CIS Debian Linux 11 Server L1 v1.0.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS Debian Linux 11 Server L1 v1.0.0

Updated: 6/17/2024

Authority: CIS

Plugin: Unix

Revision: 1.40

Estimated Item Count: 317

File Details

Filename: CIS_Debian_Linux_11_v1.0.0_L1_Server.audit

Size: 943 kB

MD5: ca6c971f1c4f6376bab53f3f210a146b
SHA256: 951fbca01e0646d1e6db1fe0aa4d9c59366ba75b79c77c08422ab5c6050ff327

Audit Changelog

Ā 
Revision 1.40

Jun 17, 2024

Miscellaneous
  • Metadata updated.
Revision 1.39

May 15, 2024

Miscellaneous
  • Audit deprecated.
  • Metadata updated.
  • References updated.
Revision 1.38

Apr 22, 2024

Functional Update
  • 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
Revision 1.37

Apr 1, 2024

Miscellaneous
  • Variables updated.
Revision 1.36

Mar 18, 2024

Functional Update
  • 3.1.1 Ensure system is checked to determine if IPv6 is enabled
  • 5.2.2 Ensure permissions on SSH private host key files are configured
Added
  • 4.2.3 Ensure all logfiles have appropriate permissions and ownership
Removed
  • 4.2.3 Ensure all logfiles have appropriate access configured
Revision 1.35

Feb 8, 2024

Functional Update
  • 2.4 Ensure nonessential services are removed or masked
  • 3.1.1 Ensure system is checked to determine if IPv6 is enabled
  • 3.5.2.10 Ensure nftables rules are permanent - hook forward
  • 3.5.2.10 Ensure nftables rules are permanent - hook input
  • 3.5.2.10 Ensure nftables rules are permanent - hook output
  • 3.5.2.3 Ensure iptables are flushed with nftables
  • 3.5.2.7 Ensure nftables outbound and established connections are configured
  • 3.5.3.2.2 Ensure iptables loopback traffic is configured
  • 3.5.3.2.3 Ensure iptables outbound and established connections are configured
  • 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
  • 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
  • 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
  • 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports
  • 4.2.1.6 Ensure journald log rotation is configured per site policy
Revision 1.34

Feb 1, 2024

Functional Update
  • 1.1.10 Disable USB Storage - blacklist
  • 1.1.10 Disable USB Storage - lsmod
  • 1.1.3.2 Ensure nodev option set on /var partition
  • 1.1.3.3 Ensure nosuid option set on /var partition
  • 1.1.4.2 Ensure noexec option set on /var/tmp partition
  • 1.1.4.3 Ensure nosuid option set on /var/tmp partition
  • 1.1.4.4 Ensure nodev option set on /var/tmp partition
  • 1.1.5.2 Ensure nodev option set on /var/log partition
  • 1.1.5.3 Ensure noexec option set on /var/log partition
  • 1.1.5.4 Ensure nosuid option set on /var/log partition
  • 1.1.6.2 Ensure noexec option set on /var/log/audit partition
  • 1.1.6.3 Ensure nodev option set on /var/log/audit partition
  • 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
  • 1.1.7.2 Ensure nodev option set on /home partition
  • 1.1.7.3 Ensure nosuid option set on /home partition
  • 1.1.8.1 Ensure nodev option set on /dev/shm partition
  • 1.1.8.2 Ensure noexec option set on /dev/shm partition
  • 1.1.8.3 Ensure nosuid option set on /dev/shm partition
  • 1.1.9 Disable Automounting
  • 1.5.1 Ensure address space layout randomization (ASLR) is enabled - config
  • 1.5.3 Ensure Automatic Error Reporting is not enabled
  • 1.5.4 Ensure core dumps are restricted - limits config
  • 1.5.4 Ensure core dumps are restricted - sysctl config
  • 1.8.4 Ensure GDM screen locks when the user is idle - idle-delay
  • 1.8.4 Ensure GDM screen locks when the user is idle - lock-delay
  • 1.8.5 Ensure GDM screen locks cannot be overridden - idle-delay
  • 1.8.5 Ensure GDM screen locks cannot be overridden - lock-delay
  • 1.9 Ensure updates, patches, and additional security software are installed
  • 2.1.2.2 Ensure chrony is running as user _chrony
  • 2.1.4.3 Ensure ntp is running as user ntp - user
  • 2.2.1 Ensure X Window System is not installed
  • 2.2.15 Ensure mail transfer agent is configured for local-only mode
  • 3.1.1 Ensure system is checked to determine if IPv6 is enabled
  • 3.1.2 Ensure wireless interfaces are disabled
  • 3.3.1 Ensure source routed packets are not accepted - net.ipv4.conf.all.accept_source_route (sysctl.conf/sysctl.d)
  • 3.3.1 Ensure source routed packets are not accepted - net.ipv4.conf.default.accept_source_route (sysctl.conf/sysctl.d)
  • 3.3.1 Ensure source routed packets are not accepted - net.ipv6.conf.all.accept_source_route (sysctl.conf/sysctl.d)
  • 3.3.1 Ensure source routed packets are not accepted - net.ipv6.conf.default.accept_source_route (sysctl.conf/sysctl.d)
  • 3.3.2 Ensure ICMP redirects are not accepted - net.ipv4.conf.all.accept_redirects (sysctl.conf/sysctl.d)
  • 3.3.2 Ensure ICMP redirects are not accepted - net.ipv4.conf.default.accept_redirects (sysctl.conf/sysctl.d)
  • 3.3.2 Ensure ICMP redirects are not accepted - net.ipv6.conf.all.accept_redirects (sysctl.conf/sysctl.d)
  • 3.3.2 Ensure ICMP redirects are not accepted - net.ipv6.conf.default.accept_redirects (sysctl.conf/sysctl.d)
  • 3.3.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.all.secure_redirects' (sysctl.conf/sysctl.d)
  • 3.3.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.default.secure_redirects' (sysctl.conf/sysctl.d)
  • 3.3.4 Ensure suspicious packets are logged - 'net.ipv4.conf.all.log_martians' (sysctl.conf/sysctl.d)
  • 3.3.4 Ensure suspicious packets are logged - 'net.ipv4.conf.default.log_martians' (sysctl.conf/sysctl.d)
  • 3.3.5 Ensure broadcast ICMP requests are ignored - sysctl.conf/sysctl.d
  • 3.3.6 Ensure bogus ICMP responses are ignored - (sysctl.conf/sysctl.d)
  • 3.3.7 Ensure Reverse Path Filtering is enabled - 'net.ipv4.conf.all.rp_filter' (sysctl.conf/sysctl.d)
  • 3.3.7 Ensure Reverse Path Filtering is enabled - 'net.ipv4.conf.default.rp_filter' (sysctl.conf/sysctl.d)
  • 3.3.8 Ensure TCP SYN Cookies is enabled - sysctl.conf/sysctl.d
  • 3.3.9 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.all.accept_ra' (sysctl.conf/sysctl.d)
  • 3.3.9 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.default.accept_ra' (sysctl.conf/sysctl.d)
  • 3.5.2.10 Ensure nftables rules are permanent - hook forward
  • 3.5.2.10 Ensure nftables rules are permanent - hook input
  • 3.5.2.10 Ensure nftables rules are permanent - hook output
  • 3.5.2.6 Ensure nftables loopback traffic is configured - lo
  • 3.5.2.6 Ensure nftables loopback traffic is configured - v4
  • 3.5.2.6 Ensure nftables loopback traffic is configured - v6
  • 4.2.1.1.4 Ensure journald is not configured to receive logs from a remote client
  • 4.2.2.1 Ensure rsyslog is installed
  • 4.2.2.2 Ensure rsyslog service is enabled
  • 4.2.2.3 Ensure journald is configured to send logs to rsyslog
  • 4.2.2.4 Ensure rsyslog default file permissions are configured
  • 4.2.2.5 Ensure logging is configured
  • 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
  • 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client
  • 5.2.10 Ensure SSH PermitUserEnvironment is disabled
  • 5.2.11 Ensure SSH IgnoreRhosts is enabled
  • 5.2.13 Ensure only strong Ciphers are used
  • 5.2.14 Ensure only strong MAC algorithms are used
  • 5.2.15 Ensure only strong Key Exchange algorithms are used
  • 5.2.17 Ensure SSH warning banner is configured
  • 5.2.18 Ensure SSH MaxAuthTries is set to 4 or less
  • 5.2.19 Ensure SSH MaxStartups is configured
  • 5.2.20 Ensure SSH MaxSessions is set to 10 or less
  • 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less
  • 5.2.22 Ensure SSH Idle Timeout Interval is configured
  • 5.2.4 Ensure SSH access is limited
  • 5.2.5 Ensure SSH LogLevel is appropriate
  • 5.2.6 Ensure SSH PAM is enabled
  • 5.2.7 Ensure SSH root login is disabled
  • 5.2.8 Ensure SSH HostbasedAuthentication is disabled
  • 5.2.9 Ensure SSH PermitEmptyPasswords is disabled
  • 5.3.2 Ensure sudo commands use pty
  • 5.3.3 Ensure sudo log file exists
  • 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally
  • 5.3.6 Ensure sudo authentication timeout is configured correctly
  • 5.3.7 Ensure access to the su command is restricted
  • 5.4.4 Ensure password hashing algorithm is up to date with the latest standards
  • 5.5.1.1 Ensure minimum days between password changes is configured - users
  • 5.5.1.5 Ensure all users last password change date is in the past
  • 5.5.2 Ensure system accounts are secured
  • 5.5.4 Ensure default user umask is 027 or more restrictive - Default user umask
  • 5.5.4 Ensure default user umask is 027 or more restrictive - Restrictive system umask
  • 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
  • 6.2.2 Ensure /etc/shadow password fields are not empty
  • 6.2.4 Ensure shadow group is empty
  • 6.2.9 Ensure root PATH Integrity
Informational Update
  • 1.1.10 Disable USB Storage - blacklist
  • 1.1.10 Disable USB Storage - lsmod
  • 1.1.10 Disable USB Storage - modprobe
  • 2.1.2.2 Ensure chrony is running as user _chrony
  • 2.1.4.3 Ensure ntp is running as user ntp
  • 2.1.4.3 Ensure ntp is running as user ntp - RUNASUSER
  • 2.1.4.3 Ensure ntp is running as user ntp - user
Miscellaneous
  • References updated.
Added
  • 5.4.1 Ensure password creation requirements are configured
Removed
  • 5.4.1 Ensure password creation requirements are configured - 'dcredit'
  • 5.4.1 Ensure password creation requirements are configured - 'lcredit'
  • 5.4.1 Ensure password creation requirements are configured - 'minlen'
  • 5.4.1 Ensure password creation requirements are configured - 'ocredit'
  • 5.4.1 Ensure password creation requirements are configured - 'ucredit'
  • 5.4.1 Ensure password creation requirements are configured - retry
Revision 1.33

Jan 22, 2024

Functional Update
  • 5.2.22 Ensure SSH Idle Timeout Interval is configured
Miscellaneous
  • Metadata updated.
Revision 1.32

Jan 3, 2024

Functional Update
  • 2.2.13 Ensure SNMP Server is not installed
Revision 1.31

Dec 27, 2023

Functional Update
  • 4.2.1.1.1 Ensure systemd-journal-remote is installed
  • 4.2.1.1.2 Ensure systemd-journal-remote is configured
  • 4.2.1.1.3 Ensure systemd-journal-remote is enabled
  • 4.2.1.1.4 Ensure journald is not configured to receive logs from a remote client
  • 4.2.1.2 Ensure journald service is enabled
  • 4.2.1.3 Ensure journald is configured to compress large log files
  • 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk
  • 4.2.1.5 Ensure journald is not configured to send logs to rsyslog
  • 4.2.1.6 Ensure journald log rotation is configured per site policy
  • 4.2.1.7 Ensure journald default file permissions configured
  • 4.2.2.1 Ensure rsyslog is installed
  • 4.2.2.2 Ensure rsyslog service is enabled
  • 4.2.2.3 Ensure journald is configured to send logs to rsyslog
  • 4.2.2.4 Ensure rsyslog default file permissions are configured
  • 4.2.2.5 Ensure logging is configured
  • 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
  • 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client