BigFix Security Configuration Management: New Features Available

(imported topic written by Jim_Hansen91)

We are pleased to announce the release of a new set of Security Configuration Management functionality and features.

Content Updates

  • Support for FDCC - The National Institute of Standards and Technology (NIST) released this update to the Federal Desktop Core Configuration on November 7th, 2008 to resolve a number of issues in the FDCC data streams and to provide full support for OVAL 5.3 and OVAL 5.4. A list of the specific changes can be found on the NIST web site here:

The BigFix checklist content has been updated and replaces the previous FDCC 1.0 content. The sites that are impacted include:

  • SCM Checklist for FDCC on Windows XP

  • SCM Checklist for FDCC on Windows XP Firewall

  • SCM Checklist for FDCC on Internet Explorer 7

If you are subscribed to these sites, your BigFix server should automatically gather this new content and make it available to you.

  • FDCC Remediation - On December 3rd, 2008, BigFix achieved yet another validation for its Security Configuration Management product. The product now includes certification for “Mis-configuration remediation”. The validation information from NIST can be found here:

The remediation functionality is now available in the published FDCC checklists (noted above) and available to subscribed customers. Note that all other SCM related content already includes both assessment and remediation capability. This new functionality and certification only impacts the FDCC checklists.

SCM Dashboard Enhancements

The SCM Dashboard is included with the Security Configuration Management product and provides a Console and Web Reports based view into the overall compliance state of the infrastructure as compared with security configuration policies. The dashboard is designed to be interactive and provides the ability to drill-down into the various graphs and charts to obtain key information about specific systems and policies. A summary of key features include:

  • Dashboard Performance - The initial version of the dashboard was limited in performance due to the high volume of data processing occuring to determine how compliant a system was to various configuration policies. In this updated release, the dashboard has been enhanced to provide over a 1000% improvement in performance across the board. The filtering and response times are decreased significantly and the dashboard can now more easily scale to the largest BigFix deployment sizes.

  • Filter Panel Enhancements - In the previous version of the dashboard, the Filter Panel was built into the left hand side of the dashboard. Although the Filter Panel could be scaled open or closed, it took up valuable real-estate. The filter panel is now overlayed on the dashboard when needed and can easily be opened and closed without impacting the real-estate available on the dashboard. In addition, the Filter Panel now includes better navigation capability and the ability to select many changes at once prior to applying the requested changes to the dashboard. These features and others provide a better overall user experience and enable quicker access to the dashboard views that you need to see.

  • Uncertainty Threshold - A new option was added to the dashboard to allow the end user to specify an “Uncertainty Threshold”. This value represents a time period from the last time a given computer checked in with the BigFix Server. This enables a user to discern between “compliant”, “non-compliant”, and “could be compliant but we don’t know for sure”, enabling users to have a more realistic view of the environment.

SCM Compliance Web Reports

The Security Configuration Management offering now includes three new reports that can be used to report against your compliance initiatives or to simply identify how compliant they are with their security baselines. The reports are summarized as follows:

  • Computer Compliance Summary - This report provides a summary view of the infrastructure as compared to a single configuration policy. The report includes a high level summary section that details the overall metrics associated with the configuration policy for all computers selected and provides a detailed break-down for each computer in the report.

  • Computer Compliance Detail - This report provides a detailed compliance view of a single computer against a single standard. The report will provide summary information on the overall compliance of that computer to the standard and provide the details for each individual configuration check indicating pass or fail.

  • Policy Compliance by Computer - This report provides a detailed view of a single policy (i.e. Fixlet) against all systems where that policy is being evaluated. The user can select the standard (i.e. site), choose the specific policy to report on, and generate the report to show which systems are and are not compliant with that policy.





Required BES Sites:

SCM Reporting (sold as part of Security Configuration Management v3)

Where to Get More Information: