SCM Checklist for DISA STIG

(imported topic written by symbios91)

Have a question regarding the SCM module.

Some of our servers are running specific applications that require them not to comply with the policies. We would normally have them under a suppression list as we do not want to constantly go through them. How do I achieve this with BigFix? I can’t find any suppression feature and editing the fixlets is going to be very messy.

(imported comment written by clementine91)

Same problem here while evaluating SCM. BigFix is aware of it. As far as I know, if I'm not wrong, they have plans to provide such a feature.

(imported comment written by Jim_Hansen91)

Hi Symbios,

There are a couple of different ways for you to achieve what you are trying to do using the SCM content.

Option 1: Custom Site Creation

The SCM content is designed to allow you to create custom sites for exactly this purpose. If you have specific systems or groups of systems (web servers, domain controllers, mail servers) or other classifications of systems, you can create custom sites and copy the needed Fixlets into those sites and subscribe the custom site to requisite systems. Depending on the number of exceptions that you have, this may be a reasonable approach. You can read more about exactly how to do this in the SCM Deployment Guide, which can be found on our support site - here:

http://support.bigfix.com/product/documents/SCM_Deployment_Guide_080929.pdf

Option 2: Include / Exclude

Each SCM Fixlet also includes a corresponding task that has an action that allows you to enable or disable the evaluation of the given Fixlet on one or more computers. The action is taken just like any other BigFix action and it tells the client to essentially ignore the configuration check. If you have a high degree of variability, this might help as well. For more information, reference the “Disabling Windows Controls” and “Enabling Windows Controls” sections of the above-noted document. Note that this feature works the same for both Windows and Unix content.

As Clementine mentioned, we also have plans to provide a more extensive exception management feature set as well. If you would like to discuss this in more detail or if you would like to share with me some additional details of what you are doing, feel free to contact me: jim_hansen@bigfix.com.