[BESAdmin-Announcements] BigFix Compliance: Updated CIS Checklist for SUSE Linux 15, published 2025-06-20

Announcements for BES Administrators besadmin-announcements at bigmail.bigfix.com
Mon Jun 23 07:28:22 PDT 2025


*Product:*
BigFix Compliance

*Title:*
New CIS Checklist for SUSE Linux 15

*Security Benchmark:*
CIS Checklist for SUSE Linux 15 Benchmark, v2.0.1

*Published Sites:*
CIS Checklist for SUSE Linux 15, site version 9
(The site version is provided for air-gap customers.)

*Details:*

●      Total New Fixlets: 100

●      Total Updated Fixlets: 22

●      Total Deleted Fixlets: 0

●      Total Fixlets in Site: 276

*New Items:*

●      Ensure nosuid option set on /home partition

●      Ensure nodev option set on /var partition

●      Ensure nosuid option set on /var partition

●      Ensure nodev option set on /var/log partition

●      Ensure nosuid option set on /var/log partition

●      Ensure noexec option set on /var/log partition

●      Ensure nodev option set on /var/log/audit partition

●      Ensure nosuid option set on /var/log/audit partition

●      Ensure noexec option set on /var/log/audit partition

●      Ensure repo gpgcheck is globally activated

●      Ensure crypto-policies-scripts package is installed

●      Ensure system wide crypto policy is not set to legacy

●      Ensure system wide crypto policy is not set in sshd configuration

●      Ensure system wide crypto policy disables sha1 hash and signature
support

●      Ensure system wide crypto policy disables macs less than 128 bits

●      Ensure system wide crypto policy disables cbc for ssh

●      Ensure system wide crypto policy disables chacha20-poly1305 for ssh

●      Ensure GDM login banner is configured

●      Ensure GDM disable-user-list option is enabled

●      Ensure GDM screen locks when the user is idle

●      Ensure GDM automatic mounting of removable media is disabled

●      Ensure GDM disabling automatic mounting of removable media is not
overridden

●      Ensure GDM autorun-never is enabled

●      Ensure GDM autorun-never is not overridden

●      Ensure XDMCP is not enabled

●      Ensure dns server services are not in use

●      Ensure dnsmasq services are not in use

●      Ensure message access server services are not in use

●      Ensure tftp server services are not in use

●      Ensure ftp client is not installed

●      Ensure tftp client is not installed

●      Ensure systemd-timesyncd configured with authorized timeserver

●      Ensure systemd-timesyncd is enabled and running

●      Ensure chrony is enabled and running

●      Ensure IPv6 status is identified

●      Ensure bluetooth services are not in use

●      Ensure rds kernel module is not available

●      Ensure sctp kernel module is not available

●      Ensure a single firewall configuration utility is in use

●      Ensure sshd Banner is configured

●      Ensure sshd DisableForwarding is enabled

●      Ensure sshd GSSAPIAuthentication is disabled

●      Ensure users must provide password for escalation

●      Ensure re-authentication for privilege escalation is not disabled
globally

●      Ensure sudo authentication timeout is configured correctly

●      Ensure latest version of pam is installed

●      Ensure password failed attempts lockout is configured

●      Ensure password failed attempts lockout includes root account

●      Ensure password dictionary check is enabled

●      Ensure password number of changed characters is configured

●      Ensure password length is configured

●      Ensure password complexity is configured

●      Ensure password same consecutive characters is configured

●      Ensure password maximum sequential characters is configured

●      Ensure password quality is enforced for the root user

●      Ensure password history remember is configured

●      Ensure password history is enforced for the root user

●      Ensure pam pwhistory includes use authtok

●      Ensure pam unix does not include nullok

●      Ensure pam unix does not include remember

●      Ensure pam unix includes a strong password hashing algorithm

●      Ensure pam unix includes use authtok

●      Ensure group root is the only GID 0 group

●      Ensure root account access is controlled

●      Ensure root user umask is configured

●      Ensure accounts without a valid login shell are locked

●      Ensure nologin is not listed in /etc/shells

●      Ensure cryptographic mechanisms are used to protect the integrity of
audit tools

●      Ensure journald service is enabled and active

●      Ensure journald log file rotation is configured

●      Ensure only one logging system is in use

●      Ensure systemd-journal-remote is installed

●      Ensure systemd-journal-upload authentication is configured

●      Ensure systemd-journal-upload is enabled and active

●      Ensure systemd-journal-remote service is not in use

●      Ensure rsyslog is not configured to receive logs from a remote client

●      Ensure access to all logfiles has been configured

●      Ensure actions as another user are always logged

●      Ensure events that modify the sudo log file are collected

●      Ensure successful and unsuccessful attempts to use the chcon command
are collected

●      Ensure successful and unsuccessful attempts to use the setfacl
command are collected

●      Ensure successful and unsuccessful attempts to use the chacl command
are collected

●      Ensure successful and unsuccessful attempts to use the usermod
command are collected

●      Ensure kernel module loading unloading and modification is collected

●      Ensure the running and on disk configuration is the same

●      Ensure the audit log file directory mode is configured

●      Ensure audit log files mode is configured

●      Ensure audit log files owner is configured

●      Ensure audit log files group owner is configured

●      Ensure audit configuration files mode is configured

●      Ensure audit configuration files owner is configured

●      Ensure audit configuration files group owner is configured

●      Ensure audit tools mode is configured

●      Ensure audit tools owner is configured

●      Ensure audit tools group owner is configured

●      Ensure access to /etc/gshadow is configured

●      Ensure access to /etc/gshadow- is configured

●      Ensure access to /etc/shells is configured

●      Ensure access to /etc/security/opasswd is configured

●      Ensure local interactive user home directories are configured
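
Several of the new items above check the nodev, nosuid and noexec mount options on /home, /var, /var/log and /var/log/audit. The script below is an added example for this announcement, not BigFix Compliance content and not the checklist's own Fixlet relevance: it reads a mount table in /proc/mounts format and reports, per mount point, which required option is missing or whether the path is not a separate mount at all (in which case none of the options can hold). The sample mount table is constructed so the script runs offline; on a real host pass the contents of /proc/mounts instead.

```shell
#!/bin/sh
# Added example (not BigFix content): check the nodev/nosuid/noexec mount options
# that the new SUSE Linux 15 checklist items require, against a /proc/mounts-style table.

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
# /var lacks nosuid and /var/log lacks noexec, so the script should report two failures.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,relatime 0 0
/dev/sda4 /var xfs rw,nodev,relatime 0 0
/dev/sda5 /var/log xfs rw,nodev,nosuid,relatime 0 0
/dev/sda6 /var/log/audit xfs rw,nodev,nosuid,noexec,relatime 0 0'

# Mount point and required options, taken from the "Ensure ... option set on ... partition" items.
REQUIRED='/home nosuid
/var nodev,nosuid
/var/log nodev,nosuid,noexec
/var/log/audit nodev,nosuid,noexec'

# has_opt OPTS OPT: succeed if OPT is one whole field of the comma-separated OPTS
# (a plain substring test would wrongly accept "nosuid" as satisfying "suid").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# mount_opts MOUNTS MOUNTPOINT: print the options field of MOUNTPOINT, or nothing
# when MOUNTPOINT is not a mount of its own (it then lives on a parent filesystem).
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp && !f { print $4; f = 1 }'
}

# check_mounts MOUNTS: print one PASS/FAIL line per required option.
check_mounts() {
    mounts=$1
    printf '%s\n' "$REQUIRED" | while read -r mp want; do
        have=$(mount_opts "$mounts" "$mp")
        if [ -z "$have" ]; then
            printf 'FAIL %s is not a separate mount\n' "$mp"
            continue
        fi
        for opt in $(printf '%s' "$want" | tr ',' ' '); do
            if has_opt "$have" "$opt"; then
                printf 'PASS %s has %s\n' "$mp" "$opt"
            else
                printf 'FAIL %s is missing %s\n' "$mp" "$opt"
            fi
        done
    done
}

# count_mount_failures MOUNTS: print the number of FAIL lines (0 means compliant).
count_mount_failures() {
    check_mounts "$1" | grep -c '^FAIL' || true
}

# Run against the constructed sample; on a real host use: check_mounts "$(cat /proc/mounts)"
check_mounts "$SAMPLE_MOUNTS"
```

The "not a separate mount" case matters in practice: a /var/log that is just a directory on the root filesystem cannot carry its own noexec, so the remediation is a partition or bind mount, not an fstab option edit. The script does not decode the \040 escape /proc/mounts uses for spaces in paths, which none of the checked mount points contain.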



*Modified Items:*

●      Ensure cramfs kernel module is not available

●      Ensure freevxfs kernel module is not available

●      Ensure hfs kernel module is not available

●      Ensure hfsplus kernel module is not available

●      Ensure jffs2 kernel module is not available

●      Ensure squashfs kernel module is not available

●      Ensure udf kernel module is not available

●      Ensure ldap server services are not in use

●      Ensure rsync services are not in use

●      Ensure X window server services are not in use

●      Ensure ldap client is not installed

●      Ensure a single time synchronization daemon is in use

●      Ensure dccp kernel module is not available

●      Ensure tipc kernel module is not available

●      Ensure sshd PermitUserEnvironment is disabled

●      Ensure root is the only UID 0 account

●      Ensure audit tools group owner is configured

●      Ensure access to /etc/shadow is configured

●      Ensure access to /etc/shadow- is configured

●      Ensure no duplicate UIDs exist

●      Ensure no duplicate user names exist

●      Ensure local interactive user home directories are configured
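
The new sshd items (Banner, DisableForwarding, GSSAPIAuthentication) and the modified PermitUserEnvironment item all depend on what sshd actually applies, not on what appears somewhere in the file. The script below is an added example for this announcement, not BigFix Compliance content and not the checklist's own audit logic: it evaluates those four keywords against a constructed sshd_config while honouring the two rules that trip up naive grep-based checks, namely that sshd uses the first occurrence of a keyword and that every line after a Match directive, up to the next Match, is scoped to that block rather than global. Include directives are not followed; on a real host the authoritative view is `sshd -T`, which this script approximates offline.

```shell
#!/bin/sh
# Added example (not BigFix content): evaluate the global sshd_config settings behind the
# "Ensure sshd Banner is configured", "Ensure sshd DisableForwarding is enabled",
# "Ensure sshd GSSAPIAuthentication is disabled" and "Ensure sshd PermitUserEnvironment is disabled"
# items. sshd applies the FIRST occurrence of a keyword, and lines after a Match directive belong
# to that Match block, so a checker must mirror both rules.

# Constructed sample sshd_config. The second GSSAPIAuthentication line is ignored (first wins),
# and the trailing DisableForwarding sits inside "Match User backup", so globally it stays unset.
SAMPLE_SSHD_CONFIG='# constructed sample, not a real host configuration
Port 22
Banner /etc/issue.net
GSSAPIAuthentication yes
GSSAPIAuthentication no
PermitUserEnvironment no
Match User backup
    DisableForwarding yes
    GSSAPIAuthentication no
DisableForwarding yes'

# sshd_effective CONFIG KEYWORD: print the effective global value of KEYWORD (first occurrence
# outside any Match block; keywords are case-insensitive), or nothing when it is unset.
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/  { next }            # comment line
        NF == 0           { next }            # blank line
        { k = tolower($1) }
        k == "match"      { in_match = 1; next }
        in_match          { next }            # scoped to a Match block, not global
        k == key && !seen { print $2; seen = 1 }
    '
}

# check_sshd CONFIG: one PASS/FAIL line per item. Table columns: keyword, sshd default when
# the keyword is unset, compliant value ("set" means any value other than "none").
check_sshd() {
    cfg=$1
    printf '%s\n' \
        'banner none set' \
        'disableforwarding no yes' \
        'gssapiauthentication no no' \
        'permituserenvironment no no' |
    while read -r key dflt want; do
        have=$(sshd_effective "$cfg" "$key")
        [ -n "$have" ] || have=$dflt
        norm=$(printf '%s' "$have" | tr 'A-Z' 'a-z')
        if [ "$want" = set ]; then
            [ "$norm" != none ] && ok=1 || ok=0
        else
            [ "$norm" = "$want" ] && ok=1 || ok=0
        fi
        if [ "$ok" = 1 ]; then
            printf 'PASS %s=%s\n' "$key" "$have"
        else
            printf 'FAIL %s=%s (want %s)\n' "$key" "$have" "$want"
        fi
    done
}

# count_sshd_failures CONFIG: print the number of FAIL lines (0 means compliant).
count_sshd_failures() {
    check_sshd "$1" | grep -c '^FAIL' || true
}

# Run against the constructed sample; on a real host: check_sshd "$(cat /etc/ssh/sshd_config)"
check_sshd "$SAMPLE_SSHD_CONFIG"
```

On the sample this reports two failures: GSSAPIAuthentication is effectively "yes" despite the later "no", and DisableForwarding is unset globally (default "no") because the only lines setting it are inside the Match block. A remediation that appends the desired line to the end of the file would land inside that Match block and change nothing globally, which is exactly the case the check has to catch.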





*Additional details:*
● Both analysis and remediation checks are included.
● Some of the checks allow you to use the parameterized setting to enable
customization for compliance evaluation. Note that parameterization and
remediation actions require the creation of a custom site.
● A few checks were improved by adding the pending restart feature to them.
The pending restart feature works in the following ways:
● The action results show "Pending Restart" instead of "Fixed" for those
checks that require an OS reboot.
● The check remains relevant for those endpoints until they are rebooted.
● After the endpoint is rebooted, the action results show "Fixed" and the
check is compliant.



*Actions to take:*
● To subscribe to the above site, you can use the License Overview
Dashboard to enable and gather the site. Note that you must be entitled to
the BigFix Compliance product and you must be using BigFix version 9.5 and
later.
● If you use custom sites, update your custom sites accordingly to use the
latest content. You can synchronize your content by using the Synchronize
Custom Checks wizard. For more information, see "Using the Synchronize
Custom Checks wizard".

*More information:*
To know more about the BigFix Compliance SCM checklists, please see the
following resources:


● BigFix Forum:
This category is used by HCL to announce new releases for BigFix Compliance.

● BigFix Compliance SCM Checklists:
Welcome to Wikis
We hope you find this latest release of SCM content useful and effective.

Thank you!
*– The BigFix Compliance team*
Archived copy (HTML attachment): <http://bigmail.bigfix.com/pipermail/besadmin-announcements/attachments/20250623/6b0c537b/attachment.html>