Edit

Release notes - Debian Linux

This article provides detailed information about the CIS Security Benchmarks for Debian Linux, including supported benchmarks, mismatched rules, and configurable parameters across all supported versions.

Supported benchmarks

Debian Linux Version Benchmark Title
Debian Linux 11 CIS Debian Linux 11 Benchmark 2.0.0 Level 1 + Level 2 - Server
Debian Linux 12 CIS Debian Linux 12 Benchmark 1.1.0 Level 1 + Level 2 - Server

CIS Debian Linux 11 Benchmark 2.0.0 Level 1 + Level 2 - Server

Mismatched rules

Note

The mismatched rules are the ones that in some circumstances the assessment might differ from CIS-CAT® Pro Assessor; usually our implementation enforces stricter criteria.

  • None

Configurable parameters

Rule Parameter Default Value
Ensure /tmp is a separate partition mountPoint /tmp
Ensure nodev option set on /tmp partition mountPoint /tmp
requiredMountOptions nodev
Ensure nosuid option set on /tmp partition mountPoint /tmp
requiredMountOptions nosuid
Ensure noexec option set on /tmp partition mountPoint /tmp
requiredMountOptions noexec
Ensure /dev/shm is a separate partition mountPoint /dev/shm
Ensure nodev option set on /dev/shm partition mountPoint /dev/shm
requiredMountOptions nodev
Ensure nosuid option set on /dev/shm partition mountPoint /dev/shm
requiredMountOptions nosuid
Ensure noexec option set on /dev/shm partition mountPoint /dev/shm
requiredMountOptions noexec
Ensure separate partition exists for /home mountPoint /home
Ensure nodev option set on /home partition mountPoint /home
requiredMountOptions nodev
Ensure nosuid option set on /home partition mountPoint /home
requiredMountOptions nosuid
Ensure separate partition exists for /var mountPoint /var
Ensure nodev option set on /var partition mountPoint /var
requiredMountOptions nodev
Ensure nosuid option set on /var partition mountPoint /var
requiredMountOptions nosuid
Ensure separate partition exists for /var/tmp mountPoint /var/tmp
Ensure nodev option set on /var/tmp partition mountPoint /var/tmp
requiredMountOptions nodev
Ensure nosuid option set on /var/tmp partition mountPoint /var/tmp
requiredMountOptions nosuid
Ensure noexec option set on /var/tmp partition mountPoint /var/tmp
requiredMountOptions noexec
Ensure separate partition exists for /var/log mountPoint /var/log
Ensure nodev option set on /var/log partition mountPoint /var/log
requiredMountOptions nodev
Ensure nosuid option set on /var/log partition mountPoint /var/log
requiredMountOptions nosuid
Ensure noexec option set on /var/log partition mountPoint /var/log
requiredMountOptions noexec
Ensure separate partition exists for /var/log/audit mountPoint /var/log/audit
Ensure nodev option set on /var/log/audit partition mountPoint /var/log/audit
requiredMountOptions nodev
Ensure nosuid option set on /var/log/audit partition mountPoint /var/log/audit
requiredMountOptions nosuid
Ensure noexec option set on /var/log/audit partition mountPoint /var/log/audit
requiredMountOptions noexec
Ensure access to bootloader config is configured filename /boot/grub/grub.cfg
mask 0177
owner root
group root
Ensure access to /etc/issue is configured filename /etc/issue
mask 0133
owner root
group root
Ensure autofs services are not in use unitName autofs.service
expectedUnitFileState enabled
expectedActiveState active
packageName autofs
Ensure avahi daemon services are not in use unitNameAvahiDaemonService avahi-daemon.service
expectedUnitFileState enabled
expectedActiveState active
unitNameAvahiDaemonSocket avahi-daemon.socket
packageName avahi-daemon
Ensure dhcp server services are not in use unitNameIscDhcpServerService isc-dhcp-server.service
expectedUnitFileState enabled
expectedActiveState active
unitNameIscDhcpServer6Service isc-dhcp-server6.service
packageName isc-dhcp-server
Ensure dns server services are not in use serviceName named.service
expectedUnitFileState enabled
expectedActiveState active
packageName bind9
Ensure dnsmasq services are not in use unitName dnsmasq.service
expectedUnitFileState enabled
expectedActiveState active
packageName dnsmasq
Ensure ftp server services are not in use serviceName vsftpd.service
expectedUnitFileState enabled
expectedActiveState active
packageName vsftpd
Ensure ldap server services are not in use unitName slapd.service
expectedUnitFileState enabled
expectedActiveState active
packageName slapd
Ensure message access server services are not in use packageNameDovecotImapd dovecot-imapd
packageNameDovecotPop3d dovecot-pop3d
unitNameDovecotService dovecot.service
expectedUnitFileState enabled
expectedActiveState active
unitNameDovecotSocket dovecot.socket
Ensure network file system services are not in use unitName nfs-server.service
expectedUnitFileState enabled
expectedActiveState active
packageName nfs-kernel-server
Ensure nis server services are not in use unitName ypserv.service
expectedUnitFileState enabled
expectedActiveState active
packageName ypserv
Ensure print server services are not in use unitNameCupsService cups.service
expectedUnitFileState enabled
expectedActiveState active
unitNameCupsSocket cups.socket
packageName cups
Ensure rpcbind services are not in use unitNameRpcbindService rpcbind.service
expectedUnitFileState enabled
expectedActiveState active
unitNameRpcbindSocket rpcbind.socket
packageName rpcbind
Ensure rsync services are not in use unitName rsync.service
expectedUnitFileState enabled
expectedActiveState active
packageName rsync
Ensure samba file server services are not in use unitName smbd.service
expectedUnitFileState enabled
expectedActiveState active
packageName samba
Ensure snmp services are not in use unitName snmpd.service
expectedUnitFileState enabled
expectedActiveState active
packageName snmpd
Ensure tftp server services are not in use unitName tftpd-hpa.service
expectedUnitFileState enabled
expectedActiveState active
packageName tftpd-hpa
Ensure web proxy server services are not in use unitName squid.service
expectedUnitFileState enabled
expectedActiveState active
packageName squid
Ensure web server services are not in use unitNameApache2Service apache2.service
expectedUnitFileState enabled
expectedActiveState active
unitNameApache2Socket apache2.socket
packageNameApache2 apache2
unitNameNginxService nginx.service
packageNameNginx nginx
Ensure xinetd services are not in use unitName xinetd.service
expectedUnitFileState enabled
expectedActiveState active
packageName xinetd
Ensure telnet client is not installed packageName telnet
Ensure permissions on /etc/crontab are configured mask 0177
owner root
group root
Ensure permissions on /etc/cron.hourly are configured mask 0077
owner root
group root
Ensure permissions on /etc/cron.daily are configured mask 0077
owner root
group root
packageName cron
alternativePackageName cronie
Ensure permissions on /etc/cron.weekly are configured mask 0077
owner root
group root
Ensure permissions on /etc/cron.monthly are configured mask 0077
owner root
group root
alternativePackageName cronie
Ensure permissions on /etc/cron.d are configured mask 0077
owner root
group root
Ensure crontab is restricted to authorized users filenameEtcCronDeny /etc/cron.deny
mask 0137
owner root
group root
filenameEtcCronAllow /etc/cron.allow
Ensure at is restricted to authorized users mask 0137
owner root
group root|daemon
Ensure bluetooth services are not in use unitName bluetooth.service
expectedUnitFileState enabled
expectedActiveState active
packageName bluez
Ensure permissions on /etc/ssh/sshd_config are configured mask 0177
owner root
group root
Ensure sshd access is configured allowUsersValuePattern [^ \t]+
allowGroupsValuePattern [^ \t]+
denyUsersValuePattern [^ \t]+
denyGroupsValuePattern [^ \t]+
Ensure sshd Banner is configured bannerValue /[^ \t]+
Ensure sshd Ciphers are configured ciphersDisallowedValues 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,arcfour,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,rijndael-cbc@lysator.liu.se
Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured clientalivecountmaxValue [1-9][0-9]*m?
clientaliveintervalValue [1-9][0-9]*m?
Ensure sshd KexAlgorithms is configured kexalgorithmsDisallowedValues diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
Ensure sshd LoginGraceTime is configured logingracetimeValue \b([1-9]|[1-5][0-9]|60)\b
Ensure sshd LogLevel is configured loglevelValue (VERBOSE|INFO)\b
Ensure sshd MACs are configured macsDisallowedValues hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
Ensure sshd MaxAuthTries is configured maxauthtriesValue [0-4]\b
Ensure sshd MaxSessions is configured maxsessionsValue ([1-9]|10)\b
Ensure sshd MaxStartups is configured maxstartupsValue (10\|[1-9])[^ \t](30\|[1-2][0-9]\|[1-9])[^ \t](60\|[1-5][0-9]\|[1-9])\b
Ensure password expiration is configured maxDays 365
minDays 1
Ensure minimum password age is configured minDays 1
Ensure password expiration warning days is configured warnDays 7
Ensure strong password hashing algorithm is configured hashAlgorithm YESCRYPT
fallbackHashAlgorithm SHA512
Ensure journald ForwardToSyslog is disabled forwardToSyslogRegex yes
Ensure journald Storage is configured storageRegex persistent
Ensure journald Compress is configured compressRegex yes
Ensure audit configuration files mode is configured directory /etc/audit/
filePatternConf *.conf
mask 0137
filePatternRules *.rules
Ensure audit configuration files owner is configured directory /etc/audit/
filePatternConf *.conf
owner root
filePatternRules *.rules
Ensure audit configuration files group owner is configured directory /etc/audit/
filePatternConf *.conf
group root
filePatternRules *.rules
Ensure audit tools mode is configured filenameSbinAuditctl /sbin/auditctl
mask 0022
filenameSbinAureport /sbin/aureport
filenameSbinAusearch /sbin/ausearch
filenameSbinAutrace /sbin/autrace
filenameSbinAuditd /sbin/auditd
filenameSbinAugenrules /sbin/augenrules
Ensure audit tools owner is configured filenameSbinAuditctl /sbin/auditctl
owner root
filenameSbinAureport /sbin/aureport
filenameSbinAusearch /sbin/ausearch
filenameSbinAutrace /sbin/autrace
filenameSbinAuditd /sbin/auditd
filenameSbinAugenrules /sbin/augenrules
Ensure audit tools group owner is configured filenameSbinAuditctl /sbin/auditctl
group root
filenameSbinAureport /sbin/aureport
filenameSbinAusearch /sbin/ausearch
filenameSbinAutrace /sbin/autrace
filenameSbinAuditd /sbin/auditd
filenameSbinAugenrules /sbin/augenrules
Ensure permissions on /etc/passwd are configured mask 0133
owner root
group root
Ensure permissions on /etc/passwd- are configured mask 0133
owner root
group root
Ensure permissions on /etc/group are configured mask 0133
owner root
group root
Ensure permissions on /etc/group- are configured mask 0133
owner root
group root
Ensure permissions on /etc/shadow are configured mask 0137
owner root
group root|shadow
Ensure permissions on /etc/shadow- are configured mask 0137
owner root
group root|shadow
Ensure permissions on /etc/gshadow are configured mask 0137
owner root
group shadow|root
Ensure permissions on /etc/gshadow- are configured mask 0137
owner root
group shadow|root
Ensure permissions on /etc/shells are configured mask 0133
owner root
group root
Ensure permissions on /etc/security/opasswd are configured mask 0177
owner root
group root

CIS Debian Linux 12 Benchmark 1.1.0 Level 1 + Level 2 - Server

Mismatched rules

Note

The mismatched rules are the ones that in some circumstances the assessment might differ from CIS-CAT® Pro Assessor; usually our implementation enforces stricter criteria.

  • Ensure only one logging system is in use
  • Ensure cryptographic mechanisms are used to protect the integrity of audit tools
  • Ensure world writable files and directories are secured

Configurable parameters

Rule Parameter Default Value
Ensure /tmp is a separate partition mountPoint /tmp
Ensure nodev option set on /tmp partition mountPoint /tmp
requiredMountOptions nodev
Ensure nosuid option set on /tmp partition mountPoint /tmp
requiredMountOptions nosuid
Ensure noexec option set on /tmp partition mountPoint /tmp
requiredMountOptions noexec
Ensure /dev/shm is a separate partition mountPoint /dev/shm
Ensure nodev option set on /dev/shm partition mountPoint /dev/shm
requiredMountOptions nodev
Ensure nosuid option set on /dev/shm partition mountPoint /dev/shm
requiredMountOptions nosuid
Ensure noexec option set on /dev/shm partition mountPoint /dev/shm
requiredMountOptions noexec
Ensure separate partition exists for /home mountPoint /home
Ensure nodev option set on /home partition mountPoint /home
requiredMountOptions nodev
Ensure nosuid option set on /home partition mountPoint /home
requiredMountOptions nosuid
Ensure separate partition exists for /var mountPoint /var
Ensure nodev option set on /var partition mountPoint /var
requiredMountOptions nodev
Ensure nosuid option set on /var partition mountPoint /var
requiredMountOptions nosuid
Ensure separate partition exists for /var/tmp mountPoint /var/tmp
Ensure nodev option set on /var/tmp partition mountPoint /var/tmp
requiredMountOptions nodev
Ensure nosuid option set on /var/tmp partition mountPoint /var/tmp
requiredMountOptions nosuid
Ensure noexec option set on /var/tmp partition mountPoint /var/tmp
requiredMountOptions noexec
Ensure separate partition exists for /var/log mountPoint /var/log
Ensure nodev option set on /var/log partition mountPoint /var/log
requiredMountOptions nodev
Ensure nosuid option set on /var/log partition mountPoint /var/log
requiredMountOptions nosuid
Ensure noexec option set on /var/log partition mountPoint /var/log
requiredMountOptions noexec
Ensure separate partition exists for /var/log/audit mountPoint /var/log/audit
Ensure nodev option set on /var/log/audit partition mountPoint /var/log/audit
requiredMountOptions nodev
Ensure nosuid option set on /var/log/audit partition mountPoint /var/log/audit
requiredMountOptions nosuid
Ensure noexec option set on /var/log/audit partition mountPoint /var/log/audit
requiredMountOptions noexec
Ensure access to bootloader config is configured filename /boot/grub/grub.cfg
mask 0177
owner root
group root
Ensure access to /etc/issue is configured filename /etc/issue
mask 0133
owner root
group root
Ensure autofs services are not in use unitName autofs.service
expectedUnitFileState enabled
expectedActiveState active
packageName autofs
Ensure avahi daemon services are not in use unitNameAvahiDaemonService avahi-daemon.service
expectedUnitFileState enabled
expectedActiveState active
unitNameAvahiDaemonSocket avahi-daemon.socket
packageName avahi-daemon
Ensure dhcp server services are not in use unitNameIscDhcpServerService isc-dhcp-server.service
expectedUnitFileState enabled
expectedActiveState active
unitNameIscDhcpServer6Service isc-dhcp-server6.service
packageName isc-dhcp-server
Ensure dns server services are not in use serviceName named.service
expectedUnitFileState enabled
expectedActiveState active
packageName bind9
Ensure dnsmasq services are not in use unitName dnsmasq.service
expectedUnitFileState enabled
expectedActiveState active
packageName dnsmasq
Ensure ftp server services are not in use serviceName vsftpd.service
expectedUnitFileState enabled
expectedActiveState active
packageName vsftpd
Ensure ldap server services are not in use unitName slapd.service
expectedUnitFileState enabled
expectedActiveState active
packageName slapd
Ensure message access server services are not in use packageNameDovecotImapd dovecot-imapd
packageNameDovecotPop3d dovecot-pop3d
unitNameDovecotService dovecot.service
expectedUnitFileState enabled
expectedActiveState active
unitNameDovecotSocket dovecot.socket
Ensure network file system services are not in use unitName nfs-server.service
expectedUnitFileState enabled
expectedActiveState active
packageName nfs-kernel-server
Ensure nis server services are not in use unitName ypserv.service
expectedUnitFileState enabled
expectedActiveState active
packageName ypserv
Ensure print server services are not in use unitNameCupsService cups.service
expectedUnitFileState enabled
expectedActiveState active
unitNameCupsSocket cups.socket
packageName cups
Ensure rpcbind services are not in use unitNameRpcbindService rpcbind.service
expectedUnitFileState enabled
expectedActiveState active
unitNameRpcbindSocket rpcbind.socket
packageName rpcbind
Ensure rsync services are not in use unitName rsync.service
expectedUnitFileState enabled
expectedActiveState active
packageName rsync
Ensure samba file server services are not in use unitName smbd.service
expectedUnitFileState enabled
expectedActiveState active
packageName samba
Ensure snmp services are not in use unitName snmpd.service
expectedUnitFileState enabled
expectedActiveState active
packageName snmpd
Ensure tftp server services are not in use unitName tftpd-hpa.service
expectedUnitFileState enabled
expectedActiveState active
packageName tftpd-hpa
Ensure web proxy server services are not in use unitName squid.service
expectedUnitFileState enabled
expectedActiveState active
packageName squid
Ensure web server services are not in use unitNameApache2Service apache2.service
expectedUnitFileState enabled
expectedActiveState active
unitNameApache2Socket apache2.socket
packageNameApache2 apache2
unitNameNginxService nginx.service
packageNameNginx nginx
Ensure xinetd services are not in use unitName xinetd.service
expectedUnitFileState enabled
expectedActiveState active
packageName xinetd
Ensure telnet client is not installed packageName telnet
Ensure permissions on /etc/crontab are configured mask 0177
owner root
group root
Ensure permissions on /etc/cron.hourly are configured mask 0077
owner root
group root
Ensure permissions on /etc/cron.daily are configured mask 0077
owner root
group root
packageName cron
alternativePackageName cronie
Ensure permissions on /etc/cron.weekly are configured mask 0077
owner root
group root
Ensure permissions on /etc/cron.monthly are configured mask 0077
owner root
group root
alternativePackageName cronie
Ensure permissions on /etc/cron.d are configured mask 0077
owner root
group root
Ensure crontab is restricted to authorized users filenameEtcCronAllow /etc/cron.allow
owner root
group root|crontab
filenameEtcCronDeny /etc/cron.deny
Ensure at is restricted to authorized users mask 0137
owner root
group root|daemon
Ensure bluetooth services are not in use unitName bluetooth.service
expectedUnitFileState enabled
expectedActiveState active
packageName bluez
Ensure permissions on /etc/ssh/sshd_config are configured mask 0177
owner root
group root
Ensure sshd access is configured allowUsersValuePattern [^ \t]+
allowGroupsValuePattern [^ \t]+
denyUsersValuePattern [^ \t]+
denyGroupsValuePattern [^ \t]+
Ensure sshd Banner is configured bannerExpectedValueT /[^ \t]+
bannerDisallowedValuesNone none
Ensure sshd Ciphers are configured ciphersDisallowedValues 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,arcfour,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,rijndael-cbc@lysator.liu.se
Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured clientalivecountmaxThreshold 0
clientaliveintervalThreshold 0
Ensure sshd KexAlgorithms is configured kexalgorithmsDisallowedValues diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
Ensure sshd LoginGraceTime is configured logingracetimeThresholdValue60 60
logingracetimeThresholdValue0 0
Ensure sshd LogLevel is configured loglevelExpectedValue verbose,info
Ensure sshd MACs are configured macsDisallowedValues hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
Ensure sshd MaxAuthTries is configured maxauthtriesThreshold 4
Ensure sshd MaxSessions is configured maxsessionsThreshold 10
Ensure sshd MaxStartups is configured maxstartupsExpectedValue 10:30:60
Ensure password expiration is configured maxDays 365
minDays 1
Ensure minimum password days is configured minDays 1
Ensure password expiration warning days is configured warnDays 7
Ensure strong password hashing algorithm is configured hashAlgorithm YESCRYPT
fallbackHashAlgorithm SHA512
Ensure journald ForwardToSyslog is disabled forwardToSyslogRegex no
Ensure journald Compress is configured compressRegex yes
Ensure journald Storage is configured storageRegex persistent
Ensure journald is configured to send logs to rsyslog forwardToSyslogRegex yes
Ensure audit configuration files mode is configured directory /etc/audit/
filePatternConf *.conf
mask 0137
filePatternRules *.rules
Ensure audit configuration files owner is configured directory /etc/audit/
filePatternConf *.conf
owner root
filePatternRules *.rules
Ensure audit configuration files group owner is configured directory /etc/audit/
filePatternConf *.conf
group root
filePatternRules *.rules
Ensure audit tools mode is configured filenameSbinAuditctl /sbin/auditctl
mask 0022
filenameSbinAureport /sbin/aureport
filenameSbinAusearch /sbin/ausearch
filenameSbinAutrace /sbin/autrace
filenameSbinAuditd /sbin/auditd
filenameSbinAugenrules /sbin/augenrules
Ensure audit tools owner is configured filenameSbinAuditctl /sbin/auditctl
owner root
filenameSbinAureport /sbin/aureport
filenameSbinAusearch /sbin/ausearch
filenameSbinAutrace /sbin/autrace
filenameSbinAuditd /sbin/auditd
filenameSbinAugenrules /sbin/augenrules
Ensure audit tools group owner is configured filenameSbinAuditctl /sbin/auditctl
group root
filenameSbinAureport /sbin/aureport
filenameSbinAusearch /sbin/ausearch
filenameSbinAutrace /sbin/autrace
filenameSbinAuditd /sbin/auditd
filenameSbinAugenrules /sbin/augenrules
Ensure permissions on /etc/passwd are configured mask 0133
owner root
group root
Ensure permissions on /etc/passwd- are configured mask 0133
owner root
group root
Ensure permissions on /etc/group are configured mask 0133
owner root
group root
Ensure permissions on /etc/group- are configured mask 0133
owner root
group root
Ensure permissions on /etc/shadow are configured mask 0137
owner root
group root|shadow
Ensure permissions on /etc/shadow- are configured mask 0137
owner root
group root|shadow
Ensure permissions on /etc/gshadow are configured mask 0137
owner root
group shadow|root
Ensure permissions on /etc/gshadow- are configured mask 0137
owner root
group shadow|root
Ensure permissions on /etc/shells are configured mask 0133
owner root
group root
Ensure permissions on /etc/security/opasswd are configured mask 0177
owner root
group root