[BESAdmin-Announcements] BigFix Compliance: Updated CIS Checklist for Ubuntu Linux 22.04 LTS Server, published 2026-03-04
Announcements for BES Administrators
besadmin-announcements at bigmail.bigfix.com
Wed Mar 4 08:05:17 PST 2026
*Product:*
BigFix Compliance
*Title:*
Updated CIS Checklist for Ubuntu Linux 22.04.
*Security Benchmark:*
CIS Ubuntu Linux 22.04 LTS Benchmark, V3.0.0
*Published Sites:*
CIS Checklist for Ubuntu Linux 22.04, site version 8.
(The site version is provided for air-gap customers.)
*Details:*
Total New Fixlets: 30
Total Updated Fixlets: 17
Total Deleted Fixlets: 0
Total Fixlets in Site: 302
*New Fixlets:*
● Ensure net.ipv6.conf.all.forwarding is configured
● Ensure net.ipv4.conf.default.forwarding is configured
● Ensure ufw incoming default is configured
● Ensure overlay kernel module is not available
● Ensure logrotate is configured
● Ensure net.ipv6.conf.default.forwarding is configured
● Ensure net.ipv4.conf.all.rp_filter is configured
● Ensure rsyslog logging is configured
● Ensure unused filesystems kernel modules are not available
● Ensure ufw routed default is configured
● Ensure net.ipv4.conf.default.accept_redirects is configured
● Ensure net.ipv4.conf.default.accept_source_route is configured
● Ensure net.ipv4.conf.default.secure_redirects is configured
● Ensure journald log file access is configured
● Ensure core file size is configured
● Ensure access to /etc/cron.yearly is configured
● Ensure net.ipv6.conf.all.accept_source_route is configured
● Ensure net.ipv4.conf.all.forwarding is configured
● Ensure net.ipv4.conf.default.log_martians is configured
● Ensure net.ipv6.conf.all.accept_redirects is configured
● Ensure ufw outgoing default is configured
● Ensure net.ipv4.icmp_echo_ignore_broadcasts is configured
● Ensure net.ipv6.conf.default.accept_redirects is configured
● Ensure net.ipv4.conf.default.send_redirects is configured
● Ensure net.ipv6.conf.default.accept_source_route is configured
● Ensure Xwayland is configured
● Ensure net.ipv6.conf.all.accept_ra is configured
● Ensure net.ipv6.conf.default.accept_ra is configured
● Ensure access to SSH public host key files is configured
● Ensure firewire-core kernel module is not available
*Updated Fixlets:*
● Ensure sshd Ciphers are configured
● Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured
● Ensure sshd DisableForwarding is enabled
● Ensure sshd GSSAPIAuthentication is disabled
● Ensure sshd HostbasedAuthentication is disabled
● Ensure sshd IgnoreRhosts is enabled
● Ensure sshd KexAlgorithms is configured
● Ensure sshd LoginGraceTime is configured
● Ensure sshd LogLevel is configured
● Ensure sshd MACs are configured
● Ensure sshd MaxAuthTries is configured
● Ensure sshd MaxSessions is configured
● Ensure sshd MaxStartups is configured
● Ensure sshd PermitEmptyPasswords is disabled
● Ensure sshd PermitRootLogin is disabled
● Ensure sshd PermitUserEnvironment is disabled
● Ensure sshd UsePAM is enabled
*Additional details:*
● Both analysis and remediation checks are included.
● Some of the checks allow you to use the parameterized setting to enable
customization for compliance evaluation. Note that parameterization and
remediation actions require the creation of a custom site.
Improved a few checks by adding the pending restart feature to them. The
pending restart feature works in the following ways:
● The action results will show “Pending Restart” instead of “Fixed” for
those checks which require OS reboot.
● The check will show relevant for those endpoints until they are rebooted.
● Post reboot of the endpoint, the action results will show as “Fixed” and
the check will be compliant.
*Actions to take:*
● To subscribe to the above site, you can use the License Overview
Dashboard to enable and gather the site. Note that you must be entitled to
the BigFix Compliance product and you must be using BigFix version 10.0.7
and later.
● If you use custom sites, update your custom sites accordingly to use the
latest content. You can synchronize your content by using the Synchronize
Custom Checks wizard. For more information, see Using the Synchronize
Custom Checks wizard
<https://help.hcltechsw.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html>
*More information:*
To know more about the BigFix Compliance SCM checklists, please see the
following resources:
● BigFix Forum:
<https://forum.bigfix.com/c/release-announcements/compliance>
● BigFix Compliance SCM Checklists: Welcome to Wikis
<https://bigfix-wiki.hcltechsw.com/wikis/home?lang=enus#!/wiki/BigFix%20Wiki/page/SCM%20Checklists>
We hope you find this latest release of SCM content useful and effective.
Thank you!
*– The BigFix Compliance team*