TEM Config Management?

(imported topic written by cstoneba)

Has anyone ever used TEM to deploy an enterprise-wide configuration management process? We want to use TEM to ensure our servers comply with a gold standard (e.g., Trend AV is configured for the right server and the right port, Splunk is configured for the right server and the right version, etc.). I could make individual tasks with TEM to enforce the standards, but the challenge is associating a group of servers with a config management rule. The data should preferably be stored in a database (somehow), rather than in the relevance of each task or in a local file that resides on each endpoint.

Does anyone have any experience or best practices for deploying such a solution?

(imported comment written by martinc)

I did something similarish :wink:

Basically we had a database of information for all servers that would run an early morning job to extract the required information to a CSV file. We would then process that CSV file and apply client settings to a system. We then had reports that would show us various pieces of information.

Taking that process, I could see you extracting the data and either using client settings or a flat text file that an analysis/task could reference for the settings for that system.

So it would be in a local file, but that file is not manually maintained. The data ultimately comes from a database, so you should be good.

Hope that helps.

Martin Carnegie

Gulf Breeze Software Partners

www.gulfsoft.com

(imported comment written by cstoneba)

Thanks martinc. So you just analyzed whether systems were in compliance, but didn't remediate them with a task?

(imported comment written by martinc)

We did not get into the automated remediation. But :slight_smile:

Using that reference file, you could use it within a script to reset what is out of compliance. The problem here is that I need to understand what settings you are looking at to come up with a design, but that is not really something I can do in a forum :frowning:

As an example though, say you were looking at the registry key HKLM\Software\BigFix\somekey. The “somekey” should be set to 1. The lookup file could be something like:

HKLM\Software\BigFix\somekey=1

Your fixlet could loop through the file checking each entry and if it is not as per the line, then the fixlet would set it accordingly.

This is a very high level idea, but maybe it could start you on a design.

Martin Carnegie

Gulf Breeze Software Partners

www.gulfsoft.com
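One way to implement the lookup-file idea sketched in the post above, as an added example (not code from the thread or from any BigFix content). It parses the `hive\path\valuename=value` format shown there, reports which entries are out of compliance, and sets them. The registry is modelled by a small in-memory store so the logic runs anywhere; on Windows the same two-method interface could be backed by `winreg` (an assumption, not shown). Comment lines, the hive list, and the sample file contents are my additions.

```python
"""Lookup-file compliance check and remediation (added example)."""
from dataclasses import dataclass

# Assumption: keys use the short hive prefix, as in the post's example line.
HIVES = {"HKLM", "HKCU", "HKCR", "HKU", "HKCC"}


@dataclass(frozen=True)
class Rule:
    key: str    # e.g. "HKLM\\Software\\BigFix"
    name: str   # e.g. "somekey"
    value: str  # desired value, kept as text; the store decides the type


def parse_lookup_file(text):
    """Parse lines of the form hive\\path\\name=value.

    Blank lines and '#' comments are skipped (assumption). Only the first '='
    separates name from value, so values may themselves contain '='. A
    malformed line raises instead of being skipped, so a corrupt or tampered
    file fails closed rather than silently enforcing a partial standard.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: missing '='")
        path, value = line.split("=", 1)
        path = path.strip()
        if "\\" not in path:
            raise ValueError(f"line {lineno}: no value name in {path!r}")
        key, name = path.rsplit("\\", 1)
        hive = key.split("\\", 1)[0].upper()
        if hive not in HIVES:
            raise ValueError(f"line {lineno}: unknown hive {hive!r}")
        rules.append(Rule(key, name, value.strip()))
    return rules


class MemoryRegistry:
    """In-memory stand-in for the registry, keyed by (key, name), case-insensitive
    like the real one. Values are strings; a winreg backend would map types."""

    def __init__(self, initial=None):
        self._data = dict(initial or {})

    def get(self, key, name):
        return self._data.get((key.lower(), name.lower()))

    def set(self, key, name, value):
        self._data[(key.lower(), name.lower())] = value


def check(rules, registry):
    """Return (rule, current_value) for every rule that is not satisfied."""
    drift = []
    for r in rules:
        current = registry.get(r.key, r.name)
        if current is None or str(current) != r.value:
            drift.append((r, current))
    return drift


def remediate(rules, registry, dry_run=False):
    """Set every drifted value to its desired value; return the count changed.
    dry_run reports without writing, which is what an analysis would do
    before the same logic is turned into an enforcing task."""
    drift = check(rules, registry)
    if not dry_run:
        for r, _ in drift:
            registry.set(r.key, r.name, r.value)
    return len(drift)


# Constructed sample file; only the first entry comes from the post.
SAMPLE_FILE = """\
# gold standard for the web tier
HKLM\\Software\\BigFix\\somekey=1
HKLM\\Software\\Acme\\Splunk\\ForwardServer=splunk01.example.internal:9997
HKLM\\Software\\Acme\\AV\\UpdateURL=http://av01.example.internal/update?ver=2
"""


def demo():
    """Run the check against a constructed registry state: one value wrong,
    one already compliant, one missing."""
    rules = parse_lookup_file(SAMPLE_FILE)
    reg = MemoryRegistry({
        ("hklm\\software\\bigfix", "somekey"): "0",
        ("hklm\\software\\acme\\splunk", "forwardserver"): "splunk01.example.internal:9997",
    })
    before = [r.name for r, _ in check(rules, reg)]
    changed = remediate(rules, reg)
    after = check(rules, reg)
    return before, changed, after


if __name__ == "__main__":
    print(demo())
```

Run `check` from an analysis first and only wire `remediate` into a task once the drift report looks right; a lookup file that arrives truncated or with a stray line should stop the run, which is why the parser raises instead of skipping.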

(imported comment written by cstoneba)

Right, but my concern isn't with setting the configuration, but with identifying the configuration that each endpoint should receive. An external DB like you mentioned seems like the obvious choice, but my only issue is getting the data to the endpoints. My current plan is to have some web server running that hosts some API/CGI. The client would use the "download now" command to hit the web server, pass in the client hostname and some other parameters, and the web server would know (based on the URL) to go retrieve the requested data from the database. Then the web server passes the data back to the client in the form of a download file. That's the plan anyway.

I really thought IBM would have a product that already does config management. Since they are so good at enforcing OS-level items, something like this should be easy for them to create.
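A minimal version of the web server side of that plan, as an added example that is not code from the thread: the endpoint asks for its settings by hostname, the server answers from a database, and the response body is in the lookup-file format martinc sketched earlier. Assumptions: an in-memory sqlite3 database stands in for the real server database; hosts are mapped to roles and roles to settings (the schema and sample rows are constructed); the handler is a plain WSGI app so it can sit under any WSGI server, and `wsgiref` is used only to start it stand-alone. The `X-Content-SHA256` header name is my own choice, not a standard header.

```python
"""Per-host config lookup service (added example)."""
import hashlib
import re
import sqlite3
from urllib.parse import parse_qs

# RFC 1123 style host name: reject anything that is not a label sequence.
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9-]{1,63})*$")

# Constructed schema: hosts carry roles, roles carry settings.
SCHEMA = """
CREATE TABLE host (name TEXT PRIMARY KEY);
CREATE TABLE role (name TEXT PRIMARY KEY);
CREATE TABLE host_role (host TEXT REFERENCES host(name),
                        role TEXT REFERENCES role(name),
                        PRIMARY KEY (host, role));
CREATE TABLE setting (role TEXT REFERENCES role(name), regpath TEXT, value TEXT,
                      PRIMARY KEY (role, regpath));
"""


def build_sample_db():
    """Constructed sample data (not from the thread): two roles, two hosts."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO host VALUES (?)", [("web01",), ("db01",)])
    db.executemany("INSERT INTO role VALUES (?)", [("base",), ("web",)])
    db.executemany("INSERT INTO host_role VALUES (?, ?)",
                   [("web01", "base"), ("web01", "web"), ("db01", "base")])
    db.executemany("INSERT INTO setting VALUES (?, ?, ?)", [
        ("base", r"HKLM\Software\BigFix\somekey", "1"),
        ("base", r"HKLM\Software\Acme\Splunk\ForwardServer", "splunk01.example.internal:9997"),
        ("web", r"HKLM\Software\Acme\AV\ScanPort", "4343"),
    ])
    return db


def render_config(db, hostname):
    """Return the lookup-file text for a known host, or None if the host is
    unknown. Queries are parameterised; the hostname never reaches SQL as text."""
    if db.execute("SELECT 1 FROM host WHERE name = ?", (hostname,)).fetchone() is None:
        return None
    rows = db.execute(
        """SELECT s.regpath, s.value FROM setting s
           JOIN host_role hr ON hr.role = s.role
           WHERE hr.host = ? ORDER BY s.regpath""", (hostname,)).fetchall()
    return "".join(f"{path}={value}\n" for path, value in rows)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_app(db):
    """WSGI app serving GET /config?host=<name>. A malformed or unknown host
    gets 400/404 rather than an empty file, so a bad request cannot quietly
    leave an endpoint with nothing to enforce."""
    def app(environ, start_response):
        if environ.get("PATH_INFO") != "/config" or environ.get("REQUEST_METHOD") != "GET":
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found\n"]
        qs = parse_qs(environ.get("QUERY_STRING", ""))
        host = (qs.get("host") or [""])[0].lower()
        if not HOSTNAME_RE.match(host):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"bad host name\n"]
        text = render_config(db, host)
        if text is None:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"unknown host\n"]
        body = text.encode()
        # Length and digest travel with the file so the fetcher can verify it.
        start_response("200 OK", [("Content-Type", "text/plain"),
                                  ("Content-Length", str(len(body))),
                                  ("X-Content-SHA256", sha256_hex(body))])
        return [body]
    return app


def call(app, path, query):
    """Drive the app without a socket; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path,
                         "QUERY_STRING": query}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, make_app(build_sample_db())).serve_forever()
```

Two caveats a practitioner would want here. First, the caller supplies its own hostname and nothing authenticates it, so any endpoint (or anything that can reach the port) can pull any other host's standard; in practice this needs to sit behind the network controls discussed in the thread or in front of client-certificate authentication. Second, the digest header lets the fetcher verify what it received, but it does not remove the problem raised in the next post: a download method that wants the size and hash up front needs them at action-authoring time, and this service only knows them when it renders the file.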

(imported comment written by martinc)

That sounds like it could work. Again, I do not really know your environment, so it is hard to say for sure as it could depend on the number of configuration items you need to check and if this would need to be scalable if more settings are needed. I am not a big fan of the download now since it does not use the relays and does not work for DMZ/Internet devices (unless you are willing to open some big holes). The problem I guess is that since the other methods require size/hash checks, you are stuck.

I am wondering if there would be some way to involve the REST API in this, but I would need to think that out.

TEM does have some config management built in for the SCM stuff, but that requires some manual intervention. I guess it would be hard to design something that would cover all areas of configuration. I know that you could look at TADDM for some of this, but not sure if it would be good for what you are trying to do.

(imported comment written by vpetrell)

Couldn’t you just use Security and Compliance to do this? You could build a compliance policy for your servers and have it enforced.

Do you own that module?