Questions on Compliance and Patching

A customer asks … let’s presume that BigFix Compliance finds a server is out of compliance for a particular condition. Let’s further assume that an Admin made a modification that caused the server to be out of compliance. Does BigFix have any functionality that is able to pick this up and identify the specific admin and the action that made the modification? If not, what is our recommendation for how a customer can correlate this modification?

Another question … if a customer uses SolarWinds for patching, is there any integration between SolarWinds and BigFix?

Many thanks!

I don’t think Bigfix Compliance can do this. If a particular check is non-compliant, you could create a measured value to show what the value currently is on the system. However, it’s not possible to accurately pinpoint what or who caused the change.
Bigfix action history can be used to determine if a particular action caused the server to be non-compliant.

But it looks to me like BigFix Action History is designed to capture an audit of what actions were taken from within BigFix. If an action was taken by an admin outside the scope of BigFix, I’m guessing the best way to capture that would be using a SIEM?

Yeah SIEM would be the best way to capture that.

From my point of view, BigFix Actions history is a good tool to have a look at what happened within BigFix. As administrators might be able to edit the history, it’s suitable as an auditing or SIEM system.

Agreed. But the question is … can BigFix Actions History provide the detail on who made the change and how it was done?

If the change was made through BigFix, then it would be reflected in the action history, yes.

However, if a system is changed from a Compliant to a non-Compliant state, it is usually more likely that the change would have been made outside of Bigfix.
Take as an example some application that failed to install with UAC prompting turned on. It’s much more likely that a client administrator would turn off UAC in the local machine’s Control Panel than that they would call your administration and ask that it be disabled through BigFix. In that case BigFix will detect that UAC was disabled, and will report that through the Compliance module.
The Compliance interface would report the day on which it became non-compliant, Web Reports could have a report within a few minutes of when it became non-compliant (using the “last became relevant of fixlet ‘X’” report), but BigFix would not know who made the change.
You’d need to retrieve that through the Windows Auditing/event logs, usually through a SIEM such as QRadar, Splunk, etc.
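The correlation described in this reply (BigFix tells you when a check became non-compliant, the Windows Security log tells you who touched the setting) can be scripted once both feeds land in a SIEM. The following is an added example and not BigFix or SIEM vendor code: it models a compliance event carrying the "last became relevant" timestamp and a handful of constructed Windows Security events, and picks out the registry-modification event (ID 4657, "A registry value was modified") on the same host that hit the UAC `EnableLUA` value shortly before the check flipped. It assumes object-access auditing is enabled with a SACL on that registry key so that 4657 is actually emitted; host names, accounts and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class ComplianceEvent:
    """One non-compliant result from BigFix Compliance / Web Reports.
    `last_became_relevant` is the timestamp the check first became relevant."""
    computer: str
    check: str
    last_became_relevant: datetime


@dataclass
class WinSecurityEvent:
    """Minimal projection of a Windows Security log record as a SIEM would store it."""
    computer: str
    event_id: int
    timestamp: datetime
    subject: str          # "Subject: Account Name" in the event
    object_name: str      # registry key path, \REGISTRY\MACHINE\... form
    value_name: str       # "Object Value Name" for event 4657
    new_value: str


# Key and value that back the "UAC enabled" check (assumed to be the audited object).
UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUE = "EnableLUA"


def correlate(compliance: ComplianceEvent,
              events: List[WinSecurityEvent],
              window: timedelta = timedelta(minutes=30),
              key: str = UAC_KEY,
              value: str = UAC_VALUE) -> List[WinSecurityEvent]:
    """Return 4657 events on the same host that modified the audited value
    within `window` before the check became relevant, oldest first."""
    start = compliance.last_became_relevant - window
    hits = [
        e for e in events
        if e.computer.lower() == compliance.computer.lower()
        and e.event_id == 4657
        and e.object_name.lower() == key.lower()
        and e.value_name.lower() == value.lower()
        and start <= e.timestamp <= compliance.last_became_relevant
    ]
    return sorted(hits, key=lambda e: e.timestamp)


def who_changed(compliance: ComplianceEvent,
                events: List[WinSecurityEvent]) -> Optional[str]:
    """Account from the most recent matching modification, or None if no audit
    record explains the change (e.g. auditing was not configured on the key)."""
    hits = correlate(compliance, events)
    return hits[-1].subject if hits else None


# Constructed sample data: a compliance flip on SRV01 and a few audit records.
T0 = datetime(2024, 3, 5, 14, 0, 0)
COMPLIANCE = ComplianceEvent("SRV01", "UAC must be enabled", T0 + timedelta(minutes=7))

SAMPLE_EVENTS = [
    # Unrelated logon on the same host.
    WinSecurityEvent("SRV01", 4624, T0 + timedelta(minutes=1), "CORP\\jdoe", "", "", ""),
    # The change that flipped the check: EnableLUA set to 0 by a local admin.
    WinSecurityEvent("SRV01", 4657, T0 + timedelta(minutes=5), "CORP\\jdoe",
                     UAC_KEY, UAC_VALUE, "0"),
    # Same value changed on a different host; must not be attributed to SRV01.
    WinSecurityEvent("SRV02", 4657, T0 + timedelta(minutes=5), "CORP\\asmith",
                     UAC_KEY, UAC_VALUE, "0"),
    # A change to a different value under the same key; not the UAC setting.
    WinSecurityEvent("SRV01", 4657, T0 + timedelta(minutes=6), "CORP\\svc-deploy",
                     UAC_KEY, "ConsentPromptBehaviorAdmin", "5"),
]

if __name__ == "__main__":
    print(who_changed(COMPLIANCE, SAMPLE_EVENTS))  # CORP\jdoe
```

The window is the tolerance between the real change and the moment the BigFix client re-evaluated the check and reported; it should be at least the client's evaluation interval plus reporting latency, otherwise a genuine change can fall outside the search range and the function correctly answers `None` rather than guessing.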

Thank you. So the bottom line is if an Administrator chooses to do something that causes a device to become non-compliant outside of BigFix, BigFix cannot detect who did it and how.

Well, yes, that’s true. BigFix is not a logging/auditing tool. We do integrations with several SIEM products but BigFix itself isn’t one.

What we can do is enforce continual compliance - so if your local administrator changes the system to a noncompliant state, we put it right back the way it should be.
