It’s been almost two years since Debian 11 was released, and since then the Linux community, as well as Debian package maintainers, have been busy shipping exciting new security features. There are too many to list in a blog post like this, so we’ll cover some of the most interesting new features you may have missed if you don’t read changelogs with a fine-toothed comb.
One of the largest upgrades for security comes from the upgrade of the Linux kernel from 5.10 to 6.1.
- Support for Intel’s Software Guard Extensions (SGX 1/2) allows applications to write data to hardware-protected secure enclaves. This is ideal for storing sensitive data such as encryption or authorization keys. One particularly interesting use of this technology is encrypting VM memory so that other system processes or VMs cannot read its contents. See the Intel SGX page for more information.
- Improvements for use with AMD’s Secure Encryption Virtualization (SEV) system support encrypting virtualized guest registers so they cannot be read by the host (or other guests). See the AMD SEV Page for more information.
- Secure virtualization with new CPU support from AMD and Intel, protecting guest VMs from hypervisor-based attacks. AMD’s Secure Nested Paging (SEV-SNP) provides memory integrity protection, and Intel’s Trust Domain Extensions (TDX) provides both memory integrity and encryption.
- Indirect Branch Tracking on Intel’s latest CPUs. Indirect Branch Tracking (IBT) is a new Control-Flow Enforcement Technology (CET) method that provides hardware-based protection against jump/call-oriented programming (JOP/COP) attacks.
- Straight-line speculation attack mitigation: kernel-level mitigation against the straight-line speculation Spectre variant, originally reported by ARM but present in CPUs from multiple vendors.
- Support for randomizing the stack address offset in each syscall. See the Phoronix article for more information on enabling this feature.
- New Kernel Concurrency Sanitizer (KCSAN) for detecting data races using compile-time memory access instrumentation supported in both GCC and Clang. See the kernel.org documentation for more details.
- New Kernel Control Flow Integrity (KCFI) support. This new CFI implementation is easier to enable and hardens the kernel against attacks that modify kernel control flow. See this excellent LWN.net article for a detailed look at how CFI protects the kernel.
- New Landlock Linux Security Module allows process sandboxing by allowing processes to self-impose additional restrictions on top of those set at the system level. See the Landlock Linux Kernel Documentation for more information.
- Google’s fscrypt project for hardware-accelerated full disk encryption on f2fs and ext4 filesystems was merged.
- The CIFS filesystem module no longer supports the weak LANMAN and NTLM protocols used by SMBv1.
- NTFS support is now built in, eliminating the need for third-party user-space NTFS drivers.
- Improved SELinux performance through context caching.
- A new data structure halves the disk space used by the policy.
- Support for ARIA-GCM as well as 256-bit TLS hardware offload.
- Support for HCTR2, which is a length-preserving (plain text size == encrypted size) encryption method that works well with hardware acceleration in x86 and ARM processors.
- Better random number generation to not only improve cryptography but also increase performance.
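Most of the kernel features above either show up in procfs/sysfs or depend on a CPU flag, so a defender's first question on a freshly upgraded Debian 12 host is simply "which of these are actually active here?". The script below is an added example, not code from the original post: it checks the `kernel.randomize_kstack_offset` sysctl for the stack offset randomization item, the active LSM list for Landlock, `/proc/cpuinfo` for the SGX, SEV and IBT CPU flags, and the kernel's own mitigation status files for speculation attacks. The `ROOT` variable is an assumption added so the same functions can be pointed at a staged copy of the tree for offline testing; on a live host leave it unset.

```shell
#!/bin/sh
# Added example (not from the original post): report which of the Linux 6.1
# hardening features listed above are active on the running host. All paths are
# the standard procfs/sysfs locations (securityfs must be mounted for the LSM
# list, which Debian does by default). ROOT may point at a staged copy of that
# tree for offline testing; it defaults to the live system.
ROOT="${ROOT:-}"

# kstack_offset_enabled: succeeds (0) when kernel.randomize_kstack_offset is on
kstack_offset_enabled() {
    f="$ROOT/proc/sys/kernel/randomize_kstack_offset"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# lsm_enabled NAME: succeeds when NAME (e.g. landlock) is in the active LSM list
lsm_enabled() {
    f="$ROOT/sys/kernel/security/lsm"
    [ -r "$f" ] && tr ',' '\n' < "$f" | grep -qx "$1"
}

# cpu_flag FLAG: succeeds when /proc/cpuinfo advertises FLAG (sgx, sev, ibt, ...)
cpu_flag() {
    f="$ROOT/proc/cpuinfo"
    [ -r "$f" ] && grep '^flags' "$f" | head -n 1 | tr ' ' '\n' | grep -qx "$1"
}

# vuln_status NAME: print the kernel's mitigation status for one CPU vulnerability
# (sysfs names such as spectre_v2 or retbleed); "unknown" when the file is absent
vuln_status() {
    f="$ROOT/sys/devices/system/cpu/vulnerabilities/$1"
    if [ -r "$f" ]; then cat "$f"; else echo "unknown"; fi
}

# report: human-readable summary; its exit status is the number of failed checks
report() {
    failed=0
    for check in "kstack_offset_enabled" "lsm_enabled landlock" \
                 "cpu_flag sgx" "cpu_flag sev" "cpu_flag ibt"; do
        if $check; then
            echo "ok       $check"
        else
            echo "missing  $check"
            failed=$((failed + 1))
        fi
    done
    for v in spectre_v2 retbleed; do
        echo "status   $v: $(vuln_status "$v")"
    done
    return "$failed"
}

# Run the report only when invoked as `sh audit.sh report`, so the file can also be sourced
if [ "${1:-}" = "report" ]; then
    report
fi
```

A missing CPU flag is not necessarily a problem (an Intel host will never report `sev`), so the report is meant to be read against what the hardware can offer; the sysctl and Landlock checks, on the other hand, are pure configuration and should pass on any Debian 12 kernel.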
Perhaps the largest user-facing change in Debian 12 is the upgrade from OpenSSH 8.4 to the OpenSSH 9.1 release. This update introduces several security enhancements, including:
- Stronger default key exchange method and first key preference settings
- Removal of the legacy SCP protocol
- More secure execution of sshd
OpenSSH 9.1 uses Ed25519 signatures by default instead of ECDSA. It also uses the Streamlined NTRU Prime + x25519 key exchange method, making it less vulnerable to future quantum computer attacks. This new key exchange method includes a fallback to the well-tested x25519 default introduced in previous OpenSSH releases. Additionally, the update removes the insecure SCP protocol, which has caused several CVEs over the years. The scp command now uses the newer and more secure SFTP protocol under the hood, maintaining backward compatibility as long as both client and server run OpenSSH 8.7 or later.
OpenSSL 3 has been in development for the last three years and includes large-scale changes to the project structure that should make it easier to maintain and interface with.
One of the most exciting features in OpenSSL 3 is the built-in validated FIPS 140-2 module. The previous FIPS implementation was not built directly into the OpenSSL codebase and only worked with the now EOL OpenSSL 1.0.2.
OpenSSL 3 also uses the Linux kernel’s cryptographic APIs for some of its TLS operations. This results in improved performance and allows the use of hardware accelerator cards. This could be potentially interesting in the future to offload TLS work from web servers or load balancers.
Lastly, it wouldn’t be a new OpenSSL release without a large number of new supported algorithms:
- KDF algorithms SINGLE STEP and SSH
- MAC algorithms GMAC and KMAC
- KEM algorithm RSASVE and Cipher Algorithm AES-SIV
- New schema support for PKCS#7 and PKCS#12
- New PKCS signature verification algorithm support
At first glance, you might think the upgrade from sudo 1.9.5 to 1.9.13 would be mostly bug fixes, but this upgrade packs a big security punch along with nearly 100 bug fixes.
- A new intercept feature allows you to intercept and block specified subcommands that could run through allowed commands like shells. See the sudo intercepting commands blog post for more information.
- If you’re not quite ready to block subcommands but you want to know when they execute, a new log_subcmds configuration option adds subcommand logging. See the sudo 1.9.8 blog post for more information.
- Users can now list the allowed commands for other users with a new list sudo command. To see whether the user tsmith can run cnspec, run `sudo -U tsmith -l cnspec`.
- A new log_passwords option can be disabled to prevent the logging of passwords to sudo logs.
- POSIX regular expressions are now supported in the sudoers file to replace unsafe `*` matches, which could allow users to execute commands not intended by administrators.
- Custom sudo prompts can be used when also using the sudo Kerberos module.
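The sudo features above are easiest to judge side by side in one policy fragment. The script below is an added example, not code from the original post or from the sudo project: it stages a sudoers drop-in that enables `log_subcmds`, turns off `log_passwords`, replaces a `*` argument glob with a POSIX extended regular expression, and grants a shell under the intercept feature, then lints the result for any remaining `*` globs and runs visudo's syntax check where sudo is installed. The user `tsmith`, the service names, the allowed command list and the staging directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or the sudo project): stage a sudoers
# drop-in that uses the sudo 1.9.x features described above, then lint it for the
# unsafe '*' globs that regular expressions replace. "tsmith", the unit names and
# the command list are assumptions.

# write_sudoers_dropin DIR: write the policy fragment to DIR/90-hardened (mode 0440), print its path
write_sudoers_dropin() {
    out="$1/90-hardened"
    cat > "$out" <<'EOF'
# Log every child command that an allowed command (such as a shell) starts (sudo >= 1.9.8)
Defaults log_subcmds
# Keep passwords typed at a prompt out of sudo's logs
Defaults !log_passwords

# Before (unsafe): '*' matches any argument string at all, so every unit, plus any
# extra options, may be restarted, not just the two intended services:
#   tsmith ALL = /usr/bin/systemctl restart *
# After: a POSIX extended regular expression over the arguments (sudo >= 1.9.10).
# It must start with ^ and end with $, so exactly one of the two names matches.
tsmith ALL = /usr/bin/systemctl ^restart (nginx|postgresql)$

# Intercept mode: the shell may start only commands this policy also allows,
# so tsmith cannot step from bash to su, a package manager or an editor.
tsmith ALL = INTERCEPT: /usr/bin/bash, /usr/bin/ls, /usr/bin/cat, /usr/bin/journalctl
EOF
    chmod 0440 "$out"
    echo "$out"
}

# lint_wildcards FILE: fail (1) if any non-comment line still grants a '*' glob
lint_wildcards() {
    if grep -v '^[[:space:]]*#' "$1" | grep -q '\*'; then
        printf 'unsafe wildcard in %s:\n' "$1" >&2
        grep -v '^[[:space:]]*#' "$1" | grep '\*' >&2
        return 1
    fi
}

# validate FILE: run visudo's syntax check when sudo is installed
validate() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not installed; syntax check skipped" >&2
    fi
}

# Invoke as `sh sudoers-stage.sh stage [DIR]`; nothing runs when the file is sourced
if [ "${1:-}" = "stage" ]; then
    dir="${2:-/tmp/sudoers-staging}"
    mkdir -p "$dir"
    f=$(write_sudoers_dropin "$dir")
    lint_wildcards "$f" && validate "$f" &&
        echo "staged $f; install with: install -o root -g root -m 0440 $f /etc/sudoers.d/"
fi
```

The lint is deliberately blunt: in sudoers a `*` in the argument part is almost always a wider grant than intended, so the script treats any non-comment `*` as a finding and leaves the decision to the reviewer. Keep `visudo -c` in the loop after installing, since only sudo itself can confirm that the regular expression and the `INTERCEPT:` tag parse on the installed version.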
systemd, the heart of modern Linux systems, has a large impact on the overall security of hosts. Debian 12 upgrades systemd from 247 to 251, including several changes that make services more secure. Here are some of the key changes:
- Limited filesystem and network access: New systemd unit configuration options allow users to limit the filesystem and network access of services. This is particularly useful in limiting the attack surface if a service is compromised by attackers.
- Encrypted credentials: Credentials used by services at startup can now be encrypted and stored locally or within TPM2 chips using a systemd-creds command. These credentials are decrypted and made available to the service at startup but no longer need to be stored in configuration files that could be read by users.
- Numerous improvements to LUKS2 volume and partition support, including the ability to unlock LUKS2 volumes using TPM2 or FIDO2 hardware and a new utility, systemd-cryptenroll, for enrolling tokens on LUKS volumes.
- Safe user data: For users sharing a system with multiple users, systemd-homed has been improved to keep user data safe between sessions. systemd-homed will now repeatedly attempt to unmount the user’s home directory on logout to prevent sensitive data from being accessible to the next user.
- Communication between systemd and TPM2 devices is now conducted using a bind key for improved security.
- systemd-resolved will now continue to use DNS over TLS even after it has been restarted, and will no longer hard-fail if the nameserver is using an unrecognized protocol.
- systemd-networkd now supports passing values to the kernel netlabel modules via a new `NetLabel=` config option.
- VM bootstrap configuration data can now be passed to systemd without the need for cloud-init by passing data using the DMI type 11 field.
- The /etc/os-release spec now includes an optional SUPPORT_END field to expose distro EOL dates to tools like Mondoo. Thank you, systemd team!
- Resolvectl now includes information on where a host was resolved from and if the communication was encrypted.
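The two systemd changes that matter most for a running service, the filesystem/network sandboxing options and encrypted credentials, both live in unit configuration, so they are best shown as one drop-in. The script below is an added example, not code from the original post or from the systemd project: it stages a drop-in that confines the service's filesystem and network access and loads a secret sealed with `systemd-creds` through `LoadCredentialEncrypted=`, and it includes a small checker that reports which baseline directives a unit is missing. The unit name `myapp.service`, the credential name `db-password`, the `10.0.2.0/24` subnet and the staging paths are assumptions; the directive names and the `systemd-creds` options are real systemd 251 features.

```shell
#!/bin/sh
# Added example (not from the original post or the systemd project): stage a
# drop-in that applies systemd's sandboxing options and loads an encrypted
# credential, as described above. "myapp.service", "db-password", the subnet and
# the paths are assumptions; the directive names are real systemd options.

# write_hardening_dropin DIR: write DIR/myapp.service.d/10-hardening.conf, print its path
write_hardening_dropin() {
    d="$1/myapp.service.d"
    mkdir -p "$d"
    cat > "$d/10-hardening.conf" <<'EOF'
[Service]
# Filesystem: read-only OS tree, no /home, private /tmp, one writable state directory
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/lib/myapp
# Network: only IP and Unix sockets, and only towards the (assumed) database subnet
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
IPAddressDeny=any
IPAddressAllow=10.0.2.0/24
# Kernel attack surface: no privilege gain, no tunables/modules/cgroup writes, no new namespaces
NoNewPrivileges=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
CapabilityBoundingSet=
# Secret sealed with systemd-creds; the service reads $CREDENTIALS_DIRECTORY/db-password
LoadCredentialEncrypted=db-password:/etc/credstore.encrypted/db-password.cred
EOF
    echo "$d/10-hardening.conf"
}

# seal_credential NAME SRC: encrypt SRC with the host key and TPM2 (systemd >= 250);
# run once, as root, on the host that will start the service
seal_credential() {
    mkdir -p /etc/credstore.encrypted
    systemd-creds encrypt --name="$1" --with-key=host+tpm2 "$2" "/etc/credstore.encrypted/$1.cred"
}

# missing_directives FILE: print each baseline directive absent from FILE; fail if any is missing
missing_directives() {
    rc=0
    for key in ProtectSystem ProtectHome NoNewPrivileges SystemCallFilter \
               IPAddressDeny CapabilityBoundingSet LoadCredentialEncrypted; do
        if ! grep -q "^$key=" "$1"; then
            echo "$key"
            rc=1
        fi
    done
    return "$rc"
}

# Invoke as `sh systemd-stage.sh stage [DIR]`; nothing runs when the file is sourced
if [ "${1:-}" = "stage" ]; then
    f=$(write_hardening_dropin "${2:-/tmp/systemd-staging}")
    missing_directives "$f" >/dev/null &&
        echo "staged $f; copy the .d directory to /etc/systemd/system/, then run: systemctl daemon-reload && systemd-analyze security myapp.service"
fi
```

After installing the drop-in, `systemd-analyze security myapp.service` scores the unit against the same class of directives and is the quickest way to see what the sandbox still leaves open. `CapabilityBoundingSet=` (empty) and `SystemCallFilter=@system-service` are the two settings most likely to break a service that needs a privileged port or an unusual syscall, so test them one at a time against the service's own logs.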
Other Service Upgrades
Outside of the core system packages, many common services run on Debian have seen significant upgrades in the 12.0 release. If you’re running web, file, or database servers there are significant security upgrades waiting for you:
- PostgreSQL 13.11 -> 15.3
- MariaDB 10.5 -> 10.11
- Redis 6.0 -> 7.0
- Squid 4.13 -> 5.7
- Bind 9.16 -> 9.18
- postfix 3.5 -> 3.7
- Samba 4.13 -> 4.17
- Nginx 1.18 -> 1.22
- runc 1.0 -> 1.1
- containerd 1.4 -> 1.6
How to further secure your system with hardening settings and Mondoo's security platform
In addition to the security updates that come with Debian 12, there are further steps you can take to secure your system. One such step is applying hardening settings and ensuring that all critical packages are updated. You can use the open source cnspec tool from Mondoo and the Mondoo SaaS platform to scan and report on security best practices, package vulnerabilities, and CIS benchmarks. Mondoo is a hosted security platform that automates manual security processes for DevOps and security practitioners, helping users quickly find known vulnerabilities and misconfigurations.
How to scan your Debian 12 system using Mondoo's cnspec
To scan your Debian 12 system using Mondoo's cnspec tool, you will first need to install the cnspec package. You can do so by running the following command:
`bash -c "$(curl -sSL https://install.mondoo.com/sh)"`
Once cnspec is installed, you can scan your system for misconfigurations. For instance, you can perform a local scan by running the following command:
cnspec can scan a range of things, from cloud accounts to Kubernetes clusters, as well as SaaS services such as MS365 or Google Workspace.
When you run a local scan, cnspec will generate a report highlighting the security status of your system. The report includes the list of controls that passed and failed, with their associated scores.
How to perform advanced security scanning with the Mondoo platform and cnspec
If you authenticate cnspec with the Mondoo Platform, the tool can perform additional checks, such as scanning packages for CVEs and evaluating CIS and BSI compliance policies. Results of the scan will be stored on the Mondoo Platform for analysis.
On the Mondoo platform console, you can view a high-level overview of the scan status of each policy and package vulnerability, as well as EOL data. For instance, you can check if the system is vulnerable to any known security threats, and see which packages need to be updated to ensure the best security practices.
If you're a sysadmin or security engineer, you know how tough it can be to keep up with all the security updates and patches required to protect your company's assets. But with the Mondoo platform, you can automate many of these tasks and stay on top of your security game. Plus, you'll have access to a community of like-minded professionals who can help you troubleshoot and share tips.
Don't waste any more time struggling with manual updates and outdated security protocols. Sign up for a free community account on Mondoo and see how easy security can be!