I’m working on automating our HIPAA checklist and inputting it all in SCM. When using the wizard, it creates a fixlet and an analysis for each entry you make in the wizard. The fixlet detects whether a machine is compliant or not; true means that the machine is non-compliant, and you get the real version information from the analysis.
I’m getting mixed results when using various ways of detecting application version and determining whether a computer is compliant or not.
In an example, Adobe Acrobat Pro, I’ve tried the relevance below, and machines with the correct version “11.0.11” still show up as true/non-compliant, though no other versions were detected and the currently installed version is “11.0.11”. No other versions were detected using QNA also.
Fixlet Relevance
exists application whose (name of it as lowercase contains "adobe acrobat" AND name of it does not contain "reader" and version of it != "11.0.11" as version)
also tried this one:
(if(version of it as string starts with "11") then((if(version of it)!="11.0.11" then(True) else(False))) else(if(version of it as string starts with "10") then((if(version of it)!="10.1.4" then(True) else(False))) else(False))) of applications whose (name of it as lowercase contains "adobe acrobat" AND name of it as lowercase does not contain "reader")
and this one:
(if(version of it as string starts with "11") then(exists application whose (name of it as lowercase contains "adobe acrobat" AND name of it does not contain "reader" and version of it != "11.0.1" as version)) else(if(version of it as string starts with "10") then(exists application whose (name of it as lowercase contains "adobe acrobat" AND name of it does not contain "reader" and version of it != "10.1.4" as version)) else(False))) of applications whose (name of it as lowercase contains "adobe acrobat" AND name of it as lowercase does not contain "reader")
The first example is stripped down because the first two didn’t seem to work at all even though when tested directly on the machine with QNA the result on my test computer was correct.
Analysis Relevance (seems to work fine):
(if(exists version of it) then(version of it as string) else("N/A")) of applications whose (name of it as lowercase contains "adobe acrobat" AND name of it as lowercase does not contain "reader")
I’m wondering if anyone has experienced an issue like this or can help me with the relevance. Thank you
I’m not exactly sure what you are trying to do with the wizard, but could you just simplify it? -
exists folder "/Applications/Adobe Acrobat XI Pro/Adobe Acrobat Pro.app" whose (version of it < "11.0.11" as version)
I don’t really like the applications inspector because it is much much slower and for software deployment it typically isn’t useful to know that a piece of software is installed at a non-standard location unless you are also able (and for some reason want to) deploy patches to that location.
Maybe it would make more sense to split out your security and compliance stuff? Typically if someone has “rogue” software installed at a non-standard location it would be either on their desktop or in their downloads directory, and I’m not sure that the applications inspector even searches those locations.
##—>Update: this is wrong, see the discussion below.<—
I think it needs to be combined like this:
I think the essence of the relevance is that versions “11.0.11” & “10.1.4” are acceptable because they are fully up to date with current patches, while all other versions are not.
The issue with my relevance above is that 10.1.5 will fail compliance once released and patched even though it is even newer, while 11.0.12 won’t have the same issue.
Except v10 would be located at “/Applications/Adobe Acrobat X Pro” so you’d either have to abstract out that folder path or just check that specific path for that for the minimum (or undesired?) version of “10.1.4”. Second option seems better to me, since you’re really comparing two very similar but unique applications.
Good point about them being 2 separate applications. It really should be 2 separate compliance criteria, especially since you could have both or neither installed.
This is one of those cases where 2 is simpler than 1, which is often the case when it comes to relevance.
Thank you guys for all your help. AlanM, your relevance helped for situations where multiple versions are current. Hansen and Jgstew, thank you for another route using direct paths to get application versions. Thanks for all your help guys.
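The difference between the "!=" test in the question and the "<" minimum-version test suggested in the replies, modelled in Python as an added example (not code from any poster, and not BigFix relevance). The hostnames and installed versions are constructed; only the baselines 11.0.11 and 10.1.4 come from the thread.

```python
# Added example: the baselines are the two versions named in the thread;
# hostnames and installed versions below are constructed sample data.

def parse_version(text, width=4):
    """'11.0.11' -> (11, 0, 11, 0): numeric, zero-padded components."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

# Major release line -> minimum acceptable (fully patched) version.
BASELINES = {10: parse_version("10.1.4"), 11: parse_version("11.0.11")}

def baseline_for(version):
    """Baseline for this version's release line, or None if the line is untracked."""
    return BASELINES.get(parse_version(version)[0])

def flagged_exact(version):
    """'!=' rule: any tracked version other than the baseline is non-compliant."""
    base = baseline_for(version)
    return base is not None and parse_version(version) != base

def flagged_minimum(version):
    """'<' rule: only tracked versions older than the baseline are non-compliant."""
    base = baseline_for(version)
    return base is not None and parse_version(version) < base

INVENTORY = {  # constructed: host -> installed Acrobat Pro versions
    "mac-01": ["11.0.11"],
    "mac-02": ["11.0.9"],
    "mac-03": ["10.1.5"],             # newer than the 10.x baseline
    "mac-04": ["10.1.4", "11.0.10"],  # both release lines installed
    "mac-05": ["9.5.5"],              # release line with no baseline
}

def report(inventory):
    """Per host: result of each rule, plus versions neither rule can judge."""
    return {
        host: {
            "exact": any(flagged_exact(v) for v in versions),
            "minimum": any(flagged_minimum(v) for v in versions),
            "untracked": [v for v in versions if baseline_for(v) is None],
        }
        for host, versions in inventory.items()
    }

if __name__ == "__main__":
    for host, row in report(INVENTORY).items():
        print(host, row)
```

Versions on a release line that has no baseline are reported as untracked rather than compliant, since neither rule in the thread evaluates them.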