IBM Tivoli Endpoint Manager - Points To Know.
IBM Tivoli Endpoint Manager (TEM, also known as IEM), formerly BigFix, is a systems management software product by IBM for managing large groups of computer systems. TEM is used for patch management, power management, software distribution, operating system deployment, and software and hardware inventory.
How it starts
When a supported vendor releases a new patch, IBM Tivoli Endpoint Manager publishes an equivalent Fixlet for the patch, which includes the relevance and the action template.
Once a day, the IBM Tivoli Endpoint Manager server contacts the IBM TEM content delivery service servers.
The server notifies the connected relays of new content by a TCP ping on port 52311.
When a relay receives the ping, it contacts the server and downloads the new content.
The relay notifies its downstream relays of new content by a TCP ping on port 52311.
The relay notifies its downstream clients of new content by a UDP ping on port 52311.
Clients contact their parent relay once a day (by default).
Gathering
Gathering is the process of collecting new content.
The __BESData folder stores all the gathered content.
The server gathers from the IBM content servers. A relay gathers from the server or its upstream relay: it gathers the latest site version on startup, on refresh, and every 6 hours by default, and checks its download cache for the specific site and version.
The client gathers from its relay or the server, over an HTTP connection to that relay or server.
The following sites are gathered: Actionsite, Opsite, and All Fixlet and Action Site.
Fullsite: if the client has never gathered content, it requests a fullsite, a compressed file of all site information.
Diffsite: if the client has gathered content before, it requests a diffsite, a compressed file of only the site differences.
Tivoli Endpoint Manager Roles and activities
**Non-Master Operator:
Deploys actions.
Creates custom content.
Changes or deletes computer settings.
**Master Operator:
Manages non-master operator management rights.
Creates computer settings, retrieved properties (RP) and custom sites.
Globally hides or shows Fixlet messages.
**Site Administrator:
Manages overall IBM TEM server management features.
Creates, edits or deletes users.
Note: A user's status as operator or master operator is permanently assigned with the user name and cannot be changed.
Uses of the TEM Administration tool:
User management.
Masthead management.
Global IBM TEM settings.
Distributed Server Architecture (DSA) replication.
Encryption.
Masthead File:
It is a file generated during installation, with the extension .afxm. It acts as a configuration file carrying parameters such as the server IP address, server name and port number.
The masthead file is used to verify signatures made with the private key, which is what authenticates us to take action.
The Fixlet Debugger (earlier known as the QNA tool) is installed by default along with the console.
Test Fixlets/tasks locally using the Fixlet Debugger. Its output format is:
Q: Question.
A: Answer.
T: Time taken to evaluate (in ms).
Debugger modes: QNA | Single Clause | Graphical | Action
SHA1.exe:
SHA1.exe is used to generate an action command that verifies the size and checksum of a file.
It allows the BES server and BES relays to maintain a persistent cache of downloaded files.
How to generate the SHA1 value:
Open cmd > drag sha1.exe into it > sha1.exe -r
Gathering interval option:
A higher gather interval only slightly affects performance, because the client usually collects only the differences.
Initial action lock:
Specifies the initial action lock state for IBM TEM clients. Unlocked by default.
Minimum refresh interval:
The minimum console refresh value for the entire TEM enterprise. The default is 15 seconds. To reduce database load you can raise it.
Default Fixlet visibility (one of):
Fixlets, tasks and analyses globally visible.
Fixlets, tasks and analyses globally hidden until a master operator marks them as visible.
Relevance:
The Relevance language is an object-oriented query language. It inspects most of the relevant information about a client, such as:
*Software, hardware and network configuration
*File info such as existence, attributes, size
*Windows registry keys and values
*TEM client configuration settings
Basic components of TEM
**Fixlet: A Fixlet detects a vulnerability and is no longer applicable once its relevance is lost. The relevance expression of a Fixlet implies that the machine is in a remediable state. The success criterion for a Fixlet is that its relevance becomes false. Fixlets contribute to baseline relevance and to group action execution.
**Task:
Tasks are sequences of actions to adjust settings or perform maintenance, and typically stay relevant. The relevance expression of a task implies that the action can be run in this context. The success criterion for a task is that the action runs to completion. Tasks contribute neither to baseline relevance nor to group action execution.
Note:
We can write tasks as Fixlets so that they do not remain relevant after completion.
Fixlets normally show Fixed as their status; tasks normally show Completed.
Actions are scripts: they do things.
Relevance is a query: it does not do things.
When the success criterion is that the action runs to completion, the action reports Completed once the script finishes; when the success criterion is that the applicability relevance evaluates to False, the client re-evaluates the relevance after performing the action.
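An added example, not from the original notes, tying the Relevance section above to the Fixlet/Task distinction: the action script of a custom Fixlet that installs a constructed "ExampleApp 2.1" package. The applicability relevance is shown in the leading comments because it is entered on the Fixlet's Relevance tab, not in the script. The product name, file path, registry key, download URL, hash and size are all assumptions or placeholders.

```actionscript
// Added example (not from the original notes). ExampleApp, its paths, registry key,
// URL, SHA1 and size are assumptions/placeholders.
//
// Applicability relevance (Relevance tab of the Fixlet, read right to left):
//   (name of operating system starts with "Win")
//   AND (exists file "C:\Program Files\ExampleApp\app.exe" whose (version of it < "2.1"))
//   AND (exists keys "HKLM\SOFTWARE\ExampleApp" whose
//          ((value "Version" of it as string as version) < "2.1") of registry)
// Success criterion: "applicability relevance evaluates to false". After the action
// the client re-checks the relevance and reports Fixed only once 2.1 is present.

// Stage the installer through the relay download cache. The client rejects the file
// if its size or SHA1 does not match (take both values from sha1.exe -r on the real file).
prefetch ExampleApp-2.1.msi sha1:PLACEHOLDER_SHA1_FROM_SHA1EXE size:PLACEHOLDER_SIZE_IN_BYTES url:http://downloads.example.com/ExampleApp-2.1.msi

// Do not start a second Windows Installer session while one is still busy.
pause while {exists running application "msiexec.exe"}

// wait (not run) suspends the script until msiexec returns, so its exit code is known.
wait "{pathname of system folder}\msiexec.exe" /i "__Download\ExampleApp-2.1.msi" /qn /norestart

// Stop on any non-zero installer exit code: the action then reports Failed and the
// code is visible in the client log and in the action's Action History tab.
continue if {exit code of action = 0}

// Cleanup: remove the downloaded payload.
delete "__Download\ExampleApp-2.1.msi"
```

This follows the four-step install sequence described later in the notes (download, unpack, install, cleanup); the `prefetch` line is the action command that SHA1.exe generates, so the hash and size must be replaced with the real values before the Fixlet is used.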
How to create Fixlets/Tasks:
Tools > Create New Fixlet or Task, OR select the desired Fixlet and Edit > Create Custom Copy
Options while creating a Fixlet:
Create in site
Create in domain
Actions:
Script type: BigFix Action Script
Relevance:
>>All computers
>>Computers which match the condition below
>>Computers which match all the relevance clauses below
Properties:
Category, download size, date and severity.
Analyses: Analyses retrieve data. An analysis is like relevance, but instead of True/False it returns data.
How to create an analysis:
Tools > Create New Analysis
Description
Properties: add the retrieved properties (RP) that form the core of your analysis.
Relevance: which computers are selected.
Baselines: Baselines are collections of Fixlet messages and Tasks. They provide a powerful way to deploy a group of actions across an entire network with a single command.
Baselines are useful for updating systems to a common standard.
How to create a Baseline:
Tools > Create New Baseline
Description
Components: add components to groups; select Fixlet messages, tasks and other baselines.
Relevance
Properties
Web Reports: Web Reports allows authenticated users to connect through a web browser to view information about computers, vulnerabilities, actions and more.
To launch Web Reports:
Tools > Launch Web Reports.
About commands:
File system:
Copy, Move, Delete
Download, Prefetch, Extract
Createfile until, Appendfile
Execution:
Run, Runhidden
Wait, Waithidden
Flow:
If, Else
Continue if
Pause while
Restart
Shutdown
Note:
Run: invokes the specified executable and immediately proceeds to the next line.
Wait: suspends the action script until the invoked process has completed.
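An added example, not from the original notes, exercising the command groups listed above in one Task: `parameter` and `createfile until` for the file-system commands, `run` followed by `pause while` to show why `run` (unlike `wait`) needs an explicit wait, `if/elseif/else/endif` and `continue if` for flow, and `restart`. Every path, file name, executable and parameter value is an assumption.

```actionscript
// Added example (not from the original notes). The directory, file names and the
// configure*.exe programs are assumptions.

parameter "AppDir" = "C:\ProgramData\ExampleApp"
folder create "{parameter "AppDir"}"

// createfile until: every line up to the sentinel is written to the file __createfile.
// Relevance inside {} is substituted when the script runs; a literal brace must be
// written as {{ or }}. {computer name} and {now} are evaluated on the client.
createfile until END_OF_FILE
[client]
computer={computer name}
generated={now}
END_OF_FILE

// move refuses to overwrite, so remove any earlier copy first (delete does not fail
// when the file is absent).
delete "{parameter "AppDir"}\client.ini"
move __createfile "{parameter "AppDir"}\client.ini"

// Flow: pick the branch by relevance. run returns immediately (see the Note above),
// so pause while is what keeps the script from racing ahead of the configurator.
if {x64 of operating system}
  run "{parameter "AppDir"}\configure64.exe" /quiet
  pause while {exists running application "configure64.exe"}
elseif {name of operating system starts with "Win"}
  run "{parameter "AppDir"}\configure32.exe" /quiet
  pause while {exists running application "configure32.exe"}
else
  // Not a Windows client: stop here so the action reports Failed, not Completed.
  continue if {false}
endif

// Restart with a 300-second countdown shown to the logged-on user.
restart 300
```

Because this is written as a Task, its success criterion is that the script runs to completion, so it reports Completed even though its relevance may still be true afterwards; the `continue if {false}` branch is the one way the script can end in Failed.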
Action States:
Running- Action is still running
Evaluation- Evaluating relevance
Failed
Cancelled
Download Failed
Locked- Computer is locked
Offers disabled
Waiting- Waiting for user response
Pending downloads
Pending message
Pending login
Not Relevant
Not Reported
Fixed
Error
Take Action dialog tabs:
Target | Execution | Users | Messages | Offer | Post-Action | Applicability | Success Criteria | Action Script
Target: on which machines the action is taken.
Execution: start time, end time, etc.
Fixlet view tabs:
Description | Details | Applicable Computers | Action History
Computer view tabs:
Summary | Relevant Fixlets and Tasks | Relevant Baselines | Baseline Component Applicability | Action History
Message box options:
Take all actions
Cancel action
Take action
Snooze
IEM Client Deploy Tool:
The IEM Client Deploy Tool can be used to remotely deploy clients to Windows machines. For UNIX, Mac and other unsupported OSes there is an unsupported NIX client deploy tool.
The IEM Client Deploy Tool is included in the TEM Installation Generator and is installed along with the server, in the \BigFix Enterprise\BES Installers\BESClient Deploy directory.
The location of this folder is stored in the following registry key:
HKLM\Software\Wow6432Node\BigFix\BES Installation Generator
To start the tool on the Windows server machine:
Start > All Programs > IBM Endpoint Manager > IBM Endpoint Manager Client Deploy
*Find computers using Active Directory (recommended)
*Find computers using NT 4.0 domains
*Find computers specified in the list
The first two options scan for computers within Active Directory or within NT 4.0 domains.
The third option provides a text area to manually paste a list of known hostnames, IP addresses or an IP range, or a button to load a file providing the same.
To run it from the command line:
Save a file with computer names or IP addresses (one per line) as computerlist.txt in the same location, \BigFix Enterprise\BES Installers\BESClient Deploy.
From a command prompt: BESClientDeploy.exe /use computerlist.txt
Enter the username and password. The user needs to be a domain admin with local admin rights on the endpoints.
The IEM CDT will:
*Contact the domain controller
*Retrieve the list of computers in the domain
*Attempt to contact each computer to see whether the TEM client is installed
The user is presented with a list of computers on the network showing whether the IEM client is installed, or that the computer was not responding; the user can then choose on which computers the client has to be installed.
Requirements:
1) The computer you are deploying to and the computer you are running the IEM Client Deploy Tool from must be part of an AD domain.
2) You must be logged in as a domain administrator with all the required permissions.
3) You must type in the domain password after you choose to deploy.
4) The remote computer you wish to deploy to must be running Windows 2000, XP, Server 2003, Vista, and so on.
5) The remote computer must have the following services running: Workstation, Server, Netlogon, Remote Registry.
6) The remote computer must have file and print sharing enabled.
7) There must be no network or security policies in place that would prevent the application from running a service that uses the domain admin credential to copy files locally.
8) The remote computer must be reachable using RPC protocols.
How software is installed:
1) Download the file
2) Unpack (in a temp location)
3) Install (or copy)
4) Cleanup
Troubleshooting:
Go to the console > go to the action script.
Each step says completed or failed.
Log file location: BigFix/BES Agent/__BESData/Global/Logs
Look for exit codes within the log file.
TEM for Security and Compliance Analytics (SCA):
TEM for SCA is a web-based application for security and risk assessment.
SCA provides reporting tools for managing security configuration management (SCM) checks.
Each computer in your deployment evaluates the SCM checks you have activated from the Tivoli Endpoint Manager console and reports back a pass, fail or not-applicable status for each check.
Upload and Archive Manager:
You can collect multiple files from Endpoint Manager clients into an archive and move them through the relay system to the server.
The Archive Manager has been added to the Endpoint Manager client; it can collect files periodically or on command.
About Relays:
Choose the relay that is the fewest hops away. One relay per 500-1000 computers gives optimal performance. There is a task to install the Tivoli Endpoint Manager Relay.
To save bandwidth, install an IBM TEM Relay on a computer in a nearby location. The relay also groups and compresses communication, other than downloads, from the server to clients.
IBM TEM clients also send a heartbeat periodically to their IBM TEM Relay.
The default is 5 seconds. The relay has a bufferdir folder. Clients and other relays post data (using an HTTP POST) to the relay, which stores the results as files in bufferdir.
The relay compresses bufferdir every 3 seconds and then sends the information to its parent relay or the server.
Two types of relay selection are possible:
Manual relay selection (default).
Automatic relay selection.
Select a group of computers > Edit Computer Settings > select the relay selection method.
For manual: check the box labelled Primary Relay and choose from the dropdown.
Miscellaneous:
1) TEM can work over very low bandwidth.
2) TEM console users have SQL login accounts for database access.
3) No additional cost for each console operator.
4) If many console operators connect to the server simultaneously, performance may degrade.
5) For users to have access to the TEM console, assign NT users or groups the SQL database role bes_console_users.
6) Relays fail over to the backup server when the primary server fails.
7) When establishing Distributed Server Architecture, be sure to have all IBM TEM operators create ODBC connections to both servers.
8) The TEM console communicates with the IBM TEM server via ODBC (a DSN connection to the SQL database) and via HTTP over the defined TCP port.
9) license.pvk, license.crt and publisher.pvk are critical to the security and operation of IBM TEM. Private key files (.pvk), if lost, cannot be recovered.
10) Fixlet data sent to the client is not treated as sensitive.
11) Only upstream data is considered sensitive.
12) Relevance is read from right to left.
13) The service that decrypts encrypted data on the server is FillDB.
14) Sites are collections of Fixlet messages.
15) Under the Execution tab is "Distribute the action over __ minutes to reduce network load". This prevents all clients from downloading a file from the server/relay at the same time.
16) Actions are in either the open, closed or stopped state. Close unwanted open actions. Delete closed and expired actions to save memory and console load time.
17) The reporting tools are dashboards and Web Reports. Dashboards provide graphical data and links to various controls.
18) TEM reports all software installed, regardless of whether it was installed by TEM or not.
19) Action options: Stop, Restart, Export, Remove.
20) Bandwidth throttling.
Comments:
youtube link is not working
How to contact you directly?