376 changes: 376 additions & 0 deletions controls/cis_debian13.yml
@@ -0,0 +1,376 @@
---
policy: CIS Benchmark for Debian 13
title: CIS Benchmark for Debian 13
id: cis_debian13
version: '1.0.0'
source: https://www.cisecurity.org/cis-benchmarks

levels:
- id: l1_server
- id: l2_server
inherits_from:
- l1_server
- id: l1_workstation
- id: l2_workstation
inherits_from:
- l1_workstation

reference_type: cis
product: debian13

controls:
- id: 1.1.1.1
title: Ensure cramfs kernel module is not available (Automated)
levels:
- l1_server
- l1_workstation
rules:
- kernel_module_cramfs_disabled
status: automated

- id: 1.1.1.2
title: Ensure freevxfs kernel module is not available (Automated)
levels:
- l1_server
- l1_workstation
rules:
- kernel_module_freevxfs_disabled
status: automated

- id: 1.1.1.3
title: Ensure hfs kernel module is not available (Automated)
levels:
- l1_server
- l1_workstation
rules:
- kernel_module_hfs_disabled
status: automated

- id: 1.1.1.4
title: Ensure hfsplus kernel module is not available (Automated)
levels:
- l1_server
- l1_workstation
rules:
- kernel_module_hfsplus_disabled
status: automated

- id: 1.1.1.5
title: Ensure jffs2 kernel module is not available (Automated)
levels:
- l1_server
- l1_workstation
rules:
- kernel_module_jffs2_disabled
status: automated

- id: 1.1.1.6
title: Ensure overlayfs kernel module is not available (Automated)
levels:
- l2_server
- l2_workstation
rules:
- kernel_module_overlayfs_disabled
status: automated

- id: 1.1.1.7
title: Ensure squashfs kernel module is not available (Automated)
levels:
- l2_server
- l2_workstation
related_rules:
- kernel_module_squashfs_disabled
status: automated

- id: 1.1.1.8
title: Ensure udf kernel module is not available (Automated)
levels:
- l2_server
- l2_workstation
rules:
- kernel_module_udf_disabled
status: automated

- id: 1.1.1.9
title: Ensure firewire-core kernel module is not available (Automated)
levels:
- l1_server
- l2_workstation
rules:
- kernel_module_firewire-core_disabled
status: automated

- id: 1.1.1.10
title: Ensure usb-storage kernel module is not available (Automated)
levels:
- l1_server
- l2_workstation
rules:
- kernel_module_usb-storage_disabled
status: automated

- id: 1.1.1.11
title: Ensure unused filesystems kernel modules are not available (Manual)
levels:
- l1_server
- l1_workstation
status: manual

- id: 1.1.2.1.1
title: Ensure /tmp is a separate partition (Automated)
levels:
- l1_server
- l1_workstation
rules:
- partition_for_tmp
status: automated

- id: 1.1.2.1.2
title: Ensure nodev option set on /tmp partition (Automated)
levels:
- l1_server
- l1_workstation
rules:
- mount_option_tmp_nodev
status: automated

- id: 1.1.2.1.3
title: Ensure nosuid option set on /tmp partition (Automated)
levels:
- l1_server
- l1_workstation
rules:
- mount_option_tmp_nosuid
status: automated

- id: 1.1.2.1.4
title: Ensure noexec option set on /tmp partition (Automated)
levels:
- l1_server
- l1_workstation
rules:
- mount_option_tmp_noexec
status: automated

- id: 1.1.2.2.1
title: Ensure /dev/shm is tmpfs or a separate partition (Automated)
levels:
- l1_server
- l1_workstation
status: automated
rules:
- partition_for_dev_shm

- id: 1.1.2.2.2
title: Ensure nodev option set on /dev/shm partition (Automated)
levels:
- l1_server
- l1_workstation
rules:
- mount_option_dev_shm_nodev
status: automated

- id: 1.1.2.2.3
title: Ensure nosuid option set on /dev/shm partition (Automated)
levels:
- l1_server
- l1_workstation
rules:
- mount_option_dev_shm_nosuid
status: automated

- id: 1.1.2.2.4
title: Ensure noexec option set on /dev/shm partition (Automated)
levels:
- l1_server
- l1_workstation
rules:
- mount_option_dev_shm_noexec
status: automated

- id: 1.1.2.3.1
title: Ensure separate partition exists for /home (Automated)
levels:
- l2_server
- l2_workstation
rules:
- partition_for_home
status: automated

- id: 1.1.2.3.2
title: Ensure nodev option set on /home partition (Automated)
levels:
- l1_server
- l1_workstation
rules:
- mount_option_home_nodev
status: automated

- id: 1.1.2.3.3
title: Ensure nosuid option set on /home partition (Automated)
levels:
- l1_server
- l1_workstation
rules:
- mount_option_home_nosuid
status: automated

- id: 1.1.2.4.1
title: Ensure separate partition exists for /var (Automated)
levels:
- l2_server
- l2_workstation
rules:
- partition_for_var
status: automated

- id: 1.1.2.4.2
title: Ensure nodev option set on /var partition (Automated)
levels:
- l1_server
- l1_workstation
rules:
- mount_option_var_nodev
status: automated

- id: 1.1.2.4.3
title: Ensure nosuid option set on /var partition (Automated)
levels:
- l1_server
- l1_workstation
rules:
- mount_option_var_nosuid
status: automated

- id: 1.1.2.5.1
title: Ensure separate partition exists for /var/tmp (Automated)
levels:
- l2_server
- l2_workstation
rules:
- partition_for_var_tmp
status: automated

- id: 1.1.2.5.2
title: Ensure nodev option set on /var/tmp partition (Automated)
levels:
- l1_server
- l1_workstation
rules:
- mount_option_var_tmp_nodev
status: automated

- id: 1.1.2.5.3
title: Ensure nosuid option set on /var/tmp partition (Automated)
levels:
- l1_server
- l1_workstation
rules:
- mount_option_var_tmp_nosuid
status: automated

- id: 1.1.2.5.4
title: Ensure noexec option set on /var/tmp partition (Automated)
levels:
- l1_server
- l1_workstation
rules:
- mount_option_var_tmp_noexec
status: automated

- id: 1.1.2.6.1
title: Ensure separate partition exists for /var/log (Automated)
levels:
- l2_server
- l2_workstation
rules:
- partition_for_var_log
status: automated

- id: 1.1.2.6.2
title: Ensure nodev option set on /var/log partition (Automated)
levels:
- l1_server
- l1_workstation
rules:
- mount_option_var_log_nodev
status: automated

- id: 1.1.2.6.3
title: Ensure nosuid option set on /var/log partition (Automated)
levels:
- l1_server
- l1_workstation
rules:
- mount_option_var_log_nosuid
status: automated

- id: 1.1.2.6.4
title: Ensure noexec option set on /var/log partition (Automated)
levels:
- l1_server
- l1_workstation
rules:
- mount_option_var_log_noexec
status: automated

- id: 1.1.2.7.1
title: Ensure separate partition exists for /var/log/audit (Automated)
levels:
- l2_server
- l2_workstation
rules:
- partition_for_var_log_audit
status: automated

- id: 1.1.2.7.2
title: Ensure nodev option set on /var/log/audit partition (Automated)
levels:
- l1_server
- l1_workstation
rules:
- mount_option_var_log_audit_nodev
status: automated

- id: 1.1.2.7.3
title: Ensure nosuid option set on /var/log/audit partition (Automated)
levels:
- l1_server
- l1_workstation
rules:
- mount_option_var_log_audit_nosuid
status: automated

- id: 1.1.2.7.4
title: Ensure noexec option set on /var/log/audit partition (Automated)
levels:
- l1_server
- l1_workstation
rules:
- mount_option_var_log_audit_noexec
status: automated

- id: 1.2.1.1
title: Ensure the source.list and .source files use the Signed-By option (Manual)
levels:
- l1_server
- l1_workstation
status: manual

- id: 1.2.1.2
title: Ensure weak dependencies are configured (Automated)
levels:
- l2_server
- l2_workstation
rules:
- disable_weak_deps
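Review bot: control 1.1.1.7 (squashfs) uses `related_rules:` where every other control in this file uses `rules:`; in the controls schema `related_rules` only records a relationship and does not select the rule, so `kernel_module_squashfs_disabled` would be left out of any profile built from this control. Change the key to `rules:`. Minor: 1.1.2.2.1 lists `status: automated` before `rules:`, the reverse of the order used in every other entry; reorder it for consistency.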
Collaborator
The rule disable_weak_deps is specific to the dnf package manager which isn't used in Debian. Therefore, it doesn't make sense to add this rule to Debian's security content. Debian uses apt instead. I suggest marking this control as manual or pending until a new rule covering apt is created.

status: automated

# - id: 1.2.1.3
Collaborator
Consider adding notes for commented-out controls: Rather than leaving large commented-out YAML blocks with bare # TODO markers, consider using proper status: pending entries with notes: explaining what's needed. This makes the work queue visible to tooling (e.g., list_unmapped_requirements). Example:

  - id: 1.2.1.3
    title: Ensure access to gpg key files are configured (Automated)
    levels:
        - l1_server
        - l1_workstation
    status: pending
    notes: |-
        Needs a new Debian-specific rule for GPG key file access checks.

# title: Ensure access to gpg key files are configured (Automated)
# levels:
# - l1_server
# - l2_server
# rules:
# - configure_gpg_key_access
# status: automated
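Review bot: the commented-out 1.2.1.3 block lists levels `l1_server` and `l2_server`. Per the `levels:` section at the top of the file, `l2_server` inherits from `l1_server`, so listing both is redundant, and every other L1 control in this file pairs `l1_server` with `l1_workstation`, which is most likely what was intended. If the control stays in the file, an uncommented entry with `status: pending` and a `notes:` field keeps it visible to tooling, whereas a bare `# TODO` comment block does not.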

Check failure on line 376 in controls/cis_debian13.yml (GitHub Actions / Yaml Lint on Changed yaml files): 376:26 [new-line-at-end-of-file] no new line character at the end of file
Collaborator
missing new line character at the end of file

Author
Thanks for noticing, added it.

Also added more controls. Those that are commented out and have TODO are not implemented, as they need to be implemented later on.

3 changes: 3 additions & 0 deletions products/debian13/product.yml
@@ -30,6 +30,9 @@
title: "Debian Linux 13"
check_id: installed_OS_is_debian13

reference_uris:
cis: 'https://www.cisecurity.org/cis-benchmarks/'

# Mapping of CPE platform to package
platform_package_overrides:
gdm: gdm3
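Review bot: `reference_uris.cis` is written with a trailing slash (`https://www.cisecurity.org/cis-benchmarks/`) while the `source:` field in controls/cis_debian13.yml uses the same URL without one; pick a single form so the generated reference links for the two files agree.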
@@ -40,4 +43,4 @@
shadow: login
sssd: sssd-common
audit: auditd

Check warning on line 46 in products/debian13/product.yml (GitHub Actions / Yaml Lint on Changed yaml files): 46:1 [empty-lines] too many blank lines (1 > 0)