(imported topic written by SY57_Jim_Montgomery)
Is there a recommended way to deploy the FDCC related SCM sites so that we can easily:
A) generate xccdf reports on the entire infrastructure
B) enable admins to report and see their compliance on their responsibility area
C) report on all computers globally
The following is what we’ve come up with internally, and I want to see if anyone is deploying this way, or if there is anything we are forgetting.
We’ll create a custom site called Custom FDCC.
We’ll copy all fixlets from the 3 FDCC external sites to the new custom site. (I only care about windows XP right now)
The FDCC external sites will not be subscribed to by any clients.
We’ll create an automatic group that contains all Windows XP computers in the environment, WinXP.
Only members of this WinXP group will be subscribed to the Custom FDCC site.
The command line xccdf tool requires a site and a group to run, so we can now feed it the Custom FDCC site and WinXP group.
Admins will have read access to the Custom FDCC site so they can apply fixlets to remediate, and so they can report on results.
Admins that can see all computers can report on the results globally, and admins with limited scope will only see their results.
Does this sound right? Am I forgetting anything? Yep - anytime the FDCC datastream changes I’ll have to re-copy the fixlets. Also, my understanding is that OMB/NIST requires an xccdf report of results from our entire agency - with this setup I can generate that from this one site and one group.
Thanks for any tips,
-Jim