Analysis SCA custom check list

If you export one of the default checklist fixlets and view it in a text editor, you’ll find a number of fields. These deal with how the fixlet is presented to the BigFix Compliance application, and how the wizards and dashboards deal with them.

Having not done this myself, I think the most important part is to have a unique value for “x-fixlet-scm-id” on each fixlet, and to have a “x-fixlet-xccdf-benchmark” value common to all of the fixlets from the same checklist. A partial export of one of the fixlets looks like this …

<MIMEField>
    <Name>x-fixlet-scm-id</Name>
    <Value>6a8a54c2-d72b-5368-b093-1eb7a728a95c</Value>
</MIMEField>
<MIMEField>
    <Name>x-fixlet-xccdf-benchmark</Name>
    <Value>xccdf_org.cisecurity.benchmarks_benchmark_3.0.0_CIS_Microsoft_Windows_7_Benchmark</Value>
</MIMEField>

Hi Jason, it is not working as you suggested. I tried to put in the benchmark value but no luck.

I’ll need to defer to someone with more SCA experience in that case.

Also, I'd advise that you read the Compliance operators guide. I just wanted to point out that there’s more to Compliance than just writing the fixlets, there is metadata there that is used in building the scores.

I read the SCA user guide, but there is no clear view given of how to get the analysis for a self-written fixlet to generate the SCM report. If this is the case, SCM is not straightforward and can’t be used for custom compliance reports in general. :frowning:

The following guide may help:
SCM_Fixlet_documentation.pdf


If you're creating custom SCM checks (the checks themselves and associated analysis, if you want) then the easiest way is to use the create custom check wizards located in the SCM Reporting site. When you do that, all of the needed XML meta-data will be written for you and imports into the Compliance reporting tools will work fine. There is one for using relevance (typically Windows checks) and another for UNIX (shell scripts). Any reason you are not using these tools?

Hi @dmccalla, create custom checklist would not help, as it would ask you to create a checklist from the industry standard checklists provided by the IBM CIS/PCI etc. sites.

Hi @fermt, does that mean we need to update code in the XML files? Is there any tool which can link both the custom fixlet and the analysis automatically and update the desired scm-id fields?

The create custom check wizards do what you are asking (proper XML MIME fields). I was not referring to the create custom checklist wizard in my previous post.

I do not find that option, create custom check wizards. Can you please provide a screen dump of what you are referring to?

Security Configuration Domain (button on bottom left) > Configuration Management > Checklist Tools. The two wizards are named like “Create Custom * SCM Content”.


Hi @dmccalla, thanks for your help. I tried the option which you mentioned and found it is good for linking the fixlet and analysis, but the only issue is that we need to write the fixlet compliance and analysis relevance code on our own.

Is it something where we can generate the analysis relevance automatically, just like we have the fixlet generator which helps us to get the fixlet relevance code somewhat automatically?

thanks

You could do that. Another option is to look at the existing checks and see if some of them are close to what you need and then modify. https://bigfix.me would also be a good resource.


Having created a lot of SCM fixlets using an editor, I would say that the x-fixlet-xccdf-benchmark is optional. The only mandatory field required is x-fixlet-scm-id. And if you are using SCA 1.9 and above, make sure that the id is unique or your SCA data imports would fail.

Can you try this:

  1. Create an empty site
  2. Create a normal fixlet as you usually would and just add the mimefield tag for x-fixlet-scm-id

So how would you get the x-fixlet-scm-id? Is it just a copy from any existing CIS/PCI etc. site?

If you are talking about the value under x-fixlet-scm-id, then you can use guidgenerator.com to generate a GUID to use.


Yes, I'm talking about x-fixlet-scm-id. If I generate this with guidgenerator.com, then I think I need to generate this for all custom fixlets which I create by hand? Is that right?

Do I need to create the same for the respective analysis as well? Is it mandatory to have an analysis for SCM reporting?

thanks


Yes, this needs to be done for all the custom fixlets. And the GUIDs need to be unique. The analysis also needs to have the x-fixlet-scm-analysis-id, but if you do not need Measured values or more information from analysis properties, then you can skip it.

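
The uniqueness requirement for x-fixlet-scm-id discussed in this thread can be checked across a set of exported fixlets before an import. This is an added example, not code from any poster or from BigFix; it assumes each export is BES XML whose `Fixlet` elements hold a `Title` and the `MIMEField` entries shown earlier, and the file names, titles and GUIDs in the sample are constructed.

```python
import uuid
import xml.etree.ElementTree as ET
from collections import defaultdict

SCM_ID = "x-fixlet-scm-id"

def _fixlet(title, scm_id=None):
    # Helper that builds a constructed fixlet, reduced to the elements the audit reads.
    field = (f"<MIMEField><Name>{SCM_ID}</Name><Value>{scm_id}</Value></MIMEField>"
             if scm_id else "")
    return f"<Fixlet><Title>{title}</Title>{field}</Fixlet>"

# Constructed sample exports: one copied id, one fixlet with no id at all.
SAMPLE_EXPORTS = {
    "check_a.bes": "<BES>" + _fixlet("Check A", "aaaaaaaa-0000-4000-8000-000000000001") + "</BES>",
    "check_b.bes": "<BES>" + _fixlet("Check B", "aaaaaaaa-0000-4000-8000-000000000001")
                   + _fixlet("Check C")
                   + _fixlet("Check D", "aaaaaaaa-0000-4000-8000-000000000002") + "</BES>",
}

def audit_scm_ids(exports):
    """exports: {filename: BES XML text}. Returns (duplicates, missing, suggested)."""
    seen = defaultdict(list)   # scm-id -> [(file, title), ...]
    missing = []               # (file, title) of fixlets with no usable scm-id
    for name, text in sorted(exports.items()):
        for fixlet in ET.fromstring(text).iter("Fixlet"):
            title = fixlet.findtext("Title", default="(untitled)").strip()
            values = [(f.findtext("Value") or "").strip()
                      for f in fixlet.findall("MIMEField")
                      if (f.findtext("Name") or "").strip() == SCM_ID]
            if values and values[0]:
                seen[values[0]].append((name, title))
            else:
                missing.append((name, title))
    duplicates = {i: where for i, where in seen.items() if len(where) > 1}
    # Fresh random GUIDs for the fixlets that lack one, to be pasted into the export.
    suggested = {where: str(uuid.uuid4()) for where in missing}
    return duplicates, missing, suggested

if __name__ == "__main__":
    dupes, missing, suggested = audit_scm_ids(SAMPLE_EXPORTS)
    for scm_id, where in dupes.items():
        print("DUPLICATE", scm_id, where)
    for where, guid in suggested.items():
        print("MISSING", where, "-> suggested", guid)
```
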

Thanks for your awesome support. I will try and let you know if I face any issues.