Exclude a Fixlet from being evaluated on all machines

I’m trying to exclude a Fixlet from being evaluated on endpoints because it is causing the service to fail. Any idea how to prevent fixlet evaluation?

Where is the Fixlet being hosted? If it’s in a custom site, are you able to modify the Fixlet’s relevance to include a ‘FALSE’ clause? Or could the Fixlet be moved into a site that does not have Clients subscribed to it?

Is this a custom Fixlet? I’ve never heard of Fixlet evaluation causing the Agent to ‘fail’ (though poor custom relevance can certainly cause delays).

This is in the SANS Top Vulnerabilities to Windows Systems site. It's the W05: Windows Configuration Weaknesses - SQL Server Authentication Logging is Not Enabled (Non-Default Instances). I have about 5 servers that stop the service whenever they evaluate this fixlet. Is there a way to tell endpoints not to evaluate a particular fixlet?

There is not a way to configure an endpoint not to evaluate a particular Fixlet in a site to which it is subscribed, no. That said, I’m curious how you’ve determined that this particular Fixlet is causing the Agent service to stop? The relevance of the Fixlet appears to be two very simple registry checks:

(exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer" of registry) AND (value "AuditLevel" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer" of registry = 0)

I really wouldn’t expect these checks to cause the Agent service to stop. Are there perhaps strange permissions associated with these particular registry keys on the endpoints in question?
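The following PowerShell is an added diagnostic, not code from the thread or from the Fixlet: it re-checks the two relevance clauses quoted above and prints the ACL on that key, since odd key permissions were raised as a possible cause. It assumes it is run in the same security context as the BES Client (LocalSystem) and reads the key path exactly as written in the relevance, without accounting for 32-bit versus 64-bit registry views.

```powershell
# Added diagnostic (not from the thread). Mirrors the Fixlet's two relevance clauses:
#   1. exists key "HKLM\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer" of registry
#   2. value "AuditLevel" of that key = 0
# and then shows who is allowed to read the key. Run as LocalSystem (e.g. via a
# scheduled task or psexec -s) so the result matches what the agent itself sees.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer'

$keyExists = Test-Path -Path $keyPath
Write-Host "Clause 1 - key exists: $keyExists"

$auditLevelIsZero = $false
if ($keyExists) {
    try {
        $props = Get-ItemProperty -Path $keyPath -ErrorAction Stop
        if ($null -ne $props.AuditLevel) {
            Write-Host "AuditLevel = $($props.AuditLevel)"
            $auditLevelIsZero = ($props.AuditLevel -eq 0)
        } else {
            Write-Host 'AuditLevel value is not present'
        }
    } catch {
        # A read failure here is the kind of permission problem asked about above.
        Write-Warning "Could not read values under $keyPath : $($_.Exception.Message)"
    }
    Write-Host "Clause 2 - AuditLevel = 0: $auditLevelIsZero"

    # The agent runs as LocalSystem, so SYSTEM should hold at least ReadKey here;
    # a missing or Deny entry for SYSTEM would be worth investigating.
    Write-Host "ACL on $keyPath :"
    (Get-Acl -Path $keyPath).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}

Write-Host "Fixlet relevant (both clauses true): $($keyExists -and $auditLevelIsZero)"
```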

When we stop SQL on the offending endpoint, the service does not crash. As soon as you start it up, it fails, and the last line in the log is the fixlet.

This may not be the fixlet being evaluated, however. There is a client setting to show the fixlet that is about to be evaluated in the EMsg log (EvalLog), so if you had that on it is more likely. Most logs show the fixlet that just WAS evaluated.

The subsequent fixlet, for example (if your client is evaluating fixlets in order), has "exists local mssql database" in it, which is more likely to be having an issue.

This inspector does have some known issues on Windows 2003 SP2. You can try blacklisting that inspector.

How would I do that?

There’s a relatively new Client setting you can leverage for this purpose:

_BESClient_Inspector_Blacklist

In this case, I believe its value should be:

<local mssql database>

Is there a link that talks about this setting? I would like to read up on it.

There may not be much, as it's not a recommended thing to do very often. Blacklisting the wrong inspectors can cause the agent to malfunction, as it uses inspectors internally as well.

The specification for the setting is:

_BESClient_Inspector_Blacklist
Type: String
Version: 8.0
Platform: All
Default: None
Requires Client Restart: YES
Description: Blacklists an inspector list, for example "name of <operating system>"

So following the suggestion @Aram gave would be correct. This setting merely prevents the named inspector from working at all. Essentially it is removed from the language for functional reasons.

But am I able to target specific systems instead of all the endpoints?

Yes, this is a client setting, so you can make it applicable to one or many endpoints.

is not one of the evaluators of that fixlet

Hi.
Just a question: is it possible to exclude the evaluation of a site?
… and @AlanM: can you please tell me which IBM manual documents the client setting you quote?

Thanks

I can’t find any public document with a quick search. I pulled that from my internal list of all settings.

To exclude evaluation of a site… unsubscribe from the site

Thanks Alan … but … I have over 80,000 computers to unsubscribe / subscribe again, and this operation may overwhelm my infrastructure; if there's another way to do that I'd prefer it :smile:
I need to stop evaluation to do some other tricks in the meanwhile, so that computers could "breathe" instead of evaluating tons of relevance (I'm talking about the Patches for Windows site).

So you want only some sites to stop processing, or all sites? There is the "sleep" functionality to give the agent a "rest".


It would be much easier to have clients only evaluate a baseline some of the time, but it would be much harder for it to stop evaluating a site without unsubscribing.

You could increase your BES Client’s CPU usage so that it gets through the sites faster.

Do you have long evaluation loops on your clients caused by the Patches for Windows site?

This is related: