Product: BigFix Compliance
Title: Enhanced Security for SCM Middleware and Unix Checklists
At BigFix, we continuously invest in strengthening the security, consistency, and reliability of our platform. As part of this ongoing initiative, we’ve introduced key enhancements to the security of SCM Middleware and Unix checklists, along with improvements that promote more consistent compliance assessments and simplify the management of checklist content.
What’s New?
- We have introduced a more secure content delivery model for Middleware and Unix checklists.
- With this enhancement, when the Environment Setup task action is executed, it securely downloads a sqlite_detect.db file from the external site, and uses it only after verifying the file's integrity against its hash (SHA-256 checksum). This file contains all relevant detect scripts.
- Using relevance, the agent will retrieve the IDs of all fixlets in the current checklist and extract the corresponding detect scripts for each ID, then execute them sequentially on the endpoint.
- We added Desired Values for all checks across the checklists listed below in the table.
- The Synchronize Custom Checks wizard is now supported for Unix and Middleware checklists.
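The delivery model described above is, in outline, a checksum gate in front of a SQLite lookup: nothing is read from the downloaded database until its SHA-256 digest matches the expected value, and then the detect script for each fixlet ID in the checklist is pulled out in order. The following is an added illustration of that pattern and is not BigFix code: the table and column names (`detect_scripts`, `fixlet_id`, `script`), the sample scripts, and the way the expected digest is supplied are all assumptions, since the real layout of sqlite_detect.db is not documented on this page.

```python
import hashlib
import hmac
import os
import sqlite3
import tempfile
from pathlib import Path

# Hypothetical schema for the sample database; the real sqlite_detect.db layout is not documented here.
SCHEMA = "CREATE TABLE detect_scripts (fixlet_id INTEGER PRIMARY KEY, script TEXT NOT NULL)"


def sha256_of_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so a large database never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_checksum(path, expected_hex):
    """True only if the file's SHA-256 equals the expected digest (constant-time comparison)."""
    return hmac.compare_digest(sha256_of_file(path), expected_hex.lower())


def load_detect_scripts(path, expected_hex, fixlet_ids):
    """Open the database only after the checksum check passes, then return the detect
    script for each fixlet ID as an ordered list of (fixlet_id, script).
    An ID with no script is reported as None rather than silently skipped."""
    if not verify_checksum(path, expected_hex):
        raise ValueError("checksum mismatch: refusing to load %s" % path)
    # Read-only open: the endpoint consumes the content, it never modifies it.
    conn = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        results = []
        for fid in fixlet_ids:
            row = conn.execute(
                "SELECT script FROM detect_scripts WHERE fixlet_id = ?", (fid,)
            ).fetchone()
            results.append((fid, row[0] if row else None))
        return results
    finally:
        conn.close()


def build_sample_db(path):
    """Constructed sample content standing in for sqlite_detect.db (not real BigFix content).
    Returns the SHA-256 digest a trusted source would publish alongside the file."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute(SCHEMA)
        conn.executemany(
            "INSERT INTO detect_scripts VALUES (?, ?)",
            [
                (101, "#!/bin/sh\n# sample check: root SSH login disabled\n"
                      "grep -qi '^PermitRootLogin no' /etc/ssh/sshd_config"),
                (102, "#!/bin/sh\n# sample check: /tmp mounted nosuid\n"
                      "mount | grep ' /tmp ' | grep -q nosuid"),
            ],
        )
    conn.close()
    return sha256_of_file(path)


def demo():
    """Build the sample database, extract scripts in checklist order, then show that a
    file altered after download (one appended byte) is rejected before it is opened."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "sqlite_detect.db")
        expected = build_sample_db(db)
        scripts = load_detect_scripts(db, expected, [102, 101, 999])
        with open(db, "ab") as fh:
            fh.write(b"\x00")
        try:
            load_detect_scripts(db, expected, [101])
            tampered_rejected = False
        except ValueError:
            tampered_rejected = True
        return scripts, tampered_rejected


if __name__ == "__main__":
    for fid, body in demo()[0]:
        print(fid, "->", "(no script)" if body is None else body.splitlines()[1])
```

The point of the ordering is that the digest is checked on the whole file before any SQL runs against it, and the database is opened read-only, so a corrupted or altered download is rejected rather than partially consumed. Checking the ID list against the returned rows (the `None` entries) is what lets an agent notice a checklist that references a script the delivered content does not contain.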
Why This Matters
- This enhancement ensures that detect scripts are securely delivered at runtime and are no longer persistently stored or modifiable on endpoints. This adds an extra layer of protection by enabling compliance content to be executed in a secure, controlled, and verifiable manner, strengthening the reliability and trustworthiness of compliance checks across SCM Middleware and Unix checklists.
- The inclusion of Desired Values across all checklists, together with support for synchronizing Middleware and Unix checklists via the Synchronize Custom Checks wizard, helps achieve more consistent compliance assessments and streamlined content management.
What’s Covered
This enhancement applies to the following SCM checklists:
Released Checklists
| SL Number | Checklist Name | Site Version |
|---|---|---|
| 1 | CIS Checklist for AIX 7.x | 5 |
| 2 | DISA STIG Checklist for AIX 7.x | 11 |
| 3 | CIS Checklist for Solaris 11.4 | 7 |
| 4 | CIS Checklist for Solaris 11.1 | 3 |
| 5 | DISA STIG Checklist for Solaris 11 | 20 |
| 6 | CIS Checklist for MacOS 15 | 4 |
| 7 | CIS Checklist for MacOS 14 | 9 |
| 8 | CIS Checklist for MacOS 13 | 10 |
| 9 | CIS Checklist for MacOS 12 | 9 |
| 10 | DISA STIG Checklist for MacOS 15 | 2 |
| 11 | DISA STIG Checklist for MacOS 14 | 5 |
| 12 | DISA STIG Checklist for Mac OS 13 | 4 |
| 13 | DISA STIG Checklist for Mac OS 12 | 7 |
| 14 | CIS Checklist for MS SQL Server 2016 | 14 |
| 15 | CIS Checklist for MS SQL Server 2014 | 7 |
| 16 | CIS Checklist for MS SQL Server 2017 | 11 |
| 17 | CIS Checklist for MS SQL Server 2019 | 18 |
| 18 | CIS Checklist for MS SQL Server 2022 | 7 |
| 19 | DISA STIG Checklist for MS SQL Server 2014 | 6 |
| 20 | DISA STIG Checklist for MS SQL Server 2016 | 8 |
| 21 | CIS Checklist for IBM DB2 11 on Linux | 4 |
| 22 | CIS Checklist for IBM DB2 11 on Windows | 2 |
| 23 | CIS Checklist for MS IIS 10 | 18 |
| 24 | DISA STIG Checklist for MS IIS 10.0 | 18 |
| 25 | CIS Checklist for Apache Server 2_4 on Linux | 8 |
| 26 | DISA STIG Checklist for Apache Server 2_4 on Windows | 12 |
| 27 | DISA STIG Checklist for Apache Server 2.4 on Linux | 21 |
| 28 | CIS Checklist for Apache Tomcat 10.1 on Linux | 3 |
| 29 | CIS Checklist for Apache Tomcat 10 on Linux | 4 |
| 30 | CIS Checklist for Apache Tomcat 9 on Linux | 4 |
| 31 | DISA STIG Checklist for Apache Tomcat 9 Server on Linux | 7 |
| 32 | CIS Checklist for Oracle 19C database on Windows | 7 |
| 33 | DISA STIG Checklist for Oracle Database 19c on Windows | 2 |
| 34 | CIS Checklist for Oracle 19C database on Linux | 10 |
| 35 | DISA Checklist for Oracle 19C database on Linux | 6 |
What Stays Unchanged:
- No changes to directory structures, script paths, or log file locations.
- The way compliance is evaluated remains the same.
- No SQLite installation is required on endpoints.
Actions to take:
- To subscribe to the above sites, use the License Overview Dashboard to enable and gather each site. Note that you must be entitled to the BigFix Compliance product and must be using BigFix version 10 or later.
  Steps: Dashboard –> License Overview –> Select and Enable Site –> Gather Site
- If you use custom sites, please update them to incorporate the latest content. You can do this using the Synchronize Custom Checks wizard.
  Note: During the initial synchronization, you will notice that all checks are removed and then re-added.
  Note: For this first release, manually copy the Environment Setup Tasks from the external site and remove the old Environment Setup task. Starting with the next release, synchronization for these checklists will be fully seamless.
More information:
To learn more about the BigFix Compliance SCM checklists, please see the following resources:
– The BigFix Compliance team