More on relevance checks in ILMT and BFI
IBM License Metric Tool and BigFix Inventory Support Open Mic
23 August 2017
Panelists
- Piotr Kalandyk, Presenter, ILMT/BFI L2 support member
- Sherrie Clarke, ILMT/BFI L2 support member
- Leslie Popow, ILMT/BFI L2 support member
- Hope Maxwell-Daley, Moderator, ILMT/BFI L2 support team leader
Goal of session
IBM License Metric Tool and IBM BigFix Inventory applications in version 9.x reuse the IBM BigFix infrastructure. Instructions to deploy the so-called VMMAN tool, run hardware scans on virtualization hosts, or uninstall the VMMAN tool are propagated to endpoints by means of designated fixlets. Those fixlets contain sets of conditions that specify the prerequisites for a particular fixlet task to be performed on the endpoint.
The goal of this session is to present steps that allow ILMT/BFI users to verify why the VM Managers category fixlets are not relevant for a particular endpoint.
Agenda
- Checking the fixlet site version
- Updating the fixlet site
- Checking fixlet relevance
  - Install VM Manager Tool 1.5.6.1 fixlet
  - Install Additional VM Manager Tool 1.5.6.1 (OPTIONAL) fixlet
  - Uninstall VM Manager Tool fixlet
  - Update VM Manager Tool to version 1.5.6.1 fixlet
  - Schedule VM Manager Tool Scan Results Upload fixlet
  - Force VM Manager Tool Scan Results Upload fixlet
  - Run Capacity Scan on Virtualization Hosts fixlet
  - Remove Capacity Scan Data from Virtualization Hosts fixlet
Checking the fixlet site version
- ILMT: http://sync.bigfix.com/cgi-bin/bfgather/ibmlicensereporting (Recent Version: 102)
- BFI: http://sync.bigfix.com/cgi-bin/bfgather/ibmforsua (Recent Version: 93)
Updating the fixlet site
The content of the ILMT/BFI fixlet site can be periodically modified. New fixlets, tasks, and analyses can be added. The existing ones can be changed or might become obsolete due to functionality changes.

If the BigFix server is installed on a computer with Internet access, the ILMT/BFI fixlet site is updated automatically whenever updates are available. However, if the BigFix server is installed on a computer without Internet access, the user must update the ILMT/BFI fixlet site manually. The process is described in detail in the "Updating the fixlet site" chapter of the ILMT/BFI documentation:
- ILMT: https://www.ibm.com/support/knowledgecenter/ss8jfy_9.2.0/com.ibm.lmt.doc/inventory/planinconf/c_updating_action_sites.html
- BFI: https://www.ibm.com/support/knowledgecenter/en/sskllw_9.5.0/com.ibm.bigfix.inventory.doc/inventory/planinconf/c_updating_action_sites.html

Note: All the open fixlet actions started before the fixlet site update keep running with the old definition until they expire. You need to stop and re-run a fixlet for the new definition to be used.
Checking fixlet relevance
To see all the fixlets under the ILMT/BFI site, click the Show Non-Relevant Content button.
Starting from ILMT/BFI 9.2.1, it is possible to use a feature called "Analyze the Relevance of a Fixlet or Task" to evaluate the relevance conditions of fixlets available under the ILMT/BFI site.
From the drop-down list, choose one of the ILMT/BFI fixlets. The result is a new analysis that covers all the endpoints subscribed to the ILMT/BFI site. The new analysis is created under the Master Action Site of BigFix and can be reviewed in the Analyses section. Its name follows the pattern "Relevance Check for the Task/Fixlet: source fixlet name".
After a short moment, required for the endpoints to receive instructions from the BigFix server and return the results of evaluating the relevance conditions, the newly created analysis is populated with results.
On the analysis Results tab, every column named "Relevance #" maps to the source fixlet relevance condition with the same number on the fixlet Details tab. Example relevance conditions are explained in the following sections. If a particular condition is met on the endpoint, its analysis result column shows True. Otherwise, False is displayed.

Note: A fixlet condition that is not met does not necessarily indicate an error. It may be a temporary state, e.g. because a scan operation is already running, the scanner is already installed in the same version, etc.

All the fixlet conditions must show True for the fixlet to be relevant. The relevance check process is covered in the ILMT/BFI documentation at:
- ILMT: https://www.ibm.com/support/knowledgecenter/ss8jfy_9.2.0/com.ibm.lmt.doc/inventory/probdet/t_checking_fixlet_relevance.html
- BFI: https://www.ibm.com/support/knowledgecenter/en/sskllw_9.5.0/com.ibm.bigfix.inventory.doc/inventory/probdet/t_checking_fixlet_relevance.html
Common files and locations evaluated by relevance conditions of the VM Managers category fixlets:

BigFix client location, e.g.
- C:\Program Files (x86)\bigfix Enterprise\BES Client\
- /var/opt/besclient/lmt/cit

ILMT/BFI VM Manager tool folder under the BigFix client directory, e.g.
- C:\Program Files (x86)\bigfix Enterprise\BES Client\LMT\VMMAN
- /var/opt/besclient/lmt/vmman
Install VM Manager Tool 1.5.6.1
Relevance 1 (check proxy)

    (if (name of it as lowercase starts with "win") then (true) else ((name of it as lowercase starts with "linux") OR (name of it as lowercase starts with "aix") OR (name of it as lowercase starts with "mac") OR (name of it as lowercase starts with "hp-ux" AND ((architecture of it as lowercase contains "ia64") OR (family name of main processor as lowercase contains "pa-risc") OR (exists match (regex "^PA8[0-9]{3}(\s+)?$") of (family name of main processor)))) OR (exists match (regex "sunos 5\.(8|9|10|11)") of (name of it as lowercase)) of operating system)) of operating system
    AND (if exists property "in proxy agent context" then ( not in proxy agent context ) else true)

Since the release of the IBM Endpoint Manager for Mobile Devices that supports Android, Apple iOS and other devices, BigFix installations may include proxy agents in order to support these new devices. Many fixlets contain the relevance above in order to exclude proxy agents. This ensures that proxy agents do not try to execute the fixlet.
Relevance 2 (check OS)

    (if (name of it as lowercase starts with "win") then (true) else ((name of it as lowercase starts with "linux" AND ((exists match (regex "^i[0-9]86$") of it) of (architecture of it as lowercase) OR architecture of it as lowercase = "x86_64")) of operating system)) of operating system

This condition checks if the endpoint is running an operating system type supported by ILMT/BFI. Please refer to the "Supported operating systems" documentation chapter.

Relevance 3

    exists running service "BESRootServer"

This condition checks if the BESRootServer service is running on the endpoint at the moment of the VMMAN installation attempt. This ensures the central type of installation for VM Managers.
Relevance 4 (check library)

    if (name of operating system as lowercase starts with "win")
    then (true)
    else if (name of operating system as lowercase starts with "linux")
    then ((exists package "glibc" whose (version of it >= "2.4" as version) of rpm) AND (exists package "unzip" of rpm))
    else false

This condition checks if the glibc library in version 2.4 or greater is installed and if the unzip package is available on Linux.

Relevance 5 (check folder)

    if (name of operating system as lowercase starts with "win")
    then (not exists folder ((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of regapp "besclient.exe")) & "\LMT\VMMAN") whose (exists file "vmman.bat" of it))
    else (not exists folder (((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of parent folder of client folder of site "actionsite"))) & "/LMT/VMMAN") whose (exists file "vmman.sh" of it))

This condition checks that VMMAN is not yet installed by verifying the installation folders.
Relevance 6 (check space)

    if (name of operating system as lowercase starts with "win")
    then (free space of drive of (if (version of client >= "9" as version) then (parent folder of data folder of client) else (parent folder of regapp "besclient.exe")) > 314572800)
    else (free space of drive of (if (version of client >= "9" as version) then (parent folder of data folder of client) else (parent folder of parent folder of client folder of site "actionsite")) > 314572800)

This condition checks if the endpoint has at least 300 MB of free space in the BigFix client location.
Install Additional VM Manager Tool 1.5.6.1 (OPTIONAL)
Relevance 1, 2, 4, 5, 6
The relevance conditions are the same as for the Install VM Manager Tool fixlet (previous chapter).

Relevance 3 (check service)

    not exists running service "BESRootServer"

This condition checks that NO BESRootServer service is running on the endpoint at the moment of the VMMAN installation attempt. This ensures the distributed type of installation for VM Managers described here: https://www.ibm.com/support/knowledgecenter/ss8jfy_9.2.0/com.ibm.lmt.doc/inventory/admin/c_scattered_approach.html
Uninstall VM Manager Tool
Relevance 1, 2 (check proxy, check OS)
The relevance conditions are the same as for the Install VM Manager Tool fixlet.

Relevance 3 (check folder)

    if (name of operating system as lowercase starts with "win")
    then (exists folder ((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of regapp "besclient.exe")) & "\LMT\VMMAN") whose (exists file "vmman.bat" of it))
    else (exists folder (((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of parent folder of client folder of site "actionsite"))) & "/LMT/VMMAN") whose (exists file "vmman.sh" of it))

This condition checks if VMMAN is already installed by verifying that the VMMAN folder exists.
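
The folder and free-space conditions (Relevance 5 and 6 of the Install VM Manager Tool fixlet, Relevance 3 of the Uninstall VM Manager Tool fixlet) can be re-checked directly on a Linux endpoint when the analysis shows False. The script below is an added example, not part of the original presentation or of ILMT/BFI; the function names and the BASE argument (the BigFix client base directory) are assumptions of this example.

```shell
#!/bin/sh
# Added example: evaluates, for a Linux endpoint, the folder and free-space
# conditions of the VM Manager Tool fixlets.
# BASE is the BigFix client base directory (assumption: passed by the caller).
# The sub-path "/LMT/VMMAN" is taken from the relevance expressions.

MIN_BYTES_DEFAULT=314572800   # 300 MB, the threshold used by Relevance 6

# vmman_installed BASE -> success if BASE/LMT/VMMAN contains vmman.sh
vmman_installed() {
    [ -d "$1/LMT/VMMAN" ] && [ -f "$1/LMT/VMMAN/vmman.sh" ]
}

# free_bytes DIR -> free space of the file system holding DIR, in bytes
free_bytes() {
    kb=$(df -Pk "$1" | awk 'NR == 2 { print $4 }')
    echo $((kb * 1024))
}

# space_ok BASE [MIN_BYTES] -> success if free space is above the threshold
space_ok() {
    [ "$(free_bytes "$1")" -gt "${2:-$MIN_BYTES_DEFAULT}" ]
}

# fixlet_conditions BASE [MIN_BYTES] -> prints the state-dependent conditions
# the way the relevance analysis would show them (True / False)
fixlet_conditions() {
    if vmman_installed "$1"; then
        inst=True; not_inst=False
    else
        inst=False; not_inst=True
    fi
    if space_ok "$1" "${2:-$MIN_BYTES_DEFAULT}"; then
        space=True
    else
        space=False
    fi
    printf 'Install Relevance 5 (VMMAN not installed): %s\n' "$not_inst"
    printf 'Install Relevance 6 (free space): %s\n' "$space"
    printf 'Uninstall Relevance 3 (VMMAN installed): %s\n' "$inst"
}
```

Install Relevance 5 and Uninstall Relevance 3 are each other's negation, so at any time exactly one of the two fixlets can pass its folder check.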
Update VM Manager Tool to version 1.5.6.1
Relevance 1, 2 (check proxy, check OS)
The relevance conditions are the same as for the Install VM Manager Tool fixlet.

Relevance 3 (check library)
The relevance is the same as relevance 4 for the Install VM Manager Tool fixlet.

Relevance 5 (check space)
The relevance is the same as relevance 6 for the Install VM Manager Tool fixlet.

Relevance 4 (check version)

    ((if (name of operating system as lowercase starts with "win")
    then (key "VMMAN_Tool_Version" of file "version.txt" of folder ((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of regapp "besclient.exe")) & "\LMT\VMMAN\properties"))
    else (key "VMMAN_Tool_Version" of file "version.txt" of folder (((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of parent folder of client folder of site "actionsite"))) & "/LMT/VMMAN/properties"))) < "1.5.6.1") | false

This condition checks if the installed VMMAN version is lower than the one to be installed.
Schedule VM Manager Tool Scan Results Upload
Relevance 1, 2 (check proxy, check OS)
The relevance conditions are the same as for the Install VM Manager Tool fixlet.

Relevance 3 (check folder)

    if (name of operating system as lowercase starts with "win")
    then (exists folder ((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of regapp "besclient.exe")) & "\LMT\VMMAN") whose (exists file "vmman.bat" of it))
    else ((exists folder (((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of parent folder of client folder of site "actionsite"))) & "/LMT/VMMAN") whose (exists file "vmman.sh" of it))
    OR (exists folder (((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of parent folder of client folder of site "actionsite"))) & "/LMT/vtech") whose (exists file "run_vtech_scan.sh" of it)))

This condition checks whether VMMAN is installed or, on non-Windows endpoints, whether the Run Capacity Scan on Virtualization Hosts fixlet was performed.

Relevance 4 (check package)

    if (name of operating system as lowercase starts with "win")
    then (true)
    else if (name of operating system as lowercase starts with "linux")
    then ((exists package "tar" of rpm) AND (exists package "gzip" of rpm))
    else false

This condition checks if tar and gzip are installed on Linux systems.
Force VM Manager Tool Scan Results Upload
Relevance 1, 2 (check proxy, check OS)
The relevance conditions are the same as for the Install VM Manager Tool fixlet.

Relevance 3, 4 (check folder, check package)
The relevance conditions are the same as for the Schedule VM Manager Tool Scan Results Upload fixlet.
Run Capacity Scan on Virtualization Hosts
Relevance 1 (check proxy)
The relevance is the same as for the Install VM Manager Tool fixlet.

Relevance 2 (check folder)

    not exists settings whose (name of it equals "CIT_Deny" AND value of it = "1") of client

This condition checks if the endpoint has a setting named CIT_Deny set to 1; the condition is True only when no such setting exists. To verify it, right-click the computer name and choose Edit Computer Settings.... The setting is present if the Add Targeting Exception fixlet was run earlier to prevent the endpoint from being targeted by the scanner actions. To revert this change, run the Remove Targeting Exception fixlet.

Relevance 3 (check OS)

    ( ( name of it as lowercase starts with "linux" AND ( ( exists match ( regex "^i[0-9]86$" ) of it ) of ( architecture of it as lowercase ) OR architecture of it as lowercase = "x86_64" OR architecture of it as lowercase starts with "ppc" ) ) of operating system ) of operating system

This condition is True only for Linux endpoints.
Relevance 4 (check file)

    exists file "/usr/bin/virsh" OR exists file "/usr/local/sbin/virsh" OR exists file "/usr/local/bin/virsh" OR exists file "/sbin/virsh" OR exists file "/bin/virsh" OR exists file "/usr/sbin/virsh" OR exists file "/usr/bin/xl" OR exists file "/usr/local/sbin/xl" OR exists file "/usr/local/bin/xl" OR exists file "/sbin/xl" OR exists file "/bin/xl" OR exists file "/usr/sbin/xl" OR exists file "/opt/xensource/bin/xl"

This relevance looks for the virsh or xl executable files in the expected locations on virtualization hosts. The virsh and xl tools are used to manage VM guests.

Relevance 5 (check shell)

    exists file "/bin/bash"

This condition checks if the bash shell is installed on the endpoint.

Relevance 6 (check file)

    exists file "/usr/bin/xmllint" OR exists file "/usr/local/sbin/xmllint" OR exists file "/usr/local/bin/xmllint" OR exists file "/sbin/xmllint" OR exists file "/bin/xmllint" OR exists file "/usr/sbin/xmllint"

This relevance looks for the xmllint executable file in the expected locations on virtualization hosts. xmllint is a command-line XML tool.
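
When Relevance 4, 5 or 6 of the Run Capacity Scan on Virtualization Hosts fixlet shows False, the same file checks can be repeated on the endpoint to see which tool is missing. The script below is an added example, not part of the original presentation or of ILMT/BFI; the function names and the ROOT prefix (empty on a live endpoint, a staging directory otherwise) are assumptions of this example.

```shell
#!/bin/sh
# Added example: local re-check of Relevance 4, 5 and 6 of the
# "Run Capacity Scan on Virtualization Hosts" fixlet.
# ROOT is an assumption of this example: a prefix prepended to every path,
# empty on a live endpoint, a staging directory when testing.

# The six directories searched by Relevance 4 and 6
BIN_DIRS="/usr/bin /usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin"

# any_file ROOT PATH... -> success if at least one PATH exists as a file
any_file() {
    root=$1; shift
    for p in "$@"; do
        [ -f "$root$p" ] && return 0
    done
    return 1
}

# in_bin_dirs NAME -> prints NAME under each of the six directories
in_bin_dirs() {
    for d in $BIN_DIRS; do printf '%s/%s ' "$d" "$1"; done
}

# Relevance 4: virsh or xl in the listed locations (xl also under xensource)
relevance_4() {
    # word splitting of the path lists is intended (paths contain no spaces)
    any_file "$1" $(in_bin_dirs virsh) $(in_bin_dirs xl) /opt/xensource/bin/xl
}

# Relevance 5: bash shell present
relevance_5() { any_file "$1" /bin/bash; }

# Relevance 6: xmllint in the listed locations
relevance_6() { any_file "$1" $(in_bin_dirs xmllint); }

# capacity_scan_report [ROOT] -> one "Relevance N: True|False" line per check;
# exit status 0 only if all three are True
capacity_scan_report() {
    root=${1:-}; rc=0
    for n in 4 5 6; do
        if "relevance_$n" "$root"; then r=True; else r=False; rc=1; fi
        printf 'Relevance %s: %s\n' "$n" "$r"
    done
    return $rc
}
```

On a live endpoint, source the file and call capacity_scan_report with no argument; the output lines correspond to the Relevance # columns of the analysis.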
Remove Capacity Scan Data from Virtualization Hosts
Relevance 1 (check proxy)
The relevance is the same as for the Install VM Manager Tool fixlet.

Relevance 2 (check OS)
The relevance is the same as relevance 3 for the Run Capacity Scan on Virtualization Hosts fixlet.

Relevance 3 (check folder)

    exists folder (((if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of parent folder of client folder of site "actionsite"))) & "/LMT/vtech")

This condition checks if the Run Capacity Scan on Virtualization Hosts fixlet was already performed on the endpoint.
Troubleshooting
Additional troubleshooting steps:
- Restart the BigFix client process on the endpoint.
- In the BigFix console, right-click the endpoint computer name and click Send Refresh.
Questions for the panel
To ask a question after this presentation, you are encouraged to participate in the dW Answers forums for:
- ILMT: https://developer.ibm.com/answers/topics/ilmt.html
- BigFix Inventory: https://developer.ibm.com/answers/topics/bigfix-inventory.html
Where do you get more information?
- License Metric Tool wiki: https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/ibm%20license%20metric%20tool
- Security Learning Academy training roadmap for BigFix Inventory and ILMT: https://www.securitylearningacademy.com/local/navigator/index.php?level=emil01&roadmaps=true

More articles you can review:
IBM developerWorks articles:
- ILMT 9.2.x https://ibm.biz/bdiqhc
- BFI 9.2.x https://ibm.biz/bdseqq
IBM Knowledge Center:
- ILMT 9.2.x https://ibm.biz/bdrjdp
- BFI 9.2.x https://ibm.biz/bdiqhg
Copyright IBM Corporation 2017. All rights reserved.