[BESAdmin-Announcements] Enhanced Security for SCM Middleware and Unix Checklists
Announcements for BES Administrators
besadmin-announcements at bigmail.bigfix.com
Wed Jun 4 06:53:56 PDT 2025
Product: BigFix Compliance
Title: Enhanced Security for SCM Middleware and Unix Checklists
At BigFix, we continuously invest in strengthening the security,
consistency, and reliability of our platform. As part of this ongoing
initiative, we’ve introduced key enhancements to the security of SCM
Middleware and Unix checklists, along with improvements that promote more
consistent compliance assessments and simplify the management of checklist
content.
What’s New?
- We have introduced a more secure content delivery model for Middleware
and Unix checklists.
  - With this enhancement, when the Environment Setup task Action is
  executed, it will securely download a sqlite_detect.db file from the
  external site - only after verifying the file’s integrity through a hash
  and SHA-256 checksum. This file contains all relevant detect scripts.
  - Using relevance, the agent will retrieve the IDs of all fixlets in
  the current checklist and extract the corresponding detect scripts for
  each ID, then execute them sequentially on the endpoint.
- We added Desired Values for all checks across the checklists listed
in the table below.
- The Synchronize Custom Checks wizard is now supported for Unix and
Middleware checklists.
Why This Matters
- This enhancement ensures that detect scripts are securely delivered at
runtime and are no longer persistently stored or modifiable on endpoints.
This adds an extra layer of protection by enabling compliance content to be
executed in a secure, controlled, and verifiable manner, strengthening the
reliability and trustworthiness of compliance checks across SCM Middleware
and Unix checklists.
- Inclusion of Desired Values across all checklists and support for
synchronization of Middleware and Unix checklists via the Synchronize
Custom Checks wizard help achieve more consistent compliance
assessments and streamlined content management.
What’s Covered
This enhancement applies to the following SCM checklists:
Released Checklists

| SL Number | Checklist Name | Site Version |
|---|---|---|
| 1 | CIS Checklist for AIX 7.x | 5 |
| 2 | DISA STIG Checklist for AIX 7.x | 11 |
| 3 | CIS Checklist for Solaris 11.4 | 7 |
| 4 | CIS Checklist for Solaris 11.1 | 3 |
| 5 | DISA STIG Checklist for Solaris 11 | 20 |
| 6 | CIS Checklist for MacOS 15 | 4 |
| 7 | CIS Checklist for MacOS 14 | 9 |
| 8 | CIS Checklist for MacOS 13 | 10 |
| 9 | CIS Checklist for MacOS 12 | 9 |
| 10 | DISA STIG Checklist for MacOS 15 | 2 |
| 11 | DISA STIG Checklist for MacOS 14 | 5 |
| 12 | DISA STIG Checklist for Mac OS 13 | 4 |
| 13 | DISA STIG Checklist for Mac OS 12 | 7 |
| 14 | CIS Checklist for MS SQL Server 2016 | 14 |
| 15 | CIS Checklist for MS SQL Server 2014 | 7 |
| 16 | CIS Checklist for MS SQL Server 2017 | 11 |
| 17 | CIS Checklist for MS SQL Server 2019 | 18 |
| 18 | CIS Checklist for MS SQL Server 2022 | 7 |
| 19 | DISA STIG Checklist for MS SQL Server 2014 | 6 |
| 20 | DISA STIG Checklist for MS SQL Server 2016 | 8 |
| 21 | CIS Checklist for IBM DB2 11 on Linux | 4 |
| 22 | CIS Checklist for IBM DB2 11 on Windows | 2 |
| 23 | CIS Checklist for MS IIS 10 | 18 |
| 24 | DISA STIG Checklist for MS IIS 10.0 | 18 |
| 25 | CIS Checklist for Apache Server 2_4 on Linux | 8 |
| 26 | DISA STIG Checklist for Apache Server 2_4 on Windows | 12 |
| 27 | DISA STIG Checklist for Apache Server 2.4 on Linux | 21 |
| 28 | CIS Checklist for Apache Tomcat 10.1 on Linux | 3 |
| 29 | CIS Checklist for Apache Tomcat 10 on Linux | 4 |
| 30 | CIS Checklist for Apache Tomcat 9 on Linux | 4 |
| 31 | DISA STIG Checklist for Apache Tomcat 9 Server on Linux | 7 |
| 32 | CIS Checklist for Oracle 19C database on Windows | 7 |
| 33 | DISA STIG Checklist for Oracle Database 19c on Windows | 2 |
| 34 | CIS Checklist for Oracle 19C database on Linux | 10 |
| 35 | DISA Checklist for Oracle 19C database on Linux | 6 |

What Stays Unchanged:
- No changes to directory structures, script paths, or log file
locations.
- The way compliance is evaluated remains the same.
- No SQLite installation is required on endpoints.
Actions to take:
- To subscribe to the above site, you can use the License Overview
Dashboard to enable and gather the site. Note that you must be entitled to
the BigFix Compliance product, and you must be using BigFix version 10 or
later.
Steps: Dashboard -> License Overview -> Select and Enable Site ->
Gather Site
- If you use custom sites, please update them to incorporate the latest
content. You can do this using the Synchronize Custom Checks wizard.
Note: *During the initial synchronization, you will notice that all
checks are removed and then re-added.*
Note: *For the first synchronization, manually copy the Environment Setup
Tasks from the external site and remove the old Environment Setup task.
Starting with the next release, synchronization for these checklists
will be fully seamless.*
More information:
To learn more about the BigFix Compliance SCM checklists, please see the
following resources:
- BigFix Forum
<https://forum.bigfix.com/c/release-announcements/compliance>
- BigFix Compliance SCM Checklists
<https://bigfix-wiki.hcltechsw.com/wikis/home?lang=enus#!/wiki/BigFix%20Wiki/page/SCM%20Checklists>
*– The BigFix Compliance team*