I am currently working with BigFix Compliance and would like to customize the compliance check (IIS 8, 7, 10 and Apache) for “TLS Cipher Suite ordering is Configured”. Specifically, I want to evaluate compliance based on a custom cipher suite order defined by our internal security policy, rather than the default CIS benchmark recommendation.
Could you please guide me on how to modify the analysis or relevance expression to reflect our custom ordering? Any documentation or examples would be greatly appreciated.
Which checklist are you using as your starting point, and can you point at a specific fixlet you want to customize?
Json, step 2 example tasks, but this could be for other tasks on other sites that use the “Environment Setup Task” where the query scripts are stored without the ability to modify them.
Site: CIS Checklist for MS IIS 8
Task ID: 7144
Task Name: Ensure TLS Cipher Suite ordering is Configured
Site: CIS Checklist for MS IIS 10
Task ID: 7124
Task Name: (L2) Ensure TLS Cipher Suite ordering is Configured
Hello friends, any suggestions?
The good news: it’s possible. The less good news: it needs some work. I would strongly recommend testing in a test environment.
Exporting the fixlet and opening it in Notepad++ shows an XML structure. In the given example for IIS 10, Task 7124, the magic is in lines 34/35, which contain base64-encoded content after cis-7.12.ps1:
Take this content (preferred for me: copy to a new tab in Notepad++), mark it, right-click “Plugin commands - Base64 decode”; this shows the PowerShell script as well as the values for the cipher list.
Edit, base64-encode, replace it in the original fixlet and import it into BigFix. Do not forget to delete the old one to avoid duplicate SCM IDs.
Perfect would be to have a parameterized fixlet, to have the ability to just enter your own value in the fixlet and that’s it.
There is some old (unfortunately not updated…) documentation available for custom SCM content explaining the XML structure: SCM Checklists - Outdated - BigFix Wiki
Same for parameterized fixlets: Creating parameterized fixlets - BigFix Wiki
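The decode / edit / re-encode step from the answer above, scripted as an added example (not BigFix's or the CIS checklist's own tooling). It assumes the payload sits in the exported XML as `cis-7.12.ps1:<base64>` and that the decoded script keeps the expected order in a `$expected` string; both the fixlet fragment and the script below are constructed stand-ins, so check the real export's layout and variable names before relying on the regexes.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the decoded check script; the real cis-7.12.ps1
# exported from BigFix will differ, this only mirrors the "expected order" idea.
SAMPLE_SCRIPT = (
    '$expected = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,'
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"\n'
    'if ($actual -eq $expected) { "compliant" } else { "non-compliant" }\n'
)

# Constructed stand-in for the exported fixlet: the script name followed by
# its base64 body, as the post describes for lines 34/35 of the real export.
SAMPLE_FIXLET = (
    "<Fixlet>\n  <ActionScript>cis-7.12.ps1:"
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-8")).decode("ascii")
    + "</ActionScript>\n</Fixlet>\n"
)

# Marker plus the base64 run that follows it (assumed layout, see lead-in).
PAYLOAD_RE = re.compile(r"(cis-7\.12\.ps1:)([A-Za-z0-9+/=]+)")
# Assumed variable holding the policy order inside the decoded script.
EXPECTED_RE = re.compile(r'(\$expected = ")[^"]*(")')


def decode_payload(fixlet_text: str) -> str:
    """Return the decoded script embedded after the cis-7.12.ps1: marker."""
    m = PAYLOAD_RE.search(fixlet_text)
    if m is None:
        raise ValueError("no base64 payload found after cis-7.12.ps1:")
    # validate=True rejects stray characters instead of silently dropping them.
    return base64.b64decode(m.group(2), validate=True).decode("utf-8")


def replace_cipher_order(fixlet_text: str, new_order: str) -> str:
    """Swap the expected cipher order for new_order and re-embed the script."""
    script = decode_payload(fixlet_text)
    # A lambda replacement avoids backslash/group escaping in new_order.
    updated, n = EXPECTED_RE.subn(lambda mm: mm.group(1) + new_order + mm.group(2), script)
    if n != 1:
        raise ValueError("expected exactly one $expected assignment, found %d" % n)
    encoded = base64.b64encode(updated.encode("utf-8")).decode("ascii")
    result = PAYLOAD_RE.sub(lambda mm: mm.group(1) + encoded, fixlet_text, count=1)
    ET.fromstring(result)  # refuse to emit a fixlet that no longer parses as XML
    return result
```

Run `replace_cipher_order` on the exported file's text, write the result to a new file, and import that; the old fixlet still has to be deleted by hand as the post notes.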