| 1.1.11 Ensure separate partition exists for /var/log | CIS Debian Family Server L2 v1.0.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 2.1.1.3 Ensure chrony is configured - user | CIS Debian Family Workstation L1 v1.0.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 2.1.6 Ensure LDAP server is not installed | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 2.1.8 Ensure DNS Server is not installed | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 2.1.16 Ensure rsync service is not installed | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 2.2.3 Ensure talk client is not installed | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 2.3 Ensure nonessential services are removed or masked | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 3.1.1 Disable IPv6 - grub.cfg | CIS Debian Family Server L2 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.1 Disable IPv6 - sysctl.conf all | CIS Debian Family Server L2 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.1 Disable IPv6 - sysctl.conf default | CIS Debian Family Server L2 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.1 Ensure packet redirect sending is disabled - all /etc/sysctl.conf /etc/sysctl.d/* | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 3.2.2 Ensure IP forwarding is disabled - ipv6 /etc/sysctl.conf /etc/sysctl.d/* | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.default.accept_redirects' | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 3.3.2 Ensure ICMP redirects are not accepted - net.ipv4.conf.all.accept_redirects | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 3.3.6 Ensure bogus ICMP responses are ignored - net.ipv4.icmp_ignore_bogus_error_responses = 1 | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 3.3.7 Ensure Reverse Path Filtering is enabled - net.ipv4.conf.all.rp_filter = 1 | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 3.3.8 Ensure TCP SYN Cookies is enabled - net.ipv4.tcp_syncookies = 1 | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 3.3.9 Ensure IPv6 router advertisements are not accepted - files net.ipv6.conf.all.accept_ra = 0 | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 3.5.3 Ensure RDS is disabled - modprobe | CIS Debian Family Server L2 v1.0.0 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 3.5.4 Ensure TIPC is disabled - modprobe | CIS Debian Family Server L2 v1.0.0 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 3.6.1.3 Ensure ufw service is enabled - systemctl | CIS Debian Family Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.6.1.7 Ensure default deny firewall policy | CIS Debian Family Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.6.2.1 Ensure nftables is installed | CIS Debian Family Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.6.2.4 Ensure a table exists | CIS Debian Family Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.6.2.9 Ensure nftables service is enabled | CIS Debian Family Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.6.3.1.1 Ensure iptables packages are installed - iptables-persistent | CIS Debian Family Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.6.3.2.2 Ensure loopback traffic is configured - OUTPUT | CIS Debian Family Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.6.3.3.1 Ensure IPv6 default deny firewall policy - Chain INPUT | CIS Debian Family Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.6.3.3.1 Ensure IPv6 default deny firewall policy - Chain OUTPUT | CIS Debian Family Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled | CIS Debian Family Server L2 v1.0.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.1.4 Ensure audit_backlog_limit is sufficient | CIS Debian Family Server L2 v1.0.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES x64 | CIS Debian Family Server L2 v1.0.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.12 Ensure successful file system mounts are collected - auditctl mount | CIS Debian Family Server L2 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.2.1.2 Ensure rsyslog service is enabled | CIS Debian Family Workstation L1 v1.0.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.2.1.5 Ensure logging is configured - '*.emerg :omusrmsg:*' | CIS Debian Family Workstation L1 v1.0.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.2.1.7 Ensure rsyslog is not configured to receive logs from a remote client | CIS Debian Family Workstation L1 v1.0.0 | Unix | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| 5.1.4 Ensure permissions on /etc/cron.daily are configured | CIS Debian Family Workstation L1 v1.0.0 | Unix | ACCESS CONTROL |
| 5.1.9 Ensure at is restricted to authorized users - at.deny | CIS Debian Family Workstation L1 v1.0.0 | Unix | ACCESS CONTROL |
| 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured | CIS Debian Family Workstation L1 v1.0.0 | Unix | ACCESS CONTROL |
| 5.2.2 Ensure permissions on SSH private host key files are configured | CIS Debian Family Workstation L1 v1.0.0 | Unix | ACCESS CONTROL |
| 5.2.9 Ensure SSH root login is disabled | CIS Debian Family Workstation L1 v1.0.0 | Unix | ACCESS CONTROL |
| 5.2.15 Ensure SSH Idle Timeout Interval is configured - ClientAliveInterval | CIS Debian Family Workstation L1 v1.0.0 | Unix | ACCESS CONTROL |
| 5.2.19 Ensure SSH PAM is enabled | CIS Debian Family Workstation L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 5.3.2 Ensure lockout for failed password attempts is configured - /etc/pam.d/common-auth | CIS Debian Family Workstation L1 v1.0.0 | Unix | ACCESS CONTROL |
| 5.4.1.1 Ensure password expiration is 365 days or less - users | CIS Debian Family Workstation L1 v1.0.0 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 5.4.2 Ensure system accounts are secured | CIS Debian Family Workstation L1 v1.0.0 | Unix | ACCESS CONTROL |
| 5.4.4 Ensure default user umask is 027 or more restrictive - /etc/login.defs | CIS Debian Family Workstation L1 v1.0.0 | Unix | ACCESS CONTROL |
| 6.1.4 Ensure permissions on /etc/group are configured | CIS Debian Family Workstation L1 v1.0.0 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 6.2.6 Ensure users' dot files are not group or world writable | CIS Debian Family Workstation L1 v1.0.0 | Unix | ACCESS CONTROL |
| 6.2.10 Ensure root is the only UID 0 account | CIS Debian Family Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
