IBM BigFix Compliance UPDATE: CIS Checklist for Solaris 11 (site ver 3) published 2017-02-10

Product:
IBM BigFix Compliance

Title:
Updated Security Configuration Management (SCM) CIS Checklist for Solaris 11

Security Benchmark:
CIS Oracle Solaris 11 Benchmark, V1.1.0

Published Site:
CIS Checklist for Solaris 11 RG03, site version 3
(The site version is provided for air-gap customers)

Actions to take:
• If you are already subscribed to this site, no action is needed.
• To subscribe to the above site, you can use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigiFix Compliance product and you must be using IBM BigFix version 9.2 and later.

Details:
• Both analysis and remediation checks are included
• Some of the checks allow you to use the parameterized setting to enable customization for compliance evaluation. Note that parameterization and remediation actions require the creation of a custom site.

Changelist:
CIS-5.1 removed
CIS-9.17 removed
CIS-2.11 removed

The following checks were renumbered from Check number A to Check number B as shown below:
CIS-2.13 to CIS-2.12
CIS-9.18 to CIS-9.17
CIS-9.19 to CIS-9.18
CIS-9.20 to CIS-9.19
CIS-9.21 to CIS-9.20
CIS-9.24 to CIS-9.23
CIS-9.25 to CIS-9.24

CIS-2.2: Also check for port 587.
CIS-2.4: No longer check svc:/network/nis/domain.
CIS-2.5: No longer check svc:/network/nis/domain.
CIS-3.13: Check send_redirects instead of _send_redirects and check
value off instead of 0.
CIS-4.5: Change regular expression to be more flexible in matching.
CIS-6.4: MaxAuthTries is now 6.
CIS-6.8: Also check /etc/pam.d/*.
CIS-6.11: The gdm-autologin settings can no longer be commented out,
they must be completely removed.
CIS-6.17: Now check for passwd.cfg and in changed grub.cfg location.
CIS-7.1: No longer check /etc/default/passwd.
CIS-7.2: Check MINSPECIAL=1 instead of MINALPHA=2 and check MINDIGIT
instead of MINNONALPHA. PASSLENGTH is now 14.
CIS-7.4: Make sure proftp is installed before performing check.
CIS-8.1: Also check owner and group.
CIS-8.3: Make sure gdmis installed before performing check.
CIS-9.1: Only apply to non-global zones.
CIS-9.3: Added more system accounts.
CIS-9.14: Now applies to all users with passwords.
Various minor changes to documentation.

To know more about IBM BigFix Compliance SCM checklists, please see
• IBM Developer Works: https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/SCM%20Checklists
• IBM Blog for Checklist Release Announcement: https://www.ibm.com/developerworks/community/groups/service/html/community/updates?communityUuid=a1a33778-88b7-452a-9133-c955812f8910&filter=all
• Bigfix forums: https://forum.bigfix.com/c/release-announcements/compliance

We hope you find this latest release of SCM content useful and effective. Thank you!

– The IBM BigFix Compliance team