Fixlets number in one Baseline

Usage and Config Platform
1

(imported topic written by wolverine23)

Hi,

I have a baseline with about 250 fixlets ( 2003,2004,2005,2006 security updates )

Is there a problem if I have a lot of fixlets in 1 baseline ?.

Actually it is working fine because if one computer is connected, the bigfix client is installed and all security patches are installed if necessary.

However.

Is there a problem if I have a lot of fixlets in 1 baseline ?.

Relay performance is affected ?

This generate a lot of network traffic ?

BesClient process in the computers is affected ?

I have 3 relays, and each one has about 1000 computers reporting it normally.

Regards.

Thanks

Wolverine.

2

(imported comment written by BenKus)

Hey wolverine,

It is generally more efficient to break up baselines that are that big. Can you make one baseline for each year with around ~50 Fixlets each?

  • There is negligible performance impact on the relays and the network.
  • The server and the console are minimally affected (close to negligible).
  • The BES Client has more work to do when it has big baselines (in particular with actions taken from baselines).

See this post for more information:

http://forum.bigfix.com/viewtopic.php?id=448

Ben

3

(imported comment written by jr6591)

Is it better or more advisable to have one Open Action per Fixlet rather than use Baselines for say all MS06, 1 for MS05, etc.

It would be nice to have an option to select baseline or fixlets by O/S.

So, for example, I have to chose all my Windows XP fixlets for the MS05 year and create 1 baseline.

4

(imported comment written by wolverine23)

Thanks Ben and JR.

Now if I use some baselines with 50 fixlets, what is better way to that those baselines work all the time catching computers accesed to the network for first time and all necessary security patches are installed ?.

What I need to do ?.

Active those baselines at same time ?

Active those baselines once by week ?

Active first 1 baseline, 24 hours later anhoter ?

I appreciate your help.

Thanks.

regards.

wolverine.

5

(imported comment written by BenKus)

Hey jr,

It is easier on the system to have the individual Fixlets open, but as long as your baselines are not too big, you can send actions from the Baselines to save yourself time from individually activating actions.

wolverine,

Here is an approach some of our customers use to help manage new builds by applying many actions, but not affect the rest of their users:

  • Create a separate operator account called “NewBuilds”. Set this user to manage computers with a “newbuild” registry key set somewhere.
  • Build all the appropriate baselines with this “NewBuilds” operator account and send actions that don’t expire to all computers.
  • When a new computer comes online for the first time, set the “newbuild” registry key (you can even set it in the image). This will make the agent on the computer look at all the actions for the “NewBuilds” operator and install all the needed patches.
  • As a final step in the build process, remove the “newbuild” registry key.

With this method, the newbuild computers will be able to automatically install everything needed, but the other agents in the system will not have any adverse affects from the large baseline actions because they will never be looking at the “NewBuilds” operator site.

Ben