OVAL - Compatibility Questionnaire: BigFix, Inc. (BigFix Enterprise Suite for Vulnerability and Security Configuration Management)

Compatibility Questionnaire: BigFix, Inc. (BigFix Enterprise Suite for Vulnerability and Security Configuration Management) — Archive

Important: The OVAL Compatibility Program was moved to "archive" status in December 2009, and replaced with the "OVAL Adoption Program." Under the OVAL Adoption Program product validation is performed by an external organization, allowing the OVAL Team to focus on educating vendors on best practices regarding the use and implementation OVAL and on how OVAL can continue to evolve as needed by the community.

Refer to the OVAL Adoption Program section for addition information and to review all products and services listed.

General Capability Questions | Accuracy Questions | Documentation Questions | Capability Specific Questions

Organizational Information

Name of Your Organization:

BigFix, Inc.

Web Site:

http://www.bigfix.com

Product Information

Product/Service Name:

BigFix Enterprise Suite for Vulnerability and Security Configuration Management

Compatible Categories:

OVAL Definition Consumer

Product/Service Home Page:

http://www.bigfix.com

General Capability Questions

Product Accessibility

Provide a short description of how and where your capability is made available to your customers and the public (required):

Through a repository of vulnerability assessment policies, BigFix provides its customers with the ability to assess their managed computers against OVAL vulnerability definitions using real-time evaluation based on the data elements of each definition. These assessment policies reflecting each OVAL definition are automatically retrieved by the BigFix Enterprise Suite (BES) server within an organization's network. Once validated for authenticity, the policies are made available to the BigFix agent installed on each managed computer and added to its local library of configuration policies. The agent, quietly and continuously evaluates the state of the machine against each policy so that any instance of non-compliance can be immediately reported to the BES Server for review by an administrator. If pre-authorized by an administrator, the appropriate corrective action will be applied to the computer immediately upon misconfiguration detection—even to remote or mobile users who are not connected to the organization's network.

Accuracy Questions

Schema Currency Indication

Describe how and where your capability indicate the OVAL Schema used to create or update its contents and/or results (required):

The BES console displays a message to an administrator for each OVAL definition that includes the OVAL-ID, CVE number, definition description, and OVAL Schema version number as well as a link to the OVAL site for the complete vulnerability definition.

Schema Currency Update Approach

Indicate how often you plan on updating content to reflect new OVAL Schema versions and describe your approach to keeping reasonably current with schema versions (recommended):

Changes to the OVAL Schema will affect only the process by which the BigFix content development team converts the definition files to the BigFix policy format; it will not affect any BigFix software component deployed at a customer site. If the event an update to the BigFix platform is necessary, customers will be able to upgrade their installation seamlessly through its built-in self-updating features.

BigFix anticipates that any relevant changes to the underlying OVAL Schema can be incorporated into its process to generate BigFix vulnerability assessment policies within a very short time after the new schema has been published.

Platform and Definition Type Support

Indicate which platforms and definition types for those platforms that your capability supports for each category of OVAL compatibility your capability supports (required):

Platform	Definition Type	OVAL Category
Windows	We support Vulnerability class definitions. All subtests required to assess the "software" section of the criteria block are supported, except the following: "ukn unknown_test", "wet fileeffectiverights_test", and "wat activedirectory_test"	OVAL Systems Characteristics Producer (planned) OVAL Definition Consumer OVAL Results Producer (planned) OVAL ID Output and Searchable
Solaris	We support Vulnerability class definitions. All subtests currently in use, except "ukn unknown_test", "TFT textfilecontent_test", and "SIT inetd_test," are supported as well	OVAL Systems Characteristics Producer (planned) OVAL Definition Consumer OVAL Results Producer (planned) OVAL ID Output and Searchable
Red Hat	We support Vulnerability class definitions. All subtests currently in use, except "RLT inetlisteningservers_test " tests, are supported as well	OVAL Systems Characteristics Producer (planned) OVAL Definition Consumer OVAL Results Producer (planned) OVAL ID Output and Searchable
HP-UX	Support planned.	OVAL Systems Characteristics Producer (planned) OVAL Definition Consumer (planned) OVAL Results Producer (planned) OVAL ID Output and Searchable (planned)

Approach for Correction of Errors

Indicate how someone who discovers an error in your capabilities use of OVAL can report the error and describe your approach to responding to such reports and applying fixes (required):

Customers experiencing an issue with or having questions about the BigFix OVAL capabilities can use the standard support options, based on their current support agreement with BigFix. Anyone who suspects an error in the BigFix OVAL capabilities can submit an issue via any of the support options, with escalation based on severity.

Current support includes the following options:

BigFix Support Website
- Searchable knowledgebase with common issues and FAQ's
- Product Documentation
- Implementation and configuration options
Current Telephone and email support contact information
Telephone support (Standard Business hours or 24x7)
Email Support

If an error is confirmed, BigFix will simply update the policy definition corresponding to the OVAL definition, test the new policy, and post the update it to our internal repository, typically in a few hours. The BES Server configured at each customer site will check in for new content or updates on a regular interval, thus enabling the system to propagate the correction in a few minutes or hours. If the error lies in the OVAL definition, BigFix would notify OVAL of the discrepancy and update the corresponding policy as described above.

Documentation Questions

Compatibility Documentation

Provide a copy, or directions to its location, of where your documentation describes OVAL, OVAL compatibility and/or OVAL-ID compatibility for your customers (required):

BigFix publishes all documentation electronically and makes that available to customers via the on-line support site: http://support.bigfix.com

Descriptions of OVAL, OVAL compatibility and OVAL-ID compatibility are published in the following knowledgebase article:

What is OVAL?

http://support.bigfix.com/cgi-bin/kbdirect.pl?id=328

BigFix OVAL and OVAL-ID compatibility

http://support.bigfix.com/cgi-bin/kbdirect.pl?id=329

Documentation of Finding Elements Using OVAL

Provide a copy, or directions to its location, of where your Documentation describes the specific details of how your customers can find individual security elements in the capability's repository by using OVAL definitions and/or how the user can find them elsewhere through the use of OVAL-IDs (required):

BigFix publishes all documentation electronically and makes that available to customers via the on-line support site: http://support.bigfix.com

Documentation to describe the specific details of finding individual security elements within the BigFix Console and Web Reports by using OVAL definitions and/or through the use of OVAL-IDs is published in the following knowledgebase article:

Searching for OVAL data elements within the BES Console

http://support.bigfix.com/cgi-bin/kbdirect.pl?id=330

Searching for OVAL data elements within the BES Web Reports

http://support.bigfix.com/cgi-bin/kbdirect.pl?id=331

Documentation of Finding Results Information from Elements

Provide a copy, or directions to its location, of where your documentation describes how the user can obtain information in the OVAL Results Schema from individual elements in the capability's repository (required):

Although planned for a future release, the BigFix platform does not currently produce output in OVAL Results Schema

Documentation Indexing of OVAL-Related Material

If your documentation includes an index, provide a copy of the items and resources that you have listed under "OVAL" in your index. Alternately, provide directions to where these "OVAL" items are posted on your web site (recommended):

BigFix publishes all documentation electronically and makes that available to customers via the on-line support site: http://support.bigfix.com

A list of all OVAL related topics can be generated using the following keywords for search within the on-line support knowledgebase.

OVAL
OVAL-ID
NVD
MITRE
vulnerability
baseline
standard

Capability Specific Questions

OVAL Definition Consumer

Configuration and Software Usage Explanation

If your capability does not use both the configuration and software sections of definitions where do you describe to your customers how your capability deviates from the logic of the definitions that have both sections (required):

All OVAL definitions converted for use within the BES Platform use both the software and configuration sections of the definition.

OVAL Definition Information Process Explanation

If your capability does not support consuming OVAL Definitions at runtime explain where you have documented the process by which customers can submit OVAL Definitions for interpretation by the capability, including how quickly Definitions submitted are made available to the capability in use by your customers (required):

When BigFix receives the new definition, we will be able to update our repository to reflect those changes within a week; consequently, the local repository at each BigFix customer will be updated shortly thereafter. To enable customers who wish to assess their managed computers against an OVAL definition that is not already part of the repository, BigFix Professional Services can create custom policies for them. The turnaround for this service will vary based on the service agreement in place, but typically within a business day.

OVAL-ID Output and Searchable

Finding Elements Using OVAL-ID

Give detailed examples and explanations of how a user can locate security elements in the capability by looking for their associated OVAL-ID(s) (required):

The BigFix Enterprise Suite for Vulnerability and Security Configuration Management provides full search capabilities for a security element based on its OVAL-ID within the Console as well as HTML based Web Reports. Within the Console, the "Find" feature from the Edit pull-down menu will enable the user to specify an OVAL-ID.

From the Console

From the "Fixlet Messages" tab of the Console, select Edit | Find. In the Find dialog, set the search field to "Any," the search operator to "Contains," and the search value to the OVAL ID in the form OVAL##, e.g. OVAL98 or OVAL1032.

From the "Search Results" group, double click on the policy message corresponding to the OVAL ID to open it in the console and select "Show Message Properties" from the View menu to display the security elements that make up the specific OVAL definition.

Finding OVAL-ID Using Elements in Reports

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated OVAL-IDs for the individual security elements in the report (recommended):

From within the Console, each policy message for an OVAL definition includes the OVAL-ID number, both in policy message name and description. Likewise, any OVAL definition that makes up a report from the Web Reports facility will include the OVAL ID number in its name.

To locate a specific policy related to an OVAL definition within the Web Reports interface, select the "Create" tab. From the list of report templates, choose "All Fixlets," and press "Next."

At the "...starts with" parameter, enter the OVAL ID in the form OVAL##, e.g. OVAL98 or OVAL1032 and press "Next"

The Web Reports interface will display an entry for the designated OVAL definition.

To display more details about the OVAL vulnerability definition, including a complete list of all relevant computers, click the OVAL definition name link.

Questions for Signature

Statement of Compatibility

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory Compatibility Requirements as well as all of the additional mandatory Compatibility Requirements that are appropriate for our specific type of capability."

Name:		Gregory Toto
Title:		Vice President, Product Management

Statement of Accuracy

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability's use of OVAL schema and logic."

Name:		Gregory Toto
Title:		Vice President, Product Management

Statement on Follow-on Testing Activity Support

Have an authorized individual sign and date the following statement about your organizations willingness to support correctness testing of other capabilities, which will be managed by the Reviewing Authority and kept to reasonable levels of effort for all involved. (required):

"As an authorized representative of my organization, we agree to support the Reviewing Authority in follow-on testing activities, where appropriate types of files will be exchanged with other organizations attempting to prove the correctness of their capabilities."