Relevance on Bigfix Inventory check

Hi Bigfixers,

I have been stuck on this problem for quite some time now. We have deployed Bigfix and Bigfix Inventory to a few servers for testing purposes. We are able to see what software is installed or identified in the Bigfix Inventory web GUI. However, we would like to use this information in a relevance check for a custom Fixlet.

Example:
if (DB2 == installed)
Then true;

Is this possible with the relevance script? Could it be done through APIs or database queries?

Hi,

You can try to check for a running service, like below:

You can also search for a specific key in the registry. As an example, check the Initiate Software Scan fixlet for the string 'keys "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"'. The trick is that Uninstall stores installed products.

Regards,
Andrzej

Another approach would be to review the BFI report for Installed Software filtered for DB2. In this way you can find the signatures that BFI uses to identify DB2 in your environment. The challenge that you face using relevance is the variety of ways in which DB2 may have been installed. In the case of DB2, BFI uses a file-based signature, which happens to be fairly easy to use in relevance.

For example, BFI detected DB2 on one server using this signature:

IBM DB2 Enterprise Server Edition OEM Limited Use

Publisher
    IBM
Product
    IBM DB2 Enterprise Server Edition OEM Limited Use
Version
    IBM DB2 Enterprise Server Edition OEM Limited Use 10
Release
    IBM DB2 Enterprise Server Edition OEM Limited Use 10.5
Component
    IBM DB2 Enterprise Server Edition OEM Limited Use 10.5
GUID
    b7c73be6-2658-4cec-a841-1f4baf67bc1b

IBM DB2 Enterprise Server Edition OEM Limited Use was detected because the following condition was met:

The signature was last modified at 12/18/2013 09:16 AM

A computer has:

        A signature that uses: File Signature

            "<MultipleInstance><Iterator name=\"INSTALL_PATH\"><FindFilePathEx name=\"IBM_DB2_Enterprise_Server_Edition_OEM_Limited_Use-10.5.0.swtag\"/></Iterator><Instance><Variable name=\"IS_INSTALLED\" export=\"true\"><FileExists absolutePath=\"$(INSTALL_PATH)IBM_DB2_Enterprise_Server_Edition_OEM_Limited_Use-10.5.0.swtag\"/></Variable><Condition withVariable=\"IS_INSTALLED\"><Action do=\"SKIP\" onValue=\"false\" /></Condition></Instance></MultipleInstance>"

        Discovered matches:

            Installation Path:
                C:\IBM\SQLLIB\properties\version

The Installation Path contains the full path to the Software ID Tag file defined in the File Signature. I found three unique file path/file signature combinations which are associated with various versions of DB2 in my environment.

The relevance looks like this:

exists file "C:\IBM\SQLLIB\properties\version\IBM_DB2_Enterprise_Server_Edition_OEM_Limited_Use-10.5.0.swtag" or exists file "/opt/ibm/db2/V10.5/properties/version/IBM_DB2_Enterprise_Server_Edition_OEM_Limited_Use-10.5.0.swtag" or exists file "/opt/ibm/db2/V10.5/properties/version/IBM_DB2_Workgroup_Server_Edition_OEM_Limited_Use-10.5.0.swtag"

Most of IBM’s software uses a .swtag file for discovery, which is convenient for this particular approach.

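As an added illustration of the port described in the post above (not part of the original thread and not BFI's own code), this Python sketch turns a simple file signature plus the discovered installation paths into an `exists file` relevance clause. The function names are hypothetical, and it assumes a signature with exactly one Iterator and one FileExists element; anything more complex is rejected rather than guessed at.

```python
import xml.etree.ElementTree as ET

# Signature text as shown in the BFI report above, with the \" escapes removed.
SIGNATURE = (
    '<MultipleInstance><Iterator name="INSTALL_PATH">'
    '<FindFilePathEx name="IBM_DB2_Enterprise_Server_Edition_OEM_Limited_Use-10.5.0.swtag"/>'
    '</Iterator><Instance><Variable name="IS_INSTALLED" export="true">'
    '<FileExists absolutePath="$(INSTALL_PATH)IBM_DB2_Enterprise_Server_Edition_OEM_Limited_Use-10.5.0.swtag"/>'
    '</Variable><Condition withVariable="IS_INSTALLED">'
    '<Action do="SKIP" onValue="false" /></Condition></Instance></MultipleInstance>'
)

def relevance_literal(text):
    """Quote text as a relevance string literal (% and " are percent-encoded)."""
    return '"' + text.replace("%", "%25").replace('"', "%22") + '"'

def with_separator(path):
    """Return path ending in its own separator, since the template adds none."""
    sep = "\\" if ("\\" in path or path[1:2] == ":") else "/"
    return path if path.endswith(("\\", "/")) else path + sep

def relevance_from_signature(signature_xml, install_paths):
    """Build an 'exists file ... or ...' clause from a simple file signature."""
    root = ET.fromstring(signature_xml)
    iterator = root.find("Iterator")
    checks = root.findall(".//FileExists")
    if iterator is None or len(checks) != 1:
        raise ValueError("not a simple file-existence signature; port it by hand")
    placeholder = "$(" + iterator.get("name", "") + ")"
    template = checks[0].get("absolutePath", "")
    if placeholder not in template:
        raise ValueError("unsupported absolutePath: " + template)
    if not install_paths:
        raise ValueError("no installation paths supplied")
    return " or ".join("exists file " + relevance_literal(
        template.replace(placeholder, with_separator(p))) for p in install_paths)

if __name__ == "__main__":
    # Installation paths taken from the report and relevance in the post above.
    paths = ["C:\\IBM\\SQLLIB\\properties\\version", "/opt/ibm/db2/V10.5/properties/version"]
    print(relevance_from_signature(SIGNATURE, paths))
```
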

Hi Andrzej,

Thanks for your reply. Yes, a registry check would be sufficient if we were only going to address a few software products. However, we are dealing with 1000+ software products running on Wintel and Power. Instead of copying the software signatures from the Bigfix Inventory catalog and using our own custom relevance check, I believe it would be a better approach to rely on the Bigfix Inventory DB. However, I’m open to ideas.

What is your use case? BFI has fairly comprehensive reporting built-in, and it provides a REST API. See here: REST API for retrieving software and hardware inventory (v2) (note that this is available from version 9.2.8 onwards).

Hi Itsmpro92,

The use case here is a security patch check. It’s quite a simple use case:

First we would like to determine if the software product is installed. If the software product is installed, then we would like to check if the security patch is installed. There is a difference between software versions/patches and security patches.

So first relevance would be

if (softwareIsInstalledForComputerInBFI({SOFTWARE})):
   True

The next relevance check would be:

 if (securityPatchDoesNotExist({SECURITY-PATCH})):
    True

Some of the signatures that are used by Bigfix Inventory could be directly ported to a relevance check, for example the DB2 one you mentioned. However, some software signatures are a little more complex and can’t be easily ported. Furthermore, copying the signature checks would be very redundant, as these scans would be done twice, once for Bigfix and then again for BFI. Also, Bigfix Inventory supports various settings for which folders should be included or not; this would serve as global/central settings and is really useful for us, instead of us altering all the custom Fixlets to accommodate a new settings change.

I’m not sure how you would do this within the BigFix console. You might be able to accomplish this with a custom web report that uses java to parse the JSON returned by the BigFix REST API query for the software in question to get the computer IDs, and then pass that into a relevance statement that looks for the security patch.

How do you plan to identify the security patch? Will you be developing your own detection logic?

Perhaps you should consider implementing custom signatures in BFI for the security patches.