Definition of CIS Benchmark for Debian 13 for debian13

1.1.1.1: Ensure cramfs kernel module is not available (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• kernel_module_cramfs_disabled: Disable Mounting of cramfs

1.1.1.2: Ensure freevxfs kernel module is not available (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• kernel_module_freevxfs_disabled: Disable Mounting of freevxfs

1.1.1.3: Ensure hfs kernel module is not available (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• kernel_module_hfs_disabled: Disable Mounting of hfs

1.1.1.4: Ensure hfsplus kernel module is not available (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• kernel_module_hfsplus_disabled: Disable Mounting of hfsplus

1.1.1.5: Ensure jffs2 kernel module is not available (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• kernel_module_jffs2_disabled: Disable Mounting of jffs2

1.1.1.6: Ensure overlayfs kernel module is not available (Automated)

Description: None

• l2_server
• l2_workstation

Automated: yes

• kernel_module_overlayfs_disabled: Ensure overlayfs kernel module is not available

1.1.1.7: Ensure squashfs kernel module is not available (Automated)

Description: None

• l2_server
• l2_workstation

Automated: yes

No rules selected

1.1.1.8: Ensure udf kernel module is not available (Automated)

Description: None

• l2_server
• l2_workstation

Automated: yes

• kernel_module_udf_disabled: Disable Mounting of udf

1.1.1.9: Ensure firewire-core kernel module is not available (Automated)

Description: None

• l1_server
• l2_workstation

Automated: yes

• kernel_module_firewire-core_disabled: Disable IEEE 1394 (FireWire) Support

1.1.1.10: Ensure usb-storage kernel module is not available (Automated)

Description: None

• l1_server
• l2_workstation

Automated: yes

• kernel_module_usb-storage_disabled: Disable Modprobe Loading of USB Storage Driver

1.1.1.11: Ensure unused filesystems kernel modules are not available (Manual)

Description: None

• l1_server
• l1_workstation

Automated: no

No rules selected

1.1.2.1.1: Ensure /tmp is a separate partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• partition_for_tmp: Ensure /tmp Located On Separate Partition

1.1.2.1.2: Ensure nodev option set on /tmp partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• mount_option_tmp_nodev: Add nodev Option to /tmp

1.1.2.1.3: Ensure nosuid option set on /tmp partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• mount_option_tmp_nosuid: Add nosuid Option to /tmp

1.1.2.1.4: Ensure noexec option set on /tmp partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• mount_option_tmp_noexec: Add noexec Option to /tmp

1.1.2.2.1: Ensure /dev/shm is tmpfs or a separate partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• partition_for_dev_shm: Ensure /dev/shm is configured

1.1.2.2.2: Ensure nodev option set on /dev/shm partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• mount_option_dev_shm_nodev: Add nodev Option to /dev/shm

1.1.2.2.3: Ensure nosuid option set on /dev/shm partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• mount_option_dev_shm_nosuid: Add nosuid Option to /dev/shm

1.1.2.2.4: Ensure noexec option set on /dev/shm partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• mount_option_dev_shm_noexec: Add noexec Option to /dev/shm

1.1.2.3.1: Ensure separate partition exists for /home (Automated)

Description: None

• l2_server
• l2_workstation

Automated: yes

• partition_for_home: Ensure /home Located On Separate Partition

1.1.2.3.2: Ensure nodev option set on /home partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• mount_option_home_nodev: Add nodev Option to /home

1.1.2.3.3: Ensure nosuid option set on /home partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• mount_option_home_nosuid: Add nosuid Option to /home

1.1.2.4.1: Ensure separate partition exists for /var (Automated)

Description: None

• l2_server
• l2_workstation

Automated: yes

• partition_for_var: Ensure /var Located On Separate Partition

1.1.2.4.2: Ensure nodev option set on /var partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• mount_option_var_nodev: Add nodev Option to /var

1.1.2.4.3: Ensure nosuid option set on /var partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• mount_option_var_nosuid: Add nosuid Option to /var

1.1.2.5.1: Ensure separate partition exists for /var/tmp (Automated)

Description: None

• l2_server
• l2_workstation

Automated: yes

• partition_for_var_tmp: Ensure /var/tmp Located On Separate Partition

1.1.2.5.2: Ensure nodev option set on /var/tmp partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• mount_option_var_tmp_nodev: Add nodev Option to /var/tmp

1.1.2.5.3: Ensure nosuid option set on /var/tmp partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• mount_option_var_tmp_nosuid: Add nosuid Option to /var/tmp

1.1.2.5.4: Ensure noexec option set on /var/tmp partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• mount_option_var_tmp_noexec: Add noexec Option to /var/tmp

1.1.2.6.1: Ensure separate partition exists for /var/log (Automated)

Description: None

• l2_server
• l2_workstation

Automated: yes

• partition_for_var_log: Ensure /var/log Located On Separate Partition

1.1.2.6.2: Ensure nodev option set on /var/log partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• mount_option_var_log_nodev: Add nodev Option to /var/log

1.1.2.6.3: Ensure nosuid option set on /var/log partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• mount_option_var_log_nosuid: Add nosuid Option to /var/log

1.1.2.6.4: Ensure noexec option set on /var/log partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• mount_option_var_log_noexec: Add noexec Option to /var/log

1.1.2.7.1: Ensure separate partition exists for /var/log/audit (Automated)

Description: None

• l2_server
• l2_workstation

Automated: yes

• partition_for_var_log_audit: Ensure /var/log/audit Located On Separate Partition

1.1.2.7.2: Ensure nodev option set on /var/log/audit partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• mount_option_var_log_audit_nodev: Add nodev Option to /var/log/audit

1.1.2.7.3: Ensure nosuid option set on /var/log/audit partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• mount_option_var_log_audit_nosuid: Add nosuid Option to /var/log/audit

1.1.2.7.4: Ensure noexec option set on /var/log/audit partition (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• mount_option_var_log_audit_noexec: Add noexec Option to /var/log/audit

1.2.1.1: Ensure the source.list and .source files use the Signed-By option (Manual)

Description: None

• l1_server
• l1_workstation

Automated: no

No rules selected

1.2.1.2: Ensure weak dependencies are configured (Automated)

Description: None

• l2_server
• l2_workstation

Automated: no

No rules selected

1.2.1.3: Ensure access to gpg key files are configured (Automated)

Description: None

• l1_server
• l2_server

Automated: no

No rules selected

1.2.1.4: Ensure access to /etc/apt/trusted.gpg.d directory is configured

Description: None

• l1_server
• l2_server

Automated: no

No rules selected

1.2.1.5: Ensure access to /etc/apt/auth.conf.d directory is configured (Automated)

Description: None

• l1_server
• l2_server

Automated: no

No rules selected

1.2.1.6: Ensure access to files in the /etc/apt/auth.conf.d/ directory is configured (Automated)

Description: None

• l1_server
• l1_workstation

Automated: no

No rules selected

1.2.1.7: Ensure access to /usr/share/keyrings directory is configured (Automated)

Description: None

• l1_server
• l2_server

Automated: no

No rules selected

1.2.1.8: Ensure access to /etc/apt/sources.list.d directory is configured (Automated)

Description: None

• l1_server
• l2_server

Automated: no

No rules selected

1.2.1.9: Ensure access to files in /etc/apt/sources.list.d are configured (Automated)

Description: None

• l1_server
• l2_server

Automated: no

No rules selected

1.2.2.1: Ensure updates, patches, and additional security software are installed (Manual)

Description: None

• l1_server
• l1_workstation

Automated: no

No rules selected

1.3.1.1: Ensure AppArmor is installed (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• package_apparmor-utils_installed: Ensure AppArmor Utils is installed
• package_apparmor_installed: Ensure AppArmor is installed

1.3.1.2: Ensure AppArmor is enabled in the bootloader configuration (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• grub2_enable_apparmor: Ensure AppArmor is enabled in the bootloader configuration

1.3.1.3: Ensure all AppArmor Profiles are enforcing (Automated)

Description: None

• l2_server
• l2_workstation

Automated: yes

• all_apparmor_profiles_enforced: Enforce all AppArmor Profiles

1.3.1.4: Ensure apparmor_restrict_unprivileged_unconfined is enabled (Automated)

Description: None

• l1_server
• l1_workstation

Automated: no

No rules selected

1.4.1: Ensure bootloader password is set (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• grub2_password: Set Boot Loader Password in grub2
• grub2_uefi_password: Set the UEFI Boot Loader Password

1.4.2: Ensure access to bootloader config is configured (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• file_owner_grub2_cfg: Verify /boot/grub/grub.cfg User Ownership
• file_permissions_grub2_cfg: Verify /boot/grub/grub.cfg Permissions

1.5.1: Ensure fs.protected_hardlinks is configured (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• sysctl_fs_protected_hardlinks: Enable Kernel Parameter to Enforce DAC on Hardlinks

1.5.2: Ensure fs.protected_symlinks is configured (Automated)

Description: None

• l2_server
• l2_workstation

Automated: yes

• sysctl_fs_protected_symlinks: Enable Kernel Parameter to Enforce DAC on Symlinks

1.5.3: Ensure kernel.yama.ptrace_scope is configured (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• sysctl_kernel_yama_ptrace_scope: Restrict usage of ptrace to descendant processes

1.5.4: Ensure fs.suid_dumpable is configured (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• sysctl_fs_suid_dumpable: Disable Core Dumps for SUID programs

1.5.5: Ensure kernel.dmesg_restrict is configured (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• sysctl_kernel_dmesg_restrict: Restrict Access to Kernel Message Buffer

1.5.6: Ensure prelink is not installed (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• disable_prelink: Disable Prelinking

1.5.7: Ensure Automatic Error Reporting is configured (Automated)

Description: None

• l1_server
• l1_workstation

Automated: no

No rules selected

1.5.8: Ensure kernel.kptr_restrict is configured (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• sysctl_kernel_kptr_restrict: Restrict Exposed Kernel Pointer Addresses Access

1.5.9: Ensure kernel.randomize_va_space is configured (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• sysctl_kernel_randomize_va_space: Enable Randomized Layout of Virtual Address Space

1.5.10: Ensure kernel.yama.ptrace_scope is configured (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• sysctl_kernel_yama_ptrace_scope: Restrict usage of ptrace to descendant processes

1.5.11: Ensure core file size is configured (Automated)

Description: None

• l1_server
• l1_workstation

Automated: no

• disable_users_coredumps: Disable Core Dumps for All Users

1.5.12: Ensure systemd-coredump ProcessSizeMax is configured (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• coredump_disable_backtraces: Disable core dump backtraces

1.5.13: Ensure systemd-coredump Storage is configured (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• coredump_disable_storage: Disable storing core dump

1.6.1: Ensure /etc/motd is configured (Automated)

Description: None

• l1_server
• l1_workstation

Automated: yes

• banner_etc_motd_cis: Ensure Message Of The Day Is Configured Properly
• cis_banner_text = cis