In order for a computer to be applicable for a baseline, does it need to be applicable for all tasks within the baseline? I’m having a problem in which only 8 computers are applicable for a baseline (relevance is all computers though), however each of the individual tasks within the baseline has far more applicable computers.
When you edit a baseline, note there is a checkbox “include relevance in baseline relevance”. You can use this to control which tasks influence the baseline applicability relevance… Note that Tasks default to NOT be included in the baseline relevance, but Fixlets do default to be included.
I do have a question on this topic. If I am patching (all default fixlets) a Windows machine with a baseline that contains 100 different patches (all of the checkboxes for applicability are checked by default), what happens if the machine has one of those patches? Will it automatically skip all other patches and consider the baseline not relevant to that machine even though some of the patches might be applicable in reality? And if that’s the case, doesn’t it make more sense for the default for fixlets to be “unchecked” just like it is for tasks?
Also, a quick question on the way the different components are being executed. If I have 5 tasks/fixlets within the same component group of the baseline and take an action against the baseline, are these tasks/fixlets executed in the order they are listed within the component group, or are they run in parallel?
When an agent runs a baseline, it checks each component to see if it is relevant and then runs each component only if it is relevant (regardless of whether you check the box or not). So if you have 10 patch Fixlets in a Baseline and the computer only needs two, then only the two that are needed will run. This is the nice behavior of baselines.
The baseline runs the components in order and runs them one at a time.
The reason why that check-box exists is to control the overall relevance of the baseline. A simple example will illustrate why it is important: Imagine you have 10 patches in a baseline and at the end you have a custom Task to restart the computer if it needs a restart. In this case, you want the baseline to run if any of the 10 patches are needed, but you do NOT want the baseline to run if the computer has all the patches and doesn’t need a restart. In this case you uncheck the “include in baseline relevance” box for the Task, but leave it checked for all the Fixlets.
Thank you for the clarification on the applicability checkboxes.
I do have a weird observation with regard to the component execution/evaluation within the same baseline. I created a Baseline that contains all the different McAfee components (VirusScan Engine; AntiSpyware; Host Intrusion Prevention; Framework). The AntiSpyware and Host Intrusion Prevention tasks were defined such that they required the server to have the current version of the VirusScan Engine, so naturally they were not applicable to servers. Originally, I had all 4 components in one component group and what kept happening was that the VirusScan Engine and Framework would install and it would be missing the tasks that have pre-requisites and I couldn’t figure out why. Eventually, I separated all 4 tasks into a different component group each and that made everything work as expected.
Based on that observation I could think of two logical explanations:
The components within the same component group are being executed in parallel to each other, so since the VirusScan Engine was the biggest component and it took the longest to complete it was finishing the AntiSpyware and Host Intrusion Prevention prior to its completion and treating them as “Not Relevant”.
The components within the same component group are being executed in order but there is no reevaluation after each component to determine if the previous component has made the next “Relevant”.
As I mentioned, I found a way around it but I just wanted to gain a better understanding of this unexpected behavior.