Question about baselines, fixlets, exceptions, and remediation

(imported topic written by ajfasano)

I am very new to BigFix but have spent the last 5 years or so working with a competitor's product, which I am very happy to not be working with now, in the DoD space. I have been digging into BigFix and I ‘believe’ I am getting an understanding of how things work, but before I start taking all the code I have written to work around the other guy's product, I would like to know how much I need to port.

From what I have gathered from these forums, the exception capability is a work in progress. What I am curious about are any ideas on how to accomplish the following in the BigFix app.

Take the DISA STIG for Unix. One of the vulnerabilities has to do with a baseline of sgid/suid binaries. The high level use case would be:

  1. Define a baseline of acceptable binaries for a given OS variant and apply it to the systems.

  2. Create a fixlet that produces a list of sgid/suid binaries. The binaries that are in the baseline would be filtered out. Optimally the fixlet would be simple. All it would do is produce a list of sgid/suid binaries, making it very easy to maintain, leaving the actual compliance logic to the app, which appears to me to be what the relevance code does.

  3. The IAO views the list of binaries in the baseline and, somehow, creates exceptions for any that are not in the baseline but are documented.

  4. The list of binaries that are not listed as exceptions and are not in the baseline is passed to the action for remediation.

This same basic process would work for cron/at/ftpusers, can be used to identify system and application accounts for both unix and windows, and other list values like those in REG_SZ registry values.

Since the exceptions are only tied to the reports, perhaps a deploy task that lets the end user input their exceptions into a parameter, which is then converted to a local exception file in a format the scripts understand? That way the user does not need to know how the file is formatted or where the file is on the system. Thing is, how would one report on those exceptions without having to input them twice? Also, I am not sure how the baseline would handle the exceptions and vice versa.

I have been through the forums but perhaps I am asking a question that has already been answered somewhere else?

Thanks in advance.

A.J.
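As an added example (not BigFix or DISA content, and not code from the poster), here is how steps 1 through 4 above can be expressed as a small POSIX shell library: a scanner that lists setuid/setgid files, a filter that removes the baseline and the IAO's exceptions, and two report functions that answer the "input them twice" problem by deriving the exception report from the same exception file. The file format (one absolute path per line, `#` comments allowed) and the sample scan, baseline and exception data in `demo_findings` are hypothetical and constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not BigFix/DISA content: SUID/SGID baseline + exception filtering.
# Assumed (hypothetical) file format: one absolute path per line, '#' starts a comment.
export LC_ALL=C   # one collation for sort(1) and comm(1)

# scan_suid_sgid ROOT: setuid/setgid regular files on the local filesystem under ROOT.
# This is the whole "fixlet": it only produces the raw list, no policy logic.
scan_suid_sgid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort -u
}

# normalize_list FILE: drop comments, trailing blanks and empty lines; sorted unique paths.
normalize_list() {
    sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" | sort -u
}

# findings SCAN BASELINE EXCEPTIONS: scanned binaries in neither list (input to remediation).
findings() {
    allowed=$(mktemp) || return 1
    { normalize_list "$2"; normalize_list "$3"; } | sort -u > "$allowed"
    sort -u "$1" | comm -23 - "$allowed"
    rm -f "$allowed"
}

# exceptions_in_use SCAN EXCEPTIONS: excepted binaries actually present on the host.
# This is the exception report, derived from the same file the check consumes.
exceptions_in_use() {
    tmp=$(mktemp) || return 1
    sort -u "$1" > "$tmp"
    normalize_list "$2" | comm -12 - "$tmp"
    rm -f "$tmp"
}

# stale_exceptions SCAN EXCEPTIONS: excepted paths no longer on the host (prune candidates).
stale_exceptions() {
    tmp=$(mktemp) || return 1
    sort -u "$1" > "$tmp"
    normalize_list "$2" | comm -23 - "$tmp"
    rm -f "$tmp"
}

# demo_findings MODE: run the functions over constructed sample data; MODE is findings|in_use|stale.
demo_findings() {
    d=$(mktemp -d) || return 1
    # Constructed scan output (what scan_suid_sgid would print on a hypothetical host).
    printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/bin/su \
        /usr/local/bin/legacy_tool /opt/app/bin/helper /usr/bin/chsh > "$d/scan"
    # Constructed baseline for the hypothetical OS variant.
    printf '%s\n' '# baseline: hypothetical OS variant' /usr/bin/passwd /usr/bin/su \
        '/usr/bin/chsh   # trailing comment is allowed' > "$d/baseline"
    # Constructed IAO exceptions; the second entry no longer exists on the host.
    printf '%s\n' '/opt/app/bin/helper  # documented by the IAO' /opt/old/bin/gone > "$d/exceptions"
    case $1 in
        findings) findings "$d/scan" "$d/baseline" "$d/exceptions" ;;
        in_use)   exceptions_in_use "$d/scan" "$d/exceptions" ;;
        stale)    stale_exceptions "$d/scan" "$d/exceptions" ;;
    esac
    rm -rf "$d"
}

# Stand-alone use: sh suid_baseline.sh demo_findings findings
if [ $# -gt 0 ]; then "$@"; fi
```

On a real host the pipeline is `scan_suid_sgid / > scan.txt`, then `findings scan.txt baseline.txt exceptions.txt` for the remediation action and `exceptions_in_use` for the report. Keeping the baseline and exception files as plain path lists means a deploy task can write them from a parameter without the operator knowing the format, and `stale_exceptions` catches exceptions that outlive the binary they were granted for.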

(imported comment written by Jeff Saxton)

Hi, I’m the lead developer for Unix SCM content.

You are correct that the exception capability is at the reporting layer. Also, exceptions can only be applied with a minimum granularity of a single fixlet on a single endpoint.

Some of the fixlets, however, do allow you to set a parameter of “things to ignore” when performing the check on the endpoint.

For example let’s look at the AIX 6.1 DISA content:

GEN000340 allows you to set a list of accounts that should be considered “system” accounts, which should be allowed to have UID < 100.

GEN000540 (minimum password age) allows you to set a list of accounts that should not be checked for a minimum password age.

GEN000580 is the same as GEN000540, except for minimum password length.

Although the coverage of this type of “hard exception” (that is, an exception that is accounted for at check time rather than report time) is not very complete, we can add this capability to the checks you require it for.

We currently have a monthly maintenance release cycle, so generally the longest you’d have to wait for this type of enhancement is 2 months maximum.

Please feel free to open an APR/PMR for the checks where you need this capability, and also feel free to contact me directly if you’d like to discuss this further, as there are some limitations.

Jeff Saxton

jsaxton@us.ibm.com

CELL: +US 650.235.0776