(imported topic written by ajfasano)
I am very new to BigFix but have spent the last 5 years or so working with a competitor's product, which I am very happy to not be working with now, in the DoD space. I have been digging into BigFix and I ‘believe’ I am getting an understanding of how things work, but before I start taking all the code I have written to work around the other guy's product, I would like to know how much I need to port.
From what I have gathered from these forums, the exception capability is a work in progress. What I am curious about are any ideas on how to accomplish the following in the BigFix app.
Take the DISA STIG for Unix. One of the vulnerabilities has to do with a baseline of sgid/suid binaries. The high level use case would be:
- Define a baseline of acceptable binaries for a given OS variant and apply it to the systems.
- Create a fixlet that produces a list of sgid/suid binaries. The binaries that are in the baseline would be filtered out. Optimally the fixlet would be simple. All it would do is produce a list of sgid/suid binaries, making it very easy to maintain, leaving the actual compliance logic to the app, which appears to me to be what the relevance code does.
- The IAO views the list of binaries in the baseline and, somehow, creates exceptions for any that are not in the baseline but are documented.
- The list of binaries that are not listed as exceptions and are not in the baseline is passed to the action for remediation.
This same basic process would work for cron/at/ftpusers, can be used to identify system and application accounts for both unix and windows, and other list values like those in REG_SZ registry values.
Since the exceptions are only tied to the reports, perhaps a deploy task that lets the end user input their exceptions into a parameter which is then converted to a local exception file in a format the scripts understand? That way the user does not need to know how the file is formatted and where the file is on the system? Thing is, how would one report on those exceptions without having to input them twice? Also not sure how the baseline would handle the exceptions and vice versa.
I have been through the forums but perhaps I am asking a question that has already been answered somewhere else?
Thanks in advance.
A.J.
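The pipeline A.J. describes (enumerate set-id binaries, subtract the baseline, subtract the documented exceptions, hand the remainder to remediation) as a stand-alone POSIX shell script. This is an example added here, not code from the post or from BigFix; the baseline and exception file formats (one absolute path per line, `#` comments allowed) and the `make_fixture` test data are assumptions.

```shell
#!/bin/sh
# Constructed example (not BigFix code): the set-id audit pipeline from the
# post as a script a Unix fixlet action could invoke. Assumed input format
# for the baseline and exception files: one absolute path per line,
# lines starting with '#' and blank lines ignored.

# find_setid ROOT: every regular file under ROOT with the suid or sgid bit set
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# filter_known LIST KNOWN...: lines of LIST that appear in none of the KNOWN
# files (exact path match; comments and blank lines in KNOWN files ignored)
filter_known() {
    list=$1; shift
    awk -v list="$list" '
        FILENAME != list {
            if ($0 != "" && substr($0, 1, 1) != "#") known[$0] = 1
            next
        }
        !($0 in known)' "$@" "$list"
}

# audit_setid ROOT BASELINE EXCEPTIONS: print the remediation candidates,
# i.e. set-id files that are neither baselined nor documented exceptions
audit_setid() {
    found=$(mktemp) || return 1
    find_setid "$1" > "$found"
    filter_known "$found" "$2" "$3"
    rm -f "$found"
}

# make_fixture DIR: constructed root with four set-id files and one plain
# file; the baseline covers two of them, an IAO exception covers a third
make_fixture() {
    mkdir -p "$1/usr/bin" "$1/opt/app/bin"
    for f in usr/bin/passwd usr/bin/su usr/bin/ls opt/app/bin/helper opt/app/bin/stale; do
        : > "$1/$f"
    done
    chmod 4755 "$1/usr/bin/passwd" "$1/usr/bin/su" "$1/opt/app/bin/stale"
    chmod 2755 "$1/opt/app/bin/helper"
    chmod 0755 "$1/usr/bin/ls"
    printf '%s\n' "$1/usr/bin/passwd" "$1/usr/bin/su" > "$1/baseline.txt"
    printf '%s\n' '# documented by the IAO' "$1/opt/app/bin/helper" > "$1/exceptions.txt"
}

# Real use (assumed file locations): sh audit_setid.sh / /etc/setid.baseline /etc/setid.exceptions
if [ $# -eq 3 ]; then audit_setid "$1" "$2" "$3"; fi
```

With the constructed fixture only `opt/app/bin/stale` survives the two filters, which is exactly the list the remediation action would receive.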