Harden Your Servers with BigFix Compliance

The Challenge of Server Hardening

When we think of keeping any kind of system secure, the first thing that springs to mind is patching. However, Server Hardening is the process of enhancing server security through a variety of means which results in a much more secure server operating environment.

For servers, there are a lot of elements – possibly hundreds of elements — that need to be monitored to make sure that potentially sensitive data, or access to potentially sensitive data, is not exposed or compromised. Typical elements include:

• Are password requirements stringent enough to withstand brute-force hacks?
• Are file permissions or file ownership settings on non-Windows servers properly set on key system files, or have they been compromised?
• Is antivirus software running?

There can be tens or hundreds of items like these that may need to be monitored on EACH SERVER. Since an average systems administrator is possibly responsible for up to 100 (or more) servers, you quickly see how unmanageable and unrealistic it is to think they can manually audit/monitor each server. BigFix Compliance can automate these checks for system administrators, thus making your servers more secure.

Understanding Your Overall Compliance Posture

One of the functions of BigFix Compliance, in addition to auditing and enforcing hardening elements, is to provide a view of your overall compliance.  It provides a dedicated reporting engine that periodically collates all the audit results from your endpoints into a set of graphs and reports that show trends. Using the dashboard and reports, management, application teams, and auditors can quickly understand the state of endpoint compliance across the enterprise.

The Compliance Analytics and Reporting engine provides a variety of report views. The Compliance Overview report shown in Figure 1 allow authorized report consumers to quickly drill down into any compliance aspects of interest. Role Based Access Controls (RBAC) insure that users are only allowed to see compliance data that fits their job role.

Figure 1: Example of Compliance Overview report

How are Compliance Statistics Calculated?

Compliance statics, such as the compliance percentage, are calculated from the results of the ongoing compliance audits applied to endpoints using custom checklists. A custom checklist is a specific set of individual checks drawn from the extensive library of checks. Figure 2 is a sample of available checklists available in BigFix Compliance. The library includes checks for different operating systems and applications and come from organizations like the Center for Internet Security (CIS), the Défense Information Systems Agency (DISA) and the Payment Card Industry (PCI). Although each check includes a default, recommended audit value, most can be changed to fit individual needs.

Figure 2:  Sample of available compliance checks

Within a checklist, there are individual, specific checks available.  Figure 3 depicts a sampling of CIS checks for Windows 10 (on the left) and checks for Red Hat Enterprise Linux 7 (on the right).

Figure 3: Sample CIS Windows 10 and RHEL 7 checks

BigFix supplies a set of wizards which are used to easily create and maintain custom checklists. In Figure 4, a wizard is being used to create a custom checklist called, Windows 10 Password Checks.

Figure 4: Example of building a custom checklist using a wizard

After a checklist is built, the default, recommended values for each check can be changed as desired before the checklist is applied to a specific set of endpoints. Once the custom checklist is applied to a set of endpoints, each endpoint agent continually assesses itself against the audit checks. Initially, the agent reports back the compliance status for each check. Afterwards, the agent only reports on any changes in compliance status, thus minimizing bandwidth traffic. The BigFix Compliance Analytics server uses the results of these checks to generate the Compliance reports.

Using BigFix terminology, a check is implemented as a Fixlet™. A Fixlet is comprised of a set of targeting rules to identify which endpoints it applies or is relevant to, and a set of BigFix Actions that define what action is to be taken by the agent.

Each Targeting Rule is a Boolean test which defines a condition for a fixlet is applicable or relevant to an endpoint. All specified Targeting Rules or conditions must be ‘true’ before the fixlet is considered relevant. Similarly, BigFix Actions are used to take virtually any action on an endpoint. For example, a BigFix action could initiate a reboot of the endpoint or change a registry value on a Windows endpoint.

How is Non-compliance Remediated?

The BigFix agent reports out-of-compliance conditions (checks) as described above. By default, the BigFix agent only reports non-compliance conditions. However, in most cases, it is also desirable for the agent to remediate an out-of-compliance condition, either one time or continuously, returning the endpoint to the desired state.  A BigFix Administrator can enable remediation actions for any Fixlet using BigFix’s Take Action wizard.  Using remediation actions, systems are always kept in compliance without manual intervention.

Can Multiple Checklists be Combined?

More than one set of checks may apply to any given set of endpoints. Multiple checklists can be bundled together into a Baseline and deployed as single action, minimizing the effort of system administrators. Each check in the baseline will be evaluated and potentially remediated independent of any other checks in the deployed baseline. By deploying a baseline, a single action by an administrator can continuously audit and remediate hundreds of audit checks, ensuring compliance of all endpoints.

Summary

Server Hardening is the process of enhancing server security to create a secure server operating environment that is less prone to security attacks and data breaches.  Hardening servers and keeping them in compliance can be a daunting task for system administrators since there are often hundreds of elements that need to be monitored.  When servers experience configuration drift, through malicious or unintentional actions, they can fall out of compliance. Checking for compliance and remediating non-compliance can be very time consuming and a seemingly, endless task. With BigFix Compliance, continuously monitoring of compliance and automatic remediation is easy. Additionally, BigFix Compliance reports on the state of endpoint compliance through a set of dashboards and reports – providing critical information to all stakeholder who are responsible for enterprise security.

Author: David Tamillow.  Editor:  Cy Englert.

Learn more by joining the Harden Your Servers with BigFix Compliance webinar on October 2nd, 2019. Register now!