Frequently asked questions

Can I parameterize all checks?

Not all checks can be parameterized using the Fixlet user interface we provide. In cases where a check can be parameterized, the method depends on the type of content. See the Configuration Management Checklists Guide for more information.

Are remediation actions available for all checks?

Remediation actions are available for a subset of checks.

Where can I find a sample file containing UNIX parameters?

See the Configuration Management Checklists Guide.

Are there compliance evaluation reports/mechanisms that compare a laptop or server against FISMA/NIST/DISA standards?

Configuration Management checks assess servers, laptops, and desktops against a predefined set of configuration guidance such as DISA STIG and FDCC.

HCL BigFix also supports configuration standards from NIST, NSA, and other standards organizations. Compliance regulations such as FISMA, PCI, and others can easily be supported by customizing the checklists provided by HCL.

What happens if I subscribe sites incorrectly to a system?

Each Configuration Management site applies to a specific operating system or product. It is important that each computer subscribed to each site matches the correct operating system configuration. This ensures the accuracy of the compliance results for each Configuration Management site, and prevents potential performance issues. External sites contain site relevance to ensure that only applicable computers are subscribed. However, custom sites do not support site relevance, so you are responsible for maintaining accurate subscriptions.

When I run a remediation action on a UNIX endpoint, how do I ensure that a system is not remediated more than once?

When a remediation action is run, it reruns the detection script, which validates whether the remediation was successful. If successful, the Fixlet becomes non-relevant. If unsuccessful, the Fixlet remains relevant.

What does the letter designation mean on the end of some of the scripts within the UNIX content?

We used the DISA STIG unique identifiers as part of the naming convention for each DISA STIG control that was built. In the case where we had to separate a single control into multiple scripts, the scripts include a letter designator on the end that provides a unique ID for each control.

What is the security associated with the base parameter file that defines the parameters for the UNIX content?

The standard permissions for this file are 700 (read, write, and execute for the owner of the file). In this case, the owner must be root or whichever user is the owner of the BES Client.
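
One way to audit the permissions described above, as an added example that is not part of the HCL documentation. The function name `check_param_file`, the account name, and the path in the usage comment are assumptions, because this page does not give the file's location.

```shell
#!/bin/sh
# Added example: audit mode and ownership of the UNIX parameter file.
# Usage (path and BES Client owner are placeholders, not taken from the page):
#   sh check_param_file.sh /path/to/parameter-file root besclient_owner

# check_param_file FILE ALLOWED_OWNER...
# Returns 0 when FILE is a regular file with mode 700 (-rwx------) owned by
# one of the allowed owners. Prints the reason and returns 1 otherwise.
check_param_file() {
    file=$1
    shift
    # A symlink could point the check at a different file, so reject it.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is missing, a symlink, or not a regular file"
        return 1
    fi
    # ls -ld is parsed instead of calling stat, whose options differ
    # between UNIX variants.
    listing=$(ls -ld -- "$file") || return 1
    # The first 10 characters are the type and permission bits; an 11th
    # character, if present, is an ACL or security-context marker.
    mode=$(printf '%s\n' "$listing" | awk '{print substr($1, 1, 10)}')
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    if [ "$mode" != "-rwx------" ]; then
        echo "FAIL: $file has mode $mode, expected -rwx------ (700)"
        return 1
    fi
    for allowed in "$@"; do
        if [ "$owner" = "$allowed" ]; then
            echo "OK: $file is mode 700 and owned by $owner"
            return 0
        fi
    done
    echo "FAIL: $file is owned by $owner, expected one of: $*"
    return 1
}

# Run the check only when a file and at least one allowed owner are given.
if [ "$#" -ge 2 ]; then
    check_param_file "$@"
fi
```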

When using the Create SCAP Compatible Report wizard, a warning displays stating that the data stream failed to be retrieved. What should I do?

You can safely ignore the warning, which appears when the source content does not contain a data stream.