Customize DISA Checks on AIX

I’m struggling with customizing some DISA checks on AIX, e.g. “The Department of Defense (DoD) login banner must be displayed during SSH, sftp, and scp login sessions on AIX. - AIX 7.x”.

As our company is not the DoD, I would like to have our company’s banner. One guide leads to setting parameters, another to exporting the fixlet and editing the .bes file.

Unfortunately, for DISA fixlets there is no parameterization, and in the exported fixlets only base64 encrypted values can be found/edited.

I’m aware that I can deactivate the corresponding analysis and create a custom analysis and fixlet, or work with base64 encoding/decoding.

But I hope(d) there is an easier way.

@MatthiasW Relevance language is the “best way” for us to query things on a computer using Fixlets in BigFix.
We do this on the Windows Compliance Checks as shown in this vid: https://www.youtube.com/watch?v=p2arMyJ1jjo

For *nix, it is sometimes different.
For some of the DISA STIG compliance checks, we don’t have relevance inspectors that allow us to probe a computer directly, and so we rely on a one-two punch of “run this system command/script, pipe the results to a results file and then inspect the lines in the results file”. This is most common on the *nix agents and has been one thing we have been steadily improving over the years by adding more inspectors to *nix to allow for direct inspection.

The Fixlets that still use the Probe via action method have their scripts base64 encoded, as you have seen. This makes it a little hard to tweak them, as you are experiencing.

  • The good news is, you probably only need to tweak your copy of that Fixlet one time, and we will continue to improve the ability to tweak the compliance checks.
  • The bad news is that some of the older content is a little hard to customize, especially the first time.

This sounds like a good 5-minute video topic. Will see what I can do for you there.

Thanks for your suggestions @brolly33. After working a little bit more with it, the framework looks pretty good.

E.g. looking at rollback scripts and how to use them, some more detailed documentation for this framework would make sense from my point of view.

As we have discovered some issues (or rather errors) within the DISA Fixlets, it would be interesting to know how to report them to HCL or DISA.
As an example, the fixlet “The AIX global initialization files must contain the mesg -n or mesg n commands. - AIX 7.x” mentions adding the “mesg” command to the /etc/environment file, which is wrong according to the IBM documentation: https://www.ibm.com/docs/en/aix/7.2?topic=files-environment-file, where it is mentioned that only Name=Value should be entered here.

Of course, this is an issue caused by DISA/STIG.

If the issue is with the BigFix representation of the DISA rule, you can always open a support ticket at support.bigfix.com and we will investigate with you.

If the issue is that DISA gives advice that is improper or inaccurate when compared to the IBM guidance, you would raise that with either DISA or IBM. We are codifying what DISA asserts as accurately as we can.

I have not yet gotten back to the 5 minute video. Once you do it once, it’s actually not terribly bad. As you noted above:

  • Export the fixlet to a .BES file (XML).

  • Find x-fixlet-detect-script0 and base64 decode the string there; it will look like a shell script. If there is also an x-fixlet-detect-script1 or greater, append those into one big long Base64 string that then gets Base64 decoded.

  • Modify the shell script to reflect your new banner.

  • Base64 encode the modified shell script and paste that back into x-fixlet-detect-script0.

  • Repeat with the x-fixlet-remediate-script0.

  • Save the .BES file (XML).

  • Import the .BES file into your BigFix console into a custom site.

  • Enjoy the new Fixlet.

Just a quick tip here. Relevance debugger can decode and encode those base64 passages for you.

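The export/decode/edit/encode steps in the list above, automated as an added example (not from this thread and not HCL's own tooling). It assumes a BES export stores each script as `MIMEField` elements with `Name`/`Value` children, split across `x-fixlet-detect-script0`, `-script1`, ... as the thread describes; the sample fixlet and banner phrase are constructed placeholders.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample .BES export; layout (MIMEField Name/Value, base64 script split
# over x-fixlet-detect-script0, -script1, ...) as described in the thread.
DETECT_SCRIPT = "#!/bin/sh\n# constructed check\ngrep -q 'Department of Defense' /etc/ssh/banner\n"
B64 = base64.b64encode(DETECT_SCRIPT.encode()).decode()
SAMPLE_BES = f"""<BES><Fixlet>
  <Title>Constructed banner check - AIX 7.x</Title>
  <MIMEField><Name>x-fixlet-detect-script0</Name><Value>{B64[:40]}</Value></MIMEField>
  <MIMEField><Name>x-fixlet-detect-script1</Name><Value>{B64[40:]}</Value></MIMEField>
</Fixlet></BES>"""

def _chunks(root, prefix):
    """(parent, MIMEField) pairs named prefix0, prefix1, ... in numeric order."""
    found = []
    for parent in root.iter():
        for child in parent:
            m = re.fullmatch(re.escape(prefix) + r"(\d+)", child.findtext("Name", ""))
            if child.tag == "MIMEField" and m:
                found.append((int(m.group(1)), parent, child))
    return [(p, c) for _, p, c in sorted(found, key=lambda t: t[0])]

def decode_script(bes, prefix="x-fixlet-detect-script"):
    """Join every chunk value first, then base64-decode once (bes: XML str or Element)."""
    root = ET.fromstring(bes) if isinstance(bes, str) else bes
    joined = "".join(c.findtext("Value", "") for _, c in _chunks(root, prefix))
    return base64.b64decode(joined).decode("utf-8")

def encode_script(root, script, prefix="x-fixlet-detect-script"):
    """Write the script back as base64, re-chunked at the original first-chunk size."""
    chunks = _chunks(root, prefix)
    if not chunks:
        raise KeyError(f"fixlet has no {prefix}* fields")
    parent, first = chunks[0]
    b64 = base64.b64encode(script.encode("utf-8")).decode("ascii")
    size = len(first.findtext("Value", "")) if len(chunks) > 1 else max(len(b64), 1)
    for p, c in chunks:                       # drop the old fields ...
        p.remove(c)
    for n, start in enumerate(range(0, len(b64), size)):   # ... and rebuild them
        mf = ET.SubElement(parent, "MIMEField")
        ET.SubElement(mf, "Name").text = f"{prefix}{n}"
        ET.SubElement(mf, "Value").text = b64[start:start + size]

def rebrand_banner(bes_xml, old="Department of Defense", new="BANNER-PLACEHOLDER"):
    """Decode the detect script, swap the banner phrase, re-encode; return new XML."""
    root = ET.fromstring(bes_xml)
    encode_script(root, decode_script(root).replace(old, new))
    return ET.tostring(root, encoding="unicode")
```

Run the same call with `prefix="x-fixlet-remediate-script"` for the remediation script, then import the saved XML into a custom site as the list describes.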

Thanks for the hint, good tip. I’m now using Notepad++. Maybe someone else finds it useful too:

Using a right mouse click on the base64 code, Plugin commands - Base64 Decode allows inline editing of the shell script code within the fixlet. After editing, go the opposite way using Base64 Encode.

One other question:
within the SCM/mytmp/results folder a file master.results is created, e.g.:

/SCM/mytmp/results # cat master.results

TOTAL_SCRIPTLETS_RUN:256
TOTAL_SCRIPTLETS_PASS:181
TOTAL_SCRIPTLETS_FAIL:74
TOTAL_SCRIPTLETS_NA:0
TOTAL_SCRIPTLETS_ERR:1
TOTAL_TIME_TAKEN:330

What does “Fail:74” mean here? I’m going to have a deeper look at the analysis results today, but I would have expected a “0” here.
I can see this in several sites, example above is from original (custom copied) DISA AIX 7.x site.


I love the Notepad++ tip; it lets you do your editing right in the .BES file without having to pull things out, decode, edit, encode and then stick them back into the .BES.

I did a short video and sent it in for publishing on our YouTube channel.
https://www.youtube.com/channel/UCtoLTyln5per0JYzw1phGiQ
Not sure when it will be released.

To your second question, Fail here means that the check script ran and detected a compliance failure on the system. In other words, the system did not pass the check (not compliant for this check) and will be relevant for those 74 Fixlets.
