BigFix Compliance: Updated CIS Checklist for RHEL 8, published 2020-07-27

Release Announcements Compliance (Release Announcements)
1

Product:
BigFix Compliance

Title:
Updated CIS Red Hat Enterprise Linux 8 Benchmark with bugfixes.

Security Benchmark:
CIS Red Hat Enterprise Linux 8 Benchmark, v1.0.0

Published Sites:
CIS Checklist for RHEL 8, site version 5
(The site version is provided for air-gap customers.)

Details:
Fixed and improved implementation for the following check:

  • Ensure mail transfer agent is configured for local-only mode
  • Ensure access to the su command is restricted
  • Ensure loopback traffic is configured (A)
  • Ensure_wireless_interfaces_are_disabled
  • Create_custom_authselect_profile
  • Ensure_firewall_rules_exist_for_all_open_ports
  • Ensure_no_unconfined_services_exist
  • Ensure_authentication_required_for_single_user_mode
  • Ensure_time_synchronization_is_in_use
  • Ensure_DCCP_is_disabled
  • Ensure_SCTP_is_disabled
  • Ensure_RDS_is_disabled
  • Ensure_TIPC_is_disabled
  • Ensure_audit_log_storage_size_is_configured
  • Ensure_local_login_warning_banner_is_configured_properly
  • Ensure_remote_login_warning_banner_is_configured_properly
  • Ensure_permissions_on_etcmotd_are_configured
  • Ensure_permissions_on_etcissue.net_are_configured
  • Ensure password fields are not empty
  • Ensure password expiration warning days is 7 or more
  • Ensure password expiration is 365 days or less
  • Ensure inactive password lock is 30 days or less
  • Ensure minimum days between password changes is 7 or more

Actions to take:
• To subscribe to the above site, you can use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product and you must be using BigFix version 9.2 and later.

• If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see https://help.hcltechsw.com/bigfix/9.5/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html.

More information:
To know more about the BigFix Compliance SCM checklists, please see the following resources:

BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance

BigFix Compliance SCM Checklists:
https://help.hcltechsw.com/bigfix/10.0/compliance/Compliance/SCM_Checklist/SCM_Checklist.html

We hope you find this latest release of SCM content useful and effective. Thank you!

– The BigFix Compliance team

2

It seems like someone corrected the fixlets for all 3 journald checks. Unfortunately, the analyses keep checking within config file “/etc/ssh/sshd_config” which is wrong.

EDIT: just seen, it’s only the relevance which is now correct, the action points to wrong config file as well.