Looking for some information on how the client stores action information on the machine. We’re in the design stages of a process where we would like to keep the action being run as secure as possible as it may contain sensitive information. Can anyone detail how a client stores and retrieves the action information of a fixlet? We are specifically looking for the action script info, not the relevance (we know thats in .fxf)
2 Likes
The action history on the client side is in BigFix Enterprise\BES Client\__BESData\__Global\ActionHistory.db
The action script will also appear on the client side in the BigFix Enterprise\BES Client\__BESData\<sitename>\Action<123>.fxf file while the action remains open.
The action script details may also appear in the client logs BigFix Enterprise\BES Client\__BESData\__Global\Logs
Suggest, look at secure parameters for your sensitive parts.
https://www.bigfix.me/fixlet/details/3679
2 Likes
One other thing to consider here is that by default, the BESClient folder (and/or the __BESData folder) is permissioned to only allow SYSTEM and administrators on Windows, and ‘root’ on non-Windows.
Please let us know if any of this is unclear, or if there are additional questions/concerns.
we dont see the action script in any of the .fxf files…
the concern is exposure of a credential in the action script.
If you’re including any kind of credentials in actionscript, as @brolly33 suggests above, we would certainly recommend the use of secure parameters to encrypt the credentials. If it’s unclear how to use the example referenced, let us know.
Hello!
I know this is an old thread but the title exactly matches my question and I’m hoping for elaboration on the replies offered already please. The reason is, the .log and .fxf files I’m able to find have no details; and I know I found some log with every line of an Action ran when I was using BigFix elsewhere back in 2019.
Currently I’m attempting to Designate Nmap Scan Point (Task 260) and attempting to troubleshoot the cause of nothing happening. The Action remains Open though the End date/time have passed, with status “Not Reported”. (I customized the Action to add “action log all” at the very top.)
On a related note, when I run the Action locally via Fixlet Debugger it fails due to issues with substitution relevance, finishes when I replace the substitution relevance with the appropriate details but, Nmap is not installed…
Thoughts/Questions?
Thanks in advance!
The action status of ‘Not Reported’ could indicate that the BESClient never actually received the action or the UDP notification to gather the action.
Can you see reference to the Action ID as seen in the Console, in the Client log ?
I created the action as a Master Operator and targeted the Computer by selecting it directly out of the applicable computers list.
The Action ID for me is 9778
The action script is clearly visible in the fxf file, in my case a Linux endpoint.
[root@bfrhv9a ~]# more /var/opt/BESClient/__BESData/mailboxsite/Action\ 9778.fxf
Here is a small extract
Content-Type: application/x-bigfix-itclient-action
Content-Type: application/x-Fixlet-Windows-Shell
action-requires-downloads: 1
site-context: http://sync.bigfix.com/cgi-bin/bfgather/assetdiscovery
fixlet-context: 263
action-parameter: “action issue date”=“Sun, 14 Sep 2025 04:17:34 +0000”
//Remove conflicting packages, order is important
if {(name of operating system) as lowercase does not contain “tinycore”}
wait rpm -e zenmap --allmatches
wait rpm -e nmap-frontend --allmatches
wait rpm -e nmap --allmatches
endif
// create directory for Nmap
wait mkdir {parent folder of parent folder of client folder of current site as s
tring & “/BESScanner-NMAP”}
Here is a small extract from the Client log
ActionLogMessage: (action:9778) starting action
At 23:18:15 -0500 - actionsite (http://bfwinroot.gbl.tx.usa:52311/cgi-bin/bfgather.exe/actionsite)
Command started - wait rpm -e zenmap --allmatches (action:9778)
Waiting for rpm completion. wait rpm -e zenmap --allmatches (action:9778)
At 23:18:16 -0500 - actionsite (http://bfwinroot.gbl.tx.usa:52311/cgi-bin/bfgather.exe/actionsite)
Command succeeded (Exit Code=1) wait rpm -e zenmap --allmatches (action:9778)
Command started - wait rpm -e nmap-frontend --allmatches (action:9778)
Waiting for rpm completion. wait rpm -e nmap-frontend --allmatches (action:9778)
At 23:18:17 -0500 - actionsite (http://bfwinroot.gbl.tx.usa:52311/cgi-bin/bfgather.exe/actionsite)
Command succeeded (Exit Code=1) wait rpm -e nmap-frontend --allmatches (action:9778)
Command started - wait rpm -e nmap --allmatches (action:9778)
Waiting for rpm completion. wait rpm -e nmap --allmatches (action:9778)
At 23:18:18 -0500 - actionsite (http://bfwinroot.gbl.tx.usa:52311/cgi-bin/bfgather.exe/actionsite)
Command succeeded (Exit Code=1) wait rpm -e nmap --allmatches (action:9778)
Command started - wait mkdir /var/opt/BESClient/BESScanner-NMAP (action:9778)
Seems to me that the action was created with only a 20 minute life. 3:10 to 3:30, and by the time the agent downloaded it at 15:46, it was already expired.
1 Like
Thanks! Will try refreshing the client immediately after starting the Action; but the Action also failed (without errors) when ran locally via the Fixlet Debugger. Will let you know what happens.
