Creating custom checklists for internal policies

(imported topic written by JHearnsberger)

Hey guys,

Thought I would pass this along, in hopes that someone else might get some use out of some of my headache with our implementation. I work for a fuel retailer and there are settings that we monitor and track that are outside of “normal” security and compliance checklists. One of these checklists I have put together is a checklist to monitor credit card discount settings when a card is used at the dispenser. Of course, there isn’t a 3rd party provider for this, such as DISA STIG and others - so I had to be creative.

Below are the steps I found that worked for creating a custom site, with custom relevance analysis, and have it report up to SCA / TEMA. I put this together to make sure my guys are following a standard with creating these sites, and I am sharing in hopes that it helps someone not get stuck on this.

IBM Endpoint Manager - Configuration Management Setup

  1. Go to Security Configuration domain
  2. Open the wizard “Create Custom Checklist”
  3. Name the checklist
  4. Check one of the DISA STIG checklist items - will be deleted later.
  5. Create Checklist
  6. Subscribe computers to the new custom checklist
  7. Navigate to your new custom site, and deactivate the analysis from the DISA STIG checklist we added previously.
  8. Open the wizard “Create Custom Relevance SCM Checks”
  9. Select Site and Applicability fixlet
  10. Complete all fields in “Required Information” fields
  11. Put a description in for what the fixlet does
  12. Paste debugged relevance into “Compliance Relevance”
  13. Paste debugged relevance into “Analysis Relevance”, include desired values and a relevant title.
  14. Include remediation actionscript, if needed.
  15. Click Create Fixlet
  16. Go into the custom checklist again.
  17. Delete the DISA STIG fixlets, tasks, and analysis. DO NOT delete the applicability fixlet
  18. Change the applicability fixlet to: name of operating system = “Win7” or name of operating system = “WinXP”. This fixlet will include Windows XP systems until they are out of production.
  19. Ensure that the correct systems are subscribed, have started being analyzed, and are reporting back to the server.
  20. Go to the SCA dashboard and run a manual import
  21. Verify that the new checklist is reporting to the dashboard.

Hello,
My customer used this procedure to create a custom checklist for “RHEL 7.2” but it didn’t work.
This is his feedback:
I of course created a custom check and fixlet applicability for AIX 7.2 as an applicability ‘fixlet applicability’ for the benchmark checklist.
But it didn’t resolve my problem, because checks copied from ‘CIS Checklist for AIX 5.3 and 6.1’ were not applicable because they have another `x-fixlet-scm-sentinel-id`.

    <MIMEField>
        <Name>x-fixlet-scm-sentinel-idref</Name>
        <Value>cpe:/o:ibm:aix:5.3,o:ibm:aix:6.1</Value>
    </MIMEField>

So I exported ‘Fixlet applicability’ and edited it as below:

    <MIMEField>
        <Name>x-fixlet-scm-sentinel-id</Name>
        <Value>cpe:/o:ibm:aix:7.2</Value>
    </MIMEField>

In the next step, I exported all fixlets synchronized from the sites CIS Checklist for AIX 5.3 and 6.1 and CIS Checklist for AIX 7.1 - RG03 to my custom site and edited the tag x-fixlet-scm-sentinel-idref as below:

    <MIMEField>
        <Name>x-fixlet-scm-sentinel-idref</Name>
        <Value>cpe:/o:ibm:aix:7.2</Value>
    </MIMEField>

Without this change the checks were shown as “not applicable” in SCA.

I’m wondering a little bit about the lack of documentation. The wiki article https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en#!/wiki/BigFix%20Wiki/page/SCM%20Custom%20Fixlet%20Authoring is pretty helpful. Looking at e.g. “x-fixlet-scm-sentinel-idref” I was not able to find any hints about cpe: , cc: etc.

Maybe @Aram, @JasonWalker are able to provide some details?
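
The retargeting edit described in the reply above, as an added Python example (not code from the thread or from BigFix). It assumes exported fixlets are XML carrying the `MIMEField`/`Name`/`Value` elements shown in the posts and, per the customer's report, that a check's `x-fixlet-scm-sentinel-idref` must equal the applicability fixlet's `x-fixlet-scm-sentinel-id`; the function names, wrapper elements and sample documents are constructed.

```python
import xml.etree.ElementTree as ET

ID = "x-fixlet-scm-sentinel-id"        # declared by the applicability fixlet
IDREF = "x-fixlet-scm-sentinel-idref"  # carried by each copied check

# Constructed samples: only MIMEField/Name/Value and the cpe values come from
# the thread; the wrapper elements and the second field are placeholders.
def _sample(name, value):
    return ("<BES><Fixlet><Title>constructed sample</Title>"
            f"<MIMEField><Name>{name}</Name><Value>{value}</Value></MIMEField>"
            "<MIMEField><Name>x-constructed-other</Name><Value>keep</Value></MIMEField>"
            "</Fixlet></BES>")

APPLICABILITY = _sample(ID, "cpe:/o:ibm:aix:7.2")
COPIED_CHECK = _sample(IDREF, "cpe:/o:ibm:aix:5.3,o:ibm:aix:6.1")

def sentinel_values(xml_text, field_name):
    """Return the Value of every MIMEField whose Name equals field_name."""
    root = ET.fromstring(xml_text)
    return [(f.findtext("Value") or "").strip()
            for f in root.iter("MIMEField")
            if (f.findtext("Name") or "").strip() == field_name]

def orphaned_refs(check_xml, applicability_xml):
    """idref values in a check that the applicability fixlet does not declare."""
    declared = set(sentinel_values(applicability_xml, ID))
    return [v for v in sentinel_values(check_xml, IDREF) if v not in declared]

def retarget(check_xml, new_ref):
    """Point every sentinel-idref in a check at new_ref; return (xml, old values)."""
    root = ET.fromstring(check_xml)
    replaced = []
    for field in root.iter("MIMEField"):
        value = field.find("Value")
        if (field.findtext("Name") or "").strip() == IDREF and value is not None:
            replaced.append((value.text or "").strip())
            value.text = new_ref
    return ET.tostring(root, encoding="unicode"), replaced

if __name__ == "__main__":
    # Audit first, then rewrite using the id the applicability fixlet declares.
    print("before:", orphaned_refs(COPIED_CHECK, APPLICABILITY))
    fixed, old = retarget(COPIED_CHECK, sentinel_values(APPLICABILITY, ID)[0])
    print("replaced:", old, "after:", orphaned_refs(fixed, APPLICABILITY))
```

ElementTree re-serializes the document, so CDATA sections and the XML declaration are not preserved byte for byte; diff the output against the export before importing it.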