Forgive my lack of knowledge here as I have never tried this via Bigfix.
I have a customer we are trying to build an automation plan for. After disabling specific services related to their application, we need to place that application in read only mode. Is running a command like the below from a specific folder possible with Bigfix? And if so, is there any kind of error checking that can be done? What might the syntax be? Any assistance would be greatly appreciated.
• Run the following:
o NPCXCMD executable
Located in C:\Program Files\LRS\PageCenterX\Bin
• pcxcmd -p=1234 -usr=jdoe -pwd=[redacted] -cmd=config -readonly=y
o Config Syntax examples:
o To put PageCenterX into read-only mode:
• C:\Program Files\LRS\PageCenterX\Bin>
npcxcmd -usr=admin -pwd=[redacted] -cmd=config -readonly=y
Absolutely, you can execute any command, executable, object via BigFix that you can from the keyboard. In this case, I believe you’ll want to implement the waithidden command within your Action Script. A ruidementary example would be as follows:
Please note that secure parameters are highly recommended when dealing with secure transport of credentials. An example fixlet with secure parameters can be found here on the BigFix.me website.
I found this https://www.bigfix.me/fixlet/details/2593 on Bigfix.me as well. As I understand it, when you type text in the “secret” field on that fixlet it deploys a c:\secret file to the client which can then be called as you did above. I’m just a little confused as to the proper values that should be typed in that “secret” filed? Would it be:
Secure parameters is a big topic. I’ve been meaning to write up a blog on it but priorities keep getting in the way.
The discussion at Secure Parameters may be helpful on how you’d use a secure Parameter.
The general way it works is that you enter your password in the Description tab, and when you take an action that parameter is encrypted so only the targeted machine can read the value. In ActionScript you just reference it as {parameter "secret" of action}
“Secret” is just a parameter name. You can have different names or more than one of them.
The Console does not give a user interface for changing the input display, you have to edit the .BES file with a text editor directly to use different parameter input names or to add more than one secure Parameter.
Circling back on this, apologies I don’t seem to wrapping my head around this. So would my action script look like the following? I have successfully used the dirstribute secret task.
If I understand you correctly, you have run the task that drops a file on the target that contains your secret value?
You absolutely do not want to be doing that - your secret is no longer a secret.
The whole point of a secret parameter is that it is never stored at rest, only gets transmitted to the client in encoded form (and will only decode on that one client), and is used by that client for the one purpose and discarded.
That sample script you have been looking at was just a demo - and it wrote the value out so you can see it in action.
So, bearing that in mind, the first thing to do is change your password - it as been sitting around in a file on your endpoint.
Then, to use it in a fixlet or task
//
// any setup/preable stuff can go here
// stuff like disabling 32-bit redirection....
//
// don't write everything to the client log
action log command
//
// run your command using the secret parameter
waithidden “C:\Program Files\LRS\PageCenterX\Bin\npcxcmd” -usr=admin -pwd={parameter “secret1” of action} -cmd=config -readonly=y
//
// can now you can log everything again
action log all
// remainder of script (if anything) can follow on here
The secure parameter is located in the Description of the Fixlet that you take the action from.
Check out the sample fixlet again and be sure to check on the javascript tag inside of the Fixlet Description. https://www.bigfix.me/fixlet/details/2593
So these are two separate tasks. One to distribute the secret and the other task has the above command in it that is placed in an automation plan. Should these tasks be combined?
The Secrets Task/Fixlet does not “distribute” the secret, so much as it carries it along temporarily, encrypted. to be used only in the accompanying action script, then discards it.
So yes, you will want to start with the “Secret” fixlet and add in your action script that uses the secret. 1 Task, 1 Action. Very secure.
To use in a server automation plan, I think you would have to use the Hardcoded secret instead of the TextBox secret, which would expose the secret to people who could see the Fixlet Description in the BigFix console. Perhaps not ideal, but a lot better than leaving the passwords around on the endpoint in a file.
You would edit the Fixlet, Description page - find the SCRIPT icon and you could adjust the HardCodedSecret-42{} string to be your own secret string. The BES File will have this detail available as well, but is less friendly for edits.
All lines of the action script completed, however status stated it failed. I’d have to check with the application owner in the morning if the command worked.
dos echo {parameter “secret” of action} > "{(pathname of parent folder of data folder of client) & “\secret.txt”}"
dos echo {parameter “secret2” of action} >> “{(pathname of parent folder of data folder of client) & “\secret.txt”}”
action log command
waithidden “C:\Program Files\LRS\PageCenterX\Bin\npcxcmd” -usr=admin -pwd={parameter “secret2” of action} -cmd=config -readonly=y
action log all
EDIT: I’m assuming if the application owner states all worked well, I just need to edit the custom success criteria and set to this is successful when all lines of the action script complete.
