| 1.1.1.4 Ensure mounting of hfs filesystems is disabled - modprobe | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 1.1.3 Ensure nodev option set on /tmp partition | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 1.1.4 Ensure nosuid option set on /tmp partition | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 1.1.21 Ensure sticky bit is set on all world-writable directories | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 1.5.2 Ensure bootloader password is set - password_pbkdf2 | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 1.6.2 Ensure address space layout randomization (ASLR) is enabled | CIS Debian Family Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 1.6.2 Ensure address space layout randomization (ASLR) is enabled - sysctl | CIS Debian Family Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 1.7.1.1 Ensure AppArmor is installed | CIS Debian Family Workstation L1 v1.0.0 | Unix | ACCESS CONTROL |
| 1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration - apparmor=1 | CIS Debian Family Workstation L1 v1.0.0 | Unix | ACCESS CONTROL |
| 1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration - security=apparmor | CIS Debian Family Workstation L1 v1.0.0 | Unix | ACCESS CONTROL |
| 1.7.1.3 Ensure all AppArmor Profiles are in enforce or complain mode - profiles loaded | CIS Debian Family Workstation L1 v1.0.0 | Unix | ACCESS CONTROL |
| 2.1.1.3 Ensure chrony is configured - ntp server | CIS Debian Family Workstation L1 v1.0.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 2.1.1.3 Ensure chrony is configured - package ntp | CIS Debian Family Workstation L1 v1.0.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 2.1.1.4 Ensure ntp is configured - RUNASUSER | CIS Debian Family Workstation L1 v1.0.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 2.1.5 Ensure DHCP Server is not installed - dhcpd | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 2.1.5 Ensure DHCP Server is not installed - isc-dhcp-server6 | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 2.1.7 Ensure NFS is not installed | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 2.1.12 Ensure Samba is not installed | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 2.1.13 Ensure HTTP Proxy Server is not installed | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 2.1.15 Ensure mail transfer agent is configured for local-only mode - /etc/exim4/update-exim4.conf.conf | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 2.2.1 Ensure NIS Client is not installed | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 3.3.1 Ensure source routed packets are not accepted - files 'net.ipv4.conf.all.accept_source_route = 0' | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 3.3.1 Ensure source routed packets are not accepted - net.ipv6.conf.default.accept_source_route = 0 | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 3.3.2 Ensure ICMP redirects are not accepted - files net.ipv6.conf.all.accept_redirects= 0 | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 3.3.3 Ensure secure ICMP redirects are not accepted - net.ipv4.conf.all.secure_redirects = 0 | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 3.3.3 Ensure secure ICMP redirects are not accepted - net.ipv4.conf.default.secure_redirects = 0 | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 3.3.6 Ensure bogus ICMP responses are ignored - files net.ipv4.icmp_ignore_bogus_error_responses = 1 | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 3.3.8 Ensure TCP SYN Cookies is enabled - files net.ipv4.tcp_syncookies = 1 | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 3.3.9 Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.default.accept_ra = 0 | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 3.6.1.2 Ensure iptables-persistent is not installed | CIS Debian Family Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.6.1.4 Ensure loopback traffic is configured - deny in from 127.0.0.0/8 | CIS Debian Family Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.6.2.6 Ensure loopback traffic is configured - v6 | CIS Debian Family Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.6.2.8 Ensure default deny firewall policy - input | CIS Debian Family Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.6.2.8 Ensure default deny firewall policy - output | CIS Debian Family Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.6.3.2.1 Ensure default deny firewall policy - FORWARD | CIS Debian Family Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.6.3.2.1 Ensure default deny firewall policy - INPUT | CIS Debian Family Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.6.3.3.3 Ensure IPv6 outbound and established connections are configured | CIS Debian Family Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk | CIS Debian Family Workstation L1 v1.0.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 5.1.1 Ensure cron daemon is enabled and running - running | CIS Debian Family Workstation L1 v1.0.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 5.3.2 Ensure lockout for failed password attempts is configured - pam_tally2.so | CIS Debian Family Server L1 v1.0.0 | Unix | ACCESS CONTROL |
| 5.3.4 Ensure password hashing algorithm is SHA-512 | CIS Debian Family Server L1 v1.0.0 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 5.4.1.3 Ensure password expiration warning days is 7 or more - users | CIS Debian Family Server L1 v1.0.0 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 5.4.1.4 Ensure inactive password lock is 30 days or less - users | CIS Debian Family Server L1 v1.0.0 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 5.4.3 Ensure default group for the root account is GID 0 | CIS Debian Family Server L1 v1.0.0 | Unix | ACCESS CONTROL |
| 6.1.2 Ensure permissions on /etc/passwd are configured | CIS Debian Family Server L1 v1.0.0 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 6.1.7 Ensure permissions on /etc/shadow- are configured | CIS Debian Family Server L1 v1.0.0 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 6.1.8 Ensure permissions on /etc/gshadow are configured | CIS Debian Family Server L1 v1.0.0 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 6.1.9 Ensure permissions on /etc/gshadow- are configured | CIS Debian Family Server L1 v1.0.0 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 6.1.13 Audit SUID executables | CIS Debian Family Server L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 6.2.10 Ensure root is the only UID 0 account | CIS Debian Family Server L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
