From e41e0a1d936a2d8f0aff3e6b48ccc48cdb67a2b1 Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz
Date: Thu, 2 Jul 2026 13:53:39 +0200
Subject: [PATCH 1/6] add a debian13 test suite container
---
Dockerfiles/test_suite-debian13 | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 Dockerfiles/test_suite-debian13
diff --git a/Dockerfiles/test_suite-debian13 b/Dockerfiles/test_suite-debian13
new file mode 100644
index 00000000000..f71f15628ec
--- /dev/null
+++ b/Dockerfiles/test_suite-debian13
@@ -0,0 +1,27 @@
+# This Dockerfile is a minimal example for a Debian 13 test suite target container.
+FROM debian:13
+
+ENV AUTH_KEYS=/root/.ssh/authorized_keys
+ENV DEBIAN_FRONTEND=noninteractive
+
+ARG CLIENT_PUBLIC_KEY
+ARG ADDITIONAL_PACKAGES
+
+# install additional packages
+RUN true \
+ && apt update \
+ && apt install -y openssh-server python3 openscap-scanner \
+ python3-apt $ADDITIONAL_PACKAGES \
+ && true
+
+RUN true \
+ && ssh-keygen -A \
+ && mkdir -p /root/.ssh \
+ && printf "%s\n" "$CLIENT_PUBLIC_KEY" >> "$AUTH_KEYS" \
+ && chmod og-rw /root/.ssh "$AUTH_KEYS" \
+ && sed -i '/session\s\+required\s\+pam_loginuid.so/d' /etc/pam.d/sshd \
+ && echo CPE_NAME="cpe:/o:debian:debian_linux:13" >> /etc/os-release \
+ && true
+
+RUN mkdir -p /run/sshd
+CMD ["/usr/sbin/sshd", "-D"]
From b2ff1df16d821efd5d963656b1a4a88e40ede86e Mon Sep 17 00:00:00 2001
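Review bot: The package step on the `apt update` / `apt install` lines uses the interactive `apt` front end, which warns that its CLI is not stable when scripted; the conventional form is `apt-get update && apt-get install -y ...` with `rm -rf /var/lib/apt/lists/*` in the same RUN so the list cache does not remain in the layer. `ENV DEBIAN_FRONTEND=noninteractive` is only needed while the image is built but here persists into the running container's environment; passing it inline on the install line (`RUN DEBIAN_FRONTEND=noninteractive apt-get install ...`) or declaring it as an `ARG` keeps the runtime environment clean. If the sibling test_suite Dockerfiles in this directory share this layout, matching them may be preferable to changing only this one.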
From: Alexandre Skrzyniarz
Date: Thu, 2 Jul 2026 13:59:45 +0200
Subject: [PATCH 2/6] add new rule: apt_conf_disable_recommends
---
components/apt.yml | 2 ++
.../apt/apt_conf_disable_recommends/bash/shared.sh | 7 +++++++
.../apt/apt_conf_disable_recommends/rule.yml | 12 ++++++++++++
.../apt/apt_conf_disable_recommends/sce/shared.sh | 11 +++++++++++
.../tests/recommends_disabled.pass.sh | 6 ++++++
.../tests/recommends_enabled.fail.sh | 6 ++++++
6 files changed, 44 insertions(+)
create mode 100644 linux_os/guide/services/apt/apt_conf_disable_recommends/bash/shared.sh
create mode 100644 linux_os/guide/services/apt/apt_conf_disable_recommends/rule.yml
create mode 100644 linux_os/guide/services/apt/apt_conf_disable_recommends/sce/shared.sh
create mode 100644 linux_os/guide/services/apt/apt_conf_disable_recommends/tests/recommends_disabled.pass.sh
create mode 100644 linux_os/guide/services/apt/apt_conf_disable_recommends/tests/recommends_enabled.fail.sh
diff --git a/components/apt.yml b/components/apt.yml
index 8148a2d7df8..dadd89f372b 100644
--- a/components/apt.yml
+++ b/components/apt.yml
@@ -5,6 +5,7 @@ packages:
 - apt
 rules:
 - apt_conf_disallow_unauthenticated
+- apt_conf_disable_recommends
 - apt_disable_weak_dependencies
 - apt_sources_list_official
 - directory_groupowner_apt_auth_conf_d
@@ -28,3 +29,4 @@ rules:
 - file_permissions_apt_auth_conf_d
 - file_permissions_apt_gpg_keys
 - file_permissions_apt_sources_list_d
+
diff --git a/linux_os/guide/services/apt/apt_conf_disable_recommends/bash/shared.sh b/linux_os/guide/services/apt/apt_conf_disable_recommends/bash/shared.sh
new file mode 100644
index 00000000000..883da6b73ec
--- /dev/null
+++ b/linux_os/guide/services/apt/apt_conf_disable_recommends/bash/shared.sh
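Review bot: The new entry `+- apt_conf_disable_recommends` in the first components/apt.yml hunk is placed after `apt_conf_disallow_unauthenticated`, but the surrounding list is kept in alphabetical order and `disable` sorts before `disallow`; moving it one line up keeps the list sorted. The same applies to `+- apt_conf_disable_suggests` in the components/apt.yml hunk of PATCH 3/6, which is inserted right after the new recommends entry. The second hunk adds a lone `+` line at the end of the file, a trailing blank line that looks unintended and that YAML linters commonly flag.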
@@ -0,0 +1,7 @@ +# platform = multi_platform_debian + +cat >> /etc/apt/apt.conf.d/60-no-weak-dependencies < /etc/apt/apt.conf.d/00-disable-recommends < /etc/apt/apt.conf.d/00-enable-recommends < Date: Thu, 2 Jul 2026 14:18:37 +0200 Subject: [PATCH 3/6] add new rule: apt_conf_disable_suggests --- components/apt.yml | 1 + .../apt/apt_conf_disable_suggests/bash/shared.sh | 7 +++++++ .../services/apt/apt_conf_disable_suggests/rule.yml | 12 ++++++++++++ .../apt/apt_conf_disable_suggests/sce/shared.sh | 11 +++++++++++ .../tests/suggests_disabled.pass.sh | 6 ++++++ .../tests/suggests_enabled.fail.sh | 6 ++++++ 6 files changed, 43 insertions(+) create mode 100644 linux_os/guide/services/apt/apt_conf_disable_suggests/bash/shared.sh create mode 100644 linux_os/guide/services/apt/apt_conf_disable_suggests/rule.yml create mode 100644 linux_os/guide/services/apt/apt_conf_disable_suggests/sce/shared.sh create mode 100644 linux_os/guide/services/apt/apt_conf_disable_suggests/tests/suggests_disabled.pass.sh create mode 100644 linux_os/guide/services/apt/apt_conf_disable_suggests/tests/suggests_enabled.fail.sh diff --git a/components/apt.yml b/components/apt.yml index dadd89f372b..d8afbd8eb65 100644 --- a/components/apt.yml +++ b/components/apt.yml @@ -6,6 +6,7 @@ packages: rules: - apt_conf_disallow_unauthenticated - apt_conf_disable_recommends +- apt_conf_disable_suggests - apt_disable_weak_dependencies - apt_sources_list_official - directory_groupowner_apt_auth_conf_d diff --git a/linux_os/guide/services/apt/apt_conf_disable_suggests/bash/shared.sh b/linux_os/guide/services/apt/apt_conf_disable_suggests/bash/shared.sh new file mode 100644 index 00000000000..d8918ad221b --- /dev/null +++ b/linux_os/guide/services/apt/apt_conf_disable_suggests/bash/shared.sh 
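Review bot: The remediation in bash/shared.sh appends with `cat >> /etc/apt/apt.conf.d/60-no-weak-dependencies`, so every remediation run adds another copy of the setting instead of converging on one; guarding the append with a check that the option is not already present, or giving the rule its own drop-in file that is written rather than appended, would make it idempotent. The heredoc body and the rule.yml, sce and test files of this patch are not readable in this rendering, so whether the SCE check tolerates duplicated entries cannot be confirmed here. The bash/shared.sh hunk of PATCH 3/6 appends to the same file in the same way, and since components/apt.yml already lists an `apt_disable_weak_dependencies` rule, it is worth confirming that three rules are not independently managing one drop-in file.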
@@ -0,0 +1,7 @@ +# platform = multi_platform_debian + +cat >> /etc/apt/apt.conf.d/60-no-weak-dependencies < /etc/apt/apt.conf.d/00-disable-suggests < /etc/apt/apt.conf.d/00-enable-suggests < Date: Thu, 2 Jul 2026 14:47:10 +0200 Subject: [PATCH 4/6] add some rules in debian13 CIS benchmark --- controls/cis_debian13.yml | 2817 ++++++++++++++++++++++++++++++++++++- 1 file changed, 2763 insertions(+), 54 deletions(-) diff --git a/controls/cis_debian13.yml b/controls/cis_debian13.yml index f409e5958df..5cd35fad36b 100644 --- a/controls/cis_debian13.yml +++ b/controls/cis_debian13.yml @@ -362,9 +362,10 @@ controls: levels: - l2_server - l2_workstation - status: pending - notes: |- - Needs a new Debian-specific rule checking weak dependencies + rules: + - apt_conf_disable_recommends + - apt_conf_disable_suggests + status: automated - id: 1.2.1.3 title: Ensure access to gpg key files are configured (Automated) @@ -378,7 +379,7 @@ controls: Check if .list and .sources in /etc/apt/sources.list.d have permissions 0644 and owned by root:root and include option signed-by - id: 1.2.1.4 - title: Ensure access to /etc/apt/trusted.gpg.d directory is configured + title: Ensure access to /etc/apt/trusted.gpg.d directory is configured (Automated) levels: - l1_server - l2_server @@ -386,7 +387,7 @@ controls: notes: |- Needs a new Debian-specific rule for /etc/apt/trusted.gpg.d directory access checks. Check if /etc/apt/trusted.gpg.d has permissions 0755 and owned by root:root - + - id: 1.2.1.5 title: Ensure access to /etc/apt/auth.conf.d directory is configured (Automated) levels: 
@@ -399,11 +400,11 @@ controls: - id: 1.2.1.6 title: Ensure access to files in the /etc/apt/auth.conf.d/ directory is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: pending notes: |- - Check if /etc/apt/auth.conf.d/* has permissions 0755 and owned by root:root + Check if /etc/apt/auth.conf.d/* has permissions 0755 and owned by root:root - id: 1.2.1.7 title: Ensure access to /usr/share/keyrings directory is configured (Automated) @@ -412,7 +413,7 @@ controls: - l2_server status: pending notes: |- - Check if /usr/share/keyrings has permissions 0755 and owned by root:root + Check if /usr/share/keyrings has permissions 0755 and owned by root:root - id: 1.2.1.8 title: Ensure access to /etc/apt/sources.list.d directory is configured (Automated) @@ -421,7 +422,7 @@ controls: - l2_server status: pending notes: |- - Check if /etc/apt/sources.list.d has permissions 0755 and owned by root:root + Check if /etc/apt/sources.list.d has permissions 0755 and owned by root:root - id: 1.2.1.9 title: Ensure access to files in /etc/apt/sources.list.d are configured (Automated) @@ -435,22 +436,22 @@ controls: - id: 1.2.2.1 title: Ensure updates, patches, and additional security software are installed (Manual) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: manual - id: 1.3.1.1 - title: Ensure AppArmor is installed (Automated) + title: Ensure AppArmor packages are installed (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation rules: - - package_apparmor_installed - - package_apparmor-utils_installed + - package_apparmor_installed + - package_apparmor-utils_installed status: automated - id: 1.3.1.2 - title: Ensure AppArmor is enabled in the bootloader configuration (Automated) + title: Ensure AppArmor is enabled (Automated) levels: - l1_server - l1_workstation 
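Review bot: The note re-indented in the `@@ -399,11 +400,11 @@` hunk says files under `/etc/apt/auth.conf.d/*` should have permissions 0755, which would leave the apt credentials stored in those files world-readable; the neighbouring controls use 0755 for directories, so this looks like the directory requirement copied onto a file control rather than the benchmark's file mode — worth checking against the text of 1.2.1.6, whose id is the first line of the hunk. The project already ships `file_permissions_apt_auth_conf_d` (listed in components/apt.yml in PATCH 2/6), so the expected mode can be taken from that rule once the control is mapped to it.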
@@ -476,8 +477,8 @@ controls: - id: 1.3.1.4 title: Ensure apparmor_restrict_unprivileged_unconfined is enabled (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: pending notes: |- Check if sysctl kernel.apparmor_restrict_unprivileged_unconfined = 1 @@ -523,35 +524,36 @@ controls: - id: 1.5.3 title: Ensure kernel.yama.ptrace_scope is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation rules: - - sysctl_kernel_yama_ptrace_scope + - sysctl_kernel_yama_ptrace_scope_value=1 + - sysctl_kernel_yama_ptrace_scope status: automated - id: 1.5.4 title: Ensure fs.suid_dumpable is configured (Automated) levels: - - l1_server - - l1_workstation - rules: - - sysctl_fs_suid_dumpable + - l1_server + - l1_workstation + rules: + - sysctl_fs_suid_dumpable status: automated - id: 1.5.5 title: Ensure kernel.dmesg_restrict is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation rules: - - sysctl_kernel_dmesg_restrict + - sysctl_kernel_dmesg_restrict status: automated - id: 1.5.6 title: Ensure prelink is not installed (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation rules: - disable_prelink status: automated @@ -559,8 +561,8 @@ controls: - id: 1.5.7 title: Ensure Automatic Error Reporting is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: pending notes: |- Check if systemctl is-active apport.service , fail if it's active 
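Review bot: The `@@ -523,35 +524,36 @@` hunk adds `sysctl_kernel_yama_ptrace_scope_value=1` to control 1.5.3, titled `Ensure kernel.yama.ptrace_scope is configured (Automated)`, while the following hunk (`@@ -569,63 +571,2770 @@`) makes the same addition to control 1.5.10 under the identical title and rule. Both ids are pre-existing context, so one of them is presumably a numbering slip inherited from the earlier version of the file; the pair should be checked against the benchmark before both are marked automated, since a wrong id also misreports which sysctl control is covered.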
@@ -569,63 +571,2770 @@ controls: - id: 1.5.8 title: Ensure kernel.kptr_restrict is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation rules: - - sysctl_kernel_kptr_restrict + - sysctl_kernel_kptr_restrict status: automated - id: 1.5.9 title: Ensure kernel.randomize_va_space is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation rules: - - sysctl_kernel_randomize_va_space + - sysctl_kernel_randomize_va_space status: automated - id: 1.5.10 title: Ensure kernel.yama.ptrace_scope is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation rules: + - sysctl_kernel_yama_ptrace_scope_value=1 - sysctl_kernel_yama_ptrace_scope status: automated - id: 1.5.11 title: Ensure core file size is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation rules: - disable_users_coredumps - id: 1.5.12 title: Ensure systemd-coredump ProcessSizeMax is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation rules: - - coredump_disable_backtraces + - coredump_disable_backtraces status: automated - id: 1.5.13 title: Ensure systemd-coredump Storage is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation rules: - - coredump_disable_storage + - coredump_disable_storage status: automated - id: 1.6.1 title: Ensure /etc/motd is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation + rules: + - banner_etc_motd_cis + - cis_banner_text=cis + status: automated + + - id: 1.6.2 + title: Ensure /etc/issue is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - cis_banner_text=cis + - banner_etc_issue_cis + status: automated + + - id: 1.6.3 + title: Ensure /etc/issue.net is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - cis_banner_text=cis + - 
banner_etc_issue_net_cis + status: automated + + - id: 1.6.4 + title: Ensure access to /etc/motd is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_etc_motd + - file_owner_etc_motd + - file_permissions_etc_motd + status: automated + + - id: 1.6.5 + title: Ensure access to /etc/issue is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_etc_issue + - file_owner_etc_issue + - file_permissions_etc_issue + status: automated + + - id: 1.6.6 + title: Ensure access to /etc/issue.net is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_etc_issue_net + - file_owner_etc_issue_net + - file_permissions_etc_issue_net + status: automated + + - id: 1.7.1 + title: Ensure GDM is removed (Automated) + levels: + - l2_server + rules: + - package_gdm_removed + status: automated + + - id: 1.7.2 + title: Ensure GDM login banner is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - login_banner_text=cis_default + - dconf_gnome_banner_enabled + - dconf_gnome_login_banner_text + status: automated + + - id: 1.7.3 + title: Ensure GDM disable-user-list option is enabled (Automated) + levels: + - l1_server + - l1_workstation + rules: + - dconf_gnome_disable_user_list + status: automated + + - id: 1.7.4 + title: Ensure GDM screen locks when the user is idle (Automated) + levels: + - l1_server + - l1_workstation + rules: + - inactivity_timeout_value=15_minutes + - var_screensaver_lock_delay=5_seconds + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_enabled + - dconf_gnome_screensaver_lock_delay + status: automated + notes: | + The rules satisfy both controls 1.7.4 and 1.7.5. + Rule lock_enabled is not part of CIS recommendation but is + required to assure the lock is enabled and cannot be manually disabled. 
+ See https://workbench.cisecurity.org/benchmarks/18959/tickets/23123 + + - id: 1.7.5 + title: Ensure GDM screen locks cannot be overridden (Automated) + levels: + - l1_server + - l1_workstation + rules: + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_enabled + - dconf_gnome_screensaver_lock_delay + status: automated + notes: | + The rules satisfy both controls 1.7.4 and 1.7.5. + Rule lock_enabled is not part of CIS recommendation but is + required to assure the lock is enabled and cannot be manually disabled. + See https://workbench.cisecurity.org/benchmarks/18959/tickets/23123 + + - id: 1.7.6 + title: Ensure GDM automatic mounting of removable media is disabled (Automated) + levels: + - l1_server + - l2_workstation + rules: + - dconf_gnome_disable_automount + - dconf_gnome_disable_automount_open + status: automated + notes: | + The rules satisfy both controls 1.7.6 and 1.7.7 + + - id: 1.7.7 + title: Ensure GDM disabling automatic mounting of removable media is not overridden (Automated) + levels: + - l1_server + - l2_workstation + rules: + - dconf_gnome_disable_automount + - dconf_gnome_disable_automount_open + status: automated + notes: | + The rules satisfy both controls 1.7.6 and 1.7.7 + + - id: 1.7.8 + title: Ensure GDM autorun-never is enabled (Automated) + levels: + - l1_server + - l1_workstation + rules: + - dconf_gnome_disable_autorun + status: automated + notes: | + The rule satisfies both controls 1.7.8 and 1.7.9 + + - id: 1.7.9 + title: Ensure GDM autorun-never is not overridden (Automated) + levels: + - l1_server + - l1_workstation + rules: + - dconf_gnome_disable_autorun + status: automated + notes: | + The rule satisfies both controls 1.7.8 and 1.7.9 + + - id: 1.7.10 + title: Ensure XDMCP is not enabled (Automated) + levels: + - l1_server + - l1_workstation + rules: + - gnome_gdm_disable_xdmcp + status: automated + + - id: 1.7.11 + title: Ensure Xwayland is configured (Automated) + levels: + - l2_server + - l2_workstation + 
status: pending + + - id: 2.1.1 + title: Ensure autofs services are not in use (Automated) + levels: + - l1_server + - l2_workstation + rules: + - service_autofs_disabled + - package_autofs_removed + status: automated + + - id: 2.1.2 + title: Ensure avahi daemon services are not in use (Automated) + levels: + - l1_server + - l2_workstation + rules: + - package_avahi_removed + - service_avahi-daemon_disabled + status: automated + + - id: 2.1.3 + title: Ensure dhcp server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_dhcp_removed + - service_dhcpd_disabled + - service_dhcpd6_disabled + status: automated + + - id: 2.1.4 + title: Ensure dns server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_bind_removed + - service_named_disabled + status: automated + + - id: 2.1.5 + title: Ensure dnsmasq services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_dnsmasq_removed + - service_dnsmasq_disabled + status: automated + + - id: 2.1.6 + title: Ensure ftp server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_vsftpd_removed + - service_vsftpd_disabled + status: automated + + - id: 2.1.7 + title: Ensure ldap server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_openldap-servers_removed + - service_slapd_disabled + status: automated + + - id: 2.1.8 + title: Ensure message access server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_dovecot_removed + - service_dovecot_disabled + status: automated + + - id: 2.1.9 + title: Ensure network file system services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_nfs-kernel-server_removed + - service_nfs_disabled + status: automated + + - id: 2.1.10 + title: Ensure nis server services are not in 
use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_ypserv_removed + - service_ypserv_disabled + status: automated + + - id: 2.1.11 + title: Ensure print server services are not in use (Automated) + levels: + - l1_server + - l2_workstation + rules: + - package_cups_removed + - service_cups_disabled + status: automated + + - id: 2.1.12 + title: Ensure rpcbind services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_rpcbind_removed + - service_rpcbind_disabled + status: automated + + - id: 2.1.13 + title: Ensure rsync services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_rsync_removed + - service_rsyncd_disabled + status: automated + + - id: 2.1.14 + title: Ensure samba file server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_samba_removed + - service_smb_disabled + status: automated + + - id: 2.1.15 + title: Ensure snmp services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_net-snmp_removed + - service_snmpd_disabled + status: automated + + - id: 2.1.16 + title: Ensure tftp server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_tftp-server_removed + - service_tftp_disabled + status: automated + + - id: 2.1.17 + title: Ensure tftp server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + status: pending + + - id: 2.1.18 + title: Ensure web proxy server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_squid_removed + - service_squid_disabled + status: automated + + - id: 2.1.19 + title: Ensure web server services are not in use (Automated) + levels: + - l1_server + - l1_workstation rules: - - banner_etc_motd_cis - - cis_banner_text=cis + - package_httpd_removed + - package_nginx_removed + - service_httpd_disabled + - 
service_nginx_disabled status: automated + - id: 2.1.20 + title: Ensure xinetd services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_xinetd_removed + - service_xinetd_disabled + status: automated + + - id: 2.1.21 + title: Ensure X window server services are not in use (Automated) + levels: + - l2_server + rules: + - package_xorg-x11-server-common_removed + status: automated + + - id: 2.1.22 + title: Ensure mail transfer agent are configured for local-only mode (Automated) + levels: + - l1_server + - l1_workstation + rules: + - has_nonlocal_mta + - var_postfix_inet_interfaces=loopback-only + - postfix_network_listening_disabled + status: automated + + - id: 2.1.23 + title: Ensure only approved services are listening on a network interface (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 2.2.1 + title: Ensure nis Client is not installed (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_nis_removed + status: automated + + - id: 2.2.2 + title: Ensure rsh client is not installed (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_rsh_removed + status: automated + + - id: 2.2.3 + title: Ensure talk client is not installed (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_talk_removed + status: automated + + - id: 2.2.4 + title: Ensure telnet client is not installed (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_inetutils-telnet_removed + - package_telnet_removed + status: automated + + - id: 2.2.5 + title: Ensure ldap client is not installed (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_openldap-clients_removed + status: automated + + - id: 2.2.6 + title: Ensure ftp client is not installed (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_ftp_removed + - package_tnftp_removed + status: automated + + - id: 2.3.1.1 + title: Ensure a single 
time synchronization daemon is in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_timesync_service=systemd-timesyncd + - package_chrony_installed + - service_chronyd_enabled + - service_chronyd_disabled + - package_timesyncd_installed + - service_timesyncd_enabled + - service_timesyncd_disabled + - ntp_single_service_active + status: automated + notes: | + To select which timesync daemon to install and configure, use the + profile variable var_timesync_service. + + - id: 2.3.2.1 + title: Ensure systemd-timesyncd configured with authorized timeserver (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_multiple_time_servers=debian + - service_timesyncd_configured + status: automated + + - id: 2.3.2.2 + title: Ensure systemd-timesyncd is enabled and running (Automated) + levels: + - l1_server + - l1_workstation + related_rules: + - service_timesyncd_enabled + - service_timesyncd_disabled + status: automated + notes: Implemented in 2.3.1.1 + + - id: 2.3.3.1 + title: Ensure chrony is configured with authorized timeserver (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_multiple_time_servers=debian + - var_multiple_time_pools=debian + - chronyd_configure_pool_and_server + status: partial + notes: | + Rule does not check or remediate config files included via + confdir and sourcedir directives. 
+ + - id: 2.3.3.2 + title: Ensure chrony is running as user _chrony (Automated) + levels: + - l1_server + - l1_workstation + rules: + - chronyd_run_as_chrony_user + status: automated + + - id: 2.3.3.3 + title: Ensure chrony is enabled and running (Automated) + levels: + - l1_server + - l1_workstation + related_rules: + - service_chronyd_enabled + - service_chronyd_disabled + status: automated + notes: Implemented in 2.3.1.1 + + - id: 2.4.1.1 + title: Ensure cron daemon is enabled and active (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_cron_installed + - service_cron_enabled + status: automated + + - id: 2.4.1.2 + title: Ensure access to /etc/crontab is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_cron_allow_exists + - file_groupowner_crontab + - file_owner_crontab + - file_permissions_crontab + status: automated + + - id: 2.4.1.3 + title: Ensure access to /etc/cron.hourly is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_cron_hourly + - file_owner_cron_hourly + - file_permissions_cron_hourly + status: automated + + - id: 2.4.1.4 + title: Ensure access to /etc/cron.daily is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_cron_daily + - file_owner_cron_daily + - file_permissions_cron_daily + status: automated + + - id: 2.4.1.5 + title: Ensure access to /etc/cron.weekly is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_cron_weekly + - file_owner_cron_weekly + - file_permissions_cron_weekly + status: automated + + - id: 2.4.1.6 + title: Ensure access to /etc/cron.monthly is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_cron_monthly + - file_owner_cron_monthly + - file_permissions_cron_monthly + status: automated + + - id: 2.4.1.7 + title: Ensure access to /etc/cron.yearly is configured (Automated) + levels: + - 
l1_server + - l1_workstation + status: pending + + - id: 2.4.1.8 + title: Ensure permissions on /etc/cron.d are configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_cron_d + - file_owner_cron_d + - file_permissions_cron_d + status: automated + + - id: 2.4.1.9 + title: Ensure access to crontab is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_cron_deny_not_exist + - file_groupowner_cron_allow + - file_owner_cron_allow + - file_permissions_cron_allow + status: automated + + - id: 2.4.2.1 + title: Ensure access to at is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_at_allow_exists + - file_groupowner_at_allow + - file_owner_at_allow + - file_permissions_at_allow + - file_groupowner_at_deny + - file_owner_at_deny + - file_permissions_at_deny + status: automated + notes: file_owner_at_deny and file_owner_at_allow currently require root as owner and don't accept + daemon + + - id: 3.1.1 + title: Ensure IPv6 status is identified (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 3.1.2 + title: Ensure wireless interfaces are not available (Automated) + levels: + - l1_server + rules: + - wireless_disable_interfaces + status: automated + + - id: 3.1.3 + title: Ensure bluetooth services are not in use (Automated) + levels: + - l1_server + - l2_workstation + rules: + - service_bluetooth_disabled + status: automated + + - id: 3.2.1 + title: Ensure atm kernel module is not available + levels: + - l1_server + - l1_workstation + status: pending + + - id: 3.2.2 + title: Ensure can kernel module is not available + levels: + - l1_server + - l1_workstation + status: pending + + - id: 3.2.3 + title: Ensure dccp kernel module is not available (Automated) + levels: + - l2_server + - l2_workstation + rules: + - kernel_module_dccp_disabled + status: automated + + - id: 3.2.4 + title: Ensure rds kernel module is not available (Automated) + levels: 
+ - l2_server + - l2_workstation + rules: + - kernel_module_rds_disabled + status: automated + + - id: 3.2.5 + title: Ensure sctp kernel module is not available (Automated) + levels: + - l2_server + - l2_workstation + rules: + - kernel_module_sctp_disabled + status: automated + + - id: 3.2.6 + title: Ensure tipc kernel module is not available (Automated) + levels: + - l2_server + - l2_workstation + rules: + - kernel_module_tipc_disabled + status: automated + + - id: 3.3.1.1 + title: Ensure net.ipv4.ip_forward is configured (Automated) + levels: + - l2_server + - l1_workstation + rules: + - sysctl_net_ipv4_ip_forward + status: automated + + - id: 3.3.1.2 + title: Ensure net.ipv4.conf.all.forwarding is configured (Automated) + levels: + - l1_server + - l1_workstation + status: pending + + - id: 3.3.1.3 + title: Ensure net.ipv4.conf.default.forwarding is configured (Automated) + levels: + - l1_server + - l1_workstation + status: pending + + - id: 3.3.1.4 + title: Ensure net.ipv4.conf.all.send_redirects is configured + levels: + - l1_server + - l1_workstation + status: pending + + - id: 3.3.1.5 + title: Ensure net.ipv4.conf.default.send_redirects is configured (Automated) + levels: + - l1_server + - l1_workstation + status: pending + + - id: 3.3.1.6 + title: Ensure net.ipv4.icmp_ignore_bogus_error_responses is configured (Automated) + levels: + - l1_server + - l1_workstation + status: pending + + - id: 3.3.1.7 + title: Ensure net.ipv4.icmp_echo_ignore_broadcasts is configured (Automated) + levels: + - l1_server + - l1_workstation + status: pending + + - id: 3.3.1.8 + title: Ensure net.ipv4.conf.all.accept_redirects is configured (Automated) + levels: + - l1_server + - l1_workstation + status: pending + + - id: 3.3.1.9 + title: Ensure net.ipv4.conf.default.accept_redirects is configured (Automated) + levels: + - l1_server + - l1_workstation + status: pending + + - id: 3.3.1.10 + title: Ensure net.ipv4.conf.all.secure_redirects is configured (Automated) + levels: + - 
l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 3.3.1.11
+ title: Ensure net.ipv4.conf.default.secure_redirects is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 3.3.1.12
+ title: Ensure net.ipv4.conf.all.rp_filter is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 3.3.1.13
+ title: Ensure net.ipv4.conf.default.rp_filter is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 3.3.1.14
+ title: Ensure net.ipv4.conf.all.accept_source_route is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 3.3.1.15
+ title: Ensure net.ipv4.conf.default.accept_source_route is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 3.3.1.16
+ title: Ensure net.ipv4.conf.all.log_martians is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 3.3.1.17
+ title: Ensure net.ipv4.conf.default.log_martians is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 3.3.1.18
+ title: Ensure net.ipv4.tcp_syncookies is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 3.3.1.
+ title: Ensure is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 3.3.2.1
+ title: Ensure Ensure net.ipv6.conf.all.forwarding is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 3.3.2.2
+ title: Ensure net.ipv6.conf.default.forwarding is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 3.3.2.3
+ title: Ensure net.ipv6.conf.all.accept_redirects is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 3.3.2.4
+ title: Ensure net.ipv6.conf.default.accept_redirects is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 3.3.2.5
+ title: Ensure net.ipv6.conf.all.accept_source_route is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 3.3.2.6
+ title: Ensure net.ipv6.conf.default.accept_source_route is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 3.3.2.7
+ title: Ensure net.ipv6.conf.all.accept_ra is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 3.3.2.8
+ title: Ensure net.ipv6.conf.default.accept_ra is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 4.1.1
+ title: Ensure ufw is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - package_ufw_installed
+ - package_iptables-persistent_removed
+ - firewall_single_service_active
+ - var_network_filtering_service=ufw
+ - check_ufw_active
+ - service_ufw_enabled
+ status: automated
+
+ - id: 4.1.2
+ title: Ensure ufw service is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 4.1.3
+ title: Ensure ufw incoming default is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 4.1.4
+ title: Ensure ufw outgoing default is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 4.1.5
+ title: Ensure ufw routed default is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 5.1.1
+ title: Ensure access_to /etc/ssh/sshd_config is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - file_groupowner_sshd_config
+ - file_owner_sshd_config
+ - file_permissions_sshd_config
+ status: automated
+
+ - id: 5.1.2
+ title: Ensure access to SSH private host key files is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - file_permissions_sshd_private_key
+ status: automated
+
+ - id: 5.1.3
+ title: Ensure access to SSH public host key files is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - file_permissions_sshd_pub_key
+ status: automated
+
+ - id: 5.1.4
+ title: Ensure sshd access is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - sshd_limit_user_access
+ status: automated
+
+ - id: 5.1.5
+ title: Ensure sshd Banner is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - sshd_enable_warning_banner_net
+ status: automated
+
+ - id: 5.1.6
+ title: Ensure sshd Ciphers are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - sshd_use_strong_ciphers
+ status: automated
+
+ - id: 5.1.7
+ title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - sshd_idle_timeout_value=5_minutes
+ - var_sshd_set_keepalive=3
+ - sshd_set_idle_timeout
+ - sshd_set_keepalive
+ status: partial
+ notes: |
+ The current implementation imposes an upper boundary on the
+ values. The CIS benchmark requires only that the values
+ are greater than 0.
+
+ - id: 5.1.8
+ title: Ensure sshd DisableForwarding is enabled (Automated)
+ levels:
+ - l1_workstation
+ - l2_server
+ rules:
+ - sshd_disable_forwarding
+ status: automated
+
+ - id: 5.1.9
+ title: Ensure sshd GSSAPIAuthentication is disabled (Automated)
+ levels:
+ - l1_workstation
+ - l2_server
+ rules:
+ - sshd_disable_gssapi_auth
+ status: automated
+
+ - id: 5.1.10
+ title: Ensure sshd HostbasedAuthentication is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - disable_host_auth
+ status: automated
+
+ - id: 5.1.11
+ title: Ensure sshd IgnoreRhosts is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - sshd_disable_rhosts
+ status: automated
+
+ - id: 5.1.12
+ title: Ensure sshd KexAlgorithms is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - sshd_strong_kex=cis_debian13
+ - sshd_use_strong_kex
+ status: automated
+
+ - id: 5.1.13
+ title: Ensure sshd post-quantum cryptography key exchange algorithms are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+
+ - id: 5.1.14
+ title: Ensure sshd LoginGraceTime is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - var_sshd_set_login_grace_time=60
+ - sshd_set_login_grace_time
+ status: automated
+
+ - id: 5.1.15
+ title: Ensure sshd LogLevel is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - sshd_set_loglevel_info
+ status: automated
+
+ - id: 5.1.16
+ title: Ensure sshd MACs are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - sshd_strong_macs=cis_debian12
+ - sshd_use_strong_macs
+ status: automated
+
+ - id: 5.1.17
+ title: Ensure sshd MaxAuthTries is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - sshd_max_auth_tries_value=4
+ - sshd_set_max_auth_tries
+ status: automated
+
+ - id: 5.1.18
+ title: Ensure sshd MaxSessions is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - var_sshd_max_sessions=10
+ - sshd_set_max_sessions
+ status: automated
+
+ - id: 5.1.19
+ title: Ensure sshd MaxStartups is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - var_sshd_set_maxstartups=10:30:60
+ - sshd_set_maxstartups
+ status: automated
+
+ - id: 5.1.20
+ title: Ensure sshd PermitEmptyPasswords is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - sshd_disable_empty_passwords
+ status: automated
+
+ - id: 5.1.21
+ title: Ensure sshd PermitRootLogin is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - sshd_disable_root_login
+ status: automated
+
+ - id: 5.1.22
+ title: Ensure sshd PermitUserEnvironment is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - sshd_do_not_permit_user_env
+ status: automated
+
+ - id: 5.1.23
+ title: Ensure sshd UsePAM is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - sshd_enable_pam
+ status: automated
+
+ - id: 5.2.1
+ title: Ensure sudo is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - package_sudo_installed
+ status: automated
+
+ - id: 5.2.2
+ title: Ensure sudo commands use pty (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - sudo_add_use_pty
+ status: automated
+
+ - id: 5.2.3
+ title: Ensure sudo log file exists (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - sudo_custom_logfile
+ status: automated
+
+ - id: 5.2.4
+ title: Ensure users must provide password for escalation (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - sudo_require_authentication
+ status: automated
+
+ - id: 5.2.5
+ title: Ensure re-authentication for privilege escalation is not disabled globally (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - sudo_remove_no_authenticate
+ status: automated
+
+ - id: 5.2.6
+ title: Ensure sudo authentication timeout is configured correctly (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - var_sudo_timestamp_timeout=15_minutes
+ - sudo_require_reauthentication
+ status: automated
+
+ - id: 5.2.7
+ title: Ensure access to the su command is restricted (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - var_pam_wheel_group_for_su=cis
+ - ensure_pam_wheel_group_empty
+ - use_pam_wheel_group_for_su
+ status: automated
+
+ - id: 5.3.1.1
+ title: Ensure latest version of pam is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - package_pam_runtime_installed
+ status: automated
+ notes: |
+ The CIS control checks that version >= 1.5.2-6 and not that
+ it is the latest version as the title suggests.
+
+ - id: 5.3.1.2
+ title: Ensure latest version of libpam-modules is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - package_pam_modules_installed
+ status: automated
+
+ - id: 5.3.1.3
+ title: Ensure latest version of libpam-pwquality is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - package_pam_pwquality_installed
+ status: automated
+
+ - id: 5.3.2.1
+ title: Ensure pam_unix module is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - accounts_password_pam_unix_enabled
+ status: automated
+
+ - id: 5.3.2.2
+ title: Ensure pam_faillock module is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - accounts_passwords_pam_faillock_enabled
+ status: automated
+
+ - id: 5.3.2.3
+ title: Ensure pam_pwquality module is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - accounts_password_pam_pwquality_enabled
+ status: automated
+
+ - id: 5.3.2.4
+ title: Ensure pam_pwhistory module is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - accounts_password_pam_pwhistory_enabled
+ status: automated
+
+ - id: 5.3.3.1.1
+ title: Ensure password failed attempts lockout is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - var_accounts_passwords_pam_faillock_deny=4
+ - accounts_passwords_pam_faillock_deny
+ status: automated
+
+ - id: 5.3.3.1.2
+ title: Ensure password unlock time is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - var_accounts_passwords_pam_faillock_unlock_time=900
+ - accounts_passwords_pam_faillock_unlock_time
+ status: automated
+
+ - id: 5.3.3.1.3
+ title: Ensure password failed attempts lockout includes root account (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - var_accounts_passwords_pam_faillock_root_unlock_time=900
+ - accounts_passwords_pam_faillock_root_unlock_time
+ status: automated
+
+ - id: 5.3.3.2.1
+ title: Ensure password number of changed characters is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - var_password_pam_difok=2
+ - accounts_password_pam_difok
+ status: automated
+
+ - id: 5.3.3.2.2
+ title: Ensure minimum password length is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - var_password_pam_minlen=14
+ - accounts_password_pam_minlen
+ status: automated
+
+ - id: 5.3.3.2.3
+ title: Ensure password complexity is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - var_password_pam_minclass=4
+ - var_password_pam_dcredit=1
+ - var_password_pam_lcredit=1
+ - var_password_pam_ocredit=1
+ - var_password_pam_ucredit=1
+ - accounts_password_pam_minclass
+ - accounts_password_pam_dcredit
+ - accounts_password_pam_lcredit
+ - accounts_password_pam_ocredit
+ - accounts_password_pam_ucredit
+ status: automated
+
+ - id: 5.3.3.2.4
+ title: Ensure password same consecutive characters is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - var_password_pam_maxrepeat=3
+ - accounts_password_pam_maxrepeat
+ status: automated
+
+ - id: 5.3.3.2.5
+ title: Ensure password maximum sequential characters is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - accounts_password_pam_maxsequence
+ status: automated
+
+ - id: 5.3.3.2.6
+ title: Ensure password dictionary check is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - var_password_pam_dictcheck=1
+ - accounts_password_pam_dictcheck
+ status: automated
+
+ - id: 5.3.3.2.7
+ title: Ensure password quality checking is enforced (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - var_password_pam_enforcing=1
+ - accounts_password_pam_enforcing
+ status: automated
+
+ - id: 5.3.3.2.8
+ title: Ensure password quality is enforced for the root user (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - accounts_password_pam_enforce_root
+ status: automated
+
+ - id: 5.3.3.3.1
+ title: Ensure password history remember is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - var_password_pam_remember=24
+ - accounts_password_pam_pwhistory_remember
+ status: automated
+
+ - id: 5.3.3.3.2
+ title: Ensure password history is enforced for the root user (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - accounts_password_pam_pwhistory_enforce_root
+ status: automated
+
+ - id: 5.3.3.3.3
+ title: Ensure pam_pwhistory includes use_authtok (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - accounts_password_pam_pwhistory_use_authtok
+ status: automated
+
+ - id: 5.3.3.4.1
+ title: Ensure pam_unix does not include nullok (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - no_empty_passwords_unix
+ status: automated
+
+ - id: 5.3.3.4.2
+ title: Ensure pam_unix does not include remember (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - accounts_password_pam_unix_no_remember
+ status: automated
+
+ - id: 5.3.3.4.3
+ title: Ensure pam_unix includes a strong password hashing algorithm (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - var_password_hashing_algorithm_pam=yescrypt
+ - set_password_hashing_algorithm_systemauth
+ status: automated
+
+ - id: 5.3.3.4.4
+ title: Ensure pam_unix includes use_authtok (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - accounts_password_pam_unix_authtok
+ status: automated
+
+ - id: 5.4.1.1
+ title: Ensure password expiration is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - var_accounts_maximum_age_login_defs=365
+ - accounts_maximum_age_login_defs
+ - accounts_password_set_max_life_existing
+ status: automated
+
+ - id: 5.4.1.2
+ title: Ensure minimum password days is configured (Manual)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - var_accounts_minimum_age_login_defs=1
+ - accounts_minimum_age_login_defs
+ - accounts_password_set_min_life_existing
+ status: automated
+
+ - id: 5.4.1.3
+ title: Ensure password expiration warning days is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - var_accounts_password_warn_age_login_defs=7
+ - accounts_password_warn_age_login_defs
+ status: automated
+
+ - id: 5.4.1.4
+ title: Ensure strong password hashing algorithm is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - set_password_hashing_algorithm_logindefs
+ - var_password_hashing_algorithm=yescrypt
+ status: automated
+ notes: Rule allows either SHA512 or YESCRYPT
+
+ - id: 5.4.1.5
+ title: Ensure inactive password lock is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - var_account_disable_post_pw_expiration=45
+ - account_disable_post_pw_expiration
+ - accounts_set_post_pw_existing
+ status: automated
+ notes: CIS setting now 45 days.
+
+ - id: 5.4.1.6
+ title: Ensure all users last password change date is in the past (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - accounts_password_last_change_is_in_past
+ status: automated
+
+ - id: 5.4.2.1
+ title: Ensure root is the only UID 0 account (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - accounts_no_uid_except_zero
+ status: automated
+
+ - id: 5.4.2.2
+ title: Ensure root is the only GID 0 account (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - accounts_root_gid_zero
+ status: automated
+ notes: |
+ The remediation is not automated as the removal or modification
+ of group IDs from a system is too disruptive.
+
+ - id: 5.4.2.3
+ title: Ensure group root is the only GID 0 group (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - groups_no_zero_gid_except_root
+ status: automated
+ notes: |
+ The remediation is not automated as the removal or modification
+ of group IDs from a system is too disruptive.
+
+ - id: 5.4.2.4
+ title: Ensure root account access is controlled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - ensure_root_access_controlled
+ status: automated
+ notes: This rule doesn't come with a remediation, as the exact requirement allows root to either
+ have a password or be locked.
+
+ - id: 5.4.2.5
+ title: Ensure root path integrity (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - accounts_root_path_dirs_no_write
+ - root_path_all_dirs
+ - root_path_no_dot
+ - no_dirs_unowned_by_root
+ status: automated
+
+ - id: 5.4.2.6
+ title: Ensure root user umask is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - accounts_umask_root
+ status: automated
+
+ - id: 5.4.2.7
+ title: Ensure system accounts do not have a valid login shell (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - no_shelllogin_for_systemaccounts
+ status: automated
+
+ - id: 5.4.2.8
+ title: Ensure accounts without a valid login shell are locked (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - no_invalid_shell_accounts_unlocked
+ status: automated
+ notes: |
+ Remediation is not automated.
+
+ - id: 5.4.3.1
+ title: Ensure nologin is not listed in /etc/shells (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - no_nologin_in_shells
+ status: automated
+
+ - id: 5.4.3.2
+ title: Ensure default user shell timeout is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - var_accounts_tmout=15_min
+ - accounts_tmout
+ status: automated
+
+ - id: 5.4.3.3
+ title: Ensure default user umask is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - var_accounts_user_umask=027
+ - accounts_umask_etc_bashrc
+ - accounts_umask_etc_login_defs
+ - accounts_umask_etc_profile
+ status: automated
+
+ - id: 6.1.1.1.1
+ title: Ensure journald service is active (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - service_systemd-journald_enabled
+ status: automated
+
+ - id: 6.1.1.1.2
+ title: Ensure journald log file access is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 6.1.1.1.3
+ title: Ensure journald log file rotation is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 6.1.1.1.4
+ title: Ensure journald ForwardToSyslog is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - journald_disable_forward_to_syslog
+ status: automated
+
+ - id: 6.1.1.1.5
+ title: Ensure journald Storage is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - journald_storage
+ status: automated
+
+ - id: 6.1.1.1.6
+ title: Ensure journald Compress is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - journald_compress
+ status: automated
+
+ - id: 6.1.1.2.1
+ title: Ensure systemd-journal-remote is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - package_systemd-journal-remote_installed
+ status: automated
+
+ - id: 6.1.1.2.2
+ title: Ensure systemd-journal-upload authentication is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - systemd_journal_upload_server_tls
+ - systemd_journal_upload_url
+ status: automated
+
+ - id: 6.1.1.2.3
+ title: Ensure systemd-journal-upload is enabled and active (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - service_systemd-journal-upload_enabled
+ status: automated
+
+ - id: 6.1.1.2.4
+ title: Ensure systemd-journal-remote service is not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - socket_systemd-journal-remote_disabled
+ status: automated
+
+ - id: 6.1.2.1
+ title: Ensure rsyslog is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - package_rsyslog_installed
+ status: automated
+
+ - id: 6.1.2.2
+ title: Ensure rsyslog service is enabled and active (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - service_rsyslog_enabled
+ status: automated
+
+ - id: 6.1.2.3
+ title: Ensure journald is configured to send logs to rsyslog (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - journald_forward_to_syslog
+ status: automated
+
+ - id: 6.1.2.4
+ title: Ensure rsyslog log file creation mode is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - rsyslog_filecreatemode
+ status: automated
+
+ - id: 6.1.2.5
+ title: Ensure rsyslog logging is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 6.1.2.6
+ title: Ensure rsyslog is configured to send logs to a remote log host (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ related_rules:
+ - rsyslog_remote_loghost
+ status: manual
+ notes: |
+ Existing rule (rsyslog_remote_loghost) is not used because rsyslog configuration
+ is site-specific and can be too complex to reliably audit and remediate.
+ See also https://github.com/ComplianceAsCode/content/issues/11812
+
+ - id: 6.1.2.7
+ title: Ensure rsyslog is not configured to receive logs from a remote client (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - rsyslog_nolisten
+ status: automated
+
+ - id: 6.1.2.8
+ title: Ensure logrotate is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 6.1.2.9
+ title: Ensure rsyslog-gnutls is installed (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: pending
+
+ - id: 6.1.2.10
+ title: Ensure rsyslog forwarding uses gtls (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: pending
+
+ - id: 6.1.2.11
+ title: Ensure rsyslog CA certificates are configured (Manual)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: pending
+
+ - id: 6.1.3.1
+ title: Ensure access to all logfiles has been configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - file_groupownerships_var_log_apt
+ - file_groupownerships_var_log_gdm
+ - file_groupownerships_var_log_gdm3
+ - file_groupownerships_var_log_landscape
+ - file_groupownerships_var_log_sssd
+ - file_groupowner_var_log_auth
+ - file_groupowner_var_log_cloud_init
+ - file_groupowner_var_log_journal
+ - file_groupowner_var_log_lastlog
+ - file_groupowner_var_log_localmessages
+ - file_groupowner_var_log_messages
+ - file_groupowner_var_log_secure
+ - file_groupowner_var_log_syslog
+ - file_groupowner_var_log_waagent
+ - file_groupowner_var_log_wbtmp
+ - file_ownerships_var_log_apt
+ - file_ownerships_var_log_gdm
+ - file_ownerships_var_log_gdm3
+ - file_ownerships_var_log_landscape
+ - file_ownerships_var_log_sssd
+ - file_owner_var_log_auth
+ - file_owner_var_log_cloud_init
+ - file_owner_var_log_journal
+ - file_owner_var_log_lastlog
+ - file_owner_var_log_localmessages
+ - file_owner_var_log_messages
+ - file_owner_var_log_secure
+ - file_owner_var_log_syslog
+ - file_owner_var_log_waagent
+ - file_owner_var_log_wbtmp
+ - file_permissions_var_log_apt
+ - file_permissions_var_log_auth
+ - file_permissions_var_log_cloud-init
+ - file_permissions_var_log_gdm
+ - file_permissions_var_log_gdm3
+ - file_permissions_var_log_lastlog
+ - file_permissions_var_log_cloud-init
+ - file_permissions_var_log_localmessages
+ - file_permissions_var_log_messages
+ - file_permissions_var_log_secure
+ - file_permissions_var_log_sssd
+ - file_permissions_var_log_syslog
+ - file_permissions_var_log_waagent
+ - file_permissions_var_log_wbtmp
+ - file_groupownerships_var_log
+ - file_ownerships_var_log
+ - permissions_local_var_log
+ status: automated
+
+ - id: 6.2.1.1
+ title: Ensure auditd packages are installed (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - package_audit_installed
+ - package_audit-audispd-plugins_installed
+ status: automated
+
+ - id: 6.2.1.2
+ title: Ensure auditd service is enabled and active (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - service_auditd_enabled
+ status: automated
+
+ - id: 6.2.1.3
+ title: Ensure auditing for processes that start prior to auditd is enabled (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - grub2_audit_argument
+ - zipl_audit_argument
+ status: automated
+
+ - id: 6.2.1.4
+ title: Ensure audit_backlog_limit is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - grub2_audit_backlog_limit_argument
+ - var_audit_backlog_limit=8192
+ - zipl_audit_backlog_limit_argument
+ status: automated
+
+ - id: 6.2.2.1
+ title: Ensure audit log storage size is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - var_auditd_max_log_file=6
+ - auditd_data_retention_max_log_file
+ status: automated
+
+ - id: 6.2.2.2
+ title: Ensure audit logs are not automatically deleted (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - var_auditd_max_log_file_action=keep_logs
+ - auditd_data_retention_max_log_file_action
+ status: automated
+
+ - id: 6.2.2.3
+ title: Ensure system is disabled when audit logs are full (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - var_auditd_disk_error_action=cis_debian12
+ - var_auditd_disk_full_action=cis_debian12
+ - auditd_data_disk_error_action
+ - auditd_data_disk_full_action
+ status: automated
+
+ - id: 6.2.2.4
+ title: Ensure system warns when audit logs are low on space (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - var_auditd_action_mail_acct=root
+ - var_auditd_space_left_action=email
+ - var_auditd_admin_space_left_action=halt
+ - auditd_data_retention_action_mail_acct
+ - auditd_data_retention_admin_space_left_action
+ - auditd_data_retention_space_left_action
+ status: partial
+ notes: |
+ The variables should allow multiple options.
+
+ - id: 6.2.3.1
+ title: Ensure modification of the /etc/sudoers file is collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_sysadmin_actions
+ status: automated
+
+ - id: 6.2.3.2
+ title: Ensure actions as another user are always logged (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_suid_auid_privilege_function
+ status: automated
+
+ - id: 6.2.3.3
+ title: Ensure events that modify the sudo log file are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_sudo_log_events
+ status: automated
+
+ - id: 6.2.3.4
+ title: Ensure events that modify date and time information are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_time_adjtimex
+ - audit_rules_time_clock_settime
+ - audit_rules_time_settimeofday
+ - audit_rules_time_watch_localtime
+ status: automated
+
+ - id: 6.2.3.5
+ title: Ensure events that modify sethostname and setdomainname are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_networkconfig_modification_sethostname
+ - audit_rules_networkconfig_modification_setdomainname
+ status: automated
+
+ - id: 6.2.3.6
+ title: Ensure events that modify /etc/issue and /etc/issue.net are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_networkconfig_modification_etc_issue
+ - audit_rules_networkconfig_modification_etc_issue_net
+ status: automated
+
+ - id: 6.2.3.7
+ title: Ensure events that modify /etc/hosts and /etc/hostname are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_networkconfig_modification_etc_hosts
+ - audit_rules_networkconfig_modification_hostname_file
+ status: automated
+
+ - id: 6.2.3.8
+ title: Ensure events that modify the system's network environment are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_networkconfig_modification
+ status: automated
+
+ - id: 6.2.3.9
+ title: Ensure events that modify /etc/NetworkManager directory are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_networkconfig_modification_networkmanager
+ status: automated
+
+ - id: 6.2.3.10
+ title: Ensure use of privileged commands are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_privileged_commands
+ status: automated
+
+ - id: 6.2.3.11
+ title: Ensure unsuccessful file access attempts are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_truncate
+ status: automated
+
+ - id: 6.2.3.12
+ title: Ensure events that modify /etc/group information are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_usergroup_modification_group
+
+ - id: 6.2.3.13
+ title: Ensure events that modify /etc/passwd information are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_usergroup_modification_passwd
+ status: automated
+
+ - id: 6.2.3.14
+ title: Ensure events that modify /etc/shadow and /etc/gshadow are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_usergroup_modification_shadow
+ - audit_rules_usergroup_modification_gshadow
+ status: automated
+
+ - id: 6.2.3.15
+ title: Ensure events that modify /etc/security/opasswd are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_usergroup_modification_opasswd
+ status: automated
+
+ - id: 6.2.3.16
+ title: Ensure events that modify /etc/nsswitch.conf file are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_usergroup_modification_nsswitch_conf
+ status: automated
+
+ - id: 6.2.3.17
+ title: Ensure events that modify /etc/pam.conf and /etc/pam.d/ information are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_usergroup_modification_pam_conf
+ - audit_rules_usergroup_modification_pamd
+ status: automated
+
+ - id: 6.2.3.18
+ title: Ensure discretionary access control permission modification events chmod,fchmod,fchmodat,fchmodat2 are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmodat2
+ status: automated
+
+ - id: 6.2.3.19
+ title: Ensure discretionary access control permission modification events chown,fchown,lchown,fchownat are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_fchownat
+ status: automated
+
+ - id: 6.2.3.20
+ title: Ensure discretionary access control permission modification events setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_removexattr
+ status: automated
+
+ - id: 6.2.3.21
+ title: Ensure successful file system mounts are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_media_export
+ status: automated
+
+ - id: 6.2.3.22
+ title: Ensure session initiation information is collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_session_events
+ status: automated
+
+ - id: 6.2.3.23
+ title: Ensure login and logout events are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - var_accounts_passwords_pam_faillock_dir=run
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ status: automated
+
+ - id: 6.2.3.24
+ title: Ensure unlink file deletion events by users are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ status: automated
+
+ - id: 6.2.3.25
+ title: Ensure rename file deletion events by users are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat2
+ status: automated
+
+ - id: 6.2.3.26
+ title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_mac_modification_etc_apparmor
+ - audit_rules_mac_modification_etc_apparmor_d
+ status: automated
+
+ - id: 6.2.3.27
+ title: Ensure successful and unsuccessful attempts to use the chcon command are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_execution_chcon
+ status: automated
+
+ - id: 6.2.3.28
+ title: Ensure successful and unsuccessful attempts to use the setfacl command are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_execution_setfacl
+ status: automated
+
+ - id: 6.2.3.29
+ title: Ensure successful and unsuccessful attempts to use the chacl command are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_execution_chacl
+ status: automated
+
+ - id: 6.2.3.30
+ title: Ensure successful and unsuccessful attempts to use the usermod command are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_privileged_commands_usermod
+ status: automated
+
+ - id: 6.2.3.31
+ title: Ensure kernel module loading unloading and modification is collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_privileged_commands_kmod
+ status: automated
+
+ - id: 6.2.3.32
+ title: Ensure kernel "init_module" and "finit_module" loading unloading and modification is collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_kernel_module_loading_finit
+ status: automated
+
+ - id: 6.2.3.33
+ title: Ensure kernel "delete_module" loading unloading and modification is collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_kernel_module_loading_delete
+ status: automated
+
+ - id: 6.2.3.34
+ title: Ensure kernel query_module loading unloading and modification is collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_kernel_module_loading_create
+ - audit_rules_kernel_module_loading_query
+ status: automated
+
+ - id: 6.2.3.35
+ title: Ensure the audit configuration is loaded regardless of errors (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: pending
+
+ - id: 6.2.3.36
+ title: Ensure the audit configuration is immutable (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - audit_rules_immutable
+ status: automated
+
+ - id: 6.2.3.37
+ title: Ensure the running and on disk configuration is the same (Manual)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: manual
+
+ - id: 6.2.4.1
+ title: Ensure audit log files mode is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - file_permissions_var_log_audit
+ status: automated
+
+ - id: 6.2.4.2
+ title: Ensure audit log files owner is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - file_ownership_var_log_audit_stig
+ status: automated
+
+ - id: 6.2.4.3
+ title: Ensure audit log files group owner is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - file_group_ownership_var_log_audit
+ status: automated
+
+ - id: 6.2.4.4
+ title: Ensure the audit log file directory mode is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - directory_permissions_var_log_audit
+ status: automated
+
+ - id: 6.2.4.5
+ title: Ensure audit configuration files mode is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - file_permissions_etc_audit_auditd
+ - file_permissions_etc_audit_rules
+ - file_permissions_etc_audit_rulesd
+ status: automated
+
+ - id: 6.2.4.6
+ title: Ensure audit configuration files owner is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - file_ownership_audit_configuration
+ status: automated
+
+ - id: 6.2.4.7
+ title: Ensure audit configuration files group owner is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - file_groupownership_audit_configuration
+ status: automated
+
+ - id: 6.2.4.8
+ title: Ensure audit tools mode is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - file_permissions_audit_binaries
+ status: automated
+
+ - id: 6.2.4.9
+ title: Ensure audit tools owner is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - file_ownership_audit_binaries
+ status: automated
+
+ - id: 6.2.4.10
+ title: Ensure audit tools group owner is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ rules:
+ - file_groupownership_audit_binaries
+ status: automated
+
+ - id: 6.3.1
+ title: Ensure AIDE is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ rules:
+ - aide_build_database
+ - package_aide_installed
+ status: automated
+
+ - id: 6.3.2
+ title: Ensure filesystem integrity is regularly checked (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ 
rules: + - aide_periodic_checking_systemd_timer + status: automated + + - id: 6.3.3 + title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated) + levels: + - l2_server + - l2_workstation + rules: + - aide_check_audit_tools + status: automated + + - id: 7.1.1 + title: Ensure access to /etc/passwd is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_etc_passwd + - file_owner_etc_passwd + - file_permissions_etc_passwd + status: automated + + - id: 7.1.2 + title: Ensure access to /etc/passwd- is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_backup_etc_passwd + - file_owner_backup_etc_passwd + - file_permissions_backup_etc_passwd + status: automated + + - id: 7.1.3 + title: Ensure access to /etc/group is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_etc_group + - file_owner_etc_group + - file_permissions_etc_group + status: automated + + - id: 7.1.4 + title: Ensure paccess to /etc/group- is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_backup_etc_group + - file_owner_backup_etc_group + - file_permissions_backup_etc_group + status: automated + + - id: 7.1.5 + title: Ensure access to /etc/shadow is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_etc_shadow + - file_owner_etc_shadow + - file_permissions_etc_shadow + status: automated + + - id: 7.1.6 + title: Ensure access to /etc/shadow- is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_backup_etc_shadow + - file_owner_backup_etc_shadow + - file_permissions_backup_etc_shadow + status: automated + + - id: 7.1.7 + title: Ensure access to /etc/gshadow is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_etc_gshadow + - file_owner_etc_gshadow + - 
file_permissions_etc_gshadow + status: automated + + - id: 7.1.8 + title: Ensure access to /etc/gshadow- is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_backup_etc_gshadow + - file_owner_backup_etc_gshadow + - file_permissions_backup_etc_gshadow + status: automated + + - id: 7.1.9 + title: Ensure access to /etc/shells is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_owner_etc_shells + - file_groupowner_etc_shells + - file_permissions_etc_shells + status: automated + + - id: 7.1.10 + title: Ensure access to /etc/security/opasswd is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_owner_etc_security_opasswd + - file_groupowner_etc_security_opasswd + - file_permissions_etc_security_opasswd + - file_owner_etc_security_opasswd_old + - file_groupowner_etc_security_opasswd_old + - file_permissions_etc_security_opasswd_old + status: automated + + - id: 7.1.11 + title: Ensure world writable files and directories are secured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_permissions_unauthorized_world_writable + status: automated + + - id: 7.1.12 + title: Ensure no files or directories without an owner and a group exist (Automated) + levels: + - l1_server + - l1_workstation + rules: + - no_files_unowned_by_user + - file_permissions_ungroupowned + status: automated + + - id: 7.1.13 + title: Ensure SUID and SGID files are reviewed (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 7.2.1 + title: Ensure accounts in /etc/passwd use shadowed passwords (Automated) + levels: + - l1_server + - l1_workstation + rules: + - accounts_password_all_shadowed + status: automated + + - id: 7.2.2 + title: Ensure /etc/shadow password fields are not empty (Automated) + levels: + - l1_server + - l1_workstation + rules: + - no_empty_passwords_etc_shadow + status: automated + + - id: 7.2.3 + title: Ensure all groups in 
/etc/passwd exist in /etc/group (Automated) + levels: + - l1_server + - l1_workstation + rules: + - gid_passwd_group_same + status: automated + + - id: 7.2.4 + title: Ensure shadow group is empty (Automated) + levels: + - l1_server + - l1_workstation + rules: + - ensure_shadow_group_empty + status: automated + + - id: 7.2.5 + title: Ensure no duplicate UIDs exist (Automated) + levels: + - l1_server + - l1_workstation + rules: + - account_unique_id + status: automated + + - id: 7.2.6 + title: Ensure no duplicate GIDs exist (Automated) + levels: + - l1_server + - l1_workstation + rules: + - group_unique_id + status: automated + + - id: 7.2.7 + title: Ensure no duplicate user names exist (Automated) + levels: + - l1_server + - l1_workstation + rules: + - account_unique_name + status: automated + + - id: 7.2.8 + title: Ensure no duplicate group names exist (Automated) + levels: + - l1_server + - l1_workstation + rules: + - group_unique_name + status: automated + + - id: 7.2.9 + title: Ensure local interactive user home directories are configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - accounts_user_interactive_home_directory_exists + - file_groupownership_home_directories + - file_ownership_home_directories + - file_permissions_home_directories + status: automated + + - id: 7.2.10 + title: Ensure local interactive user dot files access is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - no_rsh_trust_files + - no_forward_files + - no_netrc_files + - accounts_user_dot_user_ownership + - accounts_user_dot_group_ownership + - var_user_initialization_files_regex=all_dotfiles + - file_permission_user_init_files + - file_permission_user_bash_history + status: automated From c088e43835e62c60ec0526658f68b5e1638ddfaa Mon Sep 17 00:00:00 2001 
From: Alexandre Skrzyniarz Date: Thu, 2 Jul 2026 15:01:04 +0200 Subject: [PATCH 5/6] add debian 13 CIS profiles
--- .../profiles/cis_level1_workstation.profile | 19 +++++++++++++++++++ .../profiles/cis_level2_server.profile | 19 +++++++++++++++++++ .../profiles/cis_level2_workstation.profile | 19 +++++++++++++++++++ 3 files changed, 57 insertions(+) create mode 100644 products/debian13/profiles/cis_level1_workstation.profile create mode 100644 products/debian13/profiles/cis_level2_server.profile create mode 100644 products/debian13/profiles/cis_level2_workstation.profile
diff --git a/products/debian13/profiles/cis_level1_workstation.profile b/products/debian13/profiles/cis_level1_workstation.profile new file mode 100644
index 00000000000..cfc331a4235
--- /dev/null
+++ b/products/debian13/profiles/cis_level1_workstation.profile
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0.0
+
+reference: https://www.cisecurity.org/benchmark/debian_linux
+
+title: 'CIS Debian Benchmark for Level 1 - Workstation'
+
+description: |-
+ This profile defines a baseline that aligns to the "Level 1 - Workstation"
+ configuration from the Center for Internet Security®
+ Debian 13 Benchmark™, v1.0.0, released 2025-12-16.
+
+ This profile includes Center for Internet Security®
+ Debian 13 Benchmark™ content.
+
+selections:
+ - cis_debian13:all:l1_workstation
diff --git a/products/debian13/profiles/cis_level2_server.profile b/products/debian13/profiles/cis_level2_server.profile new file mode 100644
index 00000000000..f17e167a39e
--- /dev/null
+++ b/products/debian13/profiles/cis_level2_server.profile
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0.0
+
+reference: https://www.cisecurity.org/benchmark/debian_linux
+
+title: 'CIS Debian Benchmark for Level 2 - Server'
+
+description: |-
+ This profile defines a baseline that aligns to the "Level 2 - Server"
+ configuration from the Center for Internet Security®
+ Debian 13 Benchmark™, v1.0.0, released 2025-12-16.
+
+ This profile includes Center for Internet Security®
+ Debian 13 Benchmark™ content.
+
+selections:
+ - cis_debian13:all:l2_server
diff --git a/products/debian13/profiles/cis_level2_workstation.profile b/products/debian13/profiles/cis_level2_workstation.profile new file mode 100644
index 00000000000..0c9d0eb08a1
--- /dev/null
+++ b/products/debian13/profiles/cis_level2_workstation.profile
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0.0
+
+reference: https://www.cisecurity.org/benchmark/debian_linux
+
+title: 'CIS Debian Benchmark for Level 2 - Workstation'
+
+description: |-
+ This profile defines a baseline that aligns to the "Level 2 - Workstation"
+ configuration from the Center for Internet Security®
+ Debian 13 Benchmark™, v1.0.0, released 2025-12-16.
+
+ This profile includes Center for Internet Security®
+ Debian 13 Benchmark™ content.
+
+selections:
+ - cis_debian13:all:l2_workstation From 97cc46c75886e084170dd7f9e5fe658ac6718df4 Mon Sep 17 00:00:00 2001 From: Alexandre Skrzyniarz Date: Thu, 2 Jul 2026 15:55:49 +0200 Subject: [PATCH 6/6] add debian support in grub2_bootloader_argument aval template
--- .../grub2_bootloader_argument/oval.template | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template
index 8f31aadbc09..0b2fec8b167 100644
--- a/shared/templates/grub2_bootloader_argument/oval.template
+++ b/shared/templates/grub2_bootloader_argument/oval.template
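Review bot: The Level 2 server profile selects only `cis_debian13:all:l2_server`, so it covers the CIS Level 1 controls (a Level 2 benchmark is a superset of Level 1) only if the `l2_server` level in the cis_debian13 controls file inherits from `l1_server`; that level definition is outside this hunk, so please confirm it carries `inherits_from: [l1_server]`, or add `extends: cis_level1_server` to this profile, otherwise every control tagged only `l1_server` in the controls file (the 7.1.x and 7.2.x file-permission and account checks, for example) is silently dropped from the server baseline. The same question applies to `cis_level2_workstation` and `l1_workstation` in the next hunk. The diffstat of this commit lists three profiles and no `cis_level1_server.profile`; if it is not added by another commit in this series, the `l1_server` level is defined but unreachable from any profile. A one-line comment next to `version: 1.0.0`, such as `# tracks CIS Debian 13 Benchmark v1.0.0 (2025-12-16)`, would make the coupling with the benchmark version quoted in the description explicit.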
@@ -20,7 +20,7 @@ + `/boot/grub2/grubenv` OL7 `uses_grub_cfg` `/boot/grub2/grub.cfg` `/etc/default/grub` (args on `vmlinuz` lines) - Ubuntu `uses_grub_cfg` `/boot/grub/grub.cfg` `/etc/default/grub` `/etc/default/grub.d/*.cfg` + Ubuntu, Debian `uses_grub_cfg` `/boot/grub/grub.cfg` `/etc/default/grub` `/etc/default/grub.d/*.cfg` `uses_etc_default_grub_d` (args on `vmlinuz` lines) LONG DESCRIPTION (text equivalent of the table): @@ -42,7 +42,7 @@ Boot entries: `/boot/grub2/grub.cfg` (args on `vmlinuz` lines) Persistent config: `/etc/default/grub` - Ubuntu: + Ubuntu, Debian: Flags: `uses_grub_cfg`, `uses_etc_default_grub_d` Boot entries: `/boot/grub/grub.cfg` (args on `vmlinuz` lines) Persistent config: `/etc/default/grub` @@ -103,7 +103,7 @@ `/boot/grub2/grub.cfg` (exists on all platforms, but content differs) Generated by `grub2-mkconfig` from `/etc/default/grub`. - On OL7 and Ubuntu (non-`BLS` platforms), `grub.cfg` contains the actual kernel + On OL7, Debian, and Ubuntu (non-`BLS` platforms), `grub.cfg` contains the actual kernel boot lines with one `linux /vmlinuz-...` line per installed kernel, e.g.: linux /vmlinuz-5.4.0-150-generic root=/dev/mapper/ubuntu-root ro audit=1 This template checks these `vmlinuz` lines for the required kernel argument. @@ -122,7 +122,7 @@ If `GRUB_DISABLE_RECOVERY=true` is also set, there are no recovery entries, so `_DEFAULT` effectively applies to all entries too. - `/etc/default/grub.d/*.cfg` (Ubuntu only) + `/etc/default/grub.d/*.cfg` (Debian and Ubuntu) Drop-in config files that supplement `/etc/default/grub`. Can also set `GRUB_CMDLINE_LINUX` and `GRUB_CMDLINE_LINUX_DEFAULT`. `grub2-mkconfig` reads these in addition to `/etc/default/grub`. 
@@ -275,8 +275,8 @@ {{% set uses_boot_loader_entries = product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "rhel10"] %}} {{% set uses_kernelopts = product in ["ol8", "rhel8"] %}} -{{% set uses_etc_default_grub_d = 'ubuntu' in product %}} -{{% set uses_grub_cfg = product in ["ol7"] or 'ubuntu' in product %}} +{{% set uses_etc_default_grub_d = 'ubuntu' in product or 'debian' in product %}} +{{% set uses_grub_cfg = product in ["ol7"] or 'ubuntu' in product or 'debian' in product %}} {{% set has_separate_bios_and_uefi = grub2_uefi_boot_path and grub2_uefi_boot_path != grub2_boot_path %}} {{% set has_value = ARG_VALUE or ARG_VARIABLE %}} @@ -367,7 +367,7 @@ {{%- endif %}} {{%- if uses_grub_cfg %}} - {{# OL7 / Ubuntu `{grub2_boot_path}/grub.cfg` (`uses_grub_cfg`) + {{# OL7 / Debian / Ubuntu `{grub2_boot_path}/grub.cfg` (`uses_grub_cfg`) BIOS: `{grub2_boot_path}/grub.cfg` (e.g. `/boot/grub2/grub.cfg`) UEFI: `{grub2_uefi_boot_path}/grub.cfg` (e.g. `/boot/efi/EFI/redhat/grub.cfg`) UEFI criterion only emitted when `has_separate_bios_and_uefi` is true. #}} @@ -388,7 +388,7 @@ {{# `GRUB_CMDLINE_LINUX` (applies to all boot entries). - Checks `/etc/default/grub`, plus `/etc/default/grub.d/*.cfg` drop-ins on Ubuntu. #}} + Checks `/etc/default/grub`, plus `/etc/default/grub.d/*.cfg` drop-ins on Ubuntu and Debian. #}} 
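Review bot: Setting `uses_grub_cfg` for Debian makes the template emit a UEFI criterion against `{grub2_uefi_boot_path}/grub.cfg` whenever `has_separate_bios_and_uefi` is true (the `set` two lines below), and that value comes from the debian13 product definition, which is outside this hunk. On a Debian grub-efi install the `grub.cfg` under `/boot/efi/EFI/debian/` is, as far as I know, only a stub that chain-loads `/boot/grub/grub.cfg` and contains no `linux /vmlinuz-...` lines, so if the product sets a distinct `grub2_uefi_boot_path` the UEFI criterion can never match and every UEFI Debian host would fail the rule regardless of its real kernel command line; please confirm the product keeps `grub2_uefi_boot_path` equal to `grub2_boot_path`, or gate the UEFI variant off for Debian. The two `'debian' in product` substring tests mirror the existing Ubuntu handling and will also pick up any future Debian product, which is fine, but the shared assumption deserves a comment next to them: `{{# Debian and Ubuntu share the same grub-mkconfig layout: real boot entries in /boot/grub/grub.cfg plus /etc/default/grub.d/*.cfg drop-ins #}}`.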
@@ -403,7 +403,7 @@ `GRUB_CMDLINE_LINUX_DEFAULT` only applies to non-recovery boot entries, so if this variable is used, rescue boot entries have to be disabled with GRUB_DISABLE_RECOVERY=true in `/etc/default/grub`, to ensure the argument ARG_NAME_UNDERSCORED is set for ALL boot entries. - Also checks `/etc/default/grub.d/*.cfg` drop-ins for Ubuntu. #}} + Also checks `/etc/default/grub.d/*.cfg` drop-ins for Ubuntu and Debian. #}} {{%- endif %}} -{{# OL7, Ubuntu — uses_grub_cfg #}} +{{# OL7, Debian, Ubuntu — uses_grub_cfg #}} {{%- if uses_grub_cfg %}} {{# Emit BIOS variant (`{grub2_boot_path}/grub.cfg`) unconditionally; emit UEFI variant (`{grub2_uefi_boot_path}/grub.cfg`) only when the platform has separate BIOS and UEFI paths. #}}