Showing posts with label BigFix. Show all posts
In a typical Tivoli Endpoint Manager (TEM, also known as BigFix) deployment, end users should not have administrative rights; otherwise they can simply uninstall or stop the TEM agent.


TEM Clients listen for UDP commands sent to them by their parent Relay or Server. UDP commands often do not reach the TEM Client, for example when UDP is blocked by a firewall or there is a significant amount of network traffic. For such cases the TEM Client is configured to poll its parent Relay or Server and check whether there is any command for it.

If the TEM agent service is stopped, the machine will be grayed out in the TEM console after the default client poll time (typically every 4 hours). For secure endpoint management, we need to prevent users from disabling the TEM (BigFix) agent.

On Windows, we can prevent the TEM Client service from being stopped or disabled.
We can also configure the service to restart automatically in case it is killed or stopped.

DENY Administrators from starting/stopping the BESClient service:
cmd.exe /c sc failure besclient reset= 1 actions= restart/5000
cmd.exe /c sc sdset besclient D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

ALLOW Administrators to start/stop the BESClient service (default state):
cmd.exe /c sc failure besclient reset= 1 actions= restart/5000
cmd.exe /C sc sdset BESClient D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
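
Added example (not part of the original post): a small Python audit helper that decodes the two SDDL strings above and reports which trustees hold rights that allow stopping or reconfiguring the service. The names parse_dacl, tamper_capable and the TAMPER set are assumptions made for this illustration; only allow ACEs with two-letter rights codes are handled.

```python
import re

# Two-letter SDDL rights codes as they apply to a Windows service object.
SERVICE_RIGHTS = {
    "CC": "query-config", "DC": "change-config", "LC": "query-status",
    "SW": "enumerate-dependents", "RP": "start", "WP": "stop",
    "DT": "pause-continue", "LO": "interrogate", "CR": "user-defined-control",
    "SD": "delete", "RC": "read-control", "WD": "write-dac", "WO": "write-owner",
}
TRUSTEES = {"SY": "Local System", "BA": "Built-in Administrators",
            "AU": "Authenticated Users", "PU": "Power Users"}
# Assumption for this example: rights that let a trustee stop the agent
# or undo the hardening.
TAMPER = {"stop", "change-config", "delete", "write-dac", "write-owner"}

# The two descriptors passed to "sc sdset" in the post.
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;AU)"
            "(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
DEFAULT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
           "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")

def parse_dacl(sddl):
    """Return {trustee SID alias: set of right names} for the DACL's allow ACEs."""
    if "D:" not in sddl:
        raise ValueError("no DACL (D:) section in descriptor")
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop any SACL that follows
    granted = {}
    for ace in re.findall(r"\(([^()]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] != "A":
            raise ValueError(f"only well-formed allow ACEs are handled: ({ace})")
        rights, sid = fields[2], fields[5]
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        unknown = [c for c in codes if c not in SERVICE_RIGHTS]
        if unknown:
            raise ValueError(f"unknown rights {unknown} in ({ace})")
        granted.setdefault(sid, set()).update(SERVICE_RIGHTS[c] for c in codes)
    return granted

def tamper_capable(sddl):
    """Map trustee name -> sorted tamper-relevant rights it holds."""
    return {TRUSTEES.get(sid, sid): sorted(rights & TAMPER)
            for sid, rights in parse_dacl(sddl).items() if rights & TAMPER}

if __name__ == "__main__":
    for label, sddl in (("hardened", HARDENED), ("default", DEFAULT)):
        print(label, tamper_capable(sddl))
```

The same functions can be run on the output of sc sdshow besclient collected from an endpoint to confirm which descriptor is in place. For the hardened descriptor the result still lists Power Users with the stop right, so membership of that group is worth reviewing.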

Restoring the security descriptor is a little harder. The best way is to use a third-party CLI tool called SCAcl, as follows:
scacl besclient /Q /T /I
sc failure besclient reset= 0 actions= none
However, instead of using third-party tools, I suggest using the following Fixlets provided OOTB with TEM:

| ID | Name | Site |
|-----|------|------|
| 251 | Hide BES Clients from the Add/Remove Programs List - BES Client < 8.0 | BES Support |
| 325 | Hide BES Clients from the Add/Remove Programs List - MSI | BES Support |
| 713 | Hide BES Clients from the Add/Remove Programs List - BES Client >= 8.0 | BES Support |
| 591 | Install BES Client Helper Service | BES Support |

You should also apply the client helper Fixlet 591, which installs a watchdog executable file that will start the BESClient even if it is stopped or disabled.

How to prevent tampering or screwing with TEM (BigFix) Agents

IBM recently ported the Tivoli Endpoint Manager server from Windows to Linux. With the new release of TEM 9.0, the server component of TEM can now be installed on RHEL 6.1 and above with IBM DB2 10.x as the backend database.

In order to explore the new features and capabilities of IBM Endpoint Manager 9.0, let's quickly create a POC image. Before you start creating a POC image, it's recommended to read these tutorials: How to create a YUM repository from an ISO image or mounted CD, and Installing TEM 9.0 on Linux.

You may download the TEM Linux Server installer from http://software.bigfix.com/download/bes/90/ServerInstaller_9.0.649.0-rhel.tgz . This archive doesn't contain the installer for IBM DB2 10.x. For the purpose of demonstration (exploring TEM features or creating a quick POC), you can download the FREE version of DB2 from http://www.ibm.com/developerworks/downloads/im/db2express/index.html . Ensure that you download the Linux 64-bit version of IBM DB2 10.1.2 Express-C edition. DB2 Express-C is a full-function DB2 data server available for download and deployment at no charge.

Create a VM with a typical installation of RHEL 6.1 (RHEL 6.2 and RHEL 6.3 are also supported).
Ensure that a valid hostname and IP is assigned to the VM.
Now configure the YUM repository as mentioned here
Install the prerequisite packages for TEM:
#yum install audit-libs.i686 libselinux.i686 cracklib.i686 libaio compat-libstdc++-33 pam.i686 libstdc++.i686 cyrus-sasl-lib.i686
Note: Since TEM Server is 32-bit, ensure that 32-bit compatibility libraries are installed - without x86_64 in the file name.

Now extract the downloaded DB2 package and run the db2prereqcheck utility. Check the output for errors and warnings.
Before installing DB2 10.1.2 Express-C edition, install the required packages on RHEL 6.1:
#yum install ibsim ibutils libcxgb3 libibcm libibmad libibumad libipathverbs libmthca libnes rdma sg_persist sg3_utils
Note: Since DB2 is 64-bit, ensure that 64-bit libraries are installed - with x86_64 in the file name.
The list of dependencies is shown below:
Once the required packages are installed, you can proceed to the installation of IBM DB2 10.1.2 Express-C edition. Run the db2setup script from the extracted location of the DB2 package. Enter default values and proceed with the DB2 installation. Refer to this ppt for detailed install steps:
Now install TEM 9.0 as per the steps mentioned here.
I've tried installing the Evaluation version of TEM 9.0 for Linux on RHEL 6.1 (Santiago) with the Free version of IBM DB2 10.1.2 Express-C and it works perfectly fine. Good for creating Proof of Concepts and customer demos. This installation appears to work on CentOS 6.3 also, although it is not supported by IBM.





Create a POC image using IEM 9.0 on Linux with Free DB2 10.1.2 Express-C Edition

No matter how much I explain or write about IBM Tivoli Endpoint Manager's (a.k.a. BigFix) architecture, it's best to understand the architecture and how it works via this 4-minute animated video.



IBM Tivoli Endpoint Manager is the industry's only "single server, single agent platform, single console" solution for heterogeneous endpoint management that addresses operations, security and compliance initiatives with real-time visibility and at global scale.

Top competitive differentiators of TEM:

One for all solution - One product to manage all endpoints (physical, virtual, client class, server class)
Technically speaking 1 console, 1 agent, 1 server: 250,000 endpoints, 90+ OS versions

Ease of use - Intuitive console, wizards for common tasks and a very simple scripting language.

Automatic product update - of features and content through the TEM content delivery cloud based service and exploits the subscription based model (Get what you subscribe for).

Pull model - Real-time endpoint configuration evaluation and enforcement in contrast to relying on a central server to push queries and gather configuration settings.

Scalability - True Enterprise scalability with minimal infrastructure.

BigFix architecture in 4 minutes

IBM Endpoint Manager for Server Automation V8.2 is an add-on to other Tivoli Endpoint Manager solutions. This domain offers a range of server automation capabilities, from provisioning VMware virtual machines to deploying middleware software like IBM DB2, IBM WebSphere Application Server and Microsoft SQL Server. Advanced server automation capabilities will help you lower your costs and improve efficiency.

IBM Endpoint Manager for Server Automation (IEMfSA) is uniquely positioned as an advanced server automation solution in the Tivoli portfolio that builds on lifecycle management capabilities to enhance IT automation and provide a bridge to cloud computing.

IEMfSA V8.2 features:
        1. Ability to manage physical and virtual endpoints in your data centers.
        2. Support for deploying and managing complex middleware software like IBM DB2, IBM WAS and Microsoft SQL Server.
        3. Delivers an easy way to build custom content with a powerful Relevance scripting language.
        4. Allows cross-server sequencing of existing and new fixlets with the help of Automation Plans.
        5. Painless and inexpensive automatic updates of new and current features via the TEM content delivery cloud based service.
Capabilities of IEMfSA v8.2:

Physical and virtual server management provides a single interface across patch management, lifecycle management, and server automation, and simplifies operations and lowers costs. It improves the visibility and control of all your systems including the ability to view and manage both physical and virtual endpoints (laptops, desktops, and servers) from a single interface.

Automation Plans provide the ability to sequence simple Tivoli Endpoint Manager automation tasks into a broader automation flow, known as an automation plan, which can be saved and reused. These cross-server sequenced tasks enable automation of previously manual operations, helping improve application delivery time and reduce labor costs. This includes the automation and integration of tasks such as creating virtual machines, deploying operating systems, deploying software, and setting and enforcing security and compliance settings. Below is a screenshot of a simple automation plan:


Middleware deployment of multitiered business applications typically requires a lot of manual intervention to get them deployed and configured in the optimal way to deliver business services. IBM Endpoint Manager for Server Automation provides the ability to easily deploy, configure and manage a variety of middleware applications like IBM DB2, IBM WAS and Microsoft SQL Server.

With IBM Endpoint Manager for Server Automation, an organization can leverage advanced server automation capabilities with proven Tivoli Endpoint Manager benefits. IEMfSA simplifies server automation and reduces costs for IT operations.

More Information:
Download datasheet for IBM Endpoint Manager for Server Automation
IBM Endpoint Manager for Server Automation offering
IEMfSA quick start guide 

Architecture of IEMfSA component:


 

IBM Endpoint Manager for Server Automation
