I’m trying to build logic for scanning the infrastructure on a monthly basis. (SUA software scanning)
I have 28 groups that are populated evenly with computers (via a randomizing task which sets a random number between 1 and 28 for each endpoint). I want to scan each computer once a month by scanning one group every day for 28 days.
I’m thinking about creating a setting, for example “scan_eligibility”, which will equal 1 when a computer needs a scan, and 0 if it has been scanned within the last 28 days. However, I’ve become stuck as to what logic I will use. I started creating a task that would run once a day and set “scan_eligibility” to 1 if its scan group is equal to the date, and if it has not scanned within the last 28 days. I cannot find a good way to get the second statement to work as there is no nice way of determining if a scan has completed - the built-in analysis retrieves the information from a couple of CIT files on the endpoint, which I want to avoid as it’s not the most consistent.
Is there a way of finding out the ‘last time a specific action was taken on the endpoint’, and also the output of that action - Completed, Failed, etc.? Then I could use that date for my ‘last 28 days’ statement.
Eventually I will have some systems in maintenance mode during the week etc, so I would have an additional line to set “scan_eligibility” to 1 if a scan was supposed to have completed in the last 7 days but it hasn’t. Like a cleanup task to capture the ones that might have been off/in maintenance mode on their scan day - this would only be eligible on the weekend and capture the last weeks worth of missed computers.
I’m looking for some advice to see what others have done in this space to manage their scanning on large environments.
The agents provide a “snapshot” view of the current state of the machine and aren’t really that great at time-based things like you are trying to do.
The best thing I could think of is that your scan could set a client setting when it runs and that could be used with time comparisons to determine if the 28 days has elapsed. This could then be used in fixlet relevance even in a perpetual action that would just run the scan.
I think setting a custom setting in the software scan is probably the most consistent way to do it. The capacity scan does set a custom setting with a time stamp, so it’s a pity that the software scan is set up differently out of the box.
What I might do is introduce a couple of custom settings. One that extracts the ‘status’ out of the CIT log after each scan. Then I can work out what’s tried to scan, what’s actually completed a scan and what’s failed. And then another setting for the time stamp.
The only problem is trying to keep it consistent over time. The software scan task is updated from BigFix from time to time - usually when there’s a new scanner for example.
You can use Relevance based on the last active time of the Action. So as a Fixlet it’s relevant, but as an Action it becomes not relevant after running, until the timeout is reached. You’d run the Action with parameters to “reapply whenever it becomes relevant again”.
(not exists last active time of it or (now - last active time of it) > (28 * day)) of action
I haven’t tried this, but I think it should work. You could make a Baseline of two items - one with the Bigfix provided scan, marked to “do not include this in baseline relevance”, and another component with the relevance that you want to use. Then you just sync the baseline when Bigfix changes their scanning fixlet.
If a machine is offline on the day it’s supposed to scan, do you want it to catch up when it comes back online, or wait for the next month?
You could combine the earlier ideas. If you are using a client setting “clientgroup” to populate your 1-28 integers, how about some variant of
(not exists last active time of it or (now - last active time of it) > (28 * day)) of action
AND
day_of_month of current date as integer = value of setting "clientgroup" of client as integer
I’ve gone down a route which is very similar to what you explain - but I do it using a custom setting for the scan task instead of last active time of action - I figured that I will have to change the scan task anyway to accommodate some stuff BigFix have missed, i.e. to check the size of the file-system for space etc. Although I could add this to my ‘scan eligible’ task too I suppose. But it’s neither here nor there. This is how I’ve worked the relevance - pretty much the same concept as yours, which is reassuring to know.
I have a task that sets a ‘scan relevant’ setting that runs every day with the relevance ‘if today is our scan group day then =1, otherwise =0’. I modify the scan task relevance to check this each time it runs.
Then to catch computers that were off/in maintenance, I run a ‘cleanup’ every weekend looking back over the last 7 days which sets ‘scan relevant’ =1 if the scan group is within the last 7 days and it has not scanned in the last 28 days:
I have to do it every 7 days because of the number of endpoints in the system - keeping the ETL process to a minimum.
I do wish there was a more elegant way to do this in general.
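The scheduling logic discussed in the two posts above (group day = day of month, 28-day interval, weekend catch-up over the last 7 days) is easy to get subtly wrong around month boundaries and offline days, so here it is as an added Python simulation. This is not BigFix relevance and not code from anyone in this thread; the `last_scan` date stands in for whichever source you choose (a custom setting written by the scan task, or the action's last active time), the group number stands in for the "clientgroup" client setting, and the fleet, offline days and Saturday cleanup run are constructed assumptions for the simulation.

```python
from datetime import date, timedelta

SCAN_GROUPS = 28                    # assumed: "clientgroup" setting holds 1..28
SCAN_INTERVAL = timedelta(days=28)  # rescan only when the last scan is older than this
CATCHUP_WINDOW = 7                  # days the weekend cleanup looks back


def needs_scan(last_scan, today):
    """True if no completed scan is recorded or the last one is older than 28 days.
    Mirrors: not exists last active time of it or (now - last active time of it) > 28*day."""
    return last_scan is None or (today - last_scan) > SCAN_INTERVAL


def is_scan_day(group, today):
    """Mirrors: day_of_month of current date as integer = value of setting "clientgroup"."""
    return today.day == group


def catchup_day_missed(group, today, window=CATCHUP_WINDOW):
    """True if this group's day fell inside the previous `window` days (today excluded).
    Walking back day by day, not comparing day numbers, keeps month boundaries correct
    (e.g. group 28 is still caught by a cleanup run on the 3rd of the next month)."""
    return any((today - timedelta(days=d)).day == group for d in range(1, window + 1))


def scan_eligible(group, last_scan, today, is_cleanup_run=False):
    """Decision an endpoint would make for today.
    Daily run: eligible only on its own group day.
    Cleanup run (weekend): additionally eligible if its group day was missed this week."""
    if not needs_scan(last_scan, today):
        return False
    if is_scan_day(group, today):
        return True
    return is_cleanup_run and catchup_day_missed(group, today)


def simulate(fleet, start, days, offline=None):
    """Run the daily decision over a fleet.
    fleet:   {endpoint: group}
    offline: {endpoint: set of dates the endpoint is off / in maintenance}
    Returns {endpoint: [dates on which it scanned]}.
    The cleanup run is assumed to be every Saturday (weekday() == 5)."""
    offline = offline or {}
    last = {name: None for name in fleet}
    history = {name: [] for name in fleet}
    for i in range(days):
        today = start + timedelta(days=i)
        cleanup = today.weekday() == 5
        for name, group in fleet.items():
            if today in offline.get(name, set()):
                continue                        # agent not running that day
            if scan_eligible(group, last[name], today, cleanup):
                last[name] = today              # the scan task would write the setting here
                history[name].append(today)
    return history


if __name__ == "__main__":
    # Constructed fleet: two endpoints in group 13; ws02 is in maintenance on its scan day.
    fleet = {"ws01": 13, "ws02": 13}
    offline = {"ws02": {date(2024, 3, 13)}}
    for name, dates in simulate(fleet, date(2024, 3, 1), 20, offline).items():
        print(name, [d.isoformat() for d in dates])
```

Running the sample shows ws01 scanning on 13 March and ws02, which was off that day, being picked up by the Saturday 16 March cleanup run rather than waiting a month. Note that once an endpoint has been caught up a few days late, its next regular group day comes round less than 28 days later, so `needs_scan` is false on that day and it is again the weekend cleanup that scans it; the 7-day look-back has to stay at least as long as the gap between a group day and the next cleanup run for that to hold.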
I don’t think this option works well when targeting a group:
Though if you have enough endpoints, you’d probably want to have the ETL kick off twice a day or something like that if it is going to run every 7 days.