Interpreting relevance conditions in commonly used ILMT/BFI fixlets

IBM LICENSE METRIC TOOL AND BIGFIX INVENTORY SUPPORT OPEN MIC
25 April 2017

Panelists
 - Michał Zalas, Presenter, ILMT/BFI L2 support member
 - Leslie Gomba, ILMT/BFI L2 support member
 - Andrei Ionescu, ILMT/BFI L2 support member
 - Khalid Yahya, ILMT/BFI L2 support member
 - Hope Maxwell-Daley, Moderator, ILMT/BFI L2 support team leader

Goal of session

IBM License Metric Tool and IBM BigFix Inventory applications in version 9.x reuse the IBM BigFix infrastructure. Instructions to deploy the so-called CIT scanner (the module that performs scans), run hardware scans or initiate software scans are propagated to endpoints by means of designated fixlets. Those fixlets contain sets of conditions specifying the prerequisites for a particular fixlet task to be performed on the endpoint. The goal of this session is to present steps that allow ILMT/BFI users to verify why the most common fixlets are not relevant for a particular endpoint.

Agenda
 - Checking the fixlet site version
 - Updating the fixlet site
 - Checking fixlet relevance
 - Install or Upgrade Scanner fixlet
 - Initiate Software Scan fixlet
 - Run Capacity Scan and Upload Results fixlet

Checking the fixlet site version

ILMT: http://sync.bigfix.com/cgi-bin/bfgather/ibmlicensereporting Version: 95
BFI: http://sync.bigfix.com/cgi-bin/bfgather/ibmforsua Version: 86

Updating the fixlet site

The content of the ILMT/BFI fixlet site can be periodically modified. New fixlets, tasks, and analyses can be added. The existing ones can be changed or might become obsolete due to functionality changes.

If the BigFix server is installed on a computer with Internet access, the ILMT/BFI fixlet site is updated automatically whenever updates are available. However, if the BigFix server is installed on a computer without Internet access, the user must update the ILMT/BFI fixlet site manually. The process is described in detail in the Updating the fixlet site chapter of the ILMT/BFI documentation:

ILMT: https://www.ibm.com/support/knowledgecenter/ss8jfy_9.2.0/com.ibm.lmt.doc/inventory/planinconf/c_updating_action_sites.html
BFI: https://www.ibm.com/support/knowledgecenter/en/sskllw_9.5.0/com.ibm.bigfix.inventory.doc/inventory/planinconf/c_updating_action_sites.html

Note: All open fixlet actions started before the fixlet site update keep running with the old definition until they expire. You need to stop and re-run a fixlet for the new definition to be used.

Checking fixlet relevance

To see all the fixlets under the ILMT/BFI site, click the Show Non-Relevant Content button.

Starting from ILMT/BFI 9.2.1 it is possible to use a feature called Analyze the Relevance of a Fixlet or Task to evaluate the relevance conditions of fixlets available under the ILMT/BFI site.

From the drop-down list, choose one of the ILMT/BFI fixlets. The result is a new analysis that covers all the endpoints subscribed to the ILMT/BFI site. The new analysis is created under the Master Action Site of BigFix and can be reviewed in the Analyses section. Its name pattern is Relevance Check for the Task/Fixlet: source fixlet name.

After a short moment, required for endpoints to receive instructions from the BigFix server and return information on the evaluation of the relevance conditions, the newly created analysis is populated with results.

Under the analysis Results tab, every column named Relevance # maps to the source fixlet relevance condition with the same number under the fixlet Details tab. Example relevance conditions are explained in the following slides.

If a particular condition is met on the endpoint, its analysis result column entry shows True. Otherwise the False value is displayed.

Note: If a particular fixlet condition is not met, it does not indicate an error. It may also be a temporary state, e.g. due to a scan operation already running, the scanner already installed in the same version, etc.

All the fixlet conditions must show True for the fixlet to be relevant.

The relevance check process is covered in the ILMT/BFI documentation at:

ILMT: https://www.ibm.com/support/knowledgecenter/ss8jfy_9.2.0/com.ibm.lmt.doc/inventory/probdet/t_checking_fixlet_relevance.html
BFI: https://www.ibm.com/support/knowledgecenter/en/sskllw_9.5.0/com.ibm.bigfix.inventory.doc/inventory/probdet/t_checking_fixlet_relevance.html

Common files and locations evaluated by relevance conditions of the Install or Upgrade Scanner, Initiate Software Scan and Run Capacity Scan and Upload Results fixlets:

CIT scanner configuration file:
 - %WINDIR%\cit\cit.ini
 - /etc/cit/cit.ini

CIT scanner home directory, specified by the CIT_HomeDirectory key value in the cit.ini configuration file

BigFix client location, e.g.:
 - C:\Program Files (x86)\bigfix Enterprise\BES Client\
 - /var/opt/besclient/lmt/cit

ILMT/BFI scan data folder under the BigFix client directory, e.g.:
 - C:\Program Files (x86)\bigfix Enterprise\BES Client\LMT\CIT
 - /var/opt/besclient/lmt/cit

Install or Upgrade Scanner

Relevance 1

(if (name of it as lowercase starts with "win") then (true) else ((name of it as lowercase starts with "linux") OR (name of it as lowercase starts with "aix") OR (name of it as lowercase starts with "mac") OR (name of it as lowercase starts with "hp-ux" AND ((architecture of it as lowercase contains "ia64") OR (family name of main processor as lowercase contains "pa-risc") OR (exists match (regex "^PA8[0-9]{3}(\s+)?$") of (family name of main processor)))) OR (exists match (regex "sunos 5\.(8|9|10|11)") of (name of it as lowercase)) of operating system)) of operating system AND (if exists property "in proxy agent context" then ( not in proxy agent context ) else true)

Since the release of IBM Endpoint Manager for Mobile Devices, which supports Android, Apple iOS and other devices, BigFix installations may include proxy agents in order to support these new devices. Many fixlets contain the relevance above in order to exclude proxy agents. This ensures that proxy agents will not try to execute the fixlet.

Relevance 2

not exists settings whose (name of it equals "CIT_Deny" AND value of it = "1") of client

This condition checks whether the endpoint has a setting named CIT_Deny set to 1. To verify it, right-click the computer name and choose Edit Computer Settings.... The setting is present if the Add Targeting Exception fixlet was run earlier to prevent the endpoint from being targeted by the scanner actions. To revert this change, run the Remove Targeting Exception fixlet.

Relevance 3

((name of it as lowercase starts with "win") OR (name of it as lowercase starts with "linux") OR (name of it as lowercase starts with "aix") OR (name of it as lowercase starts with "hp-ux") OR ((name of it as lowercase starts with "sunos 5") AND NOT (name of it as lowercase contains "sunos 5.7")) OR (name of it as lowercase starts with "mac")) of operating system

This condition checks whether the endpoint is running an operating system type supported by ILMT/BFI. Please refer to the Supported operating systems documentation chapter.

Relevance 4

(NOT (((name of operating system as lowercase starts with "win") AND (exists folder "cit" of folder (value of variable "windir" of environment))) OR ((NOT (name of operating system as lowercase starts with "win")) AND (exists folder "/etc/cit")))) OR (... long text skipped...)

This condition evaluates whether the scanner configuration folder named cit exists in the %WINDIR% directory on Microsoft Windows, or as /etc/cit on other platforms. If it is not present, the installation can continue. If it is present, this fixlet condition reads the existing configuration to retrieve the current scanner home directory and scanner version and determine whether a newer version should be deployed.

The fixlet description always mentions the scanner version meant to be installed (e.g. 2.8.0.3000), and the user may verify the current scanner version on the endpoint by means of the Scanner Information analysis in the BigFix console. Alternatively, it can be read as the "CIT_Version" key value from the cit.ini configuration file on the endpoint.

Relevance 5

if (name of operating system as lowercase starts with "win") then ((free space of drive of (if (version of client >= "9" as version) then (parent folder of data folder of client) else (parent folder of regapp "besclient.exe")) > 20971520) and (if (exists (folder "cit" of folder (value of variable "windir" of environment)) whose (exists file "cit.ini" of it) and (exists folder (key "CIT_HomeDirectory" of file "cit.ini" of folder "cit" of folder (value of variable "windir" of environment)))) then (free space of drive of (folder (key "CIT_HomeDirectory" of file "cit.ini" of folder "cit" of folder (value of variable "windir" of environment))) > 52428800) else (free space of drive of folder (value of variable "ProgramFiles" of environment) > 52428800))) else if (not(name of operating system as lowercase starts with "mac")) then ((free space of drive of (if (version of client >= "9" as version) then (parent folder of data folder of client) else (parent folder of parent folder of client folder of site "actionsite")) > 20971520) and (if (exists (folder "/etc/cit") whose (exists file "cit.ini" of it) and (exists folder (key "CIT_HomeDirectory" of file "cit.ini" of folder "/etc/cit"))) then (free space of drive of (folder (key "CIT_HomeDirectory" of file "cit.ini" of folder "/etc/cit")) > 52428800) else (free space of drive of (folder "/opt") > 52428800))) else true

This condition checks whether the endpoint has at least 20MB of free space in the BigFix client location. Additionally, at least 50MB of free space is required on the drive/filesystem holding the CIT scanner home directory, which is read from the cit.ini configuration file. If the CIT scanner is not present, this space condition is checked against the Program Files directory (Windows) or /opt (Linux).

Relevance 6

if (name of operating system as lowercase contains "sunos") then (if exists file "/usr/bin/zonename" then (not exists process whose (name of it = "wscansw") whose (zone of it as string = tuple string item 0 of concatenation ", " of names of zones as string)) else (not exists process whose (name of it = "wscansw"))) else (not exists process whose (name of it = "wscansw.exe" or name of it = "wscansw"))

This condition checks that no wscansw process is running on the endpoint at the moment of the scanner installation attempt. That process is responsible for software scans and for evaluating the software catalog, the repository of software discovery rules. On large filesystems a software scan may last a couple of hours, preventing the scanner upgrade.

Relevance 7

if (name of operating system as lowercase contains "sunos") then (if exists file "/usr/bin/zonename" then (not exists process whose (name of it = "wscanfs") whose (zone of it as string = tuple string item 0 of concatenation ", " of names of zones as string)) else (not exists process whose (name of it = "wscanfs"))) else (not exists process whose (name of it = "wscanfs.exe" or name of it = "wscanfs"))

This condition checks that no wscanfs process is running on the endpoint at the moment of the scanner installation attempt. That process is responsible for filesystem scans. On large filesystems a scan may last a couple of hours, preventing the scanner upgrade.

Relevance 8

if (name of operating system as lowercase contains "sunos") then (if exists file "/usr/bin/zonename" then (not exists process whose (name of it = "itsit") whose (zone of it as string = tuple string item 0 of concatenation ", " of names of zones as string)) else (not exists process whose (name of it = "itsit"))) else (not exists process whose (name of it = "itsit.exe" or name of it = "itsit"))

This condition checks that no itsit process is running on the endpoint at the moment of the scanner installation attempt. That is a legacy process from the IBM SUA 2.x product line, responsible for filesystem scans.

Relevance 9

if (name of operating system as lowercase contains "mac") then "SUA"="INV" else true

This condition is checked only for Mac OS and is related to support of the BES Inventory and License fixlet site. For more information on this site, refer to http://www.ibm.com/support/docview.wss?uid=swg21993340

Initiate Software Scan

Relevance 1

(if (name of it as lowercase starts with "win") then (true) else ((name of it as lowercase starts with "linux") OR (name of it as lowercase starts with "aix") OR (name of it as lowercase starts with "mac") OR (name of it as lowercase starts with "hp-ux" AND ((architecture of it as lowercase contains "ia64") OR (family name of main processor as lowercase contains "pa-risc") OR (exists match (regex "^PA8[0-9]{3}(\s+)?$") of (family name of main processor)))) OR (exists match (regex "sunos 5\.(8|9|10|11)") of (name of it as lowercase)) of operating system)) of operating system AND (if exists property "in proxy agent context" then ( not in proxy agent context ) else true)

Since the release of IBM Endpoint Manager for Mobile Devices, which supports Android, Apple iOS and other devices, BigFix installations may include proxy agents in order to support these new devices. Many fixlets contain the relevance above in order to exclude proxy agents. This ensures that proxy agents will not try to execute the fixlet.

Relevance 2

not exists settings whose (name of it equals "CIT_Deny" AND value of it = "1") of client

This condition checks whether the endpoint has a setting named CIT_Deny set to 1. To verify it, right-click the computer name and choose Edit Computer Settings.... The setting is present if the Add Targeting Exception fixlet was run earlier to prevent the endpoint from being targeted by the scanner actions. To revert this change, run the Remove Targeting Exception fixlet.

Relevance 3

(if (name of operating system as lowercase starts with "win") then (exists (folder "cit" of folder (value of variable "windir" of environment)) whose (exists file "cit.ini" of it) and (exists folder ((key "CIT_HomeDirectory" of file "cit.ini" of folder "cit" of folder (value of variable "windir" of environment)) & "\bin") whose ((exists file "wscansw.exe" of it) and (exists file "wscanfs.exe" of it)))) else (exists (folder "/etc/cit") whose (exists file "cit.ini" of it) and (exists folder ((key "CIT_HomeDirectory" of file "cit.ini" of folder "/etc/cit") & "/bin") whose ((exists file "wscansw" of it) and (exists file "wscanfs" of it))))) OR (name of operating system as lowercase starts with "mac")

This condition checks for the scanner configuration file (cit.ini), reads the scanner home directory from it, and locates the binaries required to run a software scan (wscansw, wscanfs).

Relevance 4

(name of operating system as lowercase starts with "mac") OR ((if (name of operating system as lowercase starts with "win") then (key "CIT_Version" of file "cit.ini" of folder "cit" of folder (value of variable "windir" of environment)) else (key "CIT_Version" of file "cit.ini" of folder "/etc/cit")) >= "2.7.0.2034")

This condition checks for the scanner configuration file (cit.ini) and reads the scanner version from it. It should be at least 2.7.0.2034. The user may verify the current scanner version on the endpoint by means of the Scanner Information analysis in the BigFix console. Alternatively, it can be read as the "CIT_Version" key value from the cit.ini file on the endpoint. Run the Install or Upgrade Scanner fixlet if the CIT scanner version is obsolete.

Relevance 5

if (name of operating system as lowercase contains "sunos") then (if exists file "/usr/bin/zonename" then (not exists process whose (name of it = "wscansw") whose (zone of it as string = tuple string item 0 of concatenation ", " of names of zones as string)) else (not exists process whose (name of it = "wscansw"))) else (not exists process whose (name of it = "wscansw.exe" or name of it = "wscansw"))

This condition checks that no wscansw process is already running on the endpoint. That process is responsible for software scans and for evaluating the software catalog, the repository of software discovery rules. On large filesystems a software scan may last a couple of hours, preventing subsequent runs.

Relevance 6

if (name of operating system as lowercase contains "sunos") then (if exists file "/usr/bin/zonename" then (not exists process whose (name of it = "wscanfs") whose (zone of it as string = tuple string item 0 of concatenation ", " of names of zones as string)) else (not exists process whose (name of it = "wscanfs"))) else (not exists process whose (name of it = "wscanfs.exe" or name of it = "wscanfs"))

This condition checks that no wscanfs process is already running on the endpoint. That process is responsible for filesystem scans. On large filesystems a scan may last a couple of hours, preventing subsequent runs.

Relevance 7

(if (name of operating system as lowercase starts with "win") then ((exists (folder "cit" of folder (value of variable "windir" of environment)) whose (exists file "cit.ini" of it)) and ((key "CIT_Exploiters" of file "cit.ini" of folder "cit" of folder (value of variable "windir" of environment)) contains "SUA:")) else ((exists (folder "/etc/cit") whose (exists file "cit.ini" of it)) and ((key "CIT_Exploiters" of file "cit.ini" of folder "/etc/cit") contains "SUA:"))) OR (name of operating system as lowercase starts with "mac")

This condition checks for the scanner configuration file (cit.ini) and reads the scanner exploiters (CIT_Exploiters) from it. The ILMT/BFI tag is SUA:. It is set by the Install or Upgrade Scanner fixlet. The SUA: tag is required to run a scan. If it is missing, run the Install or Upgrade Scanner fixlet.

Relevance 8

(name of operating system as lowercase starts with "mac") OR (if (name of operating system as lowercase starts with "win") then (exists file "catalog.xml.bz2" of folder ((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of regapp "besclient.exe")) & "\LMT\CIT") or exists file "catalog.xml" of folder ((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of regapp "besclient.exe")) & "\LMT\CIT")) else (exists file "catalog.xml.bz2" of folder (((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of parent folder of client folder of site "actionsite"))) & "/LMT/CIT") or exists file "catalog.xml" of folder (((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of parent folder of client folder of site "actionsite"))) & "/LMT/CIT")))

This condition checks whether the so-called software catalog is present under the LMT\CIT subfolder of the BigFix client. The software catalog is a repository of software discovery rules used by the scanner. If the catalog is not present, run the Catalog Download fixlet. It is described in the Updating scanner catalogs chapter of the ILMT/BFI documentation.

Relevance 9

(name of operating system as lowercase starts with "mac") OR (if (name of operating system as lowercase starts with "win") then (exists file "bzip2.exe" of folder ((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of regapp "besclient.exe")) & "\LMT\CIT")) else (exists file "bzip2" of folder (((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of parent folder of client folder of site "actionsite"))) & "/LMT/CIT")))

This condition checks whether the bzip2 archiver is present under the LMT\CIT subfolder of the BigFix client. It is required to compress scan results. It is deployed by the Install or Upgrade Scanner fixlet.

Relevance 10

NOT (if (name of operating system as lowercase starts with "win") then (exists file ((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of regapp "besclient.exe")) & "\LMT\CIT\cit_config.xml")) else (exists file (((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of parent folder of client folder of site "actionsite"))) & "/LMT/CIT/cit_config.xml"))) OR (name of operating system as lowercase starts with "mac")

This condition checks that there is no cit_config.xml file in the LMT\CIT subfolder of the BigFix client directory. That is a legacy configuration file related to the IBM SUA 2.x product line. If it is still present, the Install or Upgrade Scanner fixlet should be run.

Relevance 11

if (name of operating system as lowercase starts with "win") then (exists file "zip.exe" of folder ((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of regapp "besclient.exe")) & "\LMT\CIT")) else if (((name of it as lowercase starts with "sunos 5") AND NOT (name of it as lowercase contains "sunos 5.7")) of operating system) then (exists pkginfo whose (pkginst of it contains "gzip") of pkgdb) else true

This condition checks whether the zip.exe archiver is present under the LMT\CIT subfolder of the BigFix client on Microsoft Windows. It is deployed by the Install or Upgrade Scanner fixlet. On Solaris 5.x (except 5.7) the gzip package is required. Other OS types are not evaluated by this condition. Refer to the Supported operating systems documentation chapter.
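The file-based conditions of the Initiate Software Scan fixlet (Relevance 3, 4, 7, 8, 9 and 10) can be reproduced locally on a non-Windows, non-Mac endpoint to see which one evaluates to False; the process and package conditions (5, 6, 11) are not covered. The Python below is an added example, not IBM code: it assumes cit.ini holds one KEY=value pair per line and compares CIT_Version component by component as integers, and its function names and the sample endpoint layout it builds are constructed for illustration.

```python
import os
import tempfile

MIN_CIT_VERSION = "2.7.0.2034"  # minimum named by Relevance 4

# What each condition needs, using the remediation the slides name where one is given.
HINTS = {
    3: "cit.ini, CIT_HomeDirectory and bin/wscansw + bin/wscanfs must exist",
    4: "run Install or Upgrade Scanner (CIT_Version below %s)" % MIN_CIT_VERSION,
    7: "run Install or Upgrade Scanner (SUA: missing from CIT_Exploiters)",
    8: "run Catalog Download (no catalog.xml or catalog.xml.bz2)",
    9: "run Install or Upgrade Scanner (bzip2 missing)",
    10: "run Install or Upgrade Scanner (legacy cit_config.xml present)",
}


def read_ini_keys(path):
    """Return KEY=value pairs from cit.ini (assumed format: one pair per line)."""
    keys = {}
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                line = line.strip()
                if "=" in line and not line.startswith(("#", ";", "[")):
                    name, value = line.split("=", 1)
                    keys[name.strip()] = value.strip()
    except OSError:
        pass  # missing or unreadable file: every dependent check is False
    return keys


def version_tuple(text):
    """'2.7.0.2034' -> (2, 7, 0, 2034); None if absent or not numeric."""
    try:
        return tuple(int(part) for part in text.split("."))
    except (AttributeError, ValueError):
        return None


def check_initiate_software_scan(cit_dir="/etc/cit",
                                 scan_dir="/var/opt/besclient/lmt/cit"):
    """Map relevance number -> bool, like the Relevance # analysis columns."""
    ini = read_ini_keys(os.path.join(cit_dir, "cit.ini"))
    home = ini.get("CIT_HomeDirectory", "")
    bin_dir = os.path.join(home, "bin") if home else ""
    found = version_tuple(ini.get("CIT_Version"))

    def has(name):
        return os.path.isfile(os.path.join(scan_dir, name))

    return {
        3: bool(bin_dir) and all(os.path.isfile(os.path.join(bin_dir, b))
                                 for b in ("wscansw", "wscanfs")),
        # Integer comparison is this example's assumption about the intent.
        4: found is not None and found >= version_tuple(MIN_CIT_VERSION),
        7: "SUA:" in ini.get("CIT_Exploiters", ""),
        8: has("catalog.xml.bz2") or has("catalog.xml"),
        9: has("bzip2"),
        10: not has("cit_config.xml"),
    }


def failing(results):
    """List (relevance number, hint) for every condition that is False."""
    return [(n, HINTS[n]) for n in sorted(results) if not results[n]]


def build_sample_endpoint(root, version, exploiters, with_catalog):
    """Create a constructed endpoint layout under root; returns (cit_dir, scan_dir)."""
    cit_dir = os.path.join(root, "etc", "cit")
    home = os.path.join(root, "opt", "cit")  # constructed CIT_HomeDirectory
    scan_dir = os.path.join(root, "besclient", "LMT", "CIT")
    for folder in (cit_dir, os.path.join(home, "bin"), scan_dir):
        os.makedirs(folder)
    with open(os.path.join(cit_dir, "cit.ini"), "w", encoding="utf-8") as fh:
        fh.write("CIT_HomeDirectory=%s\nCIT_Version=%s\nCIT_Exploiters=%s\n"
                 % (home, version, exploiters))
    files = [os.path.join(home, "bin", "wscansw"),
             os.path.join(home, "bin", "wscanfs"),
             os.path.join(scan_dir, "bzip2")]
    if with_catalog:
        files.append(os.path.join(scan_dir, "catalog.xml.bz2"))
    for path in files:
        open(path, "w").close()
    return cit_dir, scan_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        cit_dir, scan_dir = build_sample_endpoint(root, "2.6.0.1000", "", False)
        results = check_initiate_software_scan(cit_dir, scan_dir)
        for number in sorted(results):
            print("Relevance %d: %s" % (number, results[number]))
        for number, hint in failing(results):
            print("  -> Relevance %d: %s" % (number, hint))
```

On a real endpoint, call check_initiate_software_scan() with the actual cit.ini folder and the LMT/CIT folder under the BigFix client directory.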

Run Capacity Scan and Upload Results

Relevance 1

(if (name of it as lowercase starts with "win") then (true) else ((name of it as lowercase starts with "linux") OR (name of it as lowercase starts with "aix") OR (name of it as lowercase starts with "mac") OR (name of it as lowercase starts with "hp-ux" AND ((architecture of it as lowercase contains "ia64") OR (family name of main processor as lowercase contains "pa-risc") OR (exists match (regex "^PA8[0-9]{3}(\s+)?$") of (family name of main processor)))) OR (exists match (regex "sunos 5\.(8|9|10|11)") of (name of it as lowercase)) of operating system)) of operating system AND (if exists property "in proxy agent context" then ( not in proxy agent context ) else true)

Since the release of IBM Endpoint Manager for Mobile Devices, which supports Android, Apple iOS and other devices, BigFix installations may include proxy agents in order to support these new devices. Many fixlets contain the relevance above in order to exclude proxy agents. This ensures that proxy agents will not try to execute the fixlet.

Relevance 2

not exists settings whose (name of it equals "CIT_Deny" AND value of it = "1") of client

This condition checks whether the endpoint has a setting named CIT_Deny set to 1. To verify it, right-click the computer name and choose Edit Computer Settings.... The setting is present if the Add Targeting Exception fixlet was run earlier to prevent the endpoint from being targeted by the scanner actions. To revert this change, run the Remove Targeting Exception fixlet.

Relevance 3

if (name of operating system as lowercase starts with "win") then (exists (folder "cit" of folder (value of variable "windir" of environment)) whose (exists file "cit.ini" of it) and (exists folder ((key "CIT_HomeDirectory" of file "cit.ini" of folder "cit" of folder (value of variable "windir" of environment)) & "\bin") whose (exists file "wscanhw.exe" of it))) else (exists (folder "/etc/cit") whose (exists file "cit.ini" of it) and (exists folder ((key "CIT_HomeDirectory" of file "cit.ini" of folder "/etc/cit") & "/bin") whose (exists file "wscanhw" of it)))

This condition checks for the scanner configuration file (cit.ini), reads the scanner home directory (CIT_HomeDirectory key) from it, and locates the binary required to run a hardware scan (wscanhw).

Relevance 4

if (name of operating system as lowercase contains "sunos") then (if exists file "/usr/bin/zonename" then (not exists process whose (name of it = "wscanhw") whose (zone of it as string = tuple string item 0 of concatenation ", " of names of zones as string)) else (not exists process whose (name of it = "wscanhw"))) else (not exists process whose (name of it = "wscanhw.exe" or name of it = "wscanhw"))

This condition checks that no wscanhw process is already running on the endpoint. That process is responsible for hardware capacity scans.

Relevance 5

if (name of operating system as lowercase starts with "win") then ((exists (folder "cit" of folder (value of variable "windir" of environment)) whose (exists file "cit.ini" of it)) and ((key "CIT_Exploiters" of file "cit.ini" of folder "cit" of folder (value of variable "windir" of environment)) contains "SUA:")) else ((exists (folder "/etc/cit") whose (exists file "cit.ini" of it)) and ((key "CIT_Exploiters" of file "cit.ini" of folder "/etc/cit") contains "SUA:"))

This condition looks for the scanner configuration file (cit.ini) and reads the list of scanner exploiters from it (the CIT_Exploiters key). The ILMT/BFI tag is SUA:. It is set by the Install or Upgrade Scanner fixlet. The SUA: tag is required to run a scan. If it is missing, run the Install or Upgrade Scanner fixlet.

Relevance 6

if (name of operating system as lowercase starts with "win") then (exists folder ((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of regapp "besclient.exe")) & "\LMT\CIT")) else (exists folder (((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of parent folder of client folder of site "actionsite"))) & "/LMT/CIT"))

This condition checks that the BigFix client directory contains the LMT\CIT subfolder, where scan results are meant to be placed. The subfolder is created by the Install or Upgrade Scanner fixlet.

Relevance 7

NOT (if (name of operating system as lowercase starts with "win") then (exists file ((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of regapp "besclient.exe")) & "\LMT\CIT\cit_config.xml")) else (exists file (((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of parent folder of client folder of site "actionsite"))) & "/LMT/CIT/cit_config.xml")))

This condition checks that there is no cit_config.xml file in the LMT\CIT subfolder of the BigFix client directory. That is a legacy configuration file related to the IBM SUA 2.x product line. If it is still present, the Install or Upgrade Scanner fixlet should be run.

Relevance 8

if (((name of it as lowercase starts with "sunos 5") AND NOT (name of it as lowercase contains "sunos 5.7")) of operating system) then (exists pkginfo whose (pkginst of it contains "gzip") of pkgdb) else true

On Solaris 5.x (except 5.7), this condition checks that the gzip package exists. Other OS types are not evaluated by this condition. Refer to the Supported operating systems chapter of the documentation.
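To find out which of these preconditions fails on a given endpoint, the cit.ini checks from Relevance 3 and Relevance 5 can be reproduced outside the console. The following is an added Python example, not IBM's code: the function names, the key=value reading of cit.ini, and the constructed sample layout are assumptions.

```python
import os
import re
import tempfile

def read_key(ini_path, key):
    """First value of `key` in a key=value (or key: value) file, else None."""
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*[=:]\s*(.*?)\s*$")
    with open(ini_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = pattern.match(line)
            if m:
                return m.group(1)
    return None

def check_scanner(cit_dir=None, windows=(os.name == "nt")):
    """Mirror Relevance 3 and 5; returns {check name: passed}."""
    if cit_dir is None:  # default locations named in the relevance
        windir = os.environ.get("windir", r"C:\Windows")
        cit_dir = os.path.join(windir, "cit") if windows else "/etc/cit"
    ini = os.path.join(cit_dir, "cit.ini")
    checks = {"cit.ini present": os.path.isfile(ini),
              "wscanhw in CIT_HomeDirectory/bin": False,
              "CIT_Exploiters contains SUA:": False}
    if checks["cit.ini present"]:
        home = read_key(ini, "CIT_HomeDirectory")
        binary = "wscanhw.exe" if windows else "wscanhw"
        if home:  # Relevance 3: scanner binary under <home>/bin
            checks["wscanhw in CIT_HomeDirectory/bin"] = os.path.isfile(
                os.path.join(home, "bin", binary))
        # Relevance 5: the exploiter list must carry the SUA: tag
        exploiters = read_key(ini, "CIT_Exploiters") or ""
        checks["CIT_Exploiters contains SUA:"] = "SUA:" in exploiters
    return checks

def make_sample(root, exploiters="SUA:", with_binary=True):
    """Build a constructed scanner layout under root; returns the cit directory."""
    cit_dir, home = os.path.join(root, "etc_cit"), os.path.join(root, "cit_home")
    os.makedirs(cit_dir)
    os.makedirs(os.path.join(home, "bin"))
    if with_binary:
        open(os.path.join(home, "bin", "wscanhw"), "w").close()
    with open(os.path.join(cit_dir, "cit.ini"), "w") as fh:
        fh.write(f"CIT_HomeDirectory={home}\nCIT_Exploiters={exploiters}\n")
    return cit_dir

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed input, SUA: tag missing
        sample = make_sample(tmp, exploiters="OTHER:")
        for name, ok in check_scanner(sample, windows=False).items():
            print("PASS" if ok else "FAIL", name)
```

Calling check_scanner() with no arguments on an endpoint reads the real cit.ini location; a failed SUA: or wscanhw check points to the Install or Upgrade Scanner fixlet, as described above.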

Troubleshooting

Additional troubleshooting steps:
- Restart the BigFix client process on the endpoint
- In the BigFix console, right-click the endpoint computer name and click Send Refresh

Questions for the panel

Now is your opportunity to ask questions of our panelists.

To ask a question now:
- Raise your hand by clicking Raise Hand. The Raise Hand icon appears next to your name in the Attendees panel on the right in the WebEx Event. The host will announce your name and unmute your line.
- Or type a question in the box below the Ask drop-down menu in the Q&A panel. Select All Panelists from the Ask drop-down menu. Click Send. Your message is sent and appears in the Q&A panel.

To ask a question after this presentation, you are encouraged to participate in the dW Answers forums for:
- ILMT: https://developer.ibm.com/answers/topics/ilmt.html
- BigFix Inventory: https://developer.ibm.com/answers/topics/bigfix-inventory.html

Where do you get more information?

License Metric Tool wiki: https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/ibm%20license%20metric%20tool

Security Learning Academy training roadmap for BigFix Inventory and ILMT: https://www.securitylearningacademy.com/local/navigator/index.php?level=emil01&roadmaps=true

More articles you can review:

IBM developerWorks articles:
- ILMT 9.2.x https://ibm.biz/bdiqhc
- BFI 9.2.x https://ibm.biz/bdseqq

IBM Knowledge Center:
- ILMT 9.2.x https://ibm.biz/bdrjdp
- BFI 9.2.x https://ibm.biz/bdiqhg

Useful links:
- Get started with IBM Security Support
- IBM Support Portal
- Sign up for My Notifications

THANK YOU

FOLLOW US ON: https://www.facebook.com/ibmsecuritysupport/ youtube/user/ibmsecuritysupport @askibmsecurity securityintelligence.com xforce.ibmcloud.com

Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.