Detections
Analytics

CIS Debian Linux 13 v1.0.0 L2 Workstation

Audit Details

Name: CIS Debian Linux 13 v1.0.0 L2 Workstation

Updated: 1/27/2026

Authority: CIS

Plugin: Unix

Revision: 1.0

Estimated Item Count: 85

File Details

Filename: CIS_Debian_Linux_13_v1.0.0_L2_Workstation.audit

Size: 397 kB

MD5: 122e70cf7350552ff9f2327322df339b
SHA256: 11e3cc7a2853ff5f4acfc0e3c6d7e18d9a3f3f4ca221094715fddd856950a7b7

Audit Items

DescriptionCategories
1.1.1.6 Ensure overlay kernel module is not available

CONFIGURATION MANAGEMENT

1.1.1.7 Ensure squashfs kernel module is not available

CONFIGURATION MANAGEMENT

1.1.1.8 Ensure udf kernel module is not available

CONFIGURATION MANAGEMENT

1.1.1.9 Ensure firewire-core kernel module is not available

CONFIGURATION MANAGEMENT

1.1.1.10 Ensure usb-storage kernel module is not available

IDENTIFICATION AND AUTHENTICATION

1.1.2.3.1 Ensure separate partition exists for /home

ACCESS CONTROL, CONFIGURATION MANAGEMENT, MEDIA PROTECTION

1.1.2.4.1 Ensure separate partition exists for /var

ACCESS CONTROL, CONFIGURATION MANAGEMENT, MEDIA PROTECTION

1.1.2.5.1 Ensure separate partition exists for /var/tmp

ACCESS CONTROL, CONFIGURATION MANAGEMENT, MEDIA PROTECTION

1.1.2.6.1 Ensure separate partition exists for /var/log

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

1.1.2.7.1 Ensure separate partition exists for /var/log/audit

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

1.2.1.2 Ensure weak dependencies are configured

CONFIGURATION MANAGEMENT

1.3.1.3 Ensure all AppArmor Profiles are enforcing

ACCESS CONTROL, MEDIA PROTECTION

1.5.2 Ensure fs.protected_symlinks is configured

ACCESS CONTROL

1.7.6 Ensure GDM automatic mounting of removable media is disabled

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, MEDIA PROTECTION

1.7.7 Ensure GDM disabling automatic mounting of removable media is not overridden

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

1.7.11 Ensure Xwayland is configured

CONFIGURATION MANAGEMENT

2.1.1 Ensure autofs services are not in use

MEDIA PROTECTION, SYSTEM AND INFORMATION INTEGRITY

2.1.2 Ensure avahi daemon services are not in use

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

2.1.11 Ensure print server services are not in use

CONFIGURATION MANAGEMENT

3.1.3 Ensure bluetooth services are not in use

CONFIGURATION MANAGEMENT

4.1.4 Ensure ufw outgoing default is configured

CONFIGURATION MANAGEMENT

5.2.4 Ensure users must provide password for escalation

ACCESS CONTROL

5.3.3.1.3 Ensure password failed attempts lockout includes root account

ACCESS CONTROL

5.4.1.2 Ensure minimum password days is configured

IDENTIFICATION AND AUTHENTICATION

5.4.3.1 Ensure nologin is not listed in /etc/shells

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

6.1.2.9 Ensure rsyslog-gnutls is installed

AUDIT AND ACCOUNTABILITY

6.1.2.10 Ensure rsyslog forwarding uses gtls

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

6.1.2.11 Ensure rsyslog CA certificates are configured

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

6.2.1.1 Ensure auditd packages are installed

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

6.2.1.2 Ensure auditd service is enabled and active

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

6.2.1.3 Ensure auditing for processes that start prior to auditd is enabled

AUDIT AND ACCOUNTABILITY

6.2.1.4 Ensure audit_backlog_limit is configured

AUDIT AND ACCOUNTABILITY

6.2.2.1 Ensure audit log storage size is configured

AUDIT AND ACCOUNTABILITY

6.2.2.2 Ensure audit logs are not automatically deleted

AUDIT AND ACCOUNTABILITY

6.2.2.3 Ensure system is disabled when audit logs are full

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

6.2.2.4 Ensure system warns when audit logs are low on space

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

6.2.3.1 Ensure modification of the /etc/sudoers file is collected

AUDIT AND ACCOUNTABILITY

6.2.3.2 Ensure actions as another user are always logged

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

6.2.3.3 Ensure events that modify the sudo log file are collected

AUDIT AND ACCOUNTABILITY

6.2.3.4 Ensure events that modify date and time information are collected

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

6.2.3.5 Ensure events that modify sethostname and setdomainname are collected

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

6.2.3.6 Ensure events that modify /etc/issue and /etc/issue.net are collected

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

6.2.3.7 Ensure events that modify /etc/hosts and /etc/hostname are collected

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

6.2.3.8 Ensure events that modify the system's network environment are collected

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

6.2.3.9 Ensure events that modify /etc/NetworkManager directory are collected

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

6.2.3.10 Ensure use of privileged commands are collected

AUDIT AND ACCOUNTABILITY

6.2.3.11 Ensure unsuccessful file access attempts are collected

AUDIT AND ACCOUNTABILITY

6.2.3.12 Ensure events that modify /etc/group information are collected

AUDIT AND ACCOUNTABILITY

6.2.3.13 Ensure events that modify /etc/passwd information are collected

AUDIT AND ACCOUNTABILITY

6.2.3.14 Ensure events that modify /etc/shadow and /etc/gshadow are collected

AUDIT AND ACCOUNTABILITY