[BESAdmin-Announcements] BigFix Compliance: Updated CIS Checklist for Red Hat Enterprise Linux 8, published 2025-12-19
Announcements for BES Administrators
besadmin-announcements at bigmail.bigfix.com
Mon Dec 22 08:13:32 PST 2025
*Product:*
BigFix Compliance
*Title:*
Updated CIS Checklist for Red Hat Enterprise Linux 8
<https://forum.bigfix.com/t/bigfix-compliance-new-disa-stig-checklist-for-suse-15-published-2024-07-26/49237>
*Security Benchmark:*
CIS Red Hat Enterprise Linux 8 Benchmark, V4.0.0
*Published Sites:*
CIS Checklist for RHEL 8, site version 41
(The site version is provided for air-gap customers.)
*Details:*
● Total New Fixlets: 84
● Total Updated Fixlets: 190
● Total Deleted Fixlets: 97
● Total Fixlets in Site: 312
*New Fixlets:*
● Ensure overlay kernel module is not available
● Ensure firewire-core kernel module is not available
● Ensure unused filesystems kernel modules are not available
● Ensure weak dependencies are configured
● Ensure core file size is configured
● Ensure fs.protected_hardlinks is configured
● Ensure fs.protected_symlinks is configured
● Ensure fs.suid_dumpable is configured
● Ensure kernel.dmesg_restrict is configured
● Ensure kernel.kptr_restrict is configured
● Ensure kernel.yama.ptrace_scope is configured
● Ensure kernel.randomize_va_space is configured
● Ensure systemd-coredump ProcessSizeMax is configured
● Ensure systemd-coredump Storage is configured
● Ensure system wide crypto policy macs are configured
● Ensure system wide crypto policy disables chacha20-poly1305 for ssh
● Ensure system wide crypto policy disables EtM for ssh
● Ensure /etc/motd is configured
● Ensure /etc/issue is configured
● Ensure /etc/issue.net is configured
● Ensure GDM screen lock is configured
● Ensure GDM automount is configured
● Ensure GDM autorun-never is configured
● Ensure GDM disable-user-list is configured
● Ensure Xwayland is configured
● Ensure cockpit web services are not in use
● Ensure access to /etc/cron.yearly is configured
● Ensure access to crontab is configured
● Ensure access to at is configured
● Ensure wireless interfaces are not available
● Ensure atm kernel module is not available
● Ensure can kernel module is not available
● Ensure net.ipv4.ip_forward is configured
● Ensure net.ipv4.conf.all.forwarding is configured
● Ensure net.ipv4.conf.default.forwarding is configured
● Ensure net.ipv4.conf.all.send_redirects is configured
● Ensure net.ipv4.conf.default.send_redirects is configured
● Ensure net.ipv4.icmp_ignore_bogus_error_responses is configured
● Ensure net.ipv4.icmp_echo_ignore_broadcasts is configured
● Ensure net.ipv4.conf.all.accept_redirects is configured
● Ensure net.ipv4.conf.default.accept_redirects is configured
● Ensure net.ipv4.conf.all.secure_redirects is configured
● Ensure net.ipv4.conf.default.secure_redirects is configured
● Ensure net.ipv4.conf.all.rp_filter is configured
● Ensure net.ipv4.conf.default.rp_filter is configured
● Ensure net.ipv4.conf.all.accept_source_route is configured
● Ensure net.ipv4.conf.default.accept_source_route is configured
● Ensure net.ipv4.conf.all.log_martians is configured
● Ensure net.ipv4.conf.default.log_martians is configured
● Ensure net.ipv4.tcp_syncookies is configured
● Ensure net.ipv6.conf.all.forwarding is configured
● Ensure net.ipv6.conf.default.forwarding is configured
● Ensure net.ipv6.conf.all.accept_redirects is configured
● Ensure net.ipv6.conf.default.accept_redirects is configured
● Ensure net.ipv6.conf.all.accept_source_route is configured
● Ensure net.ipv6.conf.default.accept_source_route is configured
● Ensure net.ipv6.conf.all.accept_ra is configured
● Ensure net.ipv6.conf.default.accept_ra is configured
● Ensure firewalld is installed
● Ensure firewalld backend is configured
● Ensure firewalld.service is configured
● Ensure firewalld active zone target is configured
● Ensure firewalld loopback traffic is configured
● Ensure firewalld loopback source address traffic is configured
● Ensure access to /etc/ssh/sshd_config is configured
● Ensure access to /etc/sysconfig/sshd is configured
● Ensure access to SSH private host key files is configured
● Ensure access to SSH public host key files is configured
● Ensure sshd GSSAPIAuthentication is disabled
● Ensure minimum password days is configured
● Ensure root is the only GID 0 account
● Ensure group root is the only GID 0 group
● Ensure root account access is controlled
● Ensure system accounts do not have a valid login shell
● Ensure accounts without a valid login shell are locked
● Ensure journald service is active
● Ensure journald log file rotation is configured
● Ensure journald ForwardToSyslog is disabled
● Ensure systemd-journal-remote service is not in use
● Ensure access to all logfiles has been configured
● Ensure the audit configuration is loaded regardless of errors
● Ensure audit log files mode is configured
● Ensure audit log files owner is configured
● Ensure systemd-journal-upload is enabled and active
*Updated Fixlets:*
● Ensure usb-storage kernel module is not
● Ensure squashfs kernel module is not
● Ensure udf kernel module is not available
● Ensure GPG keys are configured
● Ensure repo_gpgcheck is globally activated
● Ensure package manager repositories are
● Ensure updates, patches, and additional
● Ensure SELinux is installed
● Ensure SELinux is not disabled in
● Ensure SELinux policy is configured
● Ensure the SELinux mode is not disabled
● Ensure the SELinux mode is enforcing
● Ensure no unconfined services exist
● Ensure the MCS Translation Service
● Ensure SETroubleshoot is not installed
● Ensure bootloader password is set
● Ensure system wide crypto policy disables
● Ensure GDM login banner is configured
● Ensure XDMCP is not enabled
● Ensure autofs services are not in use
● Ensure nis server services are not in use
● Ensure print server services are not in use
● Ensure rpcbind services are not in use
● Ensure rsync services are not in use
● Ensure samba file server services are not in
● Ensure snmp services are not in use
● Ensure telnet server services are not in use
● Ensure tftp server services are not in use
● Ensure web proxy server services are not in
● Ensure web server services are not in use
● Ensure avahi daemon services are not in use
● Ensure xinetd services are not in use
● Ensure GNOME Display Manager is
● Ensure X window server services are not in
● Ensure mail transfer agents are configured
● Ensure only approved services are listening
● Ensure dhcp server services are not in use
● Ensure dns server services are not in use
● Ensure dnsmasq services are not in use
● Ensure ftp server services are not in use
● Ensure message access server services are
● Ensure network file system services are not
● Ensure ftp client is not installed
● Ensure ldap client is not installed
● Ensure nis client is not installed
● Ensure telnet client is not installed
● Ensure tftp client is not installed
● Ensure time synchronization is in use
● Ensure chrony is configured
● Ensure chrony is not run as the root user
● Ensure cron daemon is enabled and active
● Ensure dccp kernel module is not available
● Ensure rds kernel module is not available
● Ensure sctp kernel module is not available
● Ensure tipc kernel module is not available
● Ensure sshd crypto_policy is not set
● Ensure sshd DisableForwarding is enabled
● Ensure sshd HostbasedAuthentication is
● Ensure sshd IgnoreRhosts is enabled
● Ensure sshd KexAlgorithms is configured
● Ensure sshd LoginGraceTime is configured
● Ensure sshd LogLevel is configured
● Ensure sshd MACs are configured
● Ensure sshd MaxAuthTries is configured
● Ensure sshd MaxSessions is configured
● Ensure sshd MaxStartups is configured
● Ensure sshd PermitEmptyPasswords is
● Ensure sshd PermitRootLogin is disabled
● Ensure sshd PermitUserEnvironment is
● Ensure sshd UsePAM is enabled
● Ensure sshd access is configured
● Ensure sshd Banner is configured
● Ensure sshd Ciphers are configured
● Ensure sshd ClientAliveInterval and
● Ensure sudo is installed
● Ensure sudo commands use pty
● Ensure sudo log file exists
● Ensure users must provide password for
● Ensure re-authentication for privilege
● Ensure access to the su command is
● Ensure latest version of pam is installed
● Ensure latest version of authselect is
● Ensure active authselect profile includes
● Ensure pam_faillock module is enabled
● Ensure pam_pwquality module is enabled
● Ensure pam_pwhistory module is enabled
● Ensure pam_unix module is enabled
● Ensure password failed attempts lockout
● Ensure password unlock time is
● Ensure password failed attempts lockout
● Ensure password number of changed
● Ensure password length is configured
● Ensure password complexity is
● Ensure password same consecutive
● Ensure password maximum sequential
● Ensure password dictionary check is
● Ensure password quality is enforced for
● Ensure password history remember is
● Ensure password history is enforced for
● Ensure pam_pwhistory includes
● Ensure pam_unix does not include nullok
● Ensure pam_unix does not include
● Ensure pam_unix includes a strong
● Ensure pam_unix includes use_authtok
● Ensure strong password hashing algorithm
● Ensure all users last password change
● Ensure root is the only UID 0 account
● Ensure root path integrity
● Ensure root user umask is configured
● Ensure nologin is not listed in /etc/shells
● Ensure default user shell timeout is
● Ensure default user umask is configured
● Ensure AIDE is installed
● Ensure filesystem integrity is regularly
● Ensure cryptographic mechanisms are used
● Ensure systemd-journal-remote is
● Ensure rsyslog is installed
● Ensure journald is configured to send logs
● Ensure rsyslog is configured to send logs to
● Ensure rsyslog is not configured to receive
● Ensure logrotate is configured
● Ensure auditing for processes that start
● Ensure audit log storage size is configured
● Ensure audit logs are not automatically
● Ensure system is disabled when audit logs
● Ensure system warns when audit logs are
● Ensure changes to system administration
● Ensure successful file system mounts are
● Ensure session initiation information is
● Ensure login and logout events are
● Ensure file deletion events by users are
● Ensure events that modify the system's
● Ensure kernel module loading unloading
● Ensure actions as another user are always
● Ensure the audit configuration is
● Ensure the running and on disk
● Ensure events that modify the sudo log file
● Ensure events that modify date and time
● Ensure events that modify the system's
● Ensure use of privileged commands are collected
● Ensure unsuccessful file access attempts
● Ensure events that modify user/group
● Ensure discretionary access control
● Ensure world writable files and directories
● Ensure SUID and SGID files are reviewed
● Ensure accounts in /etc/passwd use
● Ensure /etc/shadow password fields are not
● Ensure all groups in /etc/passwd exist in
● Ensure no duplicate UIDs exist
● Ensure no duplicate GIDs exist
● Ensure no duplicate user names exist
● Ensure no duplicate group names exist
● Ensure local interactive user home
● Ensure local interactive user dot files access
● Ensure cramfs kernel module is not
● Ensure freevxfs kernel module is not
● Ensure hfs kernel module is not available
● Ensure hfsplus kernel module is not
● Ensure jffs2 kernel module is not available
● Ensure nodev option set on /tmp partition
● Ensure nosuid option set on /tmp
● Ensure noexec option set on /tmp
● Ensure nodev option set on /dev/shm
● Ensure nosuid option set on /dev/shm
● Ensure noexec option set on /dev/shm
● Ensure separate partition exists for
● Ensure nodev option set on /home
● Ensure nosuid option set on /home
● Ensure separate partition exists for /var
● Ensure nodev option set on /var partition
● Ensure nosuid option set on /var partition
● Ensure separate partition exists for
● Ensure nodev option set on /var/tmp
● Ensure nosuid option set on /var/tmp
● Ensure noexec option set on /var/tmp
● Ensure separate partition exists for
● Ensure nodev option set on /var/log
● Ensure nosuid option set on /var/log
● Ensure noexec option set on /var/log
● Ensure separate partition exists for
● Ensure nodev option set on /var/log/audit
● Ensure nosuid option set on
● Ensure noexec option set on
● Ensure system wide crypto policy is not set to
● Ensure system wide crypto policy disables
● Ensure access to /etc/motd is configured
● Ensure access to /etc/issue is configured
● Ensure access to /etc/issue.net is configured
● Ensure IPv6 status is identified
● Ensure bluetooth services are not in use
*Deleted Fixlets:*
● Ensure /tmp is a separate partition
● Ensure /dev/shm is a separate partition
● Ensure gpgcheck is globally activated
● Ensure permissions on bootloader config are configured
● Ensure address space layout randomization (ASLR) is enabled
● Ensure ptrace_scope is restricted
● Ensure core dump backtraces are disabled
● Ensure core dump storage is disabled
● Ensure system wide crypto policy disables macs less than 128 bits
● Ensure message of the day is configured properly
● Ensure local login warning banner is configured properly
● Ensure remote login warning banner is configured properly
● Ensure GDM disable-user-list option is enabled
● Ensure GDM screen locks when the user is idle
● Ensure GDM screen locks cannot be overridden
● Ensure GDM automatic mounting of removable media is disabled
● Ensure GDM disabling automatic mounting of removable media is not overridden
● Ensure GDM autorun-never is enabled
● Ensure GDM autorun-never is not overridden
● Ensure wireless interfaces are disabled
● Ensure ip forwarding is disabled
● Ensure tcp syn cookies is enabled
● Ensure ipv6 router advertisements are not accepted
● Ensure packet redirect sending is disabled
● Ensure bogus icmp responses are ignored
● Ensure broadcast icmp requests are ignored
● Ensure icmp redirects are not accepted
● Ensure secure icmp redirects are not accepted
● Ensure reverse path filtering is enabled
● Ensure source routed packets are not accepted
● Ensure suspicious packets are logged
● Ensure nftables is installed
● Ensure a single firewall configuration utility is in use
● Ensure nftables base chains exist
● Ensure host based firewall loopback traffic is configured
● Ensure firewalld drops unnecessary services and ports
● Ensure nftables established connections are configured
● Ensure nftables default deny firewall policy
● Ensure permissions on /etc/crontab are configured
● Ensure permissions on /etc/cron.hourly are configured
● Ensure permissions on /etc/cron.daily are configured
● Ensure permissions on /etc/cron.weekly are configured
● Ensure permissions on /etc/cron.monthly are configured
● Ensure permissions on /etc/cron.d are configured
● Ensure crontab is restricted to authorized users
● Ensure at is restricted to authorized users
● Ensure permissions on /etc/ssh/sshd_config are configured
● Ensure permissions on SSH private host key files are configured
● Ensure permissions on SSH public host key files are configured
● Ensure sudo authentication timeout is configured correctly
● Ensure password expiration is 365 days or less
● Ensure password expiration warning days is 7 or more
● Ensure inactive password lock is 30 days or less
● Ensure default group for the root account is GID 0
● Ensure system accounts are secured
● Ensure root password is set
● Ensure rsyslog service is enabled
● Ensure rsyslog default file permissions are configured
● Ensure logging is configured
● Ensure systemd-journal-remote is configured
● Ensure systemd-journal-remote is enabled
● Ensure journald is not configured to receive logs from a remote client
● Ensure journald service is enabled
● Ensure journald is configured to compress large log files
● Ensure journald is configured to write logfiles to persistent disk
● Ensure journald is not configured to send logs to rsyslog
● Ensure journald log rotation is configured per site policy
● Ensure all logfiles have appropriate access configured
● Ensure audit is installed
● Ensure audit_backlog_limit is sufficient
● Ensure auditd service is enabled
● Ensure successful and unsuccessful attempts to use the chcon command are recorded
● Ensure successful and unsuccessful attempts to use the setfacl command are recorded
● Ensure successful and unsuccessful attempts to use the chacl command are recorded
● Ensure successful and unsuccessful attempts to use the usermod command are recorded
● Ensure the audit log directory is 0750 or more restrictive
● Ensure audit tools belong to group root
● Ensure audit log files are mode 0640 or less permissive
● Ensure only authorized users own audit log files
● Ensure only authorized groups are assigned ownership of audit log files
● Ensure audit configuration files are 640 or more restrictive
● Ensure audit configuration files are owned by root
● Ensure audit configuration files belong to group root
● Ensure audit tools are 755 or more restrictive
● Ensure audit tools are owned by root
● Ensure permissions on /etc/passwd are configured
● Ensure permissions on /etc/shells are configured
● Ensure no unowned or ungrouped files or directories exist
● Audit system file permissions
● Ensure permissions on /etc/passwd- are configured
● Ensure permissions on /etc/opasswd are configured
● Ensure permissions on /etc/group are configured
● Ensure permissions on /etc/group- are configured
● Ensure permissions on /etc/shadow are configured
● Ensure permissions on /etc/shadow- are configured
● Ensure permissions on /etc/gshadow are configured
● Ensure permissions on /etc/gshadow- are configured
*Additional details:*
● Both analysis and remediation checks are included.
● Some of the checks allow you to use the parameterized setting to enable customization for compliance evaluation. Note that parameterization and remediation actions require the creation of a custom site.
● Improved a few checks by adding the pending restart feature to them. The pending restart feature works in the following ways:
  ● The action results will show “Pending Restart” instead of “Fixed” for those checks which require an OS reboot.
  ● The check will show as relevant for those endpoints until they are rebooted.
  ● After the endpoint is rebooted, the action results will show as “Fixed” and the check will be compliant.
*Actions to take:*
● To subscribe to the above site, you can use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product and you must be using BigFix version 10.0.0 or later.
● If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see Using the Synchronize Custom Checks wizard
<https://help.hcltechsw.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html>
*More information:*
To know more about the BigFix Compliance SCM checklists, please see the following resources:
● BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance
● BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/SCM%20Checklists
We hope you find this latest release of SCM content useful and effective.
Thank you!
*– The BigFix Compliance team*