BigFix 10.0 Patch 8 is now available!

The BigFix Team is pleased to announce the release of version 10 Patch 8 (10.0.8.37) of BigFix Platform.

The main features in this release are as follows:

  • Optionally disable local operators to comply with most recent Cyber Security guidelines

    Starting from BigFix Platform 10.0.8, you can decide to optionally disable all local operators from logging into the BigFix Console, Web Reports and WebUI, in favour of the LDAP-based operators. This feature may be used to comply with most recent cybersecurity guidelines and standards.
    Click here for more info

  • Enhance audit capabilities of your BigFix deployment with new audit logs

    BigFix Platform 10.0.8 introduces a new audit log file which tracks every access and action performed using the BigFix Administration Tool when used via the GUI on Windows or when used via the command line on Windows/Linux. For details, see Server audit logs and Logging

  • Get more flexibility in writing relevance statements with regular expressions by leveraging the Perl Regular Expressions standard

    BigFix Platform 10.0.8 makes available a new client inspector which allows writing regular expressions based on the Perl Regular Expressions standard. This capability is available on Windows only. Click here for more info.

  • BigFix Agent supports RHEL systems with FIPS mode enabled

    You can now install the BigFix Agent on Red Hat systems where FIPS mode is enabled. This is possible as the RPM package delivered with BigFix Platform 10.0.8 supports the sha256 digest in the RPM header, adding another level of security, required to deal with systems in FIPS mode. Click here for more info

  • Enhanced flexibility for handling Linux BigFix services via full systemd support

    BigFix Platform 10.0.8 introduces full support for the systemd services for all main Platform components while still supporting init.d for backward compatibility. Click here for more info

  • Simplify troubleshooting via new installation logs

    BigFix Platform 10.0.8 makes available new installation log files for fresh Windows/Linux installations and upgrades. This release also improves logging capabilities for CDT installations. Click here for more info

  • Enhanced prefetch actionscript command to deal with sites implementing the HTTP to HTTPS redirection

    BigFix Platform 10.0.8 adds the capability for the prefetch actionscript command to deal with HTTP to HTTPS redirect requests. The prefetch command will handle the redirections both for server/relay and client. Click here for more info.

  • Upgrade from SQL Server Native Client to ODBC Driver

    BigFix Platform 10.0.8 moves from supporting and shipping SQL Server Native Client 2012 to supporting and shipping the ODBC Driver. Click here for more info

  • BigFix Console logging and diagnostics

    Improvements have been made in logging and diagnostic approaches for the console, to better understand system capability and bottlenecks. A future publication will provide guidance on leveraging this capability.

Cloud

  • Get a more current view of your infrastructure via the new automatic clean-up approach for proxied endpoints

    The Plugin Portal now implements a clean-up process for proxied endpoints, allowing to automatically delete proxied endpoints that are no longer discovered by the plugins (both cloud and MDM). This will help you to get a more up-to-date status of your infrastructure. Click here for more info.

  • Use the Computer Remover to implement different clean up policies for native and proxied endpoints

    The Computer Remover is now able to deal with both native and proxied endpoints. You can use Computer Remover to specify the type of endpoint and implement different clean up policies based on that. Additionally, the new version of the Computer Remover reduces to 7 days the minimum value accepted for the ā€œRemove Deleted Computersā€ option. Click here for more info

Defect Articles (DA), defect fixes and Serviceability enhancements

Added support for

  • Amazon Linux 2 on ARM Graviton 64-bit (Agent)
  • Rocky Linux 8 x86 64-bit (Agent)

Upgrade of the following libraries:

  • The libcURL library was upgraded to Version 7.86.0
  • The libssh2 library was upgraded to Version 1.10
  • The ICU library was upgraded to Version 54.2
  • The JQuery UI library was upgraded to Version 1.13.2
  • The SQLite library was upgraded to Version 3.39.3

For details, see the technical specification section below.

Additional information about this release

  • The standalone BigFix tools are published under the 10.0 Utilities section in BigFix Enterprise Suite Download Center.
  • A Non-Functional Requirements checklist, covering both performance and security management of your BigFix deployment, is available at BigFix Performance & Capacity Planning Resources

References

Pre-Upgrade Considerations

  • This release includes all the BigFix Platform components. It also includes the Plugin Portal that enables the Multicloud and Modern Client Management capabilities.
  • The unixODBC RPM package is a prerequisite for the Server components on Linux systems (see Server Requirements). This applies to version 10.0.2 and later.
  • Upgrade paths to BigFix 10 begin with v9.5.10 or later. For details, see Upgrade paths (Windows) and Upgrade paths (Linux).
  • For detailed information on the specific changes to minimum supported versions of operating systems and databases for BigFix 10, see Detailed system requirements.
  • Before getting started with the upgrade process, stop any active application that is connected to the BigFix database (such as Web Reports, WebUI, BigFix Inventory, or BigFix Compliance).

Useful links

Upgrade Fixlets are available in BES Support version 1475 (or later).

HCL BigFix ā€“ Platform Team

3 Likes

A post was split to a new topic: Perl Regex in BigFix 10.0.8

With the database connection changes in patch 8, detailed here, https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/c_iem_odbc_configuration.html when do we change the settings?

Before, during or after the setup.exe execution?

1 Like

The upgrade process (setup execution) will take care of making all the needed changes to move from SQL Server Native Client to ODBC driver, the user is not expected to have to do any manual steps. Only in case the default configuration of the BigFix ODBC data sources had been modified by the user, the recommendation is to review and verify the consistency and effectiveness of the BigFix ODBC data source configurations after the upgrade to 10.0.8 has completed (this is because there are some differences in how SNAC and ODBC drivers can be configured).

Thank you for that response. Assuming patch 8 makes DB changes, we will know right away if the connection setup is bad or wrong during the setup.exe run.

In case the default configuration of the BigFix ODBC data sources was changed by the user at some point before upgrading to 10.0.8, it is recommended to review the consistency and effectiveness of the post-upgrade configuration in any case because, for example, some configuration parameters that were suitable for SNAC may no longer be effective with ODBC drivers.

Will Rocky linux 9 support? And will it follow support for compliance and inventory?

Has anyone saw an issue with 10.0.8 where the Master serverā€™s BESclient can no longer connect? Error " RegisterOnce: Relay does not support secure registration."

I first had this happen in our Dev environment (single server, 10.0.7 to 10.0.8).
I then also see it happening in our QA environment (master & DSA, 10.0.4 to 10.0.8).

I also have degraded DSA now, though some things are replicating as I see Actions & updated last report times. Replication error "Replication error: ā€œAmbiguous column name ā€˜tablenameā€™ (3700: 209)ā€

For DSA replicationā€¦ found this in KB, could be related. https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0102334

Do your SSL Certs happen to be self-signed and/or not CA generated?

SSL certs are generated through Entrust

I think you are on to something, since https://127.0.0.1:52311 cert is an Entrust cert.

Just to validate the client connect, you can set _BESRelay_HTTPServer_UseSSLFlag = 0
on the BES Client on the BES Server (through the registry and restart both Root and Client service) and see if the client registers. That will validate itā€™s the SSL Cert issue.

Thanksā€¦ Setting _BESRelay_HTTPServer_UseSSLFlag = 0 does allow the BigFix client on the Master to check in, and HTTPS port 52311 switches back to to the BigFix self signed cert.

Mind you, the Entrust cert I have, has been in use for a year now. Upgrading to BigFix 10.0.7 did not have this issue, but 10.0.8 does. Putting back the setting and restarting services, recreates the issue I have.

It has to do with the security updates in 10.0.8 and how theyā€™re validating SSL Certs that were not validated before.

Itā€™s related to - https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/c_managing_downloads.html

Iā€™m waiting on more information from Development on how theyā€™ll proceed on this going forward.

1 Like

I ran across this post by JGStew. Note: My environments all started fresh with 10.0.1 back in 2019ish.

I was/am considering trying it, but probably will just open a support ticket here.

This topic was automatically closed after 30 days. New replies are no longer allowed.