Baselines - check for "out of sync" fixlets and duplicate fixlets

(imported topic written by SystemAdmin)

I wrote these two session relevance queries and figured they might come in handy. (I find it interesting that when I initially looked into these issues I thought the resulting relevance might be quite long and awkward, but in fact they are fairly straightforward.)

Now, I know there are a few other threads in regards to these issues dotted around, but I figured it would be helpful (just for myself, if not anyone else) to have them listed here for future use. (If these problems have already been solved elsewhere, then apologies for the redundancy and wasting two minutes of your valuable surfing time.)

The first check creates a list of fixlets in baselines and then compares the source fixlet name against the current name. In the majority of cases (from what I’ve seen), the name of the fixlet changes in some form when it gets updated, such as being applicable to both SP1/SP2 but then a later patch makes the SP2 portion unnecessary. The other common change is when a patch is no longer needed and the name is appended with (Superseded).

If you wanted to have even better coverage, you could compare the relevance and/or action as well, to ensure you’d be notified for any reason that you might want to update your baseline.

Note: You will probably need to modify the filter piece in the relevance to ensure you block any test (or known duplicate/out of sync) baselines.

    • Fixlets in Baselines that are out of sync:

unique values of (item 0 of it) of (name of it, name of source fixlet of it) of it whose (name of source fixlet of it != name of it) of (components of component groups of bes fixlets whose (baseline flag of it AND name of it starts with "Base OS patches"))

Now, I can imagine that a comment will spring to mind almost immediately for some of you, in that you’d like to know what Baseline they are in. I may come up with that one later, but if someone else wants to do that, that’s fine. (Something along the lines of what I’m doing below might point you in the right direction.)

The next statement handles checking for fixlets that have been used more than once, either in the same or different baselines. This doesn’t happen too often, but it’s nice to be aware of it. Obviously, if you use duplicate fixlets on purpose (to manage the actions of a baseline), then you will want to filter the names of those out. Or make your filter more specific to which fixlets you want to look for.

    • Duplicate fixlets in Baselines:

unique values of (item 1 of it &" - "& name of item 2 of it) of it whose(item 0 of it contains item 1 of it) of (( set of ((item 0 of it) of it whose (item 1 of it > 1) of (it, multiplicity of it) of unique values of (names of (components of component groups of bes fixlets whose (baseline flag of it AND name of it starts with "Base OS patches")))) ), names of components of component groups of it,it) of (bes fixlets whose (baseline flag of it AND name of it starts with "Base OS patches"))

I hope you find this useful.

-Jim

1 Like
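As an added example (not part of Jim's posts or any BigFix-supplied content), a session relevance query that extends the first out-of-sync check so every hit is reported together with the baseline it sits in, which is the follow-up mentioned above. It also reports components whose source fixlet no longer exists instead of tripping over them, since comparing against a nonexistent source fixlet name would otherwise error out; the "Base OS" name filter is an assumed filter in the same style as the original queries.

```relevance
(name of item 0 of it & " | " & name of item 1 of it & " | " &
  (if exists source fixlet of item 1 of it then "name changed" else "source fixlet missing"))
of it whose (
  not exists source fixlet of item 1 of it
  OR name of source fixlet of item 1 of it != name of item 1 of it
)
of (it, components of component groups of it)
of bes fixlets whose (baseline flag of it AND name of it starts with "Base OS")
```

Each result line is baseline name, component name, and the reason it was flagged; the OR short-circuits, so the name comparison is only evaluated when the source fixlet still exists.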

(imported comment written by SystemAdmin)

Updated relevance for doing some helpful baseline ‘maintenance’ checks.

(number of elements of item 0 of it as string & " out of sync", number of elements of item 1 of it as string & " duplicate fixlets", number of elements of item 2 of it as string & " missing source fixlets

“;(”

Out of sync fixlets:

"&(concatenation "

" of ((elements of it) of item 0 of it)),"

Duplicate fixlets:

"&(concatenation "

" of ((elements of it) of item 1 of it)),"

Missing source fixlets:

"&(concatenation "

" of ((elements of it) of item 2 of it)))) of ( (set of unique values of (item 0 of it) of (name of it, name of source fixlet of it) of it whose (relevance of source fixlet of it != relevance of it OR name of source fixlet of it != name of it) of (components of component groups of bes fixlets whose (baseline flag of it AND name of it starts with "Base OS"))), ( set of unique values of (item 1 of it &" - "& name of item 2 of it) of it whose(item 0 of it contains item 1 of it) of (( set of ((item 0 of it) of it whose (item 1 of it > 1) of (it, multiplicity of it) of unique values of ((names of it) of (components of component groups of bes fixlets whose (baseline flag of it AND name of it starts with "Base OS"))))), names of components of component groups of it,it) of (bes fixlets whose (baseline flag of it AND name of it starts with "Base OS"))), (set of(names of components whose(not exists source fixlet of it) of component groups of bes fixlets whose (baseline flag of it AND name of it starts with "Base OS"))) )

( Note: Just change the four locations of the “Base OS” string to match the baseline(s) you want to check or just remove it to check them all.)

Changes:

  • I didn’t like having just the two, so I made it three and also combined them to save time.

  • It now also compares the relevance, which is an interesting coincidence in that Bigfix had just modified MS10-044 in just that way (only the action and relevance changed, not the name).

  • Displays any fixlets which no longer exist (pulled by Bigfix) but are still sitting in my baseline. If Bigfix doesn’t think it needs to be there, then I’m not sure why I’d want to have it in my baseline(s).

  • Added breaks (html) so that it looks better (set to html in debugger). Or perhaps it could be used in a report?

OUTPUT

1 out of sync, 2 duplicate fixlets, 2 missing source fixlets

Out of sync fixlets:

MS10-044: Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution - Office 2003 SP3 (Local/Network Install),

Duplicate fixlets:

MS10-077: Vulnerability in .NET Framework Could Allow Remote Code Execution - Microsoft .NET Framework 4.0 - Windows XP/2003/Vista/2008/7/2008 R2 (x64) - Base OS patches - 2010 - Q4

MS10-077: Vulnerability in .NET Framework Could Allow Remote Code Execution - Microsoft .NET Framework 4.0 - Windows XP/2003/Vista/2008/7/2008 R2 (x64) - Base OS patches - 2010 - Q4 (x64),

Missing source fixlets:

MS09-037: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution - Windows Media Player 11 - Windows Server 2008 Gold/SP2 (x64) (Korean)

MS09-041: Vulnerability in Workstation Service Could Allow Elevation of Privilege - Windows XP SP2/SP3 (Korean)

(imported comment written by SystemAdmin)

Looks like I’m just talking to myself in this thread, but I was curious if anyone else has used this (and if so, was it helpful?).

I know it detected a number of issues (between 4-40) at different times in the previous two months, but just today it popped up with 4 out of sync items listed.

Out of sync fixlets:

MS10-041: Vulnerability in Microsoft .NET Framework Could Allow Tampering - Microsoft .NET Framework 2.0 SP2 / 3.5 SP1 - Windows 2000/XP/2003

MS10-045: Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution - Office 2003 SP3 (Local/Network Install)

MS10-045: Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution - Office XP SP3 (Local/Network Install)

MS10-103: Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution - Microsoft Publisher 2010 - Office 2010

-Jim

(imported comment written by PaulPhillabaum)

Jim,

You aren’t talking to yourself. I’ve been watching this thread with interest since you started it but lost track of time. I had been hoping someone else would quickly post my question so I didn’t have to admit my ignorance. But here goes.

How do you use these?! I’ve tried in QNA but I get "the operator "bes fixlets" is not defined." I’ve got it sort of working in the web reports but since this isn’t in the custom reports forum and it doesn’t look like report code, I assumed it wasn’t that. Comparing your code to one of the baseline reports BES support has released in the forums, I think I see how your relevance could be made into a report. I might try that. But I was curious to hear how you use this.

thanks,

Paul

(imported comment written by NoahSalzman)

Any time you see “baselines”, “bes fixlets” or “bes computers” you are dealing with “Session Relevance”… a flavor of Relevance meant to be run against the Server database rather than an Agent end-point. So, you run it in Web Reports, in the Console debugger, or via the SOAP API.

(imported comment written by SystemAdmin)

I haven’t put this into a proper report myself (yet), so in the meantime it is actually a relevance I leave in the Presentation Debugger (activated via the console), as it always saves the last relevance query that was run.

To get the option to load the Presentation Debugger, first you need to press “Ctrl” + “Alt” + “Shift” + “d” to activate the debug menu and then tick “Show debug menu” and close it. Then just select the 2nd option under the Debug menu item that is now available in the console.

-Jim

(imported comment written by PaulPhillabaum)

Thanks guys. Jim, to answer your question regarding how useful this is: Yes! I found several out of sync fixlets in baselines that I hadn’t found with the web reports.

Also, being able to re-run your ‘report’ as I change baselines and get real-time feedback is useful.