Benefit of Bigfix along with Satellite and Ansible

Hi,

I am just trying to understand , I have RH satellite servers and Linux clients (end points) , does deploying BigFix do any benefit to my environment ? like help with patching , configuration management , etc etc ?

please dont reply related to MS Windows , i dont have Windows servers or clients and I know BF is good for Windows machines, but I am looking for an answer to manage Linux machines efficiently from BigFix

please advise.

We’ll, I guess that depends a lot on what you want BigFix to do.

As far as I know, neither Satellite nor Ansible handles these functions that BigFix is pretty good at -

  • Bare-Metal OS deployment (Lifecycle)
  • Discovery of unmanaged systems (Lifecycle)
  • Management of hypervisors and Cloud hosts
  • Software Discovery, Tracking, and License Auditing (Inventory) - including recent features to discover things inside your Docker containers
  • Curated update management for a variety of third-party applications, databases, and middleware (Patch, Remediate)
  • Reporting and enforcement of security policies (CIS, DISA, PCI-DSS, etc. & custom checklists) (Compliance)
  • Fine-grained Hardware inventory
  • Orchestrating update management, reboots, etc. across cluster nodes (Server Automation)
  • Bi-directional reporting / correlation to ServiceNow
  • Correlation / remediating reported network scan vulnerabilities (Tenable)
  • Automatic optimization on the network bandwidth / download paths (automatic relay discovery & balancing)
  • Manage off-site systems, through a single, secure network port (no VPN required)
  • Highly-customizable & flexible to handle non-standard tasks (recent memory includes scans for embedded OpenSSL, Apache Commons-Text, Spring Boot, Log4J, SolarWinds, and that HP SSD Firmware bug that bricks drives after 32k hours usage)

You specified Linux-only, so I’ll stay away from Windows, but … If you have some iOS, Android, or Mac floating around, we can MDM those things too.

This is just what comes to mind off the top of my head. You should probably have a conversation with your Tech Advisor, who can take some time to understand your environment and let you know what you’re missing out on. If you don’t know your TA, send a message to @DanPaquette and/or @mhayden and they should be able to help you out.

@mushtaq

Where in the world are you located so I can help align resources?

Dan
HCL - BigFix Technical Advisors

Thanks for a detailed reply @JasonWalker

We do have a Tech Advisor as well as BigFix ambassadors who love to promote BigFix over other Linux based tools.

As i mentioned we have internal repository management through RH Satellite , which also does patching , OS deployment templates are available, it does bare-metal os deployment , vulnerability scanning and suggesting the patches for each RH products, Ansible, Puppet , and other tools, which cover all the mentioned features in your reply.

If i says, what are the possible ways i can integrate BigFix with my current RH toolset and slowly move to use BigFix completely ? what will be your suggestion ?

Speaking from a Big Fix customer point of view, we have RH Satellite to provide packages/patches to our Red Hat systems. We looked at the Satellite patching options a while ago and didn’t like them. Haven’t looked at many of the other features of Satellite. Frankly, we constantly have issues with Satellite so we use it minimally. We use Ansible for configuration management and patching our servers, but are slowly shifting more to Big Fix for those.

You mentioned you have Linux clients/endpoints. Are these servers (i.e. always on and running) or user controlled clients, (i.e. I turned off my system while I was on vacation)? We initially used Ansible to try to manage our clients and quickly discovered it assumes the systems are always available, which doesn’t work for this environment. We then moved to puppet and while it handled configuration management well, not so much patch management as it prefers to bring systems up to a defined baseline for everything.

I should mention we also manage Ubuntu clients, so we needed something that would work with both RHEL and Ubuntu. That’s when we found Big Fix. We have both Patch and Inventory and it’s been a game changer for us. We still maintain our Satellite (and Ubuntu Landscape server) for local mirrors, but all of our configuration management is handled by Big Fix. We use Big Fix for client patching, setting up multi-package baselines to apply the Red Hat patches. Ubuntu is just a task to do the patches (Wish Big Fix had the multiple-package option for Ubuntu)

Inventory has been wonderful. Last year I was able to generate reports on the log4j vulnerability quicker than the Mac or Windows teams and just last week I was able to give our Vendor Management Office what Linux systems were running a software package for an audit.

6 Likes