[BESAdmin-Announcements] BigFix Compliance: Updated CIS Checklist for Ubuntu Linux 20.04, published 2025-06-16
Announcements for BES Administrators
besadmin-announcements at bigmail.bigfix.com
Thu Jun 19 09:39:11 PDT 2025
*Product:*
BigFix Compliance
*Title:*
Updated CIS Checklist for Ubuntu Linux 20.04
*Security Benchmark:*
CIS Checklist for Ubuntu Linux 20.04 LTS Benchmark, v3.0.0
*Published Sites:*
CIS Checklist for Ubuntu20, site version 11
(The site version is provided for air-gap customers.)
*Details:*
● Total New Fixlets: 172
● Total Updated Fixlets: 124
● Total Deleted Fixlets: 149
● Total Fixlets in Site: 298
*New Items:*
● Ensure cramfs kernel module is not available
● Ensure freevxfs kernel module is not available
● Ensure hfs kernel module is not available
● Ensure hfsplus kernel module is not available
● Ensure jffs2 kernel module is not available
● Ensure overlay kernel module is not available
● Ensure squashfs kernel module is not available
● Ensure udf kernel module is not available
● Ensure usb-storage kernel module is not available
● Ensure /dev/shm is a separate partition
● Ensure latest versions of the apparmor packages are installed
● Ensure all AppArmor Profiles are not disabled
● Ensure access to bootloader config is configured
● Ensure address space layout randomization is enabled
● Ensure /etc/motd is configured
● Ensure /etc/issue is configured
● Ensure /etc/issue.net is configured
● Ensure access to /etc/motd is configured
● Ensure access to /etc/issue is configured
● Ensure access to /etc/issue.net is configured
● Ensure GDM is removed
● Ensure XDMCP is not enabled
● Ensure autofs services are not in use
● Ensure nis server services are not in use
● Ensure print server services are not in use
● Ensure rpcbind services are not in use
● Ensure rsync services are not in use
● Ensure samba file server services are not in use
● Ensure snmp services are not in use
● Ensure tftp server services are not in use
● Ensure web proxy server services are not in use
● Ensure web server services are not in use
● Ensure xinetd services are not in use
● Ensure avahi daemon services are not in use
● Ensure X window server services are not in use
● Ensure mail transfer agents are configured for local-only mode
● Ensure dhcp server services are not in use
● Ensure dns server services are not in use
● Ensure dnsmasq services are not in use
● Ensure ftp server services are not in use
● Ensure ldap server services are not in use
● Ensure message access server services are not in use
● Ensure network file system services are not in use
● Ensure nis client is not installed
● Ensure ldap client is not installed
● Ensure ftp client is not installed
● Ensure access to /etc/crontab is configured
● Ensure access to /etc/cron.hourly is configured
● Ensure access to /etc/cron.daily is configured
● Ensure access to /etc/cron.weekly is configured
● Ensure access to /etc/cron.monthly is configured
● Ensure access to /etc/cron.yearly is configured
● Ensure access to /etc/cron.d is configured
● Ensure access to crontab is configured
● Ensure access to at is configured
● Ensure wireless interfaces are not available
● Ensure bluetooth services are not in use
● Ensure dccp kernel module is not available
● Ensure tipc kernel module is not available
● Ensure rds kernel module is not available
● Ensure sctp kernel module is not available
● Ensure ip forwarding is disabled
● Ensure tcp syn cookies is enabled
● Ensure ipv6 router advertisements are not accepted
● Ensure bogus icmp responses are ignored
● Ensure broadcast icmp requests are ignored
● Ensure icmp redirects are not accepted
● Ensure secure icmp redirects are not accepted
● Ensure reverse path filtering is enabled
● Ensure a single firewall configuration utility is in use
● Ensure nftables is not in use with ufw
● Ensure nftables is not in use with iptables
● Ensure ufw is not in use with iptables
● Ensure access to /etc/ssh/sshd_config is configured
● Ensure sshd HostbasedAuthentication is disabled
● Ensure sshd IgnoreRhosts is enabled
● Ensure sshd KexAlgorithms is configured
● Ensure sshd LoginGraceTime is configured
● Ensure sshd LogLevel is configured
● Ensure sshd MACs are configured
● Ensure sshd MaxAuthTries is configured
● Ensure sshd MaxSessions is configured
● Ensure sshd MaxStartups is configured
● Ensure sshd PermitEmptyPasswords is disabled
● Ensure access to SSH private host key files is configured
● Ensure sshd PermitRootLogin is disabled
● Ensure sshd PermitUserEnvironment is disabled
● Ensure sshd UsePAM is enabled
● Ensure access to SSH public host key files is configured
● Ensure sshd access is configured
● Ensure sshd Banner is configured
● Ensure sshd Ciphers are configured
● Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured
● Ensure sshd DisableForwarding is enabled
● Ensure sshd GSSAPIAuthentication is disabled
● Ensure sudo authentication timeout is configured
● Ensure latest version of pam is installed
● Ensure latest version of libpam-modules is installed
● Ensure latest version of libpam-pwquality is installed
● Ensure pam_unix module is enabled
● Ensure pam_faillock module is enabled
● Ensure pam_pwquality module is enabled
● Ensure pam_pwhistory module is enabled
● Ensure password failed attempts lockout is configured
● Ensure password unlock time is configured
● Ensure password failed attempts lockout includes root account
● Ensure password number of changed characters is configured
● Ensure minimum password length is configured
● Ensure password complexity is configured
● Ensure password same consecutive characters is configured
● Ensure password maximum sequential characters is configured
● Ensure password dictionary check is enabled
● Ensure password quality checking is enforced
● Ensure password quality is enforced for the root user
● Ensure password history remember is configured
● Ensure password history is enforced for the root user
● Ensure pam_pwhistory includes use_authtok
● Ensure pam_unix does not include nullok
● Ensure pam_unix does not include remember
● Ensure pam_unix includes a strong password hashing algorithm
● Ensure pam_unix includes use_authtok
● Ensure password expiration is configured
● Ensure minimum password days is configured
● Ensure password expiration warning days is configured
● Ensure inactive password lock is configured
● Ensure root is the only GID 0 account
● Ensure group root is the only GID 0 group
● Ensure root account access is controlled
● Ensure root path integrity
● Ensure root user umask is configured
● Ensure system accounts do not have a valid login shell
● Ensure accounts without a valid login shell are locked
● Ensure default user umask is configured
● Ensure journald service is enabled and active
● Ensure journald log file rotation is configured
● Ensure systemd-journal-upload authentication is configured
● Ensure systemd-journal-upload is enabled and active
● Ensure systemd-journal-remote service is not in use
● Ensure journald ForwardToSyslog is disabled
● Ensure journald Compress is configured
● Ensure journald Storage is configured
● Ensure rsyslog service is enabled and active
● Ensure rsyslog log file creation mode is configured
● Ensure access to all logfiles has been configured
● Ensure auditd packages are installed
● Ensure audit_backlog_limit is configured
● Ensure system warns when audit logs are low on space
● Ensure successful and unsuccessful attempts to use the chcon command are collected
● Ensure successful and unsuccessful attempts to use the setfacl command are collected
● Ensure successful and unsuccessful attempts to use the chacl command are collected
● Ensure successful and unsuccessful attempts to use the usermod command are collected
● Ensure audit log files mode is configured
● Ensure audit tools group owner is configured
● Ensure audit log files owner is configured
● Ensure audit log files group owner is configured
● Ensure the audit log file directory mode is configured
● Ensure audit configuration files mode is configured
● Ensure audit configuration files owner is configured
● Ensure audit configuration files group owner is configured
● Ensure audit tools mode is configured
● Ensure audit tools owner is configured
● Ensure access to /etc/passwd is configured
● Ensure access to /etc/security/opasswd is configured
● Ensure no files or directories without an owner and a group exist
● Ensure access to /etc/passwd- is configured
● Ensure access to /etc/group is configured
● Ensure access to /etc/group- is configured
● Ensure access to /etc/shadow is configured
● Ensure access to /etc/shadow- is configured
● Ensure access to /etc/gshadow is configured
● Ensure access to /etc/gshadow- is configured
● Ensure access to /etc/shells is configured
*Modified Items:*
● Ensure /tmp is a separate partition
● Ensure nodev option set on /tmp partition
● Ensure nosuid option set on /tmp partition
● Ensure noexec option set on /tmp partition
● Ensure nodev option set on /dev/shm partition
● Ensure nosuid option set on /dev/shm partition
● Ensure noexec option set on /dev/shm partition
● Ensure separate partition exists for /home
● Ensure nodev option set on /home partition
● Ensure nosuid option set on /home partition
● Ensure separate partition exists for /var
● Ensure nodev option set on /var partition
● Ensure nosuid option set on /var partition
● Ensure separate partition exists for /var/tmp
● Ensure nodev option set on /var/tmp partition
● Ensure nosuid option set on /var/tmp partition
● Ensure noexec option set on /var/tmp partition
● Ensure separate partition exists for /var/log
● Ensure nodev option set on /var/log partition
● Ensure nosuid option set on /var/log partition
● Ensure noexec option set on /var/log partition
● Ensure separate partition exists for /var/log/audit
● Ensure nodev option set on /var/log/audit partition
● Ensure nosuid option set on /var/log/audit partition
● Ensure noexec option set on /var/log/audit partition
● Ensure GPG keys are configured
● Ensure updates, patches, and additional security software are installed
● Ensure AppArmor is enabled in the bootloader configuration
● Ensure all AppArmor Profiles are enforcing
● Ensure ptrace_scope is restricted
● Ensure core dumps are restricted
● Ensure prelink is not installed
● Ensure Automatic Error Reporting is not enabled
● Ensure GDM login banner is configured
● Ensure GDM disable-user-list option is enabled
● Ensure GDM screen locks when the user is idle
● Ensure GDM screen locks cannot be overridden
● Ensure GDM automatic mounting of removable media is disabled
● Ensure GDM disabling automatic mounting of removable media is not overridden
● Ensure GDM autorun-never is enabled
● Ensure GDM autorun-never is not overridden
● Ensure rsh client is not installed
● Ensure talk client is not installed
● Ensure telnet client is not installed
● Ensure a single time synchronization daemon is in use
● Ensure systemd-timesyncd configured with authorized timeserver
● Ensure systemd-timesyncd is enabled and running
● Ensure chrony is configured with authorized timeserver
● Ensure chrony is running as user _chrony
● Ensure chrony is enabled and running
● Ensure cron daemon is enabled and active
● Ensure packet redirect sending is disabled
● Ensure source routed packets are not accepted
● Ensure suspicious packets are logged
● Ensure ufw is installed
● Ensure iptables-persistent is not installed with ufw
● Ensure ufw service is enabled
● Ensure ufw loopback traffic is configured
● Ensure ufw default deny firewall policy
● Ensure nftables is installed
● Ensure nftables rules are permanent
● Ensure ufw is uninstalled or disabled with nftables
● Ensure iptables are flushed with nftables
● Ensure a nftables table exists
● Ensure nftables base chains exist
● Ensure nftables loopback traffic is configured
● Ensure nftables default deny firewall policy
● Ensure nftables service is enabled
● Ensure iptables packages are installed
● Ensure iptables default deny firewall policy
● Ensure iptables loopback traffic is configured
● Ensure ip6tables default deny firewall policy
● Ensure ip6tables loopback traffic is configured
● Ensure sudo is installed
● Ensure sudo commands use pty
● Ensure sudo log file exists
● Ensure users must provide password for privilege escalation
● Ensure re-authentication for privilege escalation is not disabled globally
● Ensure access to the su command is restricted
● Ensure strong password hashing algorithm is configured
● Ensure all users last password change date is in the past
● Ensure root is the only UID 0 account
● Ensure nologin is not listed in /etc/shells
● Ensure default user shell timeout is configured
● Ensure AIDE is installed
● Ensure filesystem integrity is regularly checked
● Ensure cryptographic mechanisms are used to protect the integrity of audit tools
● Ensure systemd-journal-remote is installed
● Ensure rsyslog is installed
● Ensure journald is configured to send logs to rsyslog
● Ensure rsyslog is configured to send logs to a remote log host
● Ensure rsyslog is not configured to receive logs from a remote client
● Ensure auditd service is enabled and active
● Ensure auditing for processes that start prior to auditd is enabled
● Ensure audit log storage size is configured
● Ensure audit logs are not automatically deleted
● Ensure system is disabled when audit logs are full
● Ensure changes to system administration scope (sudoers) is collected
● Ensure successful file system mounts are collected
● Ensure session initiation information is collected
● Ensure login and logout events are collected
● Ensure file deletion events by users are collected
● Ensure events that modify the system's Mandatory Access Controls are collected
● Ensure kernel module loading unloading and modification is collected
● Ensure actions as another user are always logged
● Ensure the audit configuration is immutable
● Ensure the running and on disk configuration is the same
● Ensure events that modify the sudo log file are collected
● Ensure events that modify date and time information are collected
● Ensure events that modify the system's network environment are collected
● Ensure use of privileged commands are collected
● Ensure unsuccessful file access attempts are collected
● Ensure events that modify user/group information are collected
● Ensure discretionary access control permission modification events are collected
● Ensure world writable files and directories are secured
● Ensure accounts in /etc/passwd use shadowed passwords
● Ensure local interactive user dot files access is configured
● Ensure /etc/shadow password fields are not empty
● Ensure all groups in /etc/passwd exist in /etc/group
● Ensure shadow group is empty
● Ensure no duplicate UIDs exist
● Ensure no duplicate GIDs exist
● Ensure no duplicate user names exist
● Ensure no duplicate group names exist
*Deleted Items:*
● Ensure mounting of cramfs filesystems is disabled
● Ensure mounting of freevxfs filesystems is disabled
● Ensure mounting of jffs2 filesystems is disabled
● Ensure mounting of hfs filesystems is disabled
● Ensure mounting of hfsplus filesystems is disabled
● Ensure mounting of squashfs filesystems is disabled
● Ensure mounting of udf filesystems is disabled
● Disable USB Storage
● Disable Automounting
● Ensure permissions on bootloader config are configured
● Ensure authentication required for single user mode
● Ensure address space layout randomization (ASLR) is enabled
● Ensure AppArmor is installed
● Ensure all AppArmor Profiles are in enforce or complain mode
● Ensure message of the day is configured properly
● Ensure local login warning banner is configured properly
● Ensure remote login warning banner is configured properly
● Ensure permissions on /etc/motd are configured
● Ensure permissions on /etc/issue are configured
● Ensure permissions on /etc/issue.net are configured
● Ensure GNOME Display Manager is removed
● Ensure XDCMP is not enabled
● Ensure ntp access control is configured
● Ensure ntp is configured with authorized timeserver
● Ensure ntp is running as user ntp
● Ensure ntp is enabled and running
● Ensure X Window System is not installed
● Ensure IMAP and POP3 server are not installed
● Ensure Samba is not installed
● Ensure HTTP Proxy Server is not installed
● Ensure SNMP Server is not installed
● Ensure NIS Server is not installed
● Ensure dnsmasq is not installed
● Ensure mail transfer agent is configured for local-only mode
● Ensure rsync service is either not installed or is masked
● Ensure Avahi Server is not installed
● Ensure CUPS is not installed
● Ensure DHCP Server is not installed
● Ensure LDAP server is not installed
● Ensure NFS is not installed
● Ensure DNS Server is not installed
● Ensure FTP Server is not installed
● Ensure HTTP server is not installed
● Ensure NIS Client is not installed
● Ensure LDAP client is not installed
● Ensure RPC is not installed
● Ensure nonessential services are removed or masked
● Ensure wireless interfaces are disabled
● Ensure bluetooth is disabled
● Ensure DCCP is disabled
● Ensure SCTP is disabled
● Ensure RDS is disabled
● Ensure TIPC is disabled
● Ensure IP forwarding is disabled
● Ensure ICMP redirects are not accepted
● Ensure secure ICMP redirects are not accepted
● Ensure broadcast ICMP requests are ignored
● Ensure bogus ICMP responses are ignored
● Ensure Reverse Path Filtering is enabled
● Ensure TCP SYN Cookies is enabled
● Ensure IPv6 router advertisements are not accepted
● Ensure nftables is not installed with iptables
● Ensure ufw is uninstalled or disabled with iptables
● Ensure permissions on /etc/crontab are configured
● Ensure permissions on /etc/cron.hourly are configured
● Ensure permissions on /etc/cron.daily are configured
● Ensure permissions on /etc/cron.weekly are configured
● Ensure permissions on /etc/cron.monthly are configured
● Ensure permissions on /etc/cron.d are configured
● Ensure cron is restricted to authorized users
● Ensure at is restricted to authorized users
● Ensure permissions on /etc/ssh/sshd_config are configured
● Ensure SSH PermitUserEnvironment is disabled
● Ensure SSH IgnoreRhosts is enabled
● Ensure SSH X11 forwarding is disabled
● Ensure only strong Ciphers are used
● Ensure only strong MAC algorithms are used
● Ensure only strong Key Exchange algorithms are used
● Ensure SSH AllowTcpForwarding is disabled
● Ensure SSH warning banner is configured
● Ensure SSH MaxAuthTries is set to 4 or less
● Ensure SSH MaxStartups is configured
● Ensure permissions on SSH private host key files are configured
● Ensure SSH LoginGraceTime is set to one minute or less
● Ensure SSH MaxSessions is set to 10 or less
● Ensure SSH Idle Timeout Interval is configured
● Ensure permissions on SSH public host key files are configured
● Ensure SSH access is limited
● Ensure SSH LogLevel is appropriate
● Ensure SSH PAM is enabled
● Ensure SSH root login is disabled
● Ensure SSH HostbasedAuthentication is disabled
● Ensure SSH PermitEmptyPasswords is disabled
● Ensure sudo authentication timeout is configured correctly
● Ensure password creation requirements are configured
● Ensure lockout for failed password attempts is configured
● Ensure password reuse is limited
● Ensure all current passwords uses the configured hashing algorithm
● Ensure minimum days between password changes is configured
● Ensure password expiration is 365 days or less
● Ensure password expiration warning days is 7 or more
● Ensure inactive password lock is 30 days or less
● Ensure the number of changed characters in a new password is configured
● Ensure preventing the use of dictionary words for passwords is configured
● Ensure system accounts are secured
● Ensure default group for the root account is GID 0
● Ensure default user umask is 027 or more restrictive
● Ensure maximum number of same consecutive characters in a password is configured
● Ensure systemd-journal-remote is configured
● Ensure systemd-journal-remote is enabled
● Ensure journald is not configured to receive logs from a remote client
● Ensure journald service is enabled
● Ensure journald is configured to compress large log files
● Ensure journald is configured to write logfiles to persistent disk
● Ensure journald is not configured to send logs to rsyslog
● Ensure journald log rotation is configured per site policy
● Ensure journald default file permissions configured
● Ensure rsyslog service is enabled
● Ensure rsyslog default file permissions are configured
● Ensure logging is configured
● Ensure all logfiles have appropriate access configured
● Ensure auditd is installed
● Ensure audit_backlog_limit is sufficient
● Ensure successful and unsuccessful attempts to use the chcon command are recorded
● Ensure successful and unsuccessful attempts to use the setfacl command are recorded
● Ensure successful and unsuccessful attempts to use the chacl command are recorded
● Ensure successful and unsuccessful attempts to use the usermod command are recorded
● Ensure audit log files are mode 0640 or less permissive
● Ensure audit tools belong to group root
● Ensure only authorized users own audit log files
● Ensure only authorized groups are assigned ownership of audit log files
● Ensure the audit log directory is 0750 or more restrictive
● Ensure audit configuration files are 640 or more restrictive
● Ensure audit configuration files are owned by root
● Ensure audit configuration files belong to group root
● Ensure audit tools are 755 or more restrictive
● Ensure audit tools are owned by root
● Ensure permissions on /etc/passwd are configured
● Ensure permissions on /etc/opasswd are configured
● Ensure no unowned or ungrouped files or directories exist
● Ensure permissions on /etc/passwd- are configured
● Ensure permissions on /etc/group are configured
● Ensure permissions on /etc/group- are configured
● Ensure permissions on /etc/shadow are configured
● Ensure permissions on /etc/shadow- are configured
● Ensure permissions on /etc/gshadow are configured
● Ensure permissions on /etc/gshadow- are configured
● Ensure permissions on /etc/shells are configured
● Ensure root PATH Integrity
*Additional details:*
● Both analysis and remediation checks are included
● Some of the checks allow you to use the parameterized setting to enable customization for compliance evaluation. Note that parameterization and remediation actions require the creation of a custom site.
A few checks have been improved by adding the pending restart feature to them. The pending restart feature works in the following ways:
● The action results will show “Pending Restart” instead of “Fixed” for those checks that require an OS reboot.
● The check will remain relevant for those endpoints until they are rebooted.
● After the endpoint is rebooted, the action results will show as “Fixed” and the check will be compliant.
*Actions to take:*
● To subscribe to the above site, you can use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product and you must be using BigFix version 9.5 and later.
● If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see Using the Synchronize Custom Checks wizard: <https://help.hcltechsw.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html>
*More information:*
To know more about the BigFix Compliance SCM checklists, please see the following resources:
● BigFix Forum: https://forum.bigfix.com/c/release-announcements/compliance
● BigFix Compliance SCM Checklists: <https://bigfix-wiki.hcltechsw.com/wikis/home?lang=enus#!/wiki/BigFix%20Wiki/page/SCM%20Checklists>
We hope you find this latest release of SCM content useful and effective.
Thank you!
*– The BigFix Compliance team*