I want to create a custom security Fixlet for Windows

Greetings @sandhya692

You can create new Fixlets to check these types of compliance. The first thing you should do is check to see if you already have a Fixlet in your BigFix Compliance content, such as the Checklist sites for DISA STIG or CIS.

If you want to try your hand at creating a custom Fixlet for this check, I would start with the relevance inspectors for Access Control Lists.
https://developer.bigfix.com/relevance/reference/access-control-list.html
https://developer.bigfix.com/relevance/reference/security-descriptor.html

Here are a couple of samples of these inspectors to get you started.

q: (trustee of it, generic read permission of it, generic execute permission of it, list permission of it, grant type of it) of entries of dacl of security descriptor of system folder
A: NT SERVICE\TrustedInstaller, True, True, True, True
A: NT SERVICE\TrustedInstaller, False, False, False, True
A: NT AUTHORITY\SYSTEM, True, True, True, True
A: NT AUTHORITY\SYSTEM, False, False, False, True
A: BUILTIN\Administrators, True, True, True, True
A: BUILTIN\Administrators, False, False, False, True
A: BUILTIN\Users, True, True, True, True
A: BUILTIN\Users, False, False, False, True
A: CREATOR OWNER, False, False, False, True
A: APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES, True, True, True, True
A: APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES, False, False, False, True
A: APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES, True, True, True, True
A: APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES, False, False, False, True
T: 7.999 ms
I: plural ( security identifier, boolean, boolean, boolean, boolean )

This would check to see if BUILTIN\Users was granted the Generic Write permission on the System folder.
q: exists entries whose (account name of trustee of it = "BUILTIN\Users" and generic write permission of it and grant type of it) of dacl of security descriptor of system folder
A: False
T: 2.778 ms
I: singular Boolean

This post has some guidance around SACL instead of DACL, but the concept is the same:

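For anyone testing a Fixlet like this, it helps to have an independent way to read the same DACL on the endpoint and confirm what the relevance is reporting. The following is an added PowerShell example, not code from the original post or from BigFix, that lists the Allow/Deny entries on a folder and evaluates the same question as the second relevance query above (does an Allow ACE give BUILTIN\Users write access?). It assumes the "system folder" inspector resolves to %SystemRoot%\System32, and it treats an ACE as "write" when its mask contains any of the specific write bits, GENERIC_WRITE, or GENERIC_ALL; both of those mappings are assumptions you should adjust to match your checklist's definition.

```powershell
# Added example (not from the original post): cross-check the DACL a BigFix
# relevance query reports, using Get-Acl on the same folder.
# Assumption: the BigFix "system folder" is %SystemRoot%\System32.

function Get-FolderDaclSummary {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32'))

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Trustee     = $ace.IdentityReference.Value   # e.g. BUILTIN\Users
            GrantType   = $ace.AccessControlType         # Allow or Deny
            Rights      = $ace.FileSystemRights          # may show as a raw number for generic rights
            Inherited   = $ace.IsInherited
            AppliesTo   = $ace.InheritanceFlags          # None = this folder only; ContainerInherit/ObjectInherit = children
            InheritOnly = [bool]($ace.PropagationFlags -band
                             [System.Security.AccessControl.PropagationFlags]::InheritOnly)
        }
    }
}

function Test-TrusteeHasWrite {
    param(
        [string]$Path    = (Join-Path $env:SystemRoot 'System32'),
        [string]$Trustee = 'BUILTIN\Users'
    )

    # Assumed "write" definition: specific write bits (WriteData, AppendData,
    # WriteExtendedAttributes, WriteAttributes = 0x116), GENERIC_WRITE
    # (0x40000000) or GENERIC_ALL (0x10000000). Modify and FullControl both
    # contain the 0x116 bits, so they are covered as well.
    $writeMask = 0x116 -bor 0x40000000 -bor 0x10000000

    $acl  = Get-Acl -LiteralPath $Path
    $hits = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Trustee -and
        (([int]$_.FileSystemRights) -band $writeMask) -ne 0
    }
    return [bool]$hits
}

# Usage: dump the DACL, then evaluate the compliance question.
Get-FolderDaclSummary | Format-Table -AutoSize

if (Test-TrusteeHasWrite) {
    'NON-COMPLIANT: an Allow ACE grants BUILTIN\Users write access to System32'
} else {
    'Compliant: no Allow ACE grants BUILTIN\Users write access to System32'
}
```

Run it in an elevated PowerShell session on a test endpoint and compare the trustee and grant-type columns with the relevance output; a Deny ACE for the same trustee would appear in the summary but is deliberately ignored by Test-TrusteeHasWrite, matching the `grant type of it` clause in the relevance query. Note that each trustee typically appears more than once, because the folder's own ACE and the inherit-only ACE for its children are separate entries.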