| 1.1.1.2 Ensure mounting of jffs2 filesystems is disabled - lsmod | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 1.1.2 Ensure /tmp is configured - mount | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 1.1.10 Ensure noexec option set on /var/tmp partition | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 1.1.17 Ensure noexec option set on /dev/shm partition | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 1.1.18 Ensure nodev option set on removable media partitions | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 1.1.21 Ensure sticky bit is set on all world-writable directories | CIS Debian 9 Workstation L1 v1.0.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.4.2 Ensure bootloader password is set - password_pbkdf2 | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 1.5.1 Ensure core dumps are restricted - limits.conf limits.d | CIS Debian 9 Workstation L1 v1.0.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.5.2 Ensure XD/NX support is enabled | CIS Debian 9 Workstation L1 v1.0.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 1.5.3 Ensure address space layout randomization (ASLR) is enabled - sysctl | CIS Debian 9 Workstation L1 v1.0.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 1.5.4 Ensure prelink is disabled | CIS Debian 9 Workstation L1 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY |
| 1.6.1.1 Ensure SELinux is enabled in the bootloader configuration - security=selinux | CIS Debian 9 Server L2 v1.0.1 | Unix | ACCESS CONTROL |
| 1.6.1.1 Ensure SELinux is enabled in the bootloader configuration - selinux = 1 | CIS Debian 9 Server L2 v1.0.1 | Unix | ACCESS CONTROL |
| 1.6.1.2 Ensure the SELinux state is enforcing - /etc/selinux/config | CIS Debian 9 Server L2 v1.0.1 | Unix | ACCESS CONTROL |
| 1.6.2.1 Ensure AppArmor is enabled in the bootloader configuration - apparmor=1 | CIS Debian 9 Server L2 v1.0.1 | Unix | ACCESS CONTROL |
| 1.7.1.3 Ensure remote login warning banner is configured properly | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 1.7.1.5 Ensure permissions on /etc/issue are configured | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 1.7.1.6 Ensure permissions on /etc/issue.net are configured | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.1.1 Ensure audit log storage size is configured | CIS Debian 9 Server L2 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.1.2 Ensure system is disabled when audit logs are full - space_left_action | CIS Debian 9 Server L2 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.1.3 Ensure audit logs are not automatically deleted | CIS Debian 9 Server L2 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.5 Ensure events that modify user/group information are collected - auditctl /etc/security/opasswd | CIS Debian 9 Server L2 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.6 Ensure events that modify the system's network environment are collected - /etc/issue | CIS Debian 9 Server L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor | CIS Debian 9 Server L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/apparmor.d | CIS Debian 9 Server L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /usr/share/selinux | CIS Debian 9 Server L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.8 Ensure login and logout events are collected - auditctl tallylog | CIS Debian 9 Server L2 v1.0.1 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.8 Ensure login and logout events are collected - tallylog | CIS Debian 9 Server L2 v1.0.1 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.9 Ensure session initiation information is collected - auditctl /var/run/utmp | CIS Debian 9 Server L2 v1.0.1 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.10 Ensure discretionary access control permission modification events are collected - auditctl chmod fchmod fchmodat | CIS Debian 9 Server L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.10 Ensure discretionary access control permission modification events are collected - auditctl setxattr x64 | CIS Debian 9 Server L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected - EPERM | CIS Debian 9 Server L2 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.13 Ensure successful file system mounts are collected - auditctl mount x64 | CIS Debian 9 Server L2 v1.0.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.17 Ensure kernel module loading and unloading is collected - auditctl init_module | CIS Debian 9 Server L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 5.2.6 Ensure SSH X11 forwarding is disabled | CIS Debian 9 Server L2 v1.0.1 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less | CIS Debian 9 Server L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 5.3.1 Ensure password creation requirements are configured - lcredit | CIS Debian 9 Server L1 v1.0.1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 5.3.1 Ensure password creation requirements are configured - ocredit | CIS Debian 9 Server L1 v1.0.1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 5.3.3 Ensure password reuse is limited | CIS Debian 9 Server L1 v1.0.1 | Unix | ACCESS CONTROL |
| 5.4.1.1 Ensure password expiration is 365 days or less - users | CIS Debian 9 Server L1 v1.0.1 | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 5.4.1.3 Ensure password expiration warning days is 7 or more - login.defs | CIS Debian 9 Server L1 v1.0.1 | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 6.1.2 Ensure permissions on /etc/gshadow are configured | CIS Debian 9 Server L1 v1.0.1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 6.1.10 Ensure no world writable files exist | CIS Debian 9 Server L1 v1.0.1 | Unix | ACCESS CONTROL |
| 6.1.14 Audit SGID executables | CIS Debian 9 Server L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 6.2.2 Ensure no legacy '+' entries exist in /etc/passwd | CIS Debian 9 Server L1 v1.0.1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 6.2.4 Ensure no legacy '+' entries exist in /etc/group | CIS Debian 9 Server L1 v1.0.1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 6.2.5 Ensure root is the only UID 0 account | CIS Debian 9 Server L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 6.2.7 Ensure all users' home directories exist | CIS Debian 9 Server L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 6.2.14 Ensure no users have .rhosts files | CIS Debian 9 Server L1 v1.0.1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 6.2.15 Ensure all groups in /etc/passwd exist in /etc/group | CIS Debian 9 Server L1 v1.0.1 | Unix | ACCESS CONTROL |
