The list of items you generate that the customer should consider include the following:
Are all updates and patches current on the server? Is YOU automatically configured?
Is wireless in use? What type of encryption is employed on it?
Are all updates and patches current on the workstations?
Are the wiring closets secured?
Is there sufficient documentation on the server (administrator's logbook and so on)?
How many know the root password? How often is it changed?
Is the server physically secured within a server room or other area?
What files have SUID and SGID permissions set on them?
Are all the services that are running on the server truly required?
How often are log files audited? Who does the auditing?
Is someone assigned to keeping abreast of security threats/developments through cert.org or another site?
Who adds new users and groups, and how often is this done?
Is the boot menu password protected?
Are users aware of security policies regarding best practices for passwords?
Are currently installed packages current and known to be secure? How are administrators notified of updates to them?
Is remote administration allowed? How is it monitored?
What level of encryption is used for passwords?
Are certificates used, and, if so, what level of encryption is applied to them?
