Compatibility Questionnaire: BigFix, Inc. (BigFix Enterprise Suite) — Archive

Important: The OVAL Compatibility Program was moved to "archive" status in December 2009, and replaced with the "OVAL Adoption Program." Under the OVAL Adoption Program product validation is performed by an external organization, allowing the OVAL Team to focus on educating vendors on best practices regarding the use and implementation OVAL and on how OVAL can continue to evolve as needed by the community.

Refer to the OVAL Adoption Program section for addition information and to review all products and services listed.

Organizational Information

Name of Your Organization:

BigFix, Inc.

Web Site:

Product Information

Product/Service Name:

BigFix Enterprise Suite

Compatible Categories:

OVAL Definition Consumer

Product/Service Home Page:

General Capability Questions

Product Accessibility

Provide a short description of how and where your capability is made available to your customers and the public:

Through a repository of vulnerability assessment policies , BigFix provides its customers with the ability to assess their managed computers against OVAL vulnerability definitions using real-time data tracking based on the data elements of each definitions. These policies are automatically retrieved by the BigFix Enterprise Suite (BES) within an organization's network. Once validated for authenticity, the policies are made available to the BigFix client installed on each managed computer and added to their local library of configuration policies. The agent, quietly and continuously evaluates the state of the machine against each policy so that any instance of non-compliance can be immediately reported to the BES Server for review by an administrator. If pre-authorized by an administrator, the appropriate corrective action will be applied to the computer immediately upon misconfiguration detection — even to remote or mobile users who are not connected to the organization's network.

Accuracy Questions

Language Version Indication

Describe how and where the capability indicates the version of the OVAL Language used to validate, create, or update its content:

The BES console displays a message to an administrator for each OVAL definition that includes the OVAL-ID, CVE number, definition description, and OVAL Schema version number as well as a link to the OVAL site for the complete vulnerability definition.

Approach for Correction of Errors

Indicate how a user who discovers an error in the capability's use of OVAL can report the error:

Customers experiencing an issue with or having questions about the BigFix OVAL capabilities can use the standard support options, based on their current support agreement with BigFix. Anyone who suspects an error in the BigFix OVAL capabilities can submit an issue via any of the support options, with escalation based on severity.

Current support includes the following options: BigFix Support Website
- Searchable knowledgebase with common issues and FAQ’s
- Product Documentation
- Implementation and configuration options
Current Telephone and email support contact information
Telephone support (Standard Business hours or 24x7)
Email Support

Describe the approach to responding to the above error reports and how applicable fixes will be applied:
If an error is confirmed, BigFix will simply update the policy definition corresponding to the OVAL definition, test the new policy, and post the update it to our internal repository, typically in a few hours. The BES Server configured at each customer site will check in for new content or updates on a regular interval, thus enabling the system to propagate the correction in a few minutes or hours. If the error lies in the OVAL definition, BigFix would notify OVAL of the discrepancy and update the corresponding policy as described above.
Documentation Questions

Compatibility Documentation

Provide a copy, or directions to the location, of where the documentation describes OVAL and OVAL Compatibility for any customers:
BigFix publishes all documentation electronically and makes that available to customers via the on-line support site: http://support.bigfix.com Descriptions of OVAL, OVAL compatibility and OVAL-ID compatibility are published in the following knowledgebase articles:

What is OVAL?

BigFix OVAL and OVAL-ID compatibility

Language Support

Indicate the component schemas and/or individual OVAL Tests that the capability does not support for each category of OVAL Compatibility being applied for:

BigFix does not support the <unknown_test> in the OVAL schema. Given the nature of these tests, there are no plans to support detection using these tests.

Capability Specific Questions

Finding Elements Using OVAL

Provide details regarding how users can identify and find individual OVAL content (through OVAL-IDs) that is being consumed by the capability. For example, how can a user determine which definitions have been consumed and what the result of each definition is:

BigFix publishes all documentation electronically and makes that available to customers via the on-line support site: http://support.bigfix.com

Documentation to describe the specific details of finding individual security elements within the BigFix Console and Web Reports by using OVAL definitions and/or through the use of OVAL-IDs is published in the following knowledgebase articles:

Searching for OVAL data elements within the BES Console

Searching for OVAL data elements within the BES Web Reports

The user can also view all defintions that are being evaluated by BES Clients in a list view via the BES Console or BES Web Reports. These views will show clients that are relevant for the given issue.

OVAL Content Importation Process Explanation

If the capability does not support consuming OVAL content at runtime, explain the documented process by which users can submit OVAL content for interpretation by the capability, including how quickly submitted content is made available to the capability:

When BigFix receives the new definition, we will be able to update our repository to reflect those changes within a week; consequently, the local repository at each BigFix customer will be updated shortly thereafter. To enable customers who wish to assess their managed computers against an OVAL definition that is not already part of the repository, BigFix Professional Services can create custom policies for them. The turnaround for this service will vary based on the service agreement in place, but typically within a business day.

Statements

Statement of Compatibility

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory Compatibility Requirements as well as all of the additional mandatory Compatibility Requirements that are appropriate for our specific type of capability."

Name:   Gregory Toto
Title:   VP, Product Management

Statement of Accuracy

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability's use of OVAL schema and logic."

Name:   Gregory Toto
Title:   VP, Product Management

Statement on Follow-on Correctness Testing Support

Have an authorized individual sign and date the following statement about your organizations willingness to support correctness testing of other capabilities, which will be managed by the Reviewing Authority and kept to reasonable levels of effort for all involved. (required):

"As an authorized representative of my organization, we agree to support the Review Authority in follow-on correctness testing activities, where appropriate types of OVAL documents might need to be exchanged with other organizations attempting to prove the correctness of their capabilities."

Name:   Gregory Toto
Title:   VP, Product Management

Page Last Updated: December 17, 2009