Welcome to the next installment of “Things that I didn’t know BigFix could do for me”.
Most of us have talked about how simple IBM BigFix makes patching an environment (or just reporting patch compliance, for shops that still deploy patches with other tools), along with many other things. Configuration compliance is one area where I am not sure everyone knows what BigFix can do.
What is one of the hardest things to do in IT security? Stand up a server or workstation, configure it securely, and then make sure it stays properly configured for the life of that machine. This can be a HUGE pain, I promise you, and it never ends. Anyone who has to deal with this headache probably hates it. Think of all the requirements to stay in compliance with regulatory and industry guidelines: CIS Benchmarks, DISA STIGs, PCI DSS, etc. Security teams often use these as starting points even when they are not obligated to comply with a particular checklist. Every organization that processes credit cards is required to comply with PCI DSS for at least the parts of its infrastructure that handle cardholder data. IBM BigFix makes this kind of work very simple.
BigFix ships content for many of these checklists out of the box: over 110 distinct checklists and over 9,000 checklist line items. Here is the current list:
All of this content is simple. Each checklist line item is a question the agent asks the computer. Like everything else in BigFix, these questions are added to a list and the agent keeps asking them, forever. Any time something changes on the box, BigFix knows within seconds to minutes and reports the change. There are NO SCANS to run. If the computer is powered on, it is gathering updated data as soon as things change, so I always know my compliance, even for machines that have left the office. As long as the machine has a network (or internet) connection, it is actively managed.
When I turn on a checklist, I know my compliance across the board within minutes, literally. This lets me identify configuration drift automatically for most operating systems and most of the specific roles listed above. I can also create specific checklists for different areas of the network: inside my data center an IIS server should look like X, but inside my DMZ it must look like Y, and I can easily build a custom checklist for each. I can change the values I check for (minimum password length should be 23 characters on AIX servers in my world? easy), and I can write checklist line items from scratch to cover things that exist only in my environment.
So, within an hour of standing up a BigFix server and deploying the agent (a single lightweight agent, roughly 2% CPU and 10 MB of RAM), I can tell you your compliance with any of these checklists, and from then on your compliance over time, in a form that is easy to digest. This is an extremely simple tool to use for this type of work.
So, that's half the battle: identifying where things aren't configured properly. Now the hard part (not hard for BigFix): we need a way to enforce compliance automatically. I don't care where the machine is or what the machine is. We took the time to identify the things we are looking for; now let's keep the machines configured properly.
Back to the basics of how BigFix works: a single agent that is always asking questions, with negligible performance impact on the machine. The agent can ask thousands of questions in a couple of minutes. When it reaches the end of its list, it loops back to the beginning and asks the same questions again, and again, and again. When an answer changes, the agent reports to the BigFix server immediately and returns to the loop. If a change makes an enabled action relevant, the agent can take that action as soon as it sees the change. Again, change is typically identified in seconds to minutes, not hours or days.
When it comes to these regulatory checklists, I can also remediate many items automatically. If the minimum password length isn't set to 23 characters, I can forcibly set it. Within BigFix I create a container called a Baseline, place the items I want to remediate in it, and when I'm ready I take an action against that baseline that tells the machines to move into compliance for each item and to keep moving back into compliance whenever they drift. Simple and powerful.
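As an added example (not from this post and not IBM's stock checklist content), here is what one checklist item looks like when written as a BigFix Fixlet for the AIX password-length case above: the Relevance is the question the agent keeps asking on every evaluation cycle, and the Action Script is the remediation a Baseline applies. The file path, the `minlen` attribute format, the policy value 23 and the `chsec` command line are assumptions about a stock AIX host.

```text
/* ---- Relevance: the question the agent asks on every evaluation cycle.
   TRUE means the host is NOT compliant, so the item shows as relevant.
   Assumptions (not from the post or the stock checklist content):
   the policy value is 23, the attribute lives in /etc/security/user, and
   chsec writes it as "<tab>minlen = <n>" inside a user stanza. */
name of operating system starts with "AIX"
AND exists file "/etc/security/user"
AND (
  /* no stanza sets minlen at all (the AIX default is 0, i.e. no minimum) */
  (not exists lines whose (it as trimmed string starts with "minlen") of file "/etc/security/user")
  OR
  /* some stanza (default or a per-user override) sets it below 23;
     "| 0" treats an unparsable value as 0 instead of raising an error */
  (exists lines whose (
      it as trimmed string starts with "minlen"
      AND ((((following text of first "=" of it) as trimmed string) as integer) | 0) < 23
    ) of file "/etc/security/user")
)

// ---- Action script: the remediation the baseline applies when the
// relevance above is true. With the default success criteria, the agent
// re-evaluates the relevance after the action runs; if it is still TRUE
// the action reports Failed instead of silently passing.
wait /usr/bin/chsec -f /etc/security/user -s default -a minlen=23
```

Relevance comments use `/* */` and Action Script comments use `//`. Take the action from a Baseline with the "Reapply this action whenever it becomes relevant again" policy setting and the agent re-runs `chsec` each time a later evaluation cycle finds the relevance true again, which is the drift enforcement described above. Because this relevance also flags per-user stanzas that weaken `minlen`, a host with such an override stays relevant after `chsec` fixes the default stanza, so the action reports Failed; a stricter remediation would reset those overrides as well. The stock checklist content parameterizes the value rather than hard-coding 23, which is how the per-environment values mentioned earlier are set.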
We are setting up BigFix Proof of Technology (POT) events in many major cities over the second half of the year. These are hands-on technical events in a stress-free environment. Look for more details on those to follow.
If you want to learn even more, be sure to check out our other blog posts about IBM BigFix: