Security Configuration Management: New Features Available

(imported topic written by Jim_Hansen91)

We are pleased to announce the release of a new set of Security Configuration Management functionality and features.

Content Updates

  • Support for DISA STIG on AIX 6.1 - BigFix has expanded its Unix SCM support to include the AIX 6.1 platform. Based on the DISA Standard Technical Implementation Guide (STIG) configuration guidance, the controls will allow system administrators to control the configurations of their IBM AIX systems from within the BigFix Unified Management Console.

This is delivered as a new masthead called “SCM Checklist for DISA STIG on AIX 6.1” and can be obtained by contacting licensing@bigfix.com.

  • Support for FDCC 1.2.1.0 - The National Institute of Standards and Technology (NIST) released this update to the Federal Desktop Core Configuration on June 16, 2009. This release didn’t alter the FDCC settings, but resolved a number of existing issues within the SCAP-expressed data stream. This content stream is now available as the default FDCC guidance provided by BigFix out of the box. A list of the specific changes can be found on the NIST web site here:

http://nvd.nist.gov/fdcc/changeLog-20090408.cfm

The BigFix checklist content has been updated and replaces the previous FDCC 1.1 content. The sites that are impacted include:

  • SCM Checklist for FDCC on Windows XP

  • SCM Checklist for FDCC on Windows XP Firewall

  • SCM Checklist for FDCC on Windows Vista

  • SCM Checklist for FDCC on Windows Vista Firewall

  • SCM Checklist for FDCC on Internet Explorer 7

If you are subscribed to these sites, your BigFix server should automatically gather this new content and make it available to you.

  • Support for Windows 2003 64-bit - BigFix has augmented the ‘Checklist for DISA STIG on Windows 2003’ to include support for the 64-bit version of Windows 2003. This change primarily affects the registry checks, which would return an erroneous result on 64-bit platforms prior to this release. It now uses the “native registry” inspector to ensure that the appropriate registry location is checked regardless of whether the operating system is running 32-bit or 64-bit.

If you are subscribed to this site, your BigFix server should automatically gather this new content and make it available to you.

  • Support for OVAL 5.5 and lower - BigFix has expanded its SCAP support to include OVAL 5.5 and lower. This allows the BigFix SCAP tools to consume SCAP-expressed data streams written to use OVAL 5.3, 5.4, or 5.5 in order to generate content. The support is limited to Windows-based content at this time.

  • Support for DISA STIG Categories - BigFix has augmented all existing DISA STIG-based content to include the Category reference within the Source Severity field. The content is represented as “Cat I, II, III, IV” and represents the severity of the check as defined by DISA as part of their STIG guidance. This update has been made for all Windows and Unix-based DISA STIG checklists.

New Dashboards and Wizards

  • New Exception Management Dashboard - A new exception management dashboard has been created to allow administrators to generate exceptions against specific misconfigurations identified within the environment. Exceptions within the dashboard are considered “soft exceptions” and will only impact the reporting. When an exception is created, the control will continue to be evaluated on the endpoint. Specific features of this dashboard include:

      • Self-contained administrative dashboard to create and manage exceptions directly from the BigFix Unified Management Console.

      • Edit or delete existing exceptions with full audit history

      • Set an expiration date on an exception or create permanent exceptions

      • Annotate exceptions and provide additional context and audit around defined exceptions

      • Flexible targeting to generate exceptions against a single system, group of systems, or by system property

      • Generate SCM compliance report and either use, use and show, or ignore exceptions

  • New SCAP Import Wizard - A new wizard has been developed to provide administrators with the ability to import any Windows-based SCAP-expressed data stream and produce one or more Fixlets. Many SCAP-expressed data streams can be found on the NIST managed National Checklist Program (NCP) web site:

http://web.nvd.nist.gov/view/ncp/repository

These data streams can be downloaded and converted into BigFix Fixlets by using the SCAP Import Wizard. This enables organizations to more fully leverage their SCAP tools to generate content and assess their systems against defined industry benchmarks such as FDCC and others.

  • New SCAP Report Creation Wizard - A new wizard has been developed to enable users to generate a highly granular XCCDF report export. The XCCDF file is used by federal agencies to provide proof of compliance to FDCC and also enables organizations to export computer properties and results to more easily integrate with other SCAP enabled tools. Customers can use the wizard to select the benchmark, target the system(s) for export, and select any BigFix computer property to export. The result is placed on the file system as individual computer files.

Release Notes

A critical issue was identified in the BigFix Windows agent that causes a memory leak when using the “set” inspector. The Privilege Rights and Permissions checks within the SCM content use these inspectors. To avoid this memory leak, we have updated the Fixlets to require version 7.2.5.21 or higher of the BigFix agent. This agent will be made available within the next two weeks as a Patch to version 7.2. No content updates will be required, but customers should upgrade their agents to the patched release to eliminate this memory leak issue.

Please see the release notes for more information on this issue and other known issues with the SCM content. The release notes can be found here:

http://support.bigfix.com/product/documents/SCM_Release_Notes.pdf

Documentation

And for those of you who are checking out the new SCM release, check out some cool new documentation that’s now available on our support website to help you get started installing, using, and customizing SCM for your deployment. Docs include:

  • SCM Setup Guide
  • SCM User’s Guide
  • SCAP QuickStart
  • SCAP User’s Guide
  • Guide to Using UNIX and Windows Benchmarks

The documents can be found here:

http://support.bigfix.com/resources.html

Where to Get More Information:

(imported comment written by HugeFix-ed91)

Where is the information stored for the exception information created in the new exception management dashboard?

Is it adding a property that can be retrieved to the underlying fixlets that can be queried using relevance?

If not, does that mean that exceptions will remain working if all the fixlets for a site with FDCC SCM content is updated (all fixlets deleted, then new fixlets copied in)?

Thanks in advance.

(imported comment written by jessewk)

Great username!

The information is stored in what we call the ‘Dashboard Datastore’. Basically they are stored in the database and are not directly tied to the underlying fixlet.

I believe the exception is identified by site name and control id, so as long as those stay the same the exception will continue to apply.

Jesse

(imported comment written by HugeFix-ed91)

Is there a way to access the SCM exception information for a site using session relevance?

(imported comment written by Jim_Hansen91)

Hi Huge-fixed,

Sorry for the delay on this. Yes, there is. I don’t have the specific session relevance expressions handy, but some of the smart, more technical folks at BF can. I’ll hunt them down. In the meantime, what types of things are you trying to extract and what do you want to use the information for?

Thanks.

Jim

(imported comment written by SystemAdmin)

Hey HugeFix-ed,

You can access the stored scm exception data pretty easily. Open the presentation debugger in the console and run this expression:

shared variables "SCMExclusions" of bes wizards

However, the results you get for this may be a little cryptic. Basically, we take the array of Objects that represents the exceptions, and convert it to a string using JSON (http://en.wikipedia.org/wiki/JSON) so that we can store it in a special spot of the BES Database.

The results will look something like this:

[
  {
    "exceptionID": 7251255138984,
    "compRule": {
      "value": {
        "name": "everycomputer",
        "id": "877",
        "isAutomatic": true,
        "site": "ActionSite"
      },
      "type": "group"
    },
    "hasExpired": false,
    "expiresOn": null,
    "comments": [
      {
        "issuer": "bigfix",
        "date": "Sat Oct 10 01:43:14 2009 UTC",
        "comment": "asdasdasdasd"
      }
    ],
    "creationDate": "Sat Oct 10 01:43:14 2009 UTC",
    "issuer": "bigfix",
    "controlID": 51061,
    "controlName": ".Xauthority file permissions - AIX 5.1",
    "site": "SCM Checklist for DISA STIG on AIX 5.1"
  }
]

If you are familiar with JavaScript this may look familiar to you. The properties that are probably interesting to you are the “controlID” field, which denotes the fixlet id, and the “site” field, which denotes the site the fixlet came from. Additionally, there is “compRule”, which specifies some criteria for selecting which computers the exception applies to, and is itself a potentially complicated JavaScript object.

If you have a specific task in mind, I may be able to help decode some of this stuff for you.

-Zak
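One way to turn the SCMExclusions string into an audit view (which exceptions are permanent, still active or already lapsed, keyed by site name plus control id as Jesse described). This is an added example, not code from the thread or from BigFix; the input is constructed to mirror the record shape Zak posted, with a second, lapsed record added, and the date parser assumes the "Sat Oct 10 01:43:14 2009 UTC" format shown above.

```javascript
// Added example, not code from the thread or from BigFix: audit the JSON string returned by
// the session relevance `shared variables "SCMExclusions" of bes wizards`. The input is
// constructed to mirror the record shape shown above (second record is a lapsed exception).
const SCM_EXCLUSIONS_JSON = JSON.stringify([
  {
    exceptionID: 7251255138984,
    compRule: { value: { name: "everycomputer", id: "877", isAutomatic: true, site: "ActionSite" }, type: "group" },
    hasExpired: false, expiresOn: null,
    comments: [{ issuer: "bigfix", date: "Sat Oct 10 01:43:14 2009 UTC", comment: "asdasdasdasd" }],
    creationDate: "Sat Oct 10 01:43:14 2009 UTC", issuer: "bigfix",
    controlID: 51061, controlName: ".Xauthority file permissions - AIX 5.1",
    site: "SCM Checklist for DISA STIG on AIX 5.1"
  },
  {
    exceptionID: 7251255138985,
    compRule: { value: { name: "everycomputer", id: "877", isAutomatic: true, site: "ActionSite" }, type: "group" },
    hasExpired: false, expiresOn: "Sun Oct 11 00:00:00 2009 UTC",
    comments: [], creationDate: "Sat Oct 10 02:00:00 2009 UTC", issuer: "bigfix",
    controlID: 51062, controlName: "constructed control", site: "SCM Checklist for DISA STIG on AIX 5.1"
  }
]);
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Parse the datastore's "Sat Oct 10 01:43:14 2009 UTC" format explicitly instead of relying
// on Date.parse. Returns null for a null/absent value or an unrecognised string.
function parseDatastoreDate(s) {
  const m = typeof s === "string" && s.match(/^[A-Za-z]{3} ([A-Za-z]{3}) (\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\d{4}) UTC$/);
  if (!m || !(m[1] in MONTHS)) return null;
  return new Date(Date.UTC(+m[6], MONTHS[m[1]], +m[2], +m[3], +m[4], +m[5]));
}

// Classify each exception as permanent, active or expired as of `now`, keyed by site name
// plus control id (what the exception is identified by according to the thread).
function auditExceptions(json, now) {
  return JSON.parse(json).map(e => {
    const expires = parseDatastoreDate(e.expiresOn);
    let status = "permanent";
    if (e.hasExpired || (expires && expires.getTime() <= now.getTime())) status = "expired";
    else if (expires) status = "active";
    return {
      key: `${e.site}#${e.controlID}`, controlID: e.controlID, site: e.site, issuer: e.issuer, status,
      scope: e.compRule.type === "group" ? `group:${e.compRule.value.name}` : e.compRule.type
    };
  });
}
// Keys of the exceptions that still suppress findings in compliance reports as of `now`.
function activeExceptionKeys(json, now) {
  return new Set(auditExceptions(json, now).filter(x => x.status !== "expired").map(x => x.key));
}
```

Because exceptions are "soft" (the control keeps evaluating on the endpoint), the permanent ones are the entries worth reviewing periodically, since nothing else ever retires them.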

(imported comment written by HugeFix-ed91)

Hey Zak,

Thanks for the reply. That definitely gets me in the right direction. I’ll do a little testing next week and reply with any questions I may have.

Thanks again,

(imported comment written by jlenaeus91)

The severity tag in certain xccdf files seems to not import correctly.

When we import SCAP files available here: http://iase.disa.mil/stigs/os/windows/xp.html under SCAP automation benchmark. The source severity comes up as unknown. If you look at the xccdf files the severity is tagged.

I looked briefly at the xccdf specification and it appears to me that the DISA docs are correct. Do I need to tell BigFix to actually look for the severity tag?

Thanks.

(imported comment written by Eric Walker)

Hi jlenaeus, it looks like you may have found a bug. We’ll look into it. Thanks for raising the issue.

Eric

(imported comment written by sbauchan91)

I am unable to create any fixlets with the SCAP Import Dashboard in 8.1. I have been trying to import the DISA Windows 7 V1R5 xccdf.xml file and I keep getting the same error:

*There was a problem creating policies: Error Code: (2)

I get the same error when I try and import the Office 2007 V4R1.

Is the import wizard broken or am I importing the wrong xml?

I have been getting the XML files from here: http://web.nvd.nist.gov/view/ncp/repository

Here is a SNAP of the error I get when I tried to import the XML

https://lh4.googleusercontent.com/-EAKiexILYZE/Tnq9-DD9vcI/AAAAAAAAA1k/pxJ4oAB27lQ/s800/Untitled.jpg

(imported comment written by SystemAdmin)

Hi sbauchan, it appears that the DISA Win 7 SCAP content is either buggy or uses some SCAP constructs that our importer can’t handle yet, or both.

Since it’s Tier III and “under review”, we haven’t yet fully evaluated it ourselves. To this point, we’ve been able to support Tier IV checklists pretty readily, including the USGCB checklist for Win 7.

– Jeff

(imported comment written by Eric Walker)

Hi sbauchan, you can find more information about this kind of thing at the following link:

https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/Tivoli%20Endpoint%20Manager/page/SCAP%20import%20wizard

A long-term solution that will be able to consume this content is under active development.

Eric