BigFix/HCL Endpoint Manager - TYCHON Quantum Readiness

Integration Overview

BigFix / HCL Endpoint Manager Integration

Deploy and execute the TYCHON cryptographic scanner across Windows, macOS, and Linux endpoints using BigFix. The integration enables centralized deployment and scheduling with scan results posted directly to Elasticsearch for analysis and visualization.

🚀 Centralized Deployment

Upload binaries to BigFix site Files tab and automatically distribute to endpoints

📊 Direct Elastic Integration

Scan results post directly to Elasticsearch for dashboards and reporting

🔒 Cross-Platform

Support for Windows (x64), macOS (Intel/ARM64), and Linux (x64)

Key Capabilities

Full System Scan: Filesystem, network, VPN, IPSec, SSH, memory, and active connections
Direct Elastic Posting: Results sent directly to Elasticsearch with no local file storage
Quantum Readiness: Track PQC adoption and quantum readiness scores across infrastructure

File Distribution: Binaries automatically staged to custom site directory on each endpoint
Scheduled Scanning: Recurring actions with configurable intervals (daily, weekly, monthly)
Maintenance Windows: Restrict scan execution to specific days and time ranges

Quick Start

1. Upload Scanner Binaries to BigFix

Upload the scanner binaries to your BigFix server so they can be distributed to endpoints.

Required Binaries

cryptographic-analyzer-windows-amd64-X.X.X.X.exe - Windows x64
cryptographic-analyzer-darwin-amd64-X.X.X.X - macOS Intel
cryptographic-analyzer-darwin-arm64-X.X.X.X - macOS Apple Silicon
cryptographic-analyzer-linux-amd64-X.X.X.X - Linux x64

Where X.X.X.X is the version number (e.g., 1.0.0.0)

Upload to BigFix Site Files

In BigFix Console, select the site where you'll create the task (e.g., Master Action Site or custom site)
Right-click on the site and select Add File
Browse and upload each scanner binary:
- cryptographic-analyzer-windows-amd64-X.X.X.X.exe
- cryptographic-analyzer-darwin-amd64-X.X.X.X
- cryptographic-analyzer-darwin-arm64-X.X.X.X
- cryptographic-analyzer-linux-amd64-X.X.X.X
IMPORTANT: For each uploaded file, select it and check the "Send to clients" checkbox to ensure files are distributed to endpoints
BigFix automatically calculates SHA hashes and stages the files to endpoints

Verify File Upload

After uploading files to the site:

In BigFix Console, navigate to the site's Files tab
Verify all four binaries are listed
Confirm each file has the "Send to clients" checkbox enabled
Note the exact filenames - you'll reference these in your action script

⏱️ Wait for File Distribution

IMPORTANT: After checking "Send to clients", wait 20-30 minutes before deploying the task to allow BigFix to distribute files to endpoints.

BigFix automatically synchronizes files to relay servers
Relays then distribute files to client agents based on polling intervals
Files are staged to each agent's custom site directory (e.g., __BESData/CustomSite_TYCHON_Lab/)
Once distributed, files remain cached on endpoints for the action to execute

⚠️ Critical Timing Note: Do NOT deploy the task immediately after uploading files. The binaries must finish distributing to endpoints first (20-30 minutes). If you deploy too early, the action will fail with "file does not exist" errors because the continue if {exists file ...} checks will evaluate to false.

2. Create a New Task

Open BigFix Console
In the left navigation pane, select the appropriate Site where you want to create the task (e.g., Master Action Site or custom site)
Go to Tools menu → Create New Task
Name it: TYCHON Quantum Crypto Scanner
Provide a description (e.g., "Scans endpoints for cryptographic inventory and posts results to Elastic")

3. Create the Action Script

Use the form below to generate your customized action script. Enter your configuration details and copy the generated script into the Actions tab in the BigFix Create Task dialog.

Configuration Generator

BigFix Custom Site Name

The site where you uploaded the binaries

Binary Version

Version number of uploaded binaries

TYCHON License Key

Elastic API Key

Elastic IP Address

Elastic Port

Insecure (Skip SSL verification)

Privacy Note: No information is collected or transmitted. All configuration is generated locally in your browser.

Generated Action Script

✅ How This Works:

All configuration is defined once at the top using parameter statements
BigFix conditional logic (if blocks) automatically selects the correct binary for each endpoint's OS
One task deploys to Windows, macOS (Intel & ARM64), and Linux endpoints
The -insecure flag skips SSL certificate verification (useful for self-signed certificates)

⚠️ Security Note: The license key and Elastic API key will be visible in the task definition. For enhanced security, consider storing sensitive values as BigFix secure settings or using environment variables on endpoints.

4. Save and Deploy the Task

Click OK to save the task
In BigFix Console, find your newly created task
Right-click the task and select Take Action
Select target computers or computer groups
Configure execution schedule (immediate or scheduled)
Click OK to deploy the action to selected endpoints

5. Verify Results in Elastic

After the scan completes (typically 2-15 minutes depending on system size), verify data in Elastic:

Log into your Elastic instance
Navigate to Discover
In the dataview dropdown, type inside "Find a data view" type this index pattern: tychon-pqc*
You should be see a Explore X Matching Indexes - click that button
Look for events with fields like:
- observer.hostname - Endpoint hostname
- tychon.cipher_negotiation.cipher_suite - The primary cipher
- tychon.cipher_negotiation.intel.security_category - Secuirty Level of a cipher

Scan Coverage

The -fullscan flag triggers a comprehensive cryptographic inventory scan. Results are sent directly to your Elastic instance in real-time:

cryptographic-analyzer -mode local -fullscan -posttoelastic -elasticnode "https://elastic:9200" -elasticapikey "..." -insecure

🔍 Direct Elastic Posting: The -posttoelastic flag sends scan results directly to your Elastic instance. Results are indexed to tychon-pqc and are immediately available for search and analysis. No local files are created.

✅ Execution: The scanner runs from BigFix's __Download directory with no custom installation or directories required.

Scan Type	Flag	Description
Filesystem	`-scanfilesystem`	Scans OS certificate stores and discovers certificates, private keys, and keystores
Cipher Enumeration	`-cipherscan`	Comprehensive TLS/SSL cipher suite enumeration on active connections, includes protocol versions, key exchange algorithms, and PQC support detection
VPN Clients	`-detect-vpn-clients`	Detects 19+ enterprise VPN clients with PQC readiness assessment
IPSec	`-detect-ipsec`	Discovers IPSec tunnel configurations and cryptographic settings
Memory	`-scanmemory`	Identifies certificates and keys loaded in process memory (Windows/Linux)
Outlook Archives	`-scanoutlookarchives`	Scans for encrypted Outlook archives (.pst, .ost, .pab)

BigFix Execution Model

Custom Site File Distribution

Binaries are uploaded to your custom BigFix site's Files tab and automatically distributed to endpoints. Files are staged in each agent's custom site directory (__BESData/CustomSite_<SiteName>/).

Windows

Binary Location:

C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\CustomSite_TYCHON_Lab\cryptographic-analyzer-windows-amd64-2.0.0.169.exe

Results Destination:

Posted directly to Elastic (no local files)

macOS

Binary Location:

/Library/BESAgent/__BESData/CustomSite_TYCHON_Lab/cryptographic-analyzer-darwin-arm64-2.0.0.169

Results Destination:

Posted directly to Elastic (no local files)

Linux

Binary Location:

/var/opt/BESClient/__BESData/CustomSite_TYCHON_Lab/cryptographic-analyzer-linux-amd64-2.0.0.169

Results Destination:

Posted directly to Elastic (no local files)

📋 File Distribution Process:

Upload binaries to your custom site's Files tab
Check "Send to clients" for each file
Wait 20-30 minutes for BigFix to distribute files to endpoints
Files are automatically staged to custom site directory on each agent
Action script verifies file exists before execution
Scanner runs and posts results directly to Elastic

Scheduling Recurring Scans

Schedule the TYCHON scanner to run automatically on a recurring interval using BigFix's reapplication behavior.

Configuring Recurring Scans

When you right-click the task and select Take Action, configure the Execution tab:

1. Enable Reapplication

Under Behavior section, check "Reapply this action"
Select the radio button: "while relevant, waiting..."
Set your desired interval in the dropdown (e.g., 7 days, 30 days, 1 hour)
Type "between reapplications" appears after the dropdown

2. Configure Wait Interval

Common intervals:

7 days (168 hours) - Weekly scans for high-security environments
30 days - Monthly scans for most environments
90 days - Quarterly scans for low-risk systems

3. Optional: Set Maintenance Window

To restrict scans to specific days/times:

Check "Run between" and set time range (e.g., 1:00 AM - 3:00 AM)
Check "Run only on" and select days (e.g., Saturday only)

4. Enable Staggering (Recommended)

Check "Stagger action start times over"
Set to 10-20 minutes to prevent all endpoints from scanning simultaneously
This reduces load on BigFix relays and Elastic

Example Configuration

Monthly scan on Saturday nights:

✓ Reapply this action: Checked
✓ Policy: "while relevant, waiting..." → 30 days
✓ Run between: 2:00 AM and 4:00 AM
✓ Run only on: Saturday only (uncheck all other days)
✓ Stagger action start times over: 15 minutes

⚠️ Important: The "while relevant, waiting..." method requires the task to always be relevant. Our action script automatically handles this - the scanner will run every X days as configured, regardless of system state.

📅 Recommended Schedules:

High-security environments: Weekly (7 days)
Standard environments: Monthly (30 days)
Low-risk systems: Quarterly (90 days)
After major changes: Manual execution via "Take Action"

Troubleshooting

Action Fails: "File Does Not Exist"

Symptom: Action log shows continue if {exists file ...} evaluated to false

Cause: Files haven't finished distributing from BigFix server to endpoints yet

Solution:

Wait 20-30 minutes after uploading files and checking "Send to clients" before deploying the task
Verify files were uploaded to the custom site's Files tab
Confirm "Send to clients" checkbox is enabled for each file
Check BigFix Client logs on endpoint for file synchronization status

⏱️ Timing is critical: BigFix needs time to synchronize files to relays and then to endpoints. Deploying the action too early will result in file not found errors.

Scan Not Completing

Check endpoint has sufficient CPU and memory resources (scan can be resource-intensive)
Verify file permissions for custom site directory (e.g., __BESData/CustomSite_TYCHON_Lab/)
Review scan timeout settings (default: no timeout)
Check antivirus is not blocking scanner execution or quarantining the binary
On macOS/Linux, verify the binary has execute permissions (chmod +x runs in action script)

No Data Appearing in Elastic

Symptom: Scan completes but no data visible in Elastic

Troubleshooting:

Verify Elastic URL is accessible from endpoints (test with curl https://elastic-ip:9200)
Confirm Elastic API key is valid and has write permissions to indices
Check if -insecure flag is needed for self-signed certificates
Review BigFix action logs for any Elastic connection errors
Test scanner manually on an endpoint to verify Elastic connectivity
Check Elastic firewall rules allow incoming connections from endpoints

Manual Testing

To test the scanner manually on an endpoint from the custom site directory:

Windows

cd "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\CustomSite_TYCHON_Lab"
.\cryptographic-analyzer-windows-amd64-2.0.0.169.exe -license-key "YOUR-KEY" -mode local -fullscan -posttoelastic -elasticnode "https://elastic:9200" -elasticapikey "YOUR-API-KEY" -insecure

macOS

cd /Library/BESAgent/__BESData/CustomSite_TYCHON_Lab
chmod +x ./cryptographic-analyzer-darwin-arm64-2.0.0.169
./cryptographic-analyzer-darwin-arm64-2.0.0.169 -license-key "YOUR-KEY" -mode local -fullscan -posttoelastic -elasticnode "https://elastic:9200" -elasticapikey "YOUR-API-KEY" -insecure

Linux

cd /var/opt/BESClient/__BESData/CustomSite_TYCHON_Lab
chmod +x ./cryptographic-analyzer-linux-amd64-2.0.0.169
./cryptographic-analyzer-linux-amd64-2.0.0.169 -license-key "YOUR-KEY" -mode local -fullscan -posttoelastic -elasticnode "https://elastic:9200" -elasticapikey "YOUR-API-KEY" -insecure

💡 Tip: Replace YOUR-KEY, elastic:9200, and YOUR-API-KEY with your actual credentials. Remove -insecure if using valid SSL certificates.

Viewing BigFix Client Logs

To troubleshoot action execution, review BigFix Client logs:

Windows

C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Logs\

macOS

/Library/BESAgent/__BESData/__Global/Logs/

Linux

/var/opt/BESClient/__BESData/__Global/Logs/

Look for action execution details, file existence checks, and command output in the client log files.

Additional Resources

TYCHON Documentation

BigFix Resources

✅ Deployment Checklist

☐ Upload all 4 scanner binaries to custom site's Files tab
☐ Check "Send to clients" for each uploaded file
☐ Wait 20-30 minutes for files to distribute to endpoints
☐ Create new task via Tools → Create New Task
☐ Use configuration form to generate action script
☐ Paste action script into task's Actions tab

☐ Deploy to pilot group (1-2 endpoints per OS)
☐ Review BigFix Client logs to verify scan completed
☐ Verify data appears in Elastic index tychon-pqc*
☐ Deploy task to remaining endpoints
☐ Schedule recurring scans (weekly/monthly)
☐ Create Elastic dashboards for visualization and monitoring