Home
Configuration Management (SCM)
BigFix Compliance Configuration Management (SCM) includes configurable content that is checks and checklists, which assess and manages the devices to ensure compliance standards are met.
Configuration Management for Console User Guide
Configuration management (SCM) is used to manage security configuration of devices using checklists which includes creating custom checklists, customize individual checks, synchronizing, deploying checklists to devices.
Configuring UNIX checklists
You can configure checklists for the superseded and non-superseded UNIX content.
Configuring checklists
Running checklists
Modifying global scan options
You can control the behavior of the global scan through the Configure Filesystems Scan Options task.

Configuration Management (SCM)
BigFix Compliance Configuration Management (SCM) includes configurable content that is checks and checklists, which assess and manages the devices to ensure compliance standards are met.
- Configuration Management for Console User Guide
  Configuration management (SCM) is used to manage security configuration of devices using checklists which includes creating custom checklists, customize individual checks, synchronizing, deploying checklists to devices.
  - Setting up Configuration Management
    Follow these steps to set up your Configuration Management deployment.
  - Using checks and checklists
  - Configuring Windows checklists
  - Configuring UNIX checklists
    You can configure checklists for the superseded and non-superseded UNIX content.
    - Configuring checklists
      - Select checks via task
        Follow these steps to run subsets of the checks on your own schedule.
      - Parametizing checks of UNIX content
        Use the task that is associated with a particular Fixlet to modify parameters for content from the console.
      - Running checklists
        Understanding the output
        With UNIX content, endpoint scans are accomplished by a series of UNIX Bourne shell scripts that provide greater accessibility to UNIX system administrators.
        Modifying global scan options
        You can control the behavior of the global scan through the Configure Filesystems Scan Options task.
        Scheduling specific checks
        You can create a custom action to run a subset of checks on your own schedule.
    - Analyses
    - Using the Create Custom Relevance SCM content wizard
      Follow these steps to incorporate custom checks into an existing SCM custom site.
    - Creating custom UNIX Security Configuration Management content
      Follow these steps to create custom check for UNIX Security Configuration Management.
  - Importing SCAP content
  - Configuration Management Reporting
    In previous releases, the primary reporting tools for the Configuration Management solution included the Configuration Management dashboard, Exception Management dashboard, and Web Reports.
  - Frequently asked questions
- Security Configuration Management for WebUI User Guide
  Security Configuration Management (SCM) App in WebUI continuously assess and manages the device for security misconfiguration and deviation, which enables operator to deploy remediation action to ensure the device meets compliance standards.

Modifying global scan options

You can control the behavior of the global scan through the Configure Filesystems Scan Options task.

UNIX content includes a global scan script that is used to do a full system scan. The results of this scan are used in a number of scripts. This script eliminates the need to run a full system scan multiple times when you are evaluating a set of checks on a single system. This feature allows Endpoint Manager to be more efficient and causes less impact on the system during a configuration scan.

The global scan script runs by default when you are using the Endpoint Manager Deploy and Run Security Checklist task. It is used by the Master Run script with the use of the –g option. The behavior of the global scan script can be controlled through the Configure Filesystems Scan Options task.

Table 1. Parameters and their descriptions
Parameter	Description
EXCLUDEFS	A list of specific file systems to exclude from scanning. This list must be a space-separated list of all the file system types to exclude from the search. By default, the global find script excludes the following file system types from its search: cdrfs procfs ctfs fd hsfs proc mntfs smbfs iso9660 nfs msdos
EXCLUDEMOUNTS	A list of specific mount points to exclude from scanning. This parameter must be defined as a space-separated list of all the file system mounts to exclude from the search. This prevents the shared file system from being scanned from multiple systems. For example, if several systems mount a shared directory on a Storage Area Network named /san, you might want to exclude them with a parameter such as: EXCLUDEMOUNTS="/san" By default, this parameter is not used and is represented as an empty value.
EXCLUDEDIRS	List of directories to exclude from scanning. Any directory names specified in EXCLUDEDIRS are omitted from the directory listing. By default, this parameter excludes the lost+found directory.

Note: When you exclude a directory, you exclude all directories with that name. For example, if you specify EXCLUDEDIRS="foo", you exclude /usr/foo and /var/opt/foo.