Guide to the Secure Configuration of Debian 8
with profile Profile for ANSSI DAT-NT28 Restrictive Level
This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.
scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Debian 8, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Profile Title | Profile for ANSSI DAT-NT28 Restrictive Level
---|---
Profile ID | xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive
Revision History
Current version: 0.1.31
- draft (as of 2017-02-12)
Platforms
- cpe:/o:debianproject:debian:8
Table of Contents
Checklist
contains 35 rules
System Settings [group]
Contains rules that check correct system settings.
contains 20 rules
File Permissions and Masks [group]
Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access.
$ mount -t xfs | awk '{print $3}'
For any systems that use a different local filesystem type, modify this command as appropriate.
contains 7 rules
Verify Permissions on Important Files and Directories [group]
Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verified to ensure that no harmful discrepancies have arisen.
contains 5 rules
Verify permissions on files containing sensitive information about the system [group]
Various files contain sensitive information that can lead to specific weaknesses or give structural information for local exploits.
contains 1 rule
Verify that local System.map file (if it exists) is readable only by root [rule]
Files containing sensitive information should be protected by restrictive permissions. Most of the time, there is no need for these files to be read by any non-root user.
To properly set the permissions of /boot/System.map-*, run the command:
$ sudo chmod 0600 /boot/System.map-*
To properly set the owner of /boot/System.map-*, run the command:
$ sudo chown root /boot/System.map-*
Rationale: The
references: NT28(R13)
Verify Permissions on Files with Local Account Information and Credentials [group]
The default restrictive permissions for files which act as important security databases such as
contains 4 rules
Verify Permissions and ownership on shadow File [rule]
To properly set the permissions of /etc/shadow, run the command:
$ sudo chmod 0640 /etc/shadow
To properly set the owner of /etc/shadow, run the command:
$ sudo chown root /etc/shadow
To properly set the group owner of /etc/shadow, run the command:
$ sudo chgrp shadow /etc/shadow
Rationale: The
references: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8.7.c, NT28(R36)
Verify Permissions and ownership on gshadow File [rule]
To properly set the permissions of /etc/gshadow, run the command:
$ sudo chmod 0640 /etc/gshadow
To properly set the owner of /etc/gshadow, run the command:
$ sudo chown root /etc/gshadow
To properly set the group owner of /etc/gshadow, run the command:
$ sudo chgrp shadow /etc/gshadow
Rationale: The
references: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, NT28(R36)
Verify Permissions and ownership on passwd File [rule]
To properly set the permissions of /etc/passwd, run the command:
$ sudo chmod 0644 /etc/passwd
To properly set the owner of /etc/passwd, run the command:
$ sudo chown root /etc/passwd
To properly set the group owner of /etc/passwd, run the command:
$ sudo chgrp root /etc/passwd
Rationale: The
references: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Verify Permissions and ownership on group File [rule]
To properly set the permissions of /etc/group, run the command:
$ sudo chmod 0644 /etc/group
To properly set the owner of /etc/group, run the command:
$ sudo chown root /etc/group
To properly set the group owner of /etc/group, run the command:
$ sudo chgrp root /etc/group
Rationale: The
references: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Restrict Programs from Dangerous Execution Patterns [group]
The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution are activated. These protections are applied at the system initialization or kernel level, and defend against certain types of badly-configured or compromised programs.
contains 2 rules
Disable Core Dumps [group]
A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases, only software developers legitimately need to access these files. The core dump files may also contain sensitive information, or unnecessarily occupy large amounts of disk space.
contains 1 rule
Disable Core Dumps for SUID programs [rule]
To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command:
$ sudo sysctl -w fs.suid_dumpable=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
fs.suid_dumpable = 0
Rationale: The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.
Enable ExecShield [group]
ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These features include random placement of the stack and other memory regions, prevention of execution in memory that should only hold data, and special handling of text buffers. These protections are enabled by default on 32-bit systems and controlled through
contains 1 rule
Enable Randomized Layout of Virtual Address Space [rule]
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.randomize_va_space = 2
Rationale: Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
Hardening the filesystem [group]
Hardening the filesystem and its usage is an efficient way to ensure a clean separation of services, data and configurations, while allowing more precise management of filesystem-level access rights, including the deactivation of some specific rights at the filesystem level. Moreover, the Linux virtual file system supports various hardening mechanisms that can be set using sysctl.
contains 7 rules
Partitioning [group]
Separating various locations of the file system into different partitions allows a more restrictive segregation, distinctly from one location to another. Moreover, some native restrictions can be made by partitioning, such as no hard links between different filesystems, and the impact of corruption is reduced to the affected filesystem instead of the entire system. The last gain is to allow a differentiated usage of storage media, depending on the operational needs (speed, resilience, etc.).
references: Filesystem Hierarchy Standard
contains 5 rules
Ensure /tmp Located On Separate Partition [rule]
The
The
Ensure /var Located On Separate Partition [rule]
The
Ensuring that
Ensure /var/log Located On Separate Partition [rule]
System logs are stored in the
Placing
references: AU-9, SC-32, http://iase.disa.mil/stigs/cci/Pages/index.aspx, NT28(R12), NT28(R47)
Ensure /var/log/audit Located On Separate Partition [rule]
Audit logs are stored in the
Placing
references: AU-4, AU-9, SC-32, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Ensure /home Located On Separate Partition [rule]
If user home directories will be stored locally, create a separate partition for
Ensuring that
filesystem rights management [group]
Adding filesystem-specific hardening seriously limits various exploitation vectors based on invalid filesystem usage, such as invalid file types in invalid places (devices or setuid root files on external media, executable files on insecure filesystems, etc.). Some of these hardening measures require an efficient system partitioning.
contains 2 rules
Disallow creating symlinks to a file you do not own [rule]
To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_symlinks=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
fs.protected_symlinks = 1
Rationale: Disallowing such symlinks mitigates vulnerabilities based on insecure filesystem access by privileged programs, avoiding an exploitation vector exploiting unsafe use of
Disallow creating hardlinks to a file you do not own [rule]
To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_hardlinks=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
fs.protected_hardlinks = 1
Rationale: Disallowing such hardlinks mitigates vulnerabilities based on insecure filesystem access by privileged programs, avoiding an exploitation vector exploiting unsafe use of
Configure Syslog [group]
The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lack of authentication for received messages, and lack of authentication, encryption, or reliable transport for messages sent over a network. However, due to its long history, syslog is a de facto standard which is supported by almost all Unix applications.
contains 6 rules
Ensure Proper Configuration of Log Files [group]
The file
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
See the man page rsyslog.conf(5) for more information.
Note that the rsyslog daemon is configured to use traditional timestamping so that its output is understood by any log processing program. For high precision timestamping, comment out the following line in /etc/rsyslog.conf:
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
contains 3 rules
Ensure Log Files Are Owned By Appropriate User [rule]
The owner of all log files written by
$ ls -l LOGFILE
If the owner is not root, run the following command to correct this:
$ sudo chown root LOGFILE
Rationale: The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.
references: AC-6, SI-11, 1314, Req-10.5.1, Req-10.5.2, NT28(R46)
Ensure Log Files Are Owned By Appropriate Group [rule]
The group-owner of all log files written by
$ ls -l LOGFILE
If the group-owner is not adm, run the following command to correct this:
$ sudo chgrp adm LOGFILE
Rationale: The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.
references: AC-6, SI-11, 1314, Req-10.5.1, Req-10.5.2, NT28(R46)
Ensure System Log Files Have Correct Permissions [rule]
The file permissions for all log files written by
$ ls -l LOGFILE
If the permissions are not 640 or more restrictive, run the following command to correct this:
$ sudo chmod 0640 LOGFILE
Rationale: Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value.
references: SI-11, 1314, Req-10.5.1, Req-10.5.2, 5.1.4, NT28(R36)
Ensure All Logs are Rotated by logrotate [group]
Edit the file
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler \
/var/log/boot.log /var/log/cron {
Edit this line so that it contains a one-space-separated listing of each log file referenced in /etc/rsyslog.conf.
All logs in use on a system must be rotated regularly, or the log files will consume disk space over time, eventually interfering with system operation. The file /etc/logrotate.d/syslog is the configuration file used by the logrotate program to maintain all log files written by syslog. By default, it rotates logs weekly and stores four archival copies of each log. These settings can be modified by editing /etc/logrotate.conf, but the defaults are sufficient for purposes of this guide.
Note that logrotate is run nightly by the cron job /etc/cron.daily/logrotate. If particularly active logs need to be rotated more often than once a day, some other mechanism must be used.
contains 1 rule
Ensure Logrotate Runs Periodically [rule]
The
# rotate log files frequency
daily
Rationale: Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.
Ensure rsyslog is Installed [rule]
Rsyslog is installed by default.
The
# apt-get install rsyslog
Rationale: The rsyslog package provides the rsyslog daemon, which provides system logging services.
Enable rsyslog Service [rule]
The
$ sudo chkconfig --level 2345 rsyslog on
Rationale: The
Services [group]
The best protection against vulnerable software is running less software. This section describes how to review the software which Debian 8 installs on a system and disable software which is not needed. It then enumerates the software packages installed on a default Debian 8 system and provides guidance about which ones can be safely disabled.
contains 15 rules
Deprecated services [group]
Some deprecated software services impact the overall system security due to their behavior (leak of confidentiality in network exchanges, usage as an uncontrolled communication channel, risk associated with the service due to its old age, etc.).
contains 5 rules
Uninstall the telnet server [rule]
The telnet daemon should be uninstalled.
Rationale: telnet allows clear text communications, and does not protect any data transmission between client and server. Any confidential data can be eavesdropped and no integrity checking is made.
identifiers: CCE-
references: AC-17(8), CM-7, http://iase.disa.mil/stigs/cci/Pages/index.aspx, NT007(R03)
Uninstall the inet-based telnet server [rule]
The inet-based telnet daemon should be uninstalled.
Rationale: telnet allows clear text communications, and does not protect any data transmission between client and server. Any confidential data can be eavesdropped and no integrity checking is made.
identifiers: CCE-
references: AC-17(8), CM-7, http://iase.disa.mil/stigs/cci/Pages/index.aspx, NT007(R03)
Uninstall the ssl compliant telnet server [rule]
The telnet daemon, even with SSL support, should be uninstalled.
Rationale: telnet, even with SSL support, should not be installed. When a remote shell is required, an up-to-date ssh daemon can be used.
identifiers: CCE-
references: AC-17(8), CM-7, NT007(R02)
Uninstall the nis package [rule]
The support for Yellowpages should not be installed unless it is required.
Rationale: NIS is the historical SUN service for central account management, more and more replaced by LDAP. NIS does not efficiently support security constraints, ACLs, etc. and should not be used.
identifiers: CCE-
Uninstall the ntpdate package [rule]
ntpdate is a historical NTP synchronization client for Unixes. It should be uninstalled.
Rationale: ntpdate is an old, not security-compliant NTP client. It should be replaced by modern NTP clients such as ntpd, which are able to use the cryptographic mechanisms integrated in NTP.
identifiers: CCE-
Generic required services [group]
Some services need to be deployed in order to ensure basic verifications and reporting on GNU/Linux operating systems. Each of these services takes part in the administrability of the system.
contains 5 rules
install the auditd service [rule]
The auditd service should be installed.
Rationale: The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with a potential local access control policy such as an SELinux policy.
identifiers: CCE-
references: NT28(R50)
Enable the auditd service [rule]
The auditd service should be enabled.
Rationale: The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with a potential local access control policy such as an SELinux policy.
identifiers: CCE-
references: NT28(R50), AC-17(1), AU-1(b), AU-10, AU-12(a), AU-12(c), IR-5, 347, 157, 172, 880, 1353, 1462, 1487, 1115, 1454, 067, 158, 831, 1190, 1312, 1263, 130, 120, 1589, Req-10
Install the cron service [rule]
The Cron service should be installed.
Rationale: The cron service allows periodic job execution, needed for almost all administrative tasks and services (software update, log rotation, etc.). Access to the cron service should be restricted to administrative accounts only.
Install the ntp service [rule]
The ntpd service should be installed.
Rationale: Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptography-based services (authentication, etc.), etc.). Ntpd is regularly maintained and updated, supporting security features such as RFC 5906.
identifiers: CCE-
references: AU-8(1), 160, Req-10.4, NT012(R03)
Enable the ntpd service [rule]
The ntpd service should be enabled.
Rationale: Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptography-based services (authentication, etc.), etc.). Ntpd is regularly maintained and updated, supporting security features such as RFC 5906.
identifiers: CCE-
references: AU-8(1), 160, Req-10.4, NT012(R03)
SSH Server [group]
The SSH protocol is recommended for remote access (remote login and secure remote file transfer). SSH provides both confidentiality and integrity for exchanged data but needs to be configured properly in terms of:
contains 5 rules
Configure OpenSSH Server if deployed [group]
If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file
contains 5 rules
Allow Only SSH Protocol 2 [rule]
Only SSH protocol version 2 connections should be permitted. The default setting in
Protocol 2
Rationale: SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.
identifiers: CCE-
references: AC-17(7), IA-5(1)(c), NT007(R1)
Set SSH Idle Timeout Interval [rule]
SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.
ClientAliveInterval interval
The timeout interval is given in seconds. To have a timeout of 15 minutes, set interval to 900. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
Rationale: Causing idle users to be automatically logged out guards against compromises on one system leading trivially to compromises on another.
Set SSH Client Alive Count [rule]
To ensure the SSH idle timeout occurs precisely when the
ClientAliveCountMax 0
Rationale: This ensures a user login will be terminated as soon as the
Disable SSH Root Login [rule]
The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in
PermitRootLogin no
Rationale: Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.
identifiers: CCE-
references: AC-3, AC-6(2), IA-2(1), NT007(R21)
Disable SSH Access via Empty Passwords [rule]
To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
Rationale: Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
identifiers: CCE-
references: AC-3, NT007(R17)