the telnet serverrule

The telnet daemon should be uninstalled.

Rationale:

telnet allows clear text communications, and does not protect any data transmission between client and server. Any confidential data can be listened and no integrity checking is made.

identifiers:  CCE-27165-0

references:  AC-17(8), CM-7, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation script:
# CAUTION: This remediation script will remove telnetd
#	   from the system, and may remove any packages
#	   that depend on telnetd. Execute this
#	   remediation AFTER testing on a non-production
#	   system!

apt-get remove --purge telnetd

Uninstall the inet-based telnet serverrule

The inet-based telnet daemon should be uninstalled.

Rationale:

telnet allows clear text communications, and does not protect any data transmission between client and server. Any confidential data can be listened and no integrity checking is made.

identifiers:  CCE-27165-0

references:  AC-17(8), CM-7, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation script:
# CAUTION: This remediation script will remove inetutils-telnetd
#	   from the system, and may remove any packages
#	   that depend on inetutils-telnetd. Execute this
#	   remediation AFTER testing on a non-production
#	   system!

apt-get remove --purge inetutils-telnetd

Uninstall the ssl compliant telnet serverrule

The telnet daemon, even with ssl support, should be uninstalled.

Rationale:

telnet, even with ssl support, should not be installed. When remote shell is required, up-to-date ssh daemon can be used.

identifiers:  CCE-4330-7

references:  AC-17(8), CM-7, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation script:
# CAUTION: This remediation script will remove telnetd-ssl
#	   from the system, and may remove any packages
#	   that depend on telnetd-ssl. Execute this
#	   remediation AFTER testing on a non-production
#	   system!

apt-get remove --purge telnetd-ssl

Uninstall the nis packagerule

The support for Yellowpages should not be installed unless it is required.

Rationale:

NIS is the historical SUN service for central account management, more and more replaced by LDAP. NIS does not support efficiently security constraints, ACL, etc. and should not be used.

identifiers:  CCE-4348-9

Remediation script:
# CAUTION: This remediation script will remove nis
#	   from the system, and may remove any packages
#	   that depend on nis. Execute this
#	   remediation AFTER testing on a non-production
#	   system!

apt-get remove --purge nis

Uninstall the ntpdate packagerule

ntpdate is a historical ntp synchronization client for unixes. It sould be uninstalled.

Rationale:

ntpdate is an old not security-compliant ntp client. It should be replaced by modern ntp clients such as ntpd, able to use cryptographic mechanisms integrated in NTP.

identifiers:  CCE-4348-9

Remediation script:
# CAUTION: This remediation script will remove ntpdate
#	   from the system, and may remove any packages
#	   that depend on ntpdate. Execute this
#	   remediation AFTER testing on a non-production
#	   system!

apt-get remove --purge ntpdate
SCAP security guide for Debian - release 1