• 1 reply
  • Latest Post - ‏2012-10-09T20:04:32Z by Jeff Saxton
1 Post

Pinned topic Question about baselines, fixlets, exceptions, and remediation

‏2012-09-21T00:18:42Z |
I am very new to BigFix but have spent the last 5 years or so working with a competitors product, which I am very happy to not be working with now, in the DoD space. I have been digging into BigFix and I 'believe' I am getting an understanding of how things work but before I start taking all the code I have written to work around the other guys product, I would like to know how much I need to port.

From what I have gathered from these forums, the exception capability is a work in progress. What I am curious about are any ideas on how to acomplish the following in the BigFix app.

Take the DISA STIG for Unix. One of the vulnerabilities has to do with a baseline of sgid/suid binaries. The high level use case would be:
1. Define a baseline of acceptable binaries for a given OS variant and apply it to the systems.
2. Create a fixlet that produces a list of sgid/suid binaries. The binaries that are in the baseline would be filtered out. Optimally the fixlet would be simple. All it would do is produce a list of sgid/suid binaries, making it very easy to maintain leaving the actual compliance logic to the app, which appears to me to be what the relevance code does.
3. The IAO views the list of binaries in the baseline and, somehow, creates exceptions for any that are not in the baseline but are documented.
4. The list of binaries that are not listed as exceptions and are not in the baseline is passed to the action for remediation.
This same basic process would work for cron/at/ftpusers, can be used to identify system and application accounts for both unix and windows, and other list values like those in REG_SZ registry values.

Since the exceptions are only tied to the reports, perhaps a deploy task that lets the end user input their exceptions into a parameter which is then converted to a local exception file in a format the scripts understand? That way the user does not need to know how the file is formatted and where the file is on the system? Thing is, how would one report on those exceptions without having to input them twice? Also not sure how the baseline would handle the exceptions and vice versa.

I have been through the forums but perhaps I am asking a question that has already been answered somewhere else?

Thanks in advance.
  • Jeff Saxton
    Jeff Saxton
    21 Posts

    Re: Question about baselines, fixlets, exceptions, and remediation

    Hi, I'm the lead developer for Unix SCM content.

    You are correct that the exception capability is at the reporting layer. Also exceptions can only be applied with a minimum granularity of a single fixlet on a single endpoint.

    Some of the fixlets however do allow you to set a parameters of "things to ignore" when performing the check on the endpoint.

    For example let's look at the AIX 6.1 DISA content:

    GEN000340 allows you to set a list of accounts that should be considered "system" accounts which should be alloowed to have UID < 100
    GEN000540 (minimum password age) allows you to set a list of accounts that should not be checked for a minimum password age
    GEN000580 same as GEN000540 except for minimum password length

    Although the coverage of this type of "hard exception", that is an exception that is accounted for at check time rather than report time
    is not very complete we can add this capability to the checks you require it for.

    We currently have a monthly maintenance release cycle, so generally the longest you'd have to wait for this type of enhancement is 2 months maximum.

    Please feel free to open an APR/PMR for the checks where you need this capability, also feel free to contact me directly
    if you'd like to discuss this further are there are some limitations.

    Jeff Saxton
    CELL: +US 650.235.0776