CIS Hardening on BigFix server

ori 2022-06-22 06:44:29 UTC #1

Hey,

I’m want to hardening BigFix server 2016 according CIS Benchmark.
Is anyone here tried it?
There is impact? or some hardening clauses that can be a problem?
I’m talking about --> This benchmark

Thanks

rohit 2022-06-28 06:45:40 UTC #2

Bigfix does provide CIS Checklists that you can subscribe to.

ori 2022-06-28 07:33:29 UTC #3

Hey,
Thank you for the response.

I’m not ask about the checklist. I was asked about if there any issue to apply CIS on BigFix server.

Bigfix does provide CIS Checklists that you can subscribe to.

How can I apply it?

rohit 2022-06-29 04:48:46 UTC #4

On you console go to Bigfix Management -> License overview. Check if you can see CIS checklists in your license. You can subscribe from there and then assign computers.
You need Bigfix Compliance deployed as well.

ageorgiev 2022-06-29 09:24:02 UTC #5

That’s actually reminds me - wouldn’t it be neat if there was an actual “BigFix Security Checklists” that actually checks whether recommended security settings on both clients/relays/root server/copliance server/BFI server/plugin server/webui server/etc are being checked against “recommended” security configurations? Stuff like:

Are certificates available for all machines?
Are relay authentication configured?
Are operator pwd complexity set-up/enforced?
etc

All-in-all, how secure are BigFix products themselves… As a tool of such power and ability to track compliance for everything else, the fact that there is no easy way to keep track of its internal one, especially with the amount of new functionality/security settings/etc (several “warning fixlets” from a lot of years ago do not seem enough to me).

mesee2 2022-06-29 13:00:26 UTC #6

absolutely and not have the feature tied to anything but initial license for bigfix server.
Please submit as an enhancement request / idea, i am sure a number of us would vote for it