FDCC scanning, deployment, and reporting

(imported topic written by SY57_Jim_Montgomery)

Is there a recommended way to deploy the FDCC related SCM sites so that we can easily:

A) generate xccdf reports on the entire infrastructure

B) enable admins to report and see their compliance on their responsibility area

C) report on all computers globally

The following is what we’ve come up with internally, and I want to see if anyone is deploying this way, or if there is anything we are forgetting.

We’ll create a custom site called Custom FDCC.

We’ll copy all fixlets from the 3 FDCC external sites to the new custom site. (I only care about Windows XP right now)

The FDCC external sites will not be subscribed to by any clients.

We’ll create an automatic group that contains all Windows XP computers in the environment, WinXP.

The Custom FDCC site will only subscribe members of this WinXP group.

The command line xccdf tool requires a site and a group to run, so we can now feed it the Custom FDCC site and WinXP group.

Admins will have read access to the Custom FDCC site so they can apply fixlets to remediate, and so they can report on results.

Admins that can see all computers can report on the results globally, and admins with limited scope will only see their results.

Does this sound right? Am I forgetting anything? Yep - anytime the FDCC datastream changes I’ll have to re-copy the fixlets. Also, my understanding is that OMB/NIST requires an xccdf report of results from our entire agency - with this setup I can generate that from this one site and one group.

Thanks for any tips,

-Jim

(imported comment written by Jim_Hansen91)

Hi Jimbot,

The plan of attack that you outline is accurate and should take care of you. A couple of points:

  1. Since you do care about the Windows XP, Windows XP Firewall, and IE7 sites, the best way to generate a single XCCDF report output is in fact to merge them as you describe into a custom site. This is the preferred approach. The alternative would be to generate a separate report for each benchmark.

  2. Since you will not be using the external sites, you are doing the right thing by unsubscribing all computers from the sites. Since the Custom FDCC site will contain the checks, you’ll be covered there as well.

  3. The SCAP Reporter tool does require either a computer or a group. The purpose of this, of course, is so you can generate the necessary XCCDF report for each computer within the group you designate. You can, however, specify only a single computer to run the report against.

  4. In terms of updates made to the external sites, we recognize this as support for the change control process. As updates are made to the FDCC content, we’ve found that many customers first want to test the content in a lab or set of test systems before pushing the updates out to the infrastructure. When an updated version is provided this will provide you the opportunity to run both side by side and cut from one version of the standard to another more safely. I’d be curious as to your thoughts on this, though.

Please feel free to let me know if you have any other comments or questions. You are welcome to post them here on the forum or you can contact me directly as well at jim_hansen@bigfix.com.
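Both posts come down to one reporting problem: the SCAP Reporter emits an XCCDF result document per computer in the designated group, and the agency needs both a global roll-up and a per-administrator view of those results. The script below is an added example, not part of the thread and not BigFix or SCAP Reporter code; it parses XCCDF 1.1 `TestResult` elements from a set of constructed per-computer result files, computes a pass/fail summary per target, lets a scoped admin see only their own computers, and rolls everything up into one fleet-wide figure. The host names, rule ids and result values are constructed sample data, and the real tool's file layout is assumed to be one XML document per computer.

```python
"""Aggregate per-computer XCCDF result documents into compliance summaries.

Added example; not from the forum thread or from BigFix. Assumes one XCCDF
result document per computer, as produced by a SCAP reporter run against a group.
"""
import xml.etree.ElementTree as ET

# Namespace of XCCDF 1.1 (the schema version used by FDCC benchmark content).
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}

# Only these results count toward the compliance percentage. 'notapplicable',
# 'notselected' and 'informational' are excluded from the denominator.
PASSING = {"pass", "fixed"}
FAILING = {"fail", "error", "unknown"}


def parse_test_results(xml_text):
    """Return [(target, {rule_id: result}), ...] for every TestResult in a document."""
    root = ET.fromstring(xml_text)
    # A result file may carry TestResult as its root or nested inside a Benchmark.
    if root.tag == "{%s}TestResult" % XCCDF_NS:
        nodes = [root]
    else:
        nodes = root.findall(".//x:TestResult", NS)
    parsed = []
    for tr in nodes:
        target_el = tr.find("x:target", NS)
        target = (target_el.text or "").strip() if target_el is not None else ""
        rules = {}
        for rr in tr.findall("x:rule-result", NS):
            res_el = rr.find("x:result", NS)
            # A rule-result with no <result> child is treated as 'unknown' (a failure).
            rules[rr.get("idref")] = (res_el.text or "unknown").strip() if res_el is not None else "unknown"
        parsed.append((target or "(unknown target)", rules))
    return parsed


def summarize(documents):
    """Per-target pass/fail counts, failed rule ids, and a compliance percentage."""
    summary = {}
    for doc in documents:
        for target, rules in parse_test_results(doc):
            entry = summary.setdefault(target, {"pass": 0, "fail": 0, "failed_rules": []})
            for rule_id, res in rules.items():
                if res in PASSING:
                    entry["pass"] += 1
                elif res in FAILING:
                    entry["fail"] += 1
                    entry["failed_rules"].append(rule_id)
    for entry in summary.values():
        scored = entry["pass"] + entry["fail"]
        entry["percent"] = round(100.0 * entry["pass"] / scored, 1) if scored else 0.0
    return summary


def scoped_view(summary, allowed_targets):
    """The subset an administrator with limited scope should see (their own computers)."""
    return {t: e for t, e in summary.items() if t in allowed_targets}


def fleet_percent(summary):
    """Single agency-wide compliance figure across all scored rule results."""
    passed = sum(e["pass"] for e in summary.values())
    failed = sum(e["fail"] for e in summary.values())
    return round(100.0 * passed / (passed + failed), 1) if passed + failed else 0.0


# Constructed sample result documents (three computers, three rules each).
SAMPLE_RESULTS = [
    """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-result-host1">
  <target>winxp-host1.example.local</target>
  <rule-result idref="example-rule-1"><result>pass</result></rule-result>
  <rule-result idref="example-rule-2"><result>fail</result></rule-result>
  <rule-result idref="example-rule-3"><result>notapplicable</result></rule-result>
</TestResult>""",
    """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-result-host2">
  <target>winxp-host2.example.local</target>
  <rule-result idref="example-rule-1"><result>pass</result></rule-result>
  <rule-result idref="example-rule-2"><result>pass</result></rule-result>
  <rule-result idref="example-rule-3"><result>pass</result></rule-result>
</TestResult>""",
    """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-result-host3">
  <target>winxp-host3.example.local</target>
  <rule-result idref="example-rule-1"><result>fixed</result></rule-result>
  <rule-result idref="example-rule-2"><result>error</result></rule-result>
  <rule-result idref="example-rule-3"><result>fail</result></rule-result>
</TestResult>""",
]

if __name__ == "__main__":
    fleet = summarize(SAMPLE_RESULTS)
    for target, entry in sorted(fleet.items()):
        print("%-28s %5.1f%%  failed: %s" % (target, entry["percent"], ", ".join(entry["failed_rules"]) or "-"))
    print("fleet-wide: %.1f%%" % fleet_percent(fleet))
    print("scoped view:", sorted(scoped_view(fleet, {"winxp-host1.example.local"})))
```

The denominator deliberately excludes `notapplicable` and `notselected` so that a benchmark profile that skips rules on some hosts does not inflate or deflate their score, and `error`/`unknown` are counted as failures so a check that could not run never silently reads as compliant.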