Release notes - Debian Linux

This article provides detailed information about the CIS Security Benchmarks for Debian Linux, including supported benchmarks, mismatched rules, and configurable parameters across all supported versions.

Supported benchmarks

Debian Version  Benchmark Title
Debian 12       CIS Debian Linux 12 Benchmark 1.0.0 Level 1 + Level 2 - Server

Mismatched rules

Note

Mismatched rules are rules whose assessment result might, in some circumstances, differ from that of CIS-CAT® Pro Assessor; usually our implementation enforces stricter criteria.

  • Ensure only one logging system is in use

Configurable parameters

Rule                                                        Parameter              Default Value
Ensure dns server services are not in use                   serviceName            named.service
                                                            expectedUnitFileState  enabled
                                                            expectedActiveState    active
                                                            packageName            bind9
Ensure permissions on /etc/crontab are configured           mask                   0177
                                                            owner                  root
                                                            group                  root
Ensure permissions on /etc/cron.hourly are configured       mask                   0077
                                                            owner                  root
                                                            group                  root
Ensure permissions on /etc/cron.daily are configured        mask                   0077
                                                            owner                  root
                                                            group                  root
                                                            packageName            cron
Ensure permissions on /etc/cron.weekly are configured       mask                   0077
                                                            owner                  root
                                                            group                  root
Ensure permissions on /etc/cron.monthly are configured      mask                   0077
                                                            owner                  root
                                                            group                  root
Ensure permissions on /etc/cron.d are configured            mask                   0077
                                                            owner                  root
                                                            group                  root
Ensure permissions on /etc/ssh/sshd_config are configured   mask                   0177
                                                            owner                  root
                                                            group                  root
Ensure permissions on /etc/passwd are configured            mask                   0133
                                                            owner                  root
                                                            group                  root
Ensure permissions on /etc/passwd- are configured           mask                   0133
                                                            owner                  root
                                                            group                  root
Ensure permissions on /etc/group are configured             mask                   0133
                                                            owner                  root
                                                            group                  root
Ensure permissions on /etc/group- are configured            mask                   0133
                                                            owner                  root
                                                            group                  root
Ensure permissions on /etc/shadow are configured            mask                   0137
                                                            owner                  root
                                                            group                  root|shadow
Ensure permissions on /etc/shadow- are configured           mask                   0137
                                                            owner                  root
                                                            group                  root|shadow
Ensure permissions on /etc/gshadow are configured           mask                   0137
                                                            owner                  root
                                                            group                  shadow|root
Ensure permissions on /etc/gshadow- are configured          mask                   0137
                                                            owner                  root
                                                            group                  shadow|root
Ensure permissions on /etc/shells are configured            mask                   0133
                                                            owner                  root
                                                            group                  root
Ensure permissions on /etc/security/opasswd are configured  mask                   0177
                                                            owner                  root
                                                            group                  root