CIS Benchmarks for Debian Linux 10 OS

Why CIS Benchmark?
CIS Benchmarks are security configuration standards for defending IT systems and data against cyberattacks. They offer prescriptive guidance for establishing a secure baseline configuration.
Introduction
This document gives information, with examples, on establishing a secure configuration for a Debian Linux 10 system running on x64 and x86 platforms. All operations should be performed as the root user so that every area of the system is accessible, especially when remediation is performed.
The following areas of the running system's configuration can be changed to reduce its attack surface:
- Filesystem types
- Services
- Clients
- Network protocol
- System Maintenance
1. Filesystem Configuration
Directories can be protected, and mount options applied to them, by placing them on separate partitions. Partitions can be created during installation, or an installed system can be repartitioned.
1.1 Disable unused file systems:
Disabling unneeded filesystems reduces the local attack surface of the system; any filesystem that is not needed should be disabled.
E.g. Ensure mounting of the freevxfs filesystem is disabled:
Description:
freevxfs is a free version of the Veritas (VxFS) filesystem type.
Audit:
Run the following commands and verify the output is as indicated:
$modprobe -n -v freevxfs
o/p- install /bin/true
$lsmod | grep freevxfs
<No output>
Remediation:
Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line:
install freevxfs /bin/true
Run the following command to unload the freevxfs module:
$rmmod freevxfs
The same steps apply to other filesystems such as jffs2 and hfs.
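The audit and remediation steps above, scripted for several filesystem modules at once. This is an added example, not part of the original post or the CIS benchmark; it assumes modprobe(8), lsmod(8) and rmmod(8) for the live parts, and the module list beyond freevxfs, jffs2 and hfs is an assumption.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or the original post): audit and
# remediate "ensure mounting of <fs> is disabled" for several filesystem
# modules. Live parts assume modprobe(8), lsmod(8) and rmmod(8); MODPROBE_D
# may point at a scratch directory so the remediation can be tried as non-root.
MODPROBE_D="${MODPROBE_D:-/etc/modprobe.d}"

# Pure check on captured tool output, usable without root:
#   $1 = output of `modprobe -n -v <mod>`, $2 = output of `lsmod | grep <mod>`
# Returns 0 only when modprobe maps the module to /bin/true and it is not loaded.
fs_module_disabled() {
    case "$1" in
        *"install /bin/true"*) ;;
        *) return 1 ;;
    esac
    [ -z "$2" ]
}

# Remediation: add the install line once, and print the conf file written.
disable_fs_module() {
    conf="$MODPROBE_D/$1.conf"
    grep -qs "^install $1 /bin/true" "$conf" ||
        printf 'install %s /bin/true\n' "$1" >> "$conf"
    echo "$conf"
}

# Unload a module that is currently loaded (needs root; no-op if not loaded).
unload_fs_module() {
    lsmod 2>/dev/null | grep -q "^$1 " && rmmod "$1"
}

# Live audit of one module with the real tools.
audit_fs_module() {
    probe=$(modprobe -n -v "$1" 2>/dev/null)
    loaded=$(lsmod 2>/dev/null | grep "^$1 ")
    if fs_module_disabled "$probe" "$loaded"; then
        echo "PASS: $1 is disabled"
    else
        echo "FAIL: $1 is not disabled (modprobe -n -v: ${probe:-no output})"
        return 1
    fi
}

# Module list from the benchmark's 1.1.1.x items (assumed beyond the page's examples).
if command -v modprobe >/dev/null 2>&1; then
    rc=0
    for m in cramfs freevxfs jffs2 hfs hfsplus udf; do
        audit_fs_module "$m" || rc=1
    done
fi
```

Run `disable_fs_module <mod>` followed by `unload_fs_module <mod>` as root to remediate a module the audit reports as FAIL.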
1.2 Configure software updates:
In this distribution the apt command is used to update and install software.
Description:
Repositories need to be configured to ensure they receive the latest updates.
Audit:
Run the following command and verify the package repositories:
$apt-cache policy
Remediation:
Configure package repositories according to site policy.
1.3 Configure sudo:
sudo allows a permitted user to execute commands as the superuser, as specified by the security policy.
Audit:
Run the following command and verify that sudo is installed:
$dpkg -s sudo

Remediation:
Install sudo using the following command:
$apt install sudo
1.4 File System integrity checking:
AIDE is a file integrity checking tool that detects unauthorised changes to configuration files.
Audit:
Verify that AIDE is installed:
$dpkg -s aide
Remediation:
Install AIDE using the package manager:
$apt install aide aide-common
1.5 Secure boot settings:
Here is an example of how to secure the boot settings.
Audit:
Run the following command; a match means the root account has no usable password set and should be remediated as below:
$grep ^root:[*\!]: /etc/shadow
Remediation:
Set a password for the root user:
$passwd root
2. Services
The best way to protect a system against unreported vulnerabilities is to disable services that are not required, which prevents those vulnerabilities from being exploited.
2.1 Inetd services:
xinetd is a super-server daemon that provides internet services and hands connections to the configured services.
Audit:
Run the following command to verify that xinetd is not installed:
$dpkg -s xinetd

Remediation:
Run the following command to remove xinetd:
$apt purge xinetd
2.2 Special purpose services:
These services are installed on the system; any that are not required should be disabled to secure the system.
Audit:
Ensure Dovecot is not enabled using the following command:
$systemctl is-enabled dovecot
o/p- disabled
Remediation:
To disable Dovecot:
$systemctl --now disable dovecot
2.3 Service clients:
Service clients are removed unless they are required, which prevents local attacks against the services.
Audit:
Verify that NIS is not installed using the following command:
$dpkg -s nis
Remediation:
Uninstall NIS using the following command:
$apt purge nis
3. Network Configuration
Network configuration can be secured through kernel parameters, access control lists and firewall settings.
3.1 Disable unused network protocols and devices:
Disabling them reduces the attack surface of the system.
Audit:
Run the following command and verify that no lines are returned:
$grep "^\s*linux" /boot/grub/grub.cfg | grep -v "ipv6.disable=1"
Remediation:
Add the following to the GRUB_CMDLINE_LINUX line in /etc/default/grub, then regenerate the GRUB configuration:
GRUB_CMDLINE_LINUX="ipv6.disable=1"
$update-grub
3.2 Firewall Configuration:
A firewall provides defence against threats by refusing unauthorised connections.
3.3 Uncommon Network Protocols:
Uncommon network protocols that are not needed can be disabled in the kernel.
4. Access, Authentication and Authorization
Controlling access, authentication and authorization to system components produces a more secure system and helps prevent cyberattacks.
4.1 Configure Cron:
Audit:
Run the following command to verify that the cron daemon is enabled:
$systemctl is-enabled cron
o/p- enabled
Remediation:
Run the following command to enable cron:
$systemctl --now enable cron
4.2 SSH server configuration:
SSH protects against session hijacking and the sniffing of sensitive data off the network. If remote access is not required, the SSH daemon can be removed.
4.3 Configure PAM:
PAM (Pluggable Authentication Modules) provides a modular authentication framework on UNIX-like systems.
PAM must be carefully configured to secure authentication.
5. System Maintenance
System maintenance includes the following settings to secure the system from attacks.
5.1 System file permissions:
These settings secure files and directories.
Audit:
Run the following command and verify that both uid and gid are 0/root and access is 644:
$stat /etc/passwd
o/p- Access: (0644/-rw-r--r--) Uid: (0/root) Gid: (0/root)

Remediation:
Run the following commands to set ownership and permissions on /etc/passwd:
$chown root:root /etc/passwd
$chmod 644 /etc/passwd
5.2 User and group settings:
These settings secure users and groups.
Audit:
Verify that no output is returned by the following command:
$awk -F: '( $2 == "" ) { print $1 " does not have a password " }' /etc/shadow
Remediation:
Lock the account using the command below:
$passwd -l <username>
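The empty-password check above and the root password check from section 1.5, combined into one audit over a shadow-format file. This is an added example, not part of the original post or the CIS benchmark; the sample file contents and the placeholder hashes are constructed.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or the original post): audit the
# password fields of a shadow-format file in one pass. It combines the root
# password check from section 1.5 with the empty-password check from section
# 5.2, and takes the file path as an argument so a constructed sample can be
# used without touching /etc/shadow.

# Print accounts whose password field is empty (the awk check from 5.2).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Return 0 if root has a usable password hash, 1 if the field is empty or the
# account is locked (`*`, `!` or a hash prefixed with `!`), which is exactly
# what the grep in section 1.5 matches.
root_password_set() {
    awk -F: '$1 == "root" { f = $2 }
             END { exit ((f == "" || f ~ /^[*!]/) ? 1 : 0) }' "$1"
}

# Report every finding and return 1 if any was made.
audit_shadow() {
    rc=0
    if ! root_password_set "$1"; then
        echo "FAIL: root has no usable password; run: passwd root"; rc=1
    fi
    for u in $(empty_password_accounts "$1"); do
        echo "FAIL: $u has an empty password field; run: passwd -l $u"; rc=1
    done
    [ "$rc" -eq 0 ] && echo "PASS: no findings in $1"
    return "$rc"
}

# Constructed sample in /etc/shadow layout; hashes are placeholders.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:$6$placeholderhash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
backup:!:18000:0:99999:7:::
deploy::18000:0:99999:7:::
svc:!$6$lockedhash:18000:0:99999:7:::
EOF

# The sample deliberately fails: deploy has an empty password field.
audit_shadow "$SAMPLE"; status=$?
```

On a real system run `audit_shadow /etc/shadow` as root; locked system accounts such as daemon and backup are not findings, only root being locked or any account having an empty field.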
Conclusion
A secured configuration of the system can be achieved through the CIS Benchmarks, leading to a safe and secure system.
Originally published at https://www.neovasolutions.com on April 22, 2020.