BigFix is well known for its native relevance language and its flexibility; that is what makes it so unique.
The language has two main contexts - Client and Session.
'Client Relevance' is the means of communicating with every client: the agent itself evaluates the query on the endpoint and reports the results back to the root server.
Client relevance can be used throughout the platform in the form of a 'Property' or inside objects such as Baselines, Analyses, Groups, etc.
'Session Relevance' is the way to communicate with the platform itself, much like querying a database rather than individual clients.
Session relevance can be used to pull data via REST or SOAP APIs and Custom Reports.
Let's focus on Client Relevance:
Client-side relevance allows operators to send queries to the endpoint, which returns one or more results that can be used for automation, grouping, reporting, etc.
Here are some basic examples:
Fetch all users that belong to the local 'Administrators' group:
members of local group "Administrators"
Display all services that run as a domain account (here, any login account whose name contains "lab"):
(display names of it, login accounts of it) of services whose (login account of it contains "lab")
Based on the returned data, automation can be created to reduce wasted time and effort.
For example, a System Administrator is asked to remove a specific user or group from the local 'Administrators' group on all endpoints.
An automated action can be created around a relevance query that returns a Boolean value (true or false) indicating whether a specific user or group belongs to the Admins group.
When one or more agents report back 'true', an action runs automatically that removes the user or group, and it keeps doing so for as long as the Fixlet remains relevant.
First, we create a 'Fixlet' using the top console menu 'Tools' => 'Create New Fixlet'.
In the 'Relevance' tab we will set the following statement:
exist members whose (it as string as lowercase = "LAB\DummyUser" as lowercase) of local group "Administrators"
In the 'Actions' tab, we will set the following command:
wait net localgroup administrators "LAB\DummyUser" /delete
Once we click 'OK' and save the Fixlet, all agents will start evaluating it and reporting back whether they are relevant.
Any endpoint that has a DummyUser belonging to the local admins group will be shown as relevant.
To automate the process, we now have to 'Take Action' and target all computers.
The action must be configured with specific settings to allow continuous enforcement:
Select the target endpoints in the 'Target' tab; these can be specific computers or a group.
If you wish to keep the action running indefinitely, clear the 'Ends on' checkbox.
In case of a failure, retry 5 more times with a 10 minute delay between each retry.
Check 'Reapply this action' so the action runs again if someone adds 'DummyUser' back to the admins group.
Once the action is deployed, you can sit back, relax and watch BigFix in action.
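Watching the action is easier from the server side: the same Fixlet can be queried with session relevance through the REST API to list the endpoints where it is still relevant, i.e. where DummyUser is still a local admin. The script below is an added example written for this post, not code from the post or from BigFix itself; it assumes the Fixlet was titled "Remove DummyUser from Administrators", a root server listening on port 52311, and an operator account that can read Fixlet results, and the session relevance query in it was written for this example.

```python
import base64
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FIXLET_NAME = "Remove DummyUser from Administrators"  # assumed title of the Fixlet
# Session relevance (written for this example): each computer on which the Fixlet is
# still relevant, i.e. DummyUser is still a local admin, paired with its last report time.
SESSION_RELEVANCE = (
    "(name of it, last report time of it) of applicable computers of "
    f'bes fixlets whose (name of it = "{FIXLET_NAME}")'
)

def build_query_url(server, relevance, port=52311):
    """The REST API evaluates session relevance via GET /api/query?relevance=<encoded>."""
    return f"https://{server}:{port}/api/query?relevance={urllib.parse.quote(relevance)}"

def parse_query_response(body):
    """Return the answers of a BESAPI query response as a list of tuples."""
    root = ET.fromstring(body)
    error = root.find(".//Error")  # an invalid query answers with <Error>, not <Result>
    if error is not None:
        raise ValueError(f"session relevance error: {error.text}")
    rows = []
    for result in root.iter("Result"):
        for child in result:  # single values: <Answer>; tuples: <Tuple><Answer>...</Tuple>
            if child.tag == "Tuple":
                rows.append(tuple(a.text or "" for a in child.findall("Answer")))
            elif child.tag == "Answer":
                rows.append((child.text or "",))
    return rows

def fetch_noncompliant(server, user, password):
    """Query the root server over HTTPS with Basic auth (certificate verified by default)."""
    req = urllib.request.Request(build_query_url(server, SESSION_RELEVANCE))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req) as resp:
        return parse_query_response(resp.read())

# Constructed sample response (not captured from a real server) showing the shape.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<BESAPI xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BESAPI.xsd">
  <Query Resource="(session relevance is echoed back here)">
    <Result>
      <Tuple><Answer type="string">WS-0042</Answer><Answer type="time">Mon, 04 Mar 2024 09:12:31 +0000</Answer></Tuple>
      <Tuple><Answer type="string">WS-0107</Answer><Answer type="time">Mon, 04 Mar 2024 09:14:05 +0000</Answer></Tuple>
    </Result>
  </Query>
</BESAPI>"""
```

Any computer listed by fetch_noncompliant is one where the action has not yet succeeded, which is the set to investigate rather than wait on.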