Glossary

This glossary provides terms and definitions for the BigFix® Compliance software and products.

The following cross-references are used in this glossary:
  • See refers you from a nonpreferred term to the preferred term or from an abbreviation to the spelled-out form.
  • See also refers you to a related or contrasting term.

A

action
  1. See Fixlet.
  2. A set of Action Script commands that perform an operation or administrative task, such as installing a patch or rebooting a device.
Action Script
Language used to perform an action on an endpoint.
Action Site
The default site in BigFix where all Fixlets, Tasks, and Actions are stored before being assigned to specific endpoints.
Administrator Role
A user with full access to configure and manage BigFix Compliance Analytics settings, reports, and data imports.
Application Server Patching
The process of applying security updates and fixes to middleware components such as IBM WebSphere, JBoss, Tomcat, and Microsoft IIS.
agent
See BigFix agent.
Audit Log
A record of compliance checks and remediation actions performed on an endpoint.
Automated Patching
A BigFix feature that enables automatic deployment of middleware patches to reduce security risks.
automatic computer group
A dynamically managed group where endpoints are added based on predefined relevance conditions.
Authentication Settings
Security configurations that define user login methods, including LDAP, local accounts, and SAML.

B

baseline
A collection of actions that are deployed together. A baseline is typically used to simplify a deployment or to control the order in which a set of actions is applied. See also deployment group.
BigFix agent
The BigFix code on an endpoint that enables management and monitoring by BigFix.
BigFix client
See BigFix agent.
BigFix Compliance
The BigFix module responsible for security configuration management and compliance enforcement.
BigFix Compliance Analytics (BCA)
A web-based reporting and analytics tool that collects, analyzes, and visualizes compliance data from endpoints.
BigFix console
The primary BigFix administrative interface. The console provides a full set of capabilities to BigFix administrators.
BYOD
Bring Your Own Device (BYOD) refers to employees using personal devices to connect to their organizational networks and access work-related systems and potentially sensitive or confidential data.

C

CIS Benchmarks (Center for Internet Security)
A set of industry-recognized security guidelines for configuring operating systems, applications, and cloud environments securely.
Client Compliance Check
The process of evaluating an endpoint to determine if it meets security standards.
client
A software program or computer that requests services from a server. See also server.
client time
The local time on a BigFix client device.
client (endpoint)
A device (workstation, server, or other managed asset) running the BigFix agent that receives and processes patches and configurations.
Cloud
A set of compute and storage instances or services that are running in containers or on virtual machines.
Common Vulnerabilities and Exposures Identification Number (CVE ID)
A number that identifies a specific entry in the National Vulnerability Database. A vendor's patch document often includes the CVE ID, when it is available. See also National Vulnerability Database.
Common Vulnerabilities and Exposures system (CVE)
A reference of officially known network vulnerabilities, which is part of the National Vulnerability Database (NVD), maintained by the US National Institute of Standards and Technology (NIST).
Compliance dashboard
A BigFix Console feature that provides an overview of compliance status across managed endpoints.
Compliance relevance
A set of conditions that determine whether an endpoint meets security and configuration requirements.
Compliance Patching
Ensuring that middleware components meet security and regulatory standards (e.g., PCI DSS, CIS benchmarks).
Compliance report
A document or dashboard summarizing endpoint compliance against defined security policies.
component
An individual action within a deployment that has more than one action. See also deployment group.
computer group
A group of related computers. An administrator can create computer groups to organize systems into meaningful categories, and to facilitate deployment of content to multiple computers. See also automatic computer group and manual computer group.
console
See BigFix console.
content
Digitally-signed files that contain data, rules, queries, criteria, and other instructions, packaged for deployment across a network. BigFix agents use the detection criteria (Relevance statements) and action instructions (Action Script statements) in content to detect vulnerabilities and enforce network policies.
Coordinated Universal Time (UTC)
The international standard of time that is kept by atomic clocks around the world.
custom checks
User-defined compliance rules based on organizational security policies.
CVE
See Common Vulnerabilities and Exposures system.
CVE ID
See Common Vulnerabilities and Exposures Identification Number.

D

data stream
A string of information that serves as a source of package data.
data source
The external security standard or regulatory framework used for compliance checks (e.g., CIS, NIST, STIG).
Database Patch Set Update (PSU)
A cumulative update containing security fixes and critical bug fixes for Oracle databases.
Dashboard Widgets
Customizable elements in the Compliance Dashboard that display specific compliance metrics.
default action
The action designated to run when a Fixlet is deployed. When no default action is defined, the operator is prompted to choose between several actions or to make an informed decision about a single action.
deployable content
Fixlets, Tasks, and Baselines that enforce security configurations and patching.
deployment
Information about content that is dispatched to one or more endpoints; a specific instance of dispatched content.
deployment group
The collection of actions created when an operator selects more than one action for a deployment, or a baseline is deployed. See also baseline, component, and multiple action group.
Deviation Report
A report listing endpoints that have failed compliance checks due to misconfigurations or missing security settings.
device
An endpoint, for example, a laptop, desktop, server, or virtual machine that BigFix manages; an endpoint running the BigFix Agent.
device holder
The person using a BigFix-managed computer.
device property
Information about a device collected by BigFix, including details about its hardware, operating system, network status, settings, and BigFix client. Custom properties can also be assigned to a device.
device result
The state of a deployment, including the result, on a particular endpoint.
Disaster Recovery Plan (DRP)
A documented strategy detailing the steps to recover and restore BigFix Compliance Analytics after a system failure or disaster.
DISA STIG (Defense Information Systems Agency Security Technical Implementation Guide)
A set of cybersecurity configuration standards used by government and defense organizations.
Disaster Server Architecture (DSA)
An architecture that links multiple servers to provide full redundancy in case of failure.
Domain
This defines how compliance data is managed, applied, and enforced across different domains within an organization.
dynamically targeted
Pertaining to using a computer group to target a deployment.

E

Endpoint Compliance
The adherence of an endpoint (server, workstation, or device) to defined security policies.
Endpoint Management
Managing and monitoring middleware patching across all servers and devices using BigFix.
Evaluation Period
The frequency at which compliance checks are performed on endpoints.

F

filter
To reduce a list of items to those that share specific attributes.
Fixlet
A script-based security or patching instruction that identifies and remediates compliance issues.
Fixlet Debugger
A BigFix tool used to troubleshoot middleware patching scripts before deployment.
Fixlet Fields
Fixlet fields provide essential information about Fixlets, helping operators assess the importance, relevance, and impact of deploying a particular Fixlet to their systems.
Full Disk Encryption
To reduce a list of items to those that share specific attributes.

G

group
A collection of endpoints defined by criteria (manual or automatic) to simplify deployment and reporting.
group deployment
A type of deployment in which multiple actions were deployed to one or more devices.
group policy enforcement
The application of security settings to multiple endpoints within a Computer Group.

H

HIPAA Compliance
Adherence to healthcare security regulations enforced through BigFix security policies.
Hybrid cloud
The utilization of distinct sets of cloud services (typically public and private) with integration and/or orchestration across them.

I

Interim Fixes
Released by software vendors to address critical security vulnerabilities, functional bugs, or stability issues before the next full update.
IPsec Framework
This ensures that Windows endpoints comply with IPsec security policies defined by industry standards. It continuously monitors, reports, and enforces security settings for secure communications using IPsec.

K

Keystores
A secure repository that stores private keys, public keys, and digital certificates used for authentication and encryption.

L

locked
An endpoint state that prevents most of the BigFix actions from running until the device is unlocked.

M

management rights
The limitation of console operators to a specified group of computers. Only a site administrator or a master operator can assign management rights.
manual computer group
A computer group for which membership is determined through selection by an operator. The set of devices in a manual group is static, meaning they do not change. See also computer group.
master operator
A console operator with administrative rights. A master operator can do everything that a site administrator can do, except creating operators.
masthead
A collection of files that contain the parameters of the BigFix process, including URLs to Fixlet content. The BigFix agent brings content into the enterprise based on subscribed mastheads.
Middleware
Middleware is software that connects applications, databases, and users to ensure seamless communication and integration between different systems. It acts as a bridge between an application and the backend database while managing security, transactions, and scalability.
Middleware Security Updates
Security patches specifically targeting vulnerabilities in middleware applications.
mirror server
A BigFix server required if the enterprise does not allow direct web access but instead uses a proxy server that requires password-level authentication.
Multicloud
The utilization of distinct sets of cloud services, typically from multiple vendors, where specific applications are confined to a single cloud instance.
multiple computer group
This allows administrators to categorize and manage endpoints efficiently for compliance monitoring, patching, and security enforcement. These groups enable targeted policy application, reporting, and automation based on predefined conditions.

N

National Vulnerability Database (NVD)
A catalog of officially known information security vulnerabilities and exposures, which is maintained by the National Institute of Standards and Technology (NIST). See also Common Vulnerabilities and Exposures Identification Number.
NIST 800
This is a cybersecurity guideline from the National Institute of Standards and Technology (NIST) that defines acceptable cryptographic algorithms and key lengths to enhance data security. It mandates strong encryption standards to protect sensitive information in government and enterprise systems.
NVD
See National Vulnerability Database.

O

offer
A deployment option that allows a device holder to accept or decline a BigFix action and to exercise some control over when it runs. For example, a device holder can decide whether to install a software application, and whether to run the installation at night or during the day.
open-ended deployment
A deployment with no end or expiration date; one that runs continuously, checking whether the computers on a network comply.
operator
A person who uses the BigFix WebUI, or portions of the BigFix console.
Oracle Database
Oracle Database is a relational database management system (RDBMS) used to store, retrieve, and manage structured data.
Oracle WebLogic
Oracle WebLogic Server is a Java EE application server that functions as middleware to host, deploy, and manage enterprise applications. It allows applications to interact with databases, other applications, and external services.

P

PCI
See Payment Card Industry.
patch
A piece of code added to vendor software to fix a problem, as an immediate solution that is provided to users between two releases.
patch compliance
A measure of whether an endpoint has received and applied all necessary security patches.
patch category
A description of a patch's type and general area of operation, for example, a bug fix or a service pack.
Patch Rollback
The process of reverting an Oracle patch if it causes issues in production.
Payment Card Industry (PCI)
This refers to adherence to the PCI DSS (Payment Card Industry Data Security Standard), a global security standard designed to protect cardholder data and prevent payment fraud.
Policy Enforcement
The process of ensuring compliance by applying security configurations and patches.
patch severity
The level of risk imposed by a network threat or vulnerability and, by extension, the importance of applying its patch.

Q

Quarantine
The process of isolating non-compliant or vulnerable endpoints from the network to prevent the spread of security risks.
Query
A request for information from endpoints, often used in BigFix to collect compliance data or check system configurations.

R

relay
A client that is running special server software. Relays spare the server and the network by minimizing direct server-client downloads and by compressing upstream data.
Relevance clause
A condition that determines whether a Fixlet, Task, or Baseline applies to an endpoint.
Remediation action
A security or patching action taken to bring a non-compliant endpoint back into compliance.
Report
A summary of patching status, compliance levels, and system health generated by BigFix Web Reports or Console.

S

SCA
See Security and Compliance Analytics.
SCAP
See Security Content Automation Protocol.
SCM
See Security Configuration Management (SCM).
SCAP check
A specific configuration check within a Security Content Automation Protocol (SCAP) checklist. Checks are written in XCCDF and are required to include SCAP enumerations and mappings per the SCAP template.
SCAP checklist
A configuration checklist that is written in a machine-readable language (XCCDF). Security Content Automation Protocol (SCAP) checklists have been submitted to and accepted by the NIST National Checklist Program. They also conform to a SCAP template to ensure compatibility with SCAP products and services.
SCAP content
A repository that consists of security checklist data represented in automated XML formats, vulnerability and product name related enumerations, and mappings between the enumerations.
SCAP enumeration
A list of all known security related software flaws (CVEs), known software configuration issues (CCEs), and standard vendor and product names (CPEs).
SCAP mapping
The interrelationship of enumerations that provides standards-based impact measurements for software flaws and configuration issues.
Scheduled Reports
Automated reports that are generated and emailed at set intervals to track compliance trends.
SCA (Security and Compliance Analytics)
SCA provides security configuration monitoring, compliance enforcement, and reporting. SCA helps organizations track compliance against security frameworks like CIS, DISA STIG, PCI DSS, HIPAA, and NIST 800-53.
Security Content Automation Protocol (SCAP)
A set of standards that is used to automate, measure, and manage vulnerability and compliance by the National Institute of Standards and Technology (NIST).
Security Configuration Management (SCM)
The process of defining, monitoring, and enforcing security settings across endpoints.
Security Checklist
A predefined compliance framework (e.g., CIS Benchmarks, DISA STIGs) applied to endpoints.
server
A software program or a computer that provides services to other software programs or other computers. See also client.
signing password
A password that is used by a console operator to sign an action for deployment.
single deployment
A type of deployment where a single action was deployed to one or more devices.
site
A collection of BigFix content. A site organizes similar content together.
site administrator
The person who is in charge of installing BigFix and authorizing and creating new console operators.
site subscription
The process of assigning endpoints to specific content sites to receive relevant Fixlets and Tasks.
software package
A collection of Fixlets that install a software product on a device. Software packages are uploaded to BigFix by an operator for distribution. A BigFix software package includes the installation files, Fixlets to install the files, and information about the package (metadata).
SQL Server
A full-scale database engine from Microsoft that can be acquired and installed into the BigFix system to satisfy more than the basic reporting and data storage needs.
standard deployment
A deployment of BigFix that applies to workgroups and to enterprises with a single administrative domain. It is intended for a setting in which all Client computers have direct access to a single internal server.
Standardized Patch Policy
A set of rules defining how patches are applied to maintain compliance.
statically targeted
Pertaining to the method used to target a deployment to a device or piece of content. Statically targeted devices are selected manually by an operator.
Supersedence
Supersedence is a property of Fixlets used in BigFix that provides multiple packages.
system power state
A definition of the overall power consumption of a system. BigFix Power Management tracks four main power states: Active, Idle, Standby or Hibernation, and Power Off.

T

target
To match content with devices in a deployment, either by selecting the content for deployment, or selecting the devices to receive content.
task
A script that performs system configuration changes or remediation actions.
Threshold Alert
A notification triggered when an endpoint's compliance status falls below a defined percentage.

U

Unmanaged Device
An endpoint that is not currently enrolled in BigFix Compliance monitoring.
UTC
See Coordinated Universal Time.

V

virtual private network (VPN)
An extension of a company intranet over the existing framework of either a public or private network. A VPN ensures that the data that is sent between the two endpoints of its connection remains secure.
VPN
See virtual private network.
vulnerability
A security exposure in an operating system, system software, or application software component.

W

Wake-from-Standby
A mode that allows an application to turn a computer on from standby mode during predefined times, without the need for Wake on LAN.
Wake on LAN
A technology that enables a user to remotely turn on systems for off-hours maintenance. A result of the Intel-IBM Advanced Manageability Alliance and part of the Wired for Management Baseline Specification, users of this technology can remotely turn on a server and control it across the network, thus saving time on automated software installations, upgrades, disk backups, and virus scans.
WAN
See wide area network.
Web Reports
A reporting module in BigFix that provides detailed insights on patch compliance, actions, and overall endpoint health.
wide area network (WAN)
A network that provides communication services among devices in a geographic area larger than that served by a local area network (LAN) or a metropolitan area network (MAN).
Wizard
A guided interface in BigFix that simplifies complex tasks like patch deployment, automation, and policy creation.

Y

Yum transactions
BigFix Compliance ensures that Yum transactions are tracked and aligned with security policies.