| 1.1.7 Ensure separate partition exists for /var/tmp | CIS Debian 9 Workstation L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 1.6.1.1 Ensure SELinux is enabled in the bootloader configuration - security=selinux | CIS Debian 9 Workstation L2 v1.0.1 | Unix | ACCESS CONTROL |
| 1.6.1.4 Ensure no unconfined daemons exist | CIS Debian 9 Workstation L2 v1.0.1 | Unix | ACCESS CONTROL |
| 1.6.2.2 Ensure all AppArmor Profiles are enforcing - complain mode | CIS Debian 9 Workstation L2 v1.0.1 | Unix | ACCESS CONTROL |
| 1.6.2.2 Ensure all AppArmor Profiles are enforcing - profiles loaded | CIS Debian 9 Workstation L2 v1.0.1 | Unix | ACCESS CONTROL |
| 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.default.accept_redirects' | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 3.2.3 Ensure secure ICMP redirects are not accepted - files net.ipv4.conf.default.secure_redirects = 0 | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 3.2.6 Ensure bogus ICMP responses are ignored - files net.ipv4.icmp_ignore_bogus_error_responses = 1 | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 3.2.7 Ensure Reverse Path Filtering is enabled - net.ipv4.conf.all.rp_filter = 1 | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 3.3.4 Ensure permissions on /etc/hosts.allow are configured | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 3.4.4 Ensure TIPC is disabled - modprobe | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 3.5.1.1 Ensure default deny firewall policy - Chain FORWARD | CIS Debian 9 Workstation L1 v1.0.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.1.2 Ensure loopback traffic is configured - output | CIS Debian 9 Workstation L1 v1.0.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.2.1 Ensure IPv6 default deny firewall policy - Chain FORWARD | CIS Debian 9 Workstation L1 v1.0.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.3 Ensure iptables is installed | CIS Debian 9 Workstation L1 v1.0.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.7 Disable IPv6 | CIS Debian 9 Workstation L2 v1.0.1 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 4.1.1.2 Ensure system is disabled when audit logs are full - space_left_action | CIS Debian 9 Workstation L2 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.3 Ensure auditing for processes that start prior to auditd is enabled | CIS Debian 9 Workstation L2 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.10 Ensure discretionary access control permission modification events are collected - auditctl chown fchown fchownat lchown | CIS Debian 9 Workstation L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.10 Ensure discretionary access control permission modification events are collected - auditctl chown fchown fchownat lchown x64 | CIS Debian 9 Workstation L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.10 Ensure discretionary access control permission modification events are collected - auditctl lsetxattr setxattr fsetxattr removexattr | CIS Debian 9 Workstation L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.10 Ensure discretionary access control permission modification events are collected - chmod fchmod fchmodat | CIS Debian 9 Workstation L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.10 Ensure discretionary access control permission modification events are collected - lsetxattr setxattr fsetxattr removexattr | CIS Debian 9 Workstation L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected - EACCES | CIS Debian 9 Workstation L2 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected - EACCES x64 | CIS Debian 9 Workstation L2 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected - EPERM | CIS Debian 9 Workstation L2 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.13 Ensure successful file system mounts are collected - auditctl mount | CIS Debian 9 Workstation L2 v1.0.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.14 Ensure file deletion events by users are collected - delete | CIS Debian 9 Workstation L2 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.16 Ensure system administrator actions (sudolog) are collected - auditctl /var/log/sudo.log | CIS Debian 9 Workstation L2 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.17 Ensure kernel module loading and unloading is collected - /sbin/modprobe | CIS Debian 9 Workstation L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.17 Ensure kernel module loading and unloading is collected - /sbin/rmmod | CIS Debian 9 Workstation L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.17 Ensure kernel module loading and unloading is collected - init_module | CIS Debian 9 Workstation L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 4.2.1.1 Ensure rsyslog service is enabled | CIS Debian 9 Workstation L1 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.2.1.3 Ensure rsyslog default file permissions are configured | CIS Debian 9 Workstation L1 v1.0.1 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION |
| 4.2.1.5 Ensure rsyslog is not configured to receive logs from a remote client | CIS Debian 9 Workstation L1 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host - destination logserver | CIS Debian 9 Workstation L1 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host - log src | CIS Debian 9 Workstation L1 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY |
| 5.2.6 Ensure SSH X11 forwarding is disabled | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 5.2.9 Ensure SSH HostbasedAuthentication is disabled | CIS Debian 9 Workstation L1 v1.0.1 | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 5.2.12 Ensure SSH PermitUserEnvironment is disabled | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 5.3.1 Ensure password creation requirements are configured - dcredit | CIS Debian 9 Workstation L1 v1.0.1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 5.3.1 Ensure password creation requirements are configured - lcredit | CIS Debian 9 Workstation L1 v1.0.1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 5.3.2 Ensure lockout for failed password attempts is configured | CIS Debian 9 Workstation L1 v1.0.1 | Unix | ACCESS CONTROL |
| 5.4.1.4 Ensure inactive password lock is 30 days or less - users | CIS Debian 9 Workstation L1 v1.0.1 | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 6.1.13 Audit SUID executables | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 6.2.1 Ensure password fields are not empty | CIS Debian 9 Workstation L1 v1.0.1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 6.2.3 Ensure no legacy '+' entries exist in /etc/shadow | CIS Debian 9 Workstation L1 v1.0.1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 6.2.5 Ensure root is the only UID 0 account | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 6.2.11 Ensure no users have .forward files | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 6.2.16 Ensure no duplicate UIDs exist | CIS Debian 9 Workstation L1 v1.0.1 | Unix | ACCESS CONTROL |
