I want to create custom security fixlet for Windows

I need help to create a custom security Fixlet in BigFix for Windows 2016 for the below check.

Here is the check which I want to do for a Windows 2016 machine.

%SystemRoot%\system
Maximum authority permitted to general users:
Read & Execute
List Folder Contents
Read

Kindly help me if anyone has an idea of how to create it.

Greetings @sandhya692

You can create new Fixlets to check these types of compliance. The first thing you should do is check to see if you already have a Fixlet in your BigFix Compliance content, such as the Checklist sites for DISA STIG or CIS.

If you want to try your hand at creating a custom Fixlet for this check, I would start with the relevance inspectors for Access Control Lists.
https://developer.bigfix.com/relevance/reference/access-control-list.html
https://developer.bigfix.com/relevance/reference/security-descriptor.html

Here are a couple of samples of these inspectors to get you started.

q: (trustee of it, generic read permission of it, generic execute permission of it, list permission of it, grant type of it) of entries of dacl of security descriptor of system folder
A: NT SERVICE\TrustedInstaller, True, True, True, True
A: NT SERVICE\TrustedInstaller, False, False, False, True
A: NT AUTHORITY\SYSTEM, True, True, True, True
A: NT AUTHORITY\SYSTEM, False, False, False, True
A: BUILTIN\Administrators, True, True, True, True
A: BUILTIN\Administrators, False, False, False, True
A: BUILTIN\Users, True, True, True, True
A: BUILTIN\Users, False, False, False, True
A: CREATOR OWNER, False, False, False, True
A: APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES, True, True, True, True
A: APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES, False, False, False, True
A: APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES, True, True, True, True
A: APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES, False, False, False, True
T: 7.999 ms
I: plural ( security identifier, boolean, boolean, boolean, boolean )

This would check to see if BUILTIN\Users was granted the Generic Write permission on the System folder.
q: exists entries whose (account name of trustee of it = "BUILTIN\Users" and generic write permission of it and grant type of it) of dacl of security descriptor of system folder
A: False
T: 2.778 ms
I: singular Boolean

This post has some guidance around SACL instead of DACL, but the concept is the same:

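As an added example (not code from the thread or from BigFix), here is the same check written in PowerShell, which can be run locally on a Windows 2016 box to confirm what the relevance query above reports: it reads the DACL of %SystemRoot%\system and flags any Allow entry that grants a general-user group more than Read & Execute. It assumes "general users" means the three well-known groups listed in the script; List Folder Contents is the folder-inheritance form of the same bits, so it falls inside the allowance.

```powershell
# Added example, not from the forum thread: audit the DACL of %SystemRoot%\system
# and flag any Allow ACE that grants general users more than Read & Execute.
# "General users" is assumed here to mean the well-known groups listed below.
$Path = Join-Path $env:SystemRoot 'system'
$GeneralUsers = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

# Read & Execute as Windows grants it: FILE_GENERIC_READ | FILE_GENERIC_EXECUTE.
# The Synchronize bit is always part of that grant, so it is inside the allowance.
$ReadAndExecute = 0x1200A9

function Resolve-FileRights {
    # Inherit-only ACEs are often stored with GENERIC_* bits (Get-Acl shows them
    # as negative numbers such as -1610612736); map them onto file-specific rights
    # so they are compared on equal terms with the explicit ACEs.
    param([int]$Mask)
    $specific = $Mask -band 0x0FFFFFFF
    if ($Mask -band 0x10000000) { $specific = $specific -bor 0x1F01FF }  # GENERIC_ALL -> FullControl
    if ($Mask -band 0x20000000) { $specific = $specific -bor 0x1200A0 }  # GENERIC_EXECUTE
    if ($Mask -band 0x40000000) { $specific = $specific -bor 0x000116 }  # GENERIC_WRITE
    if ($Mask -band 0x80000000) { $specific = $specific -bor 0x120089 }  # GENERIC_READ
    return $specific
}

$acl = Get-Acl -LiteralPath $Path
$findings = foreach ($ace in $acl.Access) {
    # Deny ACEs only take rights away, so only Allow entries can over-grant.
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($GeneralUsers -notcontains $ace.IdentityReference.Value) { continue }

    $granted = Resolve-FileRights ([int]$ace.FileSystemRights)
    $excess  = $granted -band (-bnot $ReadAndExecute)   # bits beyond Read & Execute
    if ($excess -ne 0) {
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Inherited = $ace.IsInherited
            Granted   = [System.Security.AccessControl.FileSystemRights]$granted
            Excess    = [System.Security.AccessControl.FileSystemRights]$excess
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1   # non-compliant: a general-user group holds more than Read & Execute
}
"Compliant: general users hold no more than Read & Execute on $Path"
exit 0
```

The exit code makes the script usable as a pass/fail probe; in BigFix the relevance query in the post above is the proper way to express the same condition for a Fixlet.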

Thank you for your suggestion.