Product:
BigFix Compliance
Title:
Updated CIS Checklist for Debian Linux 12
Security Benchmark:
CIS Debian Linux 12 Benchmark, v1.1.0
Published Sites:
CIS Checklist for Debian Linux 12, site version 3
(The site version is provided for air-gap customers.)
Details:
Total New Fixlets: 33
Total Updated Fixlets: 193
Total Deleted Fixlets: 19
Total Fixlets in Site: 299
New Fixlets:
Ensure overlayfs kernel module is not available
Ensure unused filesystems kernel modules are not available
Ensure XDMCP is not enabled
Ensure a single firewall utility
Ensure a single firewall configuration utility is in use
Ensure nftables is not in use with iptables
Ensure ufw is not in use with iptables
Ensure minimum password days is configured
Ensure root account access is controlled
Ensure only one logging system is in use
Ensure systemd-journal-upload authentication is configured
Ensure rsyslog
Ensure rsyslog is installed
Ensure rsyslog service is enabled and active
Ensure journald is configured to send logs to rsyslog
Ensure rsyslog log file creation mode is configured
Ensure rsyslog logging is configured
Ensure rsyslog is configured to send logs to a remote log host
Ensure rsyslog is not configured to receive logs from a remote client
Ensure logrotate is configured
Ensure auditd packages are installed
Ensure successful and unsuccessful attempts to use the chcon command are collected
Ensure successful and unsuccessful attempts to use the setfacl command are collected
Ensure successful and unsuccessful attempts to use the chacl command are collected
Ensure successful and unsuccessful attempts to use the usermod command are collected
Ensure audit log files owner is configured
Ensure audit log files group owner is configured
Ensure the audit log file directory mode is configured
Ensure audit configuration files owner is configured
Ensure audit configuration files group owner is configured
Ensure audit tools owner is configured
Ensure audit tools group owner is configured
Ensure cryptographic mechanisms are used to protect the integrity of audit tools
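As an added example (not BigFix fixlet content and not taken from the CIS benchmark text), the POSIX shell function below implements the audit logic behind the "Ensure <module> kernel module is not available" family of checks: the module must have an "install <module> /bin/false" (or /bin/true) line in modprobe.d, must be blacklisted there, and must not be currently loaded. It applies equally to the new overlayfs check and to the cramfs, freevxfs, hfs, hfsplus, jffs2, squashfs, udf, usb-storage, dccp, tipc, rds and sctp checks in the modified list. The modprobe.d directory and the lsmod output file are passed as parameters (an assumption made here so the check can be exercised offline against constructed data); on a live host you would pass /etc/modprobe.d and the output of lsmod. Two caveats a practitioner should keep in mind: modprobe treats "-" and "_" in module names as equivalent, so a name such as usb-storage should be checked in both spellings, and the CIS audit additionally consults "modprobe --showconfig", whereas this function reads the configuration files directly.

```shell
#!/bin/sh
# Added example: audit whether a kernel module is "not available" in the
# sense used by the CIS kernel-module checks. Not BigFix fixlet code.
#
# cis_module_check MODULE MODPROBE_DIR LSMOD_OUTPUT_FILE
#   MODULE            kernel module name, e.g. overlayfs, cramfs, usb-storage
#   MODPROBE_DIR      directory holding *.conf files (normally /etc/modprobe.d)
#   LSMOD_OUTPUT_FILE file containing the output of lsmod (header line first)
# Prints one finding per condition and returns 0 only if all three hold.
cis_module_check() {
  mod="$1"; dir="$2"; lsmod_out="$3"
  rc=0
  # 1. "install <mod> /bin/false" (or /bin/true) prevents modprobe from loading it
  if grep -Eqs "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(false|true)([[:space:]]|$)" "$dir"/*.conf; then
    echo "$mod: install line present"
  else
    echo "$mod: FAIL no 'install $mod /bin/false' in $dir"; rc=1
  fi
  # 2. "blacklist <mod>" stops automatic loading by alias
  if grep -Eqs "^[[:space:]]*blacklist[[:space:]]+$mod([[:space:]]|$)" "$dir"/*.conf; then
    echo "$mod: blacklist line present"
  else
    echo "$mod: FAIL no 'blacklist $mod' in $dir"; rc=1
  fi
  # 3. not currently loaded: lsmod prints the module name in column 1,
  #    after a header line, so skip NR==1 and compare $1
  if awk -v m="$mod" 'NR>1 && $1==m {found=1} END {exit !found}' "$lsmod_out"; then
    echo "$mod: FAIL module is currently loaded"; rc=1
  else
    echo "$mod: not loaded"
  fi
  return $rc
}

# Constructed sample data (not captured from a real host) to show the
# function on one compliant and one non-compliant module.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/modprobe.d"
  printf 'install overlayfs /bin/false\nblacklist overlayfs\n' > "$tmp/modprobe.d/overlayfs.conf"
  # blacklist only: modprobe can still load cramfs on request
  printf 'blacklist cramfs\n' > "$tmp/modprobe.d/cramfs.conf"
  printf 'Module Size Used by\ncramfs 16384 0\next4 737280 1\n' > "$tmp/lsmod.txt"
  cis_module_check overlayfs "$tmp/modprobe.d" "$tmp/lsmod.txt"; echo "overlayfs rc=$?"
  cis_module_check cramfs    "$tmp/modprobe.d" "$tmp/lsmod.txt"; echo "cramfs rc=$?"
  rm -rf "$tmp"
}

demo
```

In the demo, overlayfs passes all three conditions while cramfs fails two (no install line, and it is loaded), which is exactly the state the modified cramfs fixlet would report as non-compliant.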
Modified Fixlets:
Ensure cramfs kernel module is not available
Ensure freevxfs kernel module is not available
Ensure hfs kernel module is not available
Ensure hfsplus kernel module is not available
Ensure jffs2 kernel module is not available
Ensure squashfs kernel module is not available
Ensure udf kernel module is not available
Ensure usb-storage kernel module is not available
Ensure /tmp is a separate partition
Ensure separate partition exists for /home
Ensure nodev option set on /home partition
Ensure nosuid option set on /home partition
Ensure separate partition exists for /var
Ensure nodev option set on /var partition
Ensure nosuid option set on /var partition
Ensure separate partition exists for /var/tmp
Ensure nodev option set on /var/tmp partition
Ensure nosuid option set on /var/tmp partition
Ensure noexec option set on /var/tmp partition
Ensure separate partition exists for /var/log
Ensure nodev option set on /var/log partition
Ensure nosuid option set on /var/log partition
Ensure noexec option set on /var/log partition
Ensure separate partition exists for /var/log/audit
Ensure nodev option set on /var/log/audit partition
Ensure nosuid option set on /var/log/audit partition
Ensure noexec option set on /var/log/audit partition
Ensure GPG keys are configured
Ensure AppArmor is installed
Ensure AppArmor is enabled in the bootloader configuration
Ensure all AppArmor Profiles are in enforce or complain mode
Ensure all AppArmor Profiles are enforcing
Ensure bootloader password is set
Ensure address space layout randomization is enabled
Ensure ptrace_scope is restricted
Ensure core dumps are restricted
Ensure GDM is removed
Ensure GDM login banner is configured
Ensure GDM disable-user-list option is enabled
Ensure GDM screen locks when the user is idle
Ensure GDM screen locks cannot be overridden
Ensure GDM automatic mounting of removable media is disabled
Ensure GDM disabling automatic mounting of removable media is not overridden
Ensure GDM autorun-never is enabled
Ensure GDM autorun-never is not overridden
Ensure autofs services are not in use
Ensure avahi daemon services are not in use
Ensure dhcp server services are not in use
Ensure dns server services are not in use
Ensure dnsmasq services are not in use
Ensure ftp server services are not in use
Ensure ldap server services are not in use
Ensure message access server services are not in use
Ensure network file system services are not in use
Ensure nis server services are not in use
Ensure print server services are not in use
Ensure rpcbind services are not in use
Ensure rsync services are not in use
Ensure samba file server services are not in use
Ensure snmp services are not in use
Ensure tftp server services are not in use
Ensure web proxy server services are not in use
Ensure web server services are not in use
Ensure xinetd services are not in use
Ensure X window server services are not in use
Ensure mail transfer agent is configured for local-only mode
Ensure NIS Client is not installed
Ensure rsh client is not installed
Ensure talk client is not installed
Ensure telnet client is not installed
Ensure ldap client is not installed
Ensure ftp client is not installed
Ensure a single time synchronization daemon is in use
Ensure systemd-timesyncd configured with authorized timeserver
Ensure systemd-timesyncd is enabled and running
Ensure chrony is configured with authorized timeserver
Ensure permissions on /etc/cron.weekly are configured
Ensure permissions on /etc/cron.monthly are configured
Ensure permissions on /etc/cron.d are configured
Ensure crontab is restricted to authorized users
Ensure at is restricted to authorized users
Ensure IPv6 status is identified
Ensure bluetooth services are not in use
Ensure dccp kernel module is not available
Ensure tipc kernel module is not available
Ensure rds kernel module is not available
Ensure sctp kernel module is not available
Ensure ip forwarding is disabled
Ensure packet redirect sending is disabled
Ensure bogus icmp responses are ignored
Ensure broadcast icmp requests are ignored
Ensure icmp redirects are not accepted
Ensure secure icmp redirects are not accepted
Ensure reverse path filtering is enabled
Ensure source routed packets are not accepted
Ensure suspicious packets are logged
Ensure tcp syn cookies is enabled
Ensure ipv6 router advertisements are not accepted
Ensure ufw is installed
Ensure iptables-persistent is not installed with ufw
Ensure ufw loopback traffic is configured
Ensure ufw default deny firewall policy
Ensure nftables is installed
Ensure ufw is uninstalled or disabled with nftables
Ensure a nftables table exists
Ensure nftables loopback traffic is configured
Ensure nftables outbound and established connections are configured
Ensure nftables default deny firewall policy
Ensure nftables rules are permanent
Ensure iptables packages are installed
Ensure iptables default deny firewall policy
Ensure iptables loopback traffic is configured
Ensure iptables outbound and established connections are configured
Ensure iptables firewall rules exist for all open ports
Ensure ip6tables default deny firewall policy
Ensure ip6tables loopback traffic is configured
Ensure ip6tables outbound and established connections are configured
Ensure ip6tables firewall rules exist for all open ports
Ensure permissions on /etc/ssh/sshd_config are configured
Ensure permissions on SSH private host key files are configured
Ensure permissions on SSH public host key files are configured
Ensure sshd access is configured
Ensure sshd Banner is configured
Ensure sshd Ciphers are configured
Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured
Ensure sshd DisableForwarding is enabled
Ensure sshd GSSAPIAuthentication is disabled
Ensure sshd HostbasedAuthentication is disabled
Ensure sshd IgnoreRhosts is enabled
Ensure sshd KexAlgorithms is configured
Ensure sshd LoginGraceTime is configured
Ensure sshd LogLevel is configured
Ensure sshd MACs are configured
Ensure sshd MaxAuthTries is configured
Ensure sshd MaxSessions is configured
Ensure sshd MaxStartups is configured
Ensure sshd PermitEmptyPasswords is disabled
Ensure sshd PermitRootLogin is disabled
Ensure sshd PermitUserEnvironment is disabled
Ensure sshd UsePAM is enabled
Ensure sudo is installed
Ensure sudo commands use pty
Ensure latest version of pam is installed
Ensure libpam-modules is installed
Ensure pam_unix module is enabled
Ensure pam_faillock module is enabled
Ensure pam_pwquality module is enabled
Ensure pam_pwhistory module is enabled
Ensure password failed attempts lockout is configured
Ensure password unlock time is configured
Ensure password failed attempts lockout includes root account
Ensure password number of changed characters is configured
Ensure minimum password length is configured
Ensure password complexity is configured
Ensure password same consecutive characters is configured
Ensure password maximum sequential characters is configured
Ensure password dictionary check is enabled
Ensure pam_pwhistory includes use_authtok
Ensure pam_unix does not include nullok
Ensure pam_unix does not include remember
Ensure password expiration is configured
Ensure all users last password change date is in the past
Ensure root user umask is configured
Ensure nologin is not listed in /etc/shells
Ensure default user umask is configured
Ensure auditd service is enabled and active
Ensure system is disabled when audit logs are full
Ensure system warns when audit logs are low on space
Ensure changes to system administration scope (sudoers) is collected
Ensure actions as another user are always logged
Ensure events that modify the sudo log file are collected
Ensure events that modify date and time information are collected
Ensure events that modify the system’s network environment are collected
Ensure use of privileged commands are collected
Ensure unsuccessful file access attempts are collected
Ensure events that modify user/group information are collected
Ensure discretionary access control permission modification events are collected
Ensure successful file system mounts are collected
Ensure session initiation information is collected
Ensure login and logout events are collected
Ensure file deletion events by users are collected
Ensure events that modify the system’s Mandatory Access Controls are collected
Ensure kernel module loading unloading and modification is collected
Ensure the audit configuration is immutable
Ensure the running and on disk configuration is the same
Ensure audit log files mode is configured
Ensure audit configuration files mode is configured
Ensure audit tools mode is configured
Ensure AIDE is installed
Ensure world writable files and directories are secured
Ensure no files or directories without an owner and a group exist
Ensure SUID and SGID files are reviewed
Ensure local interactive user dot files access is configured
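As an added example (not BigFix fixlet content), the shell function below implements the file-level audit behind the "audit log files owner/group owner/mode", "audit configuration files owner/group owner/mode" and "audit tools owner/group owner/mode" checks that appear in the new and modified lists above: every regular file under a directory must be mode 0640 or stricter and owned by the expected user and group. The directory, expected user and expected group are parameters (an assumption made so the function can be run offline against constructed files; on a live host you would pass /var/log/audit, /etc/audit or the audit tool paths with root and the group the benchmark expects). It uses the find -perm /MODE form, so GNU or BusyBox find is assumed. The check does not follow symlinks and only reports; remediation (chown, chmod) is left to the fixlet's action.

```shell
#!/bin/sh
# Added example: report files looser than 0640 or not owned by the expected
# user/group, the way the audit log/config/tool ownership and mode checks do.
# Not BigFix fixlet code.
#
# audit_file_check DIR EXPECTED_USER EXPECTED_GROUP
# Prints one line per non-compliant file, prefixed with the failed condition,
# and returns 1 if anything was reported, 0 otherwise.
audit_file_check() {
  dir="$1"; user="$2"; group="$3"
  bad=0
  # Octal mask 0137 covers owner-execute, group-write and all "other" bits;
  # any of them set means the file is more permissive than 0640.
  find "$dir" -type f -perm /0137 -print | sed 's/^/MODE  /' | grep . && bad=1
  find "$dir" -type f ! -user "$user" -print | sed "s/^/OWNER (expected $user) /" | grep . && bad=1
  find "$dir" -type f ! -group "$group" -print | sed "s/^/GROUP (expected $group) /" | grep . && bad=1
  return $bad
}

# Constructed sample files (not from a real host): one compliant log file and
# one that is world-readable, owned by whoever runs the script.
demo() {
  tmp=$(mktemp -d)
  touch "$tmp/audit.log" "$tmp/audit.log.1"
  chmod 0640 "$tmp/audit.log"
  chmod 0644 "$tmp/audit.log.1"
  audit_file_check "$tmp" "$(id -un)" "$(id -gn)"; echo "rc=$?"
  rm -rf "$tmp"
}

demo
```

Running the demo reports only audit.log.1 under MODE and returns 1; after chmod 0640 on that file the same call returns 0. Pass root and the expected group instead of the current user when auditing a real /var/log/audit.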
Deleted Fixlets:
Ensure prelink is not installed
Ensure XDCMP is not enabled
Ensure nftables is not installed with iptables
Ensure ufw is uninstalled or disabled with iptables
Ensure minimum password age is configured
Ensure root password is set
Ensure systemd-journal-remote authentication is configured
Ensure auditd is installed
Ensure successful and unsuccessful attempts to use the chcon command are recorded
Ensure successful and unsuccessful attempts to use the setfacl command are recorded
Ensure successful and unsuccessful attempts to use the chacl command are recorded
Ensure successful and unsuccessful attempts to use the usermod command are recorded
Ensure only authorized users own audit log files
Ensure only authorized groups are assigned ownership of audit log files
Ensure the audit log directory mode is configured
Ensure audit configuration files are owned by root
Ensure audit configuration files belong to group root
Ensure audit tools are owned by root
Ensure audit tools belong to group root
Additional details:
Both analysis and remediation checks are included.
Some of the checks allow you to use the parameterized setting to enable customization for compliance evaluation. Note that parameterization and remediation actions require the creation of a custom site.
A few checks have been improved by adding the pending restart feature, which works as follows:
The action results show “Pending Restart” instead of “Fixed” for checks that require an OS reboot.
The check remains relevant for those endpoints until they are rebooted.
After the endpoint is rebooted, the action results show “Fixed” and the check is reported as compliant.
Actions to take:
To subscribe to the above site, use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product and must be using BigFix version 10 or later.
If you use custom sites, update them to use the latest content. You can synchronize your content with the Synchronize Custom Checks wizard. For more information, see Using the Synchronize Custom Checks wizard.
More information:
To learn more about the BigFix Compliance SCM checklists, see the following resources:
BigFix Forum:
BigFix Compliance SCM Checklists:
We hope you find this latest release of SCM content useful and effective. Thank you!
– The BigFix Compliance team