[BESAdmin-Announcements] BigFix Compliance: Updated CIS Checklist for Debian Linux 11, published 2025-08-19
Announcements for BES Administrators
besadmin-announcements at bigmail.bigfix.com
Tue Aug 19 07:49:49 PDT 2025
*Product:*
BigFix Compliance
*Title:*
Updated CIS Checklist for Debian Linux 11
*Security Benchmark:*
CIS Checklist for Debian Linux 11 Benchmark, v2.0.0
*Published Sites:*
CIS Checklist for Debian Linux 11, site version 2
(The site version is provided for air-gap customers.)
*Details:*
● Total New Fixlets: 72
● Total Updated Fixlets: 126
● Total Deleted Fixlets: 47
● Total Fixlets in Site: 287
*ADDED :*
● Ensure xinetd services are not in use
● Ensure world writable files and directories are secured
● Ensure /dev/shm is a separate partition
● Ensure web server services are not in use
● Ensure web proxy server services are not in use
● Ensure IPv6 status is identified
● Ensure X window server services are not in use
● Ensure access to all logfiles has been configured
● Ensure accounts without a valid login shell are locked
● Ensure audit tools group owner is configured
● Ensure avahi daemon services are not in use
● Ensure bluetooth services are not in use
● Ensure cramfs kernel module is not available
● Ensure default user umask is configured
● Ensure dhcp server services are not in use
● Ensure dns server services are not in use
● Ensure dnsmasq services are not in use
● Ensure freevxfs kernel module is not available
● Ensure ftp client is not installed
● Ensure ftp server services are not in use
● Ensure tftp server services are not in use
● Ensure group root is the only GID 0 group
● Ensure hfs kernel module is not available
● Ensure hfsplus kernel module is not available
● Ensure jffs2 kernel module is not available
● Ensure journald ForwardToSyslog is disabled
● Ensure latest version of pam is installed
● Ensure ldap server services are not in use
● Ensure libpam-modules is installed
● Ensure libpam-pwquality is installed
● Ensure system warns when audit logs are low on space
● Ensure local interactive user dot files access is configured
● Ensure message access server services are not in use
● Ensure minimum password length is configured
● Ensure network file system services are not in use
● Ensure nis server services are not in use
● Ensure no files or directories without an owner and a group exist
● Ensure nologin is not listed in /etc/shells
● Ensure pam_faillock module is enabled
● Ensure pam_pwhistory includes use_authtok
● Ensure pam_pwhistory module is enabled
● Ensure pam_pwquality module is enabled
● Ensure pam_unix does not include nullok
● Ensure pam_unix does not include remember
● Ensure pam_unix includes a strong password hashing algorithm
● Ensure pam_unix includes use_authtok
● Ensure pam_unix module is enabled
● Ensure password complexity is configured
● Ensure password dictionary check is enabled
● Ensure password failed attempts lockout includes root account
● Ensure password failed attempts lockout is configured
● Ensure password history is enforced for the root user
● Ensure password history remember is configured
● Ensure password maximum sequential characters is configured
● Ensure password number of changed characters is configured
● Ensure password quality checking is enforced
● Ensure password quality is enforced for the root user
● Ensure password same consecutive characters is configured
● Ensure sshd GSSAPIAuthentication is disabled
● Ensure sshd DisableForwarding is enabled
● Ensure password unlock time is configured
● Ensure permissions on /etc/security/opasswd are configured
● Ensure permissions on /etc/shells are configured
● Ensure print server services are not in use
● Ensure ptrace_scope is restricted
● Ensure snmp services are not in use
● Ensure rds kernel module is not available
● Ensure root password is set
● Ensure root path integrity
● Ensure root user umask is configured
● Ensure rpcbind services are not in use
● Ensure samba file server services are not in use
*UPDATED :*
● Ensure /tmp is a separate partition
● Ensure nodev option set on /tmp partition
● Ensure nosuid option set on /tmp partition
● Ensure noexec option set on /tmp partition
● Ensure nodev option set on /dev/shm partition
● Ensure nosuid option set on /dev/shm partition
● Ensure noexec option set on /dev/shm partition
● Ensure separate partition exists for /home
● Ensure nodev option set on /home partition
● Ensure nosuid option set on /home partition
● Ensure separate partition exists for /var
● Ensure nodev option set on /var partition
● Ensure nosuid option set on /var partition
● Ensure separate partition exists for /var/tmp
● Ensure nodev option set on /var/tmp partition
● Ensure nosuid option set on /var/tmp partition
● Ensure noexec option set on /var/tmp partition
● Ensure separate partition exists for /var/log
● Ensure nodev option set on /var/log partition
● Ensure nosuid option set on /var/log partition
● Ensure noexec option set on /var/log partition
● Ensure separate partition exists for /var/log/audit
● Ensure nodev option set on /var/log/audit partition
● Ensure nosuid option set on /var/log/audit partition
● Ensure noexec option set on /var/log/audit partition
● Ensure GPG keys are configured
● Ensure updates, patches, and additional security software are installed
● Ensure AppArmor is installed
● Ensure all AppArmor Profiles are enforcing
● Ensure bootloader password is set
● Ensure core dumps are restricted
● Ensure prelink is not installed
● Ensure Automatic Error Reporting is not enabled
● Ensure message of the day is configured properly
● Ensure local login warning banner is configured properly
● Ensure remote login warning banner is configured properly
● Ensure GDM login banner is configured
● Ensure GDM disable-user-list option is enabled
● Ensure GDM screen locks when the user is idle
● Ensure GDM screen locks cannot be overridden
● Ensure GDM automatic mounting of removable media is disabled
● Ensure GDM disabling automatic mounting of removable media is not overridden
● Ensure GDM autorun-never is enabled
● Ensure GDM autorun-never is not overridden
● Ensure XDCMP is not enabled
● Ensure mail transfer agent is configured for local-only mode
● Ensure NIS Client is not installed
● Ensure rsh client is not installed
● Ensure talk client is not installed
● Ensure telnet client is not installed
● Ensure time synchronization is in use
● Ensure a single time synchronization daemon is in use
● Ensure chrony is configured with authorized timeserver
● Ensure chrony is running as user _chrony
● Ensure chrony is enabled and running
● Ensure permissions on /etc/crontab are configured
● Ensure permissions on /etc/cron.hourly are configured
● Ensure permissions on /etc/cron.daily are configured
● Ensure permissions on /etc/cron.weekly are configured
● Ensure permissions on /etc/cron.monthly are configured
● Ensure permissions on /etc/cron.d are configured
● Ensure at is restricted to authorized users
● Ensure wireless interfaces are disabled
● Ensure packet redirect sending is disabled
● Ensure source routed packets are not accepted
● Ensure suspicious packets are logged
● Ensure ufw is installed
● Ensure ufw service is enabled
● Ensure ufw default deny firewall policy
● Ensure nftables is installed
● Ensure ufw is uninstalled or disabled with nftables
● Ensure nftables loopback traffic is configured
● Ensure iptables packages are installed
● Ensure nftables is not installed with iptables
● Ensure ufw is uninstalled or disabled with iptables
● Ensure ip6tables default deny firewall policy
● Ensure ip6tables loopback traffic is configured
● Ensure permissions on /etc/ssh/sshd_config are configured
● Ensure permissions on SSH private host key files are configured
● Ensure permissions on SSH public host key files are configured
● Ensure sudo is installed
● Ensure sudo commands use pty
● Ensure sudo log file exists
● Ensure all users last password change date is in the past
● Ensure root is the only UID 0 account
● Ensure AIDE is installed
● Ensure filesystem integrity is regularly checked
● Ensure systemd-journal-remote is installed
● Ensure auditd service is enabled and active
● Ensure system is disabled when audit logs are full
● Ensure changes to system administration scope (sudoers) is collected
● Ensure actions as another user are always logged
● Ensure events that modify the sudo log file are collected
● Ensure events that modify date and time information are collected
● Ensure events that modify the system's network environment are collected
● Ensure use of privileged commands are collected
● Ensure unsuccessful file access attempts are collected
● Ensure events that modify user/group information are collected
● Ensure discretionary access control permission modification events are collected
● Ensure successful file system mounts are collected
● Ensure session initiation information is collected
● Ensure login and logout events are collected
● Ensure file deletion events by users are collected
● Ensure events that modify the system's Mandatory Access Controls are collected
● Ensure successful and unsuccessful attempts to use the chcon command are recorded
● Ensure successful and unsuccessful attempts to use the setfacl command are recorded
● Ensure successful and unsuccessful attempts to use the chacl command are recorded
● Ensure successful and unsuccessful attempts to use the usermod command are recorded
● Ensure kernel module loading unloading and modification is collected
● Ensure the audit configuration is immutable
● Ensure the running and on disk configuration is the same
● Ensure permissions on /etc/passwd are configured
● Ensure permissions on /etc/passwd- are configured
● Ensure permissions on /etc/group are configured
● Ensure permissions on /etc/group- are configured
● Ensure permissions on /etc/shadow are configured
● Ensure permissions on /etc/shadow- are configured
● Ensure permissions on /etc/gshadow are configured
● Ensure permissions on /etc/gshadow- are configured
● Ensure accounts in /etc/passwd use shadowed passwords
● Ensure all groups in /etc/passwd exist in /etc/group
● Ensure shadow group is empty
● Ensure no duplicate UIDs exist
● Ensure no duplicate GIDs exist
● Ensure no duplicate user names exist
● Ensure no duplicate group names exist
*DELETED :*
● Ensure ntp is configured with authorized timeserver
● Ensure rsyslog service is enabled
● Ensure journald is not configured to send logs to rsyslog
● Ensure password creation requirements are configured
● Ensure local interactive user home directories exist
● Ensure HTTP server is not installed
● Ensure no ungrouped files or directories exist
● Ensure mounting of cramfs filesystems is disabled
● Ensure audit tools belong to group root
● Ensure ntp access control is configured
● Ensure no local interactive user has .netrc files
● Ensure SSH X11 forwarding is disabled
● Ensure X Window System is not installed
● Ensure Avahi Server is not installed
● Ensure lockout for failed password attempts is configured
● Ensure default user umask is 027 or more restrictive
● Ensure DHCP Server is not installed
● Ensure no local interactive user has .rhosts files
● Ensure SNMP Server is not installed
● Ensure password reuse is limited
● Ensure Samba is not installed
● Ensure NIS Server is not installed
● Ensure rsyslog is installed
● Ensure ntp is running as user ntp
● Ensure LDAP server is not installed
● Ensure rsyslog is not configured to receive logs from a remote client
● Ensure no local interactive user has .forward files
● Ensure RDS is disabled
● Ensure no unowned files or directories exist
● Ensure HTTP Proxy Server is not installed
● Ensure rsyslog is configured to send logs to a remote log host
● Ensure NFS is not installed
● Ensure DNS Server is not installed
● Ensure all logfiles have appropriate permissions and ownership
● Ensure SSH AllowTcpForwarding is disabled
● Ensure no world writable files exist
● Ensure FTP Server is not installed
● Ensure local interactive user dot files are not group or world writable
● Ensure local interactive users own their home directories
● Ensure rsyslog default file permissions are configured
● Ensure authentication required for single user mode
● Ensure IMAP and POP3 server are not installed
● Ensure CUPS is not installed
● Ensure RPC is not installed
● Ensure ntp is enabled and running
● Ensure root PATH Integrity
*Additional details:*
● Both analysis and remediation checks are included.
● Some of the checks allow you to use the parameterized setting to enable customization for compliance evaluation. Note that parameterization and remediation actions require the creation of a custom site.
● A few checks were improved by adding the pending restart feature to them. The pending restart feature works as follows:
● The action results will show “Pending Restart” instead of “Fixed” for those checks that require an OS reboot.
● The check will remain relevant for those endpoints until they are rebooted.
● After the endpoint is rebooted, the action results will show as “Fixed” and the check will be compliant.
*Actions to take:*
● To subscribe to the above site, you can use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product and you must be using BigFix version 10 or later.
● If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see Using the Synchronize Custom Checks wizard: <https://help.hcltechsw.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html>
*More information:*
To learn more about the BigFix Compliance SCM checklists, please see the following resources:
● BigFix Forum: https://forum.bigfix.com/c/release-announcements/compliance
● BigFix Compliance SCM Checklists (BigFix Wiki): <https://bigfix-wiki.hcltechsw.com/wikis/home?lang=enus#!/wiki/BigFix%20Wiki/page/SCM%20Checklists>
We hope you find this latest release of SCM content useful and effective.
Thank you!
*– The BigFix Compliance team*