Audit for machines missing BigFix

I understand there are many ways to do this, but, in your experience, what is the best way to audit whether all your hosts have the BigFix agent up and running, in a scheduled and automated way?

In a multi OS environment with transient devices, I haven’t found any one way to audit this. And I personally do not find the asset discovery wizard helpful (there’s a lot of probable false positives in there and other devices such as routers which I do not care for).

We’ve got an AD environment with Windows, Linux and MacOS devices. Does anyone have something in place that takes care of this?

For reference and example, what I do find useful (albeit manual) is the Client Deploy Tool, which IBM does not recommend for use anymore. It allows me to target a specific OU in AD, then lets me know which machines are up but are not running the BESClient service or do not have the agent installed. But as said before, it is manual and also Windows only.

Is there maybe a tool one can buy that has this functionality? Resolving this issue goes further than BigFix: AV, anti-malware and other services one would like to monitor.

A server monitoring tool would not work, as it would trigger an alert when a machine is down. I realize there are manual ways for Windows like the sc command or PowerShell, but they involve way too much work and are, again, Windows only.

At the very least I’d be looking for a cross-platform solution that can manage the BigFix process, then I can manage the rest of the processes via BigFix itself.

The asset discovery tool is driving the nmap network scanner under the hood. It should be possible to run nmap separately, using the task content as a guide. You can limit your results by OS fingerprinting to only log Linux and Windows systems, ignoring routers/switches/unknowns, and then (like the asset scanner) check whether BigFix is running by pinging UDP 52311.

I’m not sure the Client Deployment Tool is deprecated, rather I think it’s being upgraded and should now be managed from inside the BES Console rather than as a standalone executable. I think there are more enhancements coming as well.

I know some environments are using Nessus, Forescout, Solarwinds, ServiceNOW Discovery, etc. but generally these sites are interested in the routers/switches/IoT devices.


So, can I target an AD OU from within the console using the Client Deploy Tool? Our network equipment is managed by a different group, that’s why it’s of no concern in this case, at least for my team.

The problem with using nmap is that port 52311 appears as filtered, therefore causing this to (maybe) be a false positive.

If port 52311 is filtered, you may have clients installed, but they may have trouble communicating with the Server and the Relays. Clients need to be able to communicate with the Relays and the Server on TCP/52311 and the Relays and Server(s) need to be able to reach your clients on UDP/52311 (unless you plan to just use Command Polling).
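As an added example (not from this thread, and not BigFix's own tooling), here is how the nmap-based audit suggested above could be post-processed: it parses nmap's `-oX` XML output, keeps only hosts fingerprinted as Windows, Linux or macOS, and treats a `filtered` or `open|filtered` answer on UDP 52311 as inconclusive rather than as a missing agent, which is the false-positive problem raised with the filtered port. The XML below is a constructed sample, not output from a real scan, and the verdict names are my own.

```python
import xml.etree.ElementTree as ET
BES_PORT = "52311"                            # BigFix client/relay port
MANAGED_OS = ("windows", "linux", "mac os")   # platforms that should run BESClient

# Constructed sample in nmap -oX format (not a real scan): open, closed, unanswered UDP, a router
SAMPLE_NMAP_XML = """<nmaprun>
<host><status state="up"/><address addr="10.0.0.11" addrtype="ipv4"/>
 <ports><port protocol="udp" portid="52311"><state state="open"/></port></ports>
 <os><osmatch name="Microsoft Windows 10" accuracy="96"/></os></host>
<host><status state="up"/><address addr="10.0.0.12" addrtype="ipv4"/>
 <ports><port protocol="udp" portid="52311"><state state="closed"/></port></ports>
 <os><osmatch name="Linux 4.15 - 5.6" accuracy="93"/></os></host>
<host><status state="up"/><address addr="10.0.0.13" addrtype="ipv4"/>
 <ports><port protocol="udp" portid="52311"><state state="open|filtered"/></port></ports>
 <os><osmatch name="Microsoft Windows Server 2016" accuracy="90"/></os></host>
<host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
 <ports><port protocol="udp" portid="52311"><state state="closed"/></port></ports>
 <os><osmatch name="Cisco IOS 15" accuracy="97"/></os></host>
</nmaprun>"""

def udp_state(host, portid=BES_PORT):
    """State nmap reported for the UDP port, or None if it was not scanned."""
    for port in host.findall("ports/port"):
        if port.get("protocol") == "udp" and port.get("portid") == portid:
            return port.find("state").get("state")
    return None

def classify(state):
    """Only 'open' proves a listener; 'closed' means an ICMP port-unreachable came
    back, so nothing is bound; filtered / open|filtered / unscanned prove nothing."""
    if state == "open":
        return "agent-listening"
    if state == "closed":
        return "agent-missing"
    return "inconclusive"

def audit(xml_text):
    """Return {ipv4: verdict} for live hosts whose OS match is a managed platform."""
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        osmatch = host.find("os/osmatch")
        os_name = (osmatch.get("name") if osmatch is not None else "").lower()
        if not any(k in os_name for k in MANAGED_OS):
            continue  # routers, switches and unfingerprinted devices are skipped
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        results[addr] = classify(udp_state(host))
    return results
```

Hosts marked inconclusive need a second check (for example a console query or a rescan) before being counted as missing the agent; only the closed ones are a firm result.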

When we were first deploying BigFix, we used the original Client Deploy Tool. We exported a list of all the Servers in our AD, by OU. Then we broke that list into several smaller lists and had 3 or 4 people pushing the clients to approved systems.

I have not tried the new Client Deployment Tool (CDT) yet. I suppose I should give it a try just to understand how it works.


Is your environment Windows only? I’m not so much worried about servers, but mostly about transient laptops in and out of the network. I can’t afford not patching machines due to something as simple as them not having the agent (or the agent wasn’t running) given what’s out there these days. I’ve already used a scheduled task which checks the BF service on Windows once a day and starts it if it’s stopped. Not doing it for Unix systems yet.

I just wish there was an easier solution to this given the power/importance of BigFix. If IBM comes out with a CDT that is cross platform, AD OU based and one that we can automate/schedule (e.g. set it to run every 4 hours and report back machines w/o BigFix and/or install it), it would be perfect.

FYI it is my understanding there are 2 CDTs. One is standalone, one is within the BigFix console (meant to be used with v9.5.7 and up). Once I launch the standalone one, I get this:

“Do not use the interface of the Client Deploy Tool, because it is obsolete. To install clients use the wizard or the Fixlet from the BigFix console.” However, once I click past that it still allows me to use it.

It is also my understanding that the Console version of the CDT does not allow AD integration.

Remember, BigFix only knows about AD and its OSes because Endpoints report their OU. There really is no AD integration in BigFix at all. Only awareness.

And, in answer to the question about my environment, we have a broad collection of OSes: Windows, Macintosh, Linux, UNIX, Solaris. My BigFix servers are Windows based, and my Relays are soon going to all be Linux based.

Understood. I really hope IBM does something to address this. The standalone CDT is a great tool, it just needs to be automated and support Unix.

The Client Deploy Tool built into the console now is kind of a mixed bag. I’ve had plenty of times where it refused to deploy to a particular server the first time, but then worked an hour later against the same target. You also need to specify which system to push out the client FROM. This ideally should make the process more flexible compared to the standalone one, but I haven’t always found it to be so. The other big complaint is that the integrated CDT is very unintuitive. It took me looking through a few walkthroughs online before I finally understood how it works. (It first prompts you to install the CDT tool onto an endpoint that it already knows about. This is the system that the BigFix Client gets pushed out FROM to your target(s), but that is NOT obvious.)


Also be advised the CDT requires Remote Registry access to the endpoint, which is disabled by default on Win10 1709.

If you know for a fact these clients are in AD, why not use a GPO to push the client to them?


I would just like to piggyback on what @JasonWalker said above. Forescout does have integration with BigFix to discover and profile managed/unmanaged endpoints and also automate the enrollment of endpoints that can be managed with BigFix. Below is a link to the pdf highlighting this integration. Thanks to @Aram for sharing this on the webinar today.

Forescout Extended Module for BigFix


Windows clients in AD are the easiest use case, which, like I said, I currently handle manually via the standalone CDT (around 5 devices discovered each month on average with BigFix not running or not installed). Yes, a GPO push would make that process easier, but it’s still not a complete solution as it only applies to Windows.

I was looking at whether something exists that automates auditing cross platform.

This.

Thank you @mhayden! I had no idea FS and BF integrated. This seems like a great solution.

Out of curiosity, how did you sign up for the webinars? Is there a mail list for this? Had I been attending these I wouldn’t have this question :)

Thanks again!