bigfix lifecycle aix - ibm.com · hpux, mac osx, vmware esx ... baseline: a deployment container of...

© 2017 IBM Corporation

AIX EE bundleIBM Virtual Users Group

27 April 2017

Devaughn RackhamSenior Managing ConsultantIBM STG Power Systems Lab [email protected]

IBM BigFix Lifecycle

2© 2017 IBM Corporation

Siloed IT Operations and Security Teams

IT OPERATIONS

• Apply patches and fixes

• Implement security and operational policy

• Manual process takes weeks / months

IT SECURITY

• Scan for compliance status

• Create security policies

• Identify vulnerabilities

Disparate tools, manual processes, lack of integration and narrow visibility


Today’s reality

• Discover and secure all existing and new assets on the network

• Deploy software applications & updates quickly

• Build automation to reduce manual labor

• Patch all servers, Physical and Virtual, including clustered servers

• Reduce Admin overhead for deploying software and onboarding users

• Automate Operating system deployment, migration and re-imaging

• Find a way to do reduce costs while enforcing security policies

The Impossible To-do list


What BigFix Offers

The BigFix Unified Management Platform provides real-time visibility and

control through a single infrastructure, single agent and single console


IBM BigFix Lifecycle

� Entitlement with AIX Enterprise Edition:

– IBM BigFix Platform

• RHEL(Server x86-64 ver 6 FP3 or higher) / DB2 10.5 ESE

• Windows (Windows 2008 64, Windows Server 2012) / SQL Server

– AIX clients

– Installed Windows console

– Web Reports

� BigFix Products Included with AIX Enterprise Edition:

– Patch Management

– Systems Lifecycle

– Software Distribution

– Server Automation

Now included in AIX Enterprise Edition!


Discovery and patchingA single-console management system to identify, patch, and report on multiple

devices and attributes

� Discover and report on every AIX endpoint

� Gain accurate, up-to-the minute visibility

and continuous enforcement of patches

� Manage patches to hundreds of thousands

of endpoints, multiple operating systems

and applications – automatically

� Clients report >98% first pass patch success

Protecting 50,000 PCs, servers and ATMs in 1,800 locations with one console

SunTrust Banks


IBM BigFix Lifecycle – Key differentiators

� Continuous compliance

– Intelligent agent evaluates the system to identify the missing or corrupt patches

– Automatically assess the status once the patch is deployed

– Distribute patches and software updates to endpoints around the globe

– Enforce patch policies to achieve continuous compliance

� Visibility

– Centralized reporting of all assets

– Provides an automated, simplified patching process that is administered from a single console

� Scalability

– Scale from 1 to 250,000 endpoints with a single server


• Increase first-pass success rates from 60-75%

to 95-99+%

• Reduce patch and update times from weeks

and days to hours and minutes

• Access real-time reporting

• Provide patches to distributed endpoints

regardless of their location, connection type or

status.

• Deliver patches for Windows, UNIX, Linux and

Mac OS and for applications from vendors

including Adobe, Mozilla, Apple and Java.

• Automated self-assessment, no centralized or

remote scanning required

Patch Overview dashboard

Provide status on critical security patch installationWith more critical patches every week, how can I keep up?


� Increased coverage of Microsoft product

patches means your administrator can rely

on one solution for all of their needs

�Patch content for multiple Linux distributions

means you can do more with a single tool

�Native tools support ensure flexibility and

reliability in patch deployment

�Ability to rollback patches means less manual

effort for IT

�Deploy updates to existing alternate disk

images for easy Rollback

�Preview deployments of TL and SP fix packs to

reduce patch errors during maintenance

windows

�AIX Deployment wizard now supports NFS to

minimize disk space requirements

�NFS Support for Solaris patch bundles to

minimize disk space requirements

�Patch cluster fixlets for Solaris Live

Upgrade to support cluster patching of

alternate boot environment

�Package install task for Solaris 11 for

improved remote management which

reduces on-site support costs

� Increased coverage for 3rd party application support

�Custom repository support for Java downloads

helps secure a common area of vulnerability

Key Features - More content, Make things faster, Go broader


Intelligent Agent: Pervasive Real-time Visibility

� Heterogeneous Platform Support (Managed Assets)

� IBM AIX (6.1 – 7.2)

� RHEL on Power – Big Endian (5.5 – 7)

� RHEL on Power – Little Endian (7.1)

� SUSE on Power – Big Endian (10,11)

� SUSE on Power – Little Endian (12)

� Ubuntu on Power – Little Endian (16.04)

� Windows NT SP6a/95/98/ME/2000/XP/2003/Vista/Windows 7/Windows 2008/Windows 8/Windows 10 (Incl. x86, x64 and Itanium)

� Suse Linux (32 and 64-bit), Suse Linux Enterprise Desktop

� Redhat Linux (32 and 64-bit)

� CentOS x86 (32 and 64-bit)

� Debian x86 (32 and 64 bit)

� Solaris (incl. Sparc and x86)

� IBM zLinux

� HPUX, Mac OSX, VMWare ESX

� Wyse Thinclients

� Visibility into any IP enabled device through network scanning enabled in any BigFix managed asset (Unmanaged Assets)

1

0


Product Architecture

1

1


BigFix Platform Elements

Single Intelligent Agent• Continuous self-assessment

• Continuous Policy enforcement

• Minimal system impact (<2% cpu)

Single Server & Console• Highly secure, highly available

• Aggregates data, analyzes & reports

• Manages >250k endpoints

Powerful policy language (Fixlets)

• Thousands of out-of-the-box policies

• Best practices for ops and security

• Simple custom policy authoring

• Highly extensible / applicable across all platforms

Virtual Infrastructure

• Designate any BigFix agent a relay or scan point

• Built-in redundancy

• Leverage existing systems/ shared infrastructure

An existing BigFix managed asset can become a relay in minutes


Publish

EvaluateEnforce

Report

Our Closed Loop Speed is Our Advantage


Closed Loop Speed is Our Advantage

Challenge Traditional client/server tools BigFix Platform

Complete the policy enforcement loop Everything is controlled by the server, which is slow Distributed computing with intelligent, universal

agent

Increase the accuracy and speed of your

knowledge

It can take days to accurately close the

enforcement loop

Policy enforcement is accomplished and proven in

minutes instead of days

Scalability cannot be attained without large

infrastructure investments

Administrators are still managing tools instead of

being productive

Distributed processing means scalability is

unlimited

Adjust system policies depending on environment,

location

Scan-based assessment, leading to stale data false

sense of awareness

Real-time situational awareness

14

Report Publish

Evaluate

Traditional

SolutionsBigFix

Enforce Evaluate

PublishReport

Decide

Evaluate

Enforce

Decide


BigFix: Content Based Delivery Model

15

BigFix Content Sites

Patch Power SCM Anti-Malware

SW Dist. SW Asset Mgt. OS Prov. Other MInternet

Description and Benefits

•Applications are delivered via subscriptions to content (fixlet) sites (e.g., “cable box” or “iTunes” model)

•Content flows to the BigFix server and through the infrastructure

•No on-premise reinstall

•Speed – distribution is automated

•Rapid, easy testing / POC

•Model is key to account expansion strategy / cross selling

15


Single Intelligent Agent

• Performs multiple functions

• Continuous self-assessment & policy

enforcement

• Minimal system impact (< 2% CPU)

IBM BigFix

Single intelligent

agent

Lightweight, robust infrastructure

• Use existing systems as relays

• Built-in redundancy

•Support/secure roaming endpoints

Cloud-based content delivery

• Highly extensible

• Automatic, on-demand functionality

Single server and console

•Highly secure and scalable

•Aggregates data, analyzes & reports

•Pushes out pre-defined/custom policies

Real-Time Visibility

Scalability Ease of Use

BigFix

Platform

Flexible policy language (Fixlets)

• Thousands of out-of-the-box policies

• Best practices for operations and security

• Simple custom policy authoring

• Highly extensible/applicable across all platforms


BigFix Message Architecture

17

BES Server

BigFix Fixlet

Publishing Servers

BES RelayBES Clients

BES Relay

BES Clients

Primary Data Center

BES ClientsBES Console

BES Relay BES Clients

DMZInternet

Remote Data Center



18

BES Server

BigFix Fixlet

Publishing Servers


BES Relay

BES ClientsBES ClientsBES Console


DMZInternet

Remote Data CenterThe BES Server retrievesFixlets (Policies) from

BigFix Fixlets Publishing Serversautomatically.

Primary Data Center



19

BES Server

BigFix Fixlet

Publishing Servers


BES Relay



DMZInternet

The BES Server notifies (UDP)its clients immediately of

new Fixlets content

Primary Data Center

Remote Data Center



20

BES Server

BigFix Fixlet

Publishing Servers


BES Relay



DMZInternet

The notification propagatesthroughout the enterprise

within minutes

Primary Data Center

Remote Data Center



21

BES Server

BigFix Fixlet

Publishing Servers


BES Relay



DMZInternet

BES Clients retrieve the Fixletsupon connection, and

defined intervals

Primary Data Center

Remote Data Center



22

BES Server

BigFix Fixlet

Publishing Servers


BES Relay



DMZInternet

BES Clients continuouslyevaluate and enforcereceived policies

Primary Data Center

Remote Data Center


BigFix Technology: The Fixlet

� Fixlets are a key part of BigFix Architecture

� Fixlets are a general purpose way to encapsulate:

– Issue identification - RelevanceRelevanceRelevanceRelevance

– Description of an issue – HTML for users

– How to solve it – ActionActionActionAction

� Examples

– Fixlet to identify/fix a critical Interim Fix for an AIX Security Advisory

– Fixlet to identify/fix a java vulnerability

– Fixlet to identify/fix an ssh vulnerability

– Fixlet to identify/upgrade to a new TL level or SP

23


Fixlets

� By decomposing problems into Fixlets, it makes it easy to identify, report,

fix, manage issues

� Fixlets are authored by BigFix or partners in FixletFixletFixletFixlet SitesSitesSitesSites

� BigFix and partners offer thousands of Fixlets in dozens of Fixlet sites for

many different areas:

– Patching, security configs, inventory, app deployment, AV management, …

� When BigFix publishes new Fixlets, they are distributed to all customer’s

BigFix Servers within an hour

� Customers can easily create their own Fixlets

24


Relevance Language

� Custom made for managing endpoints

� >100 faster than other solutions

Example Relevance

Language vs WMI

showing >100

faster execution


Other BigFix Vocabulary

� Analysis: A probe run on one or more systems to collect and summarize properties.

Often a prerequisite for running certain fixlets, tasks, dashboards, or wizards.

� Task: Just like a fixlet, but not fix related (increase storage, reboot system, run inventory,

etc)

� Action: A script that runs on selected targets. Used to fix policy violations, run

configurations steps, etc. Used by fixlets, tasks, and baselines.

� Baseline: A deployment container of fixlets and tasks. Used to apply a group of

fixlets/tasks to one or more systems. Contents applied using predetermined sequence.

� Relay: Creates a tiered hierarchy for transmission of information between BigFix Clients

and the BigFix Server

– Allows BigFix to scale

– Minimizes ports to be opened through a firewall

– Minimizes bandwidth usage – can be set up to serve clients in a separate geographic location

– Serves as a intermediate cache for clients

– Uses minimal computer resources – minimal impact

– Does NOT need to be a dedicated server (NIM Master is often a good choice)

– Can serve up to 1000 clients


IBM BigFix Patch – AIX Function


NIM Support

NIM configuration tasks:

� NIM Filesets Installation

– Install master or client filesets

� NIM Master Configuration

– Manual

– EZNIM

– Basic

� NIM Client Configuration

– From NIM Master

– From NIM Client

– Initialize NIM Client (create

/etc/niminfo)

28


AIX Deployment

Deploy Fileset, Package, or Firmware updates

� AIX Filesets

– Retrieve from URL

– Local File

– Local folder

– **NFS path (usually best option)


AIX Interim Fix Deployment

� AIX Interim Fix Management wizard provides a capability to install and remove interim

fixes


AIX Advanced Deployment Wizard

� Support for Alt Disk features– Create a new alternate disk clone

– Deploy Fix Pack or TL to alternate disk clone

– Update roovg boot device

– Remove alt disk volume groups

� Preview deployments of TL and SP fix packs– Validate fix pack, determine if reboot is

needed.

� Rollback AIX patches– Ability to identify and report on filesets in

an applied based on the fix pack they are associated with

– Reject groups of applied filesets that are associated with a TL / SP fix pack.

– Reject groups of applied filesets that were installed on or after a specified date.

– Reject individually specified fileset(s) that are selected by BigFix user.

31


AIX Advanced Deployment Wizard – Multibos

� Support for Multibos features

– Create a New BOS

– Deploy TL and SP to a standby BOS

– Update Boot Logical Volume

– Remove Standby BOS

NEW

32


AIX Advanced Deployment Wizard – NFS

Support for NFS repository

management:

� Register an existing endpoint as an

NFS repository

� Download TLs and SPs to a

registered NFS drive, to be used by

BigFix.

� Manage downloaded TLs and SPs

NEW


Reduce Costs & Improve Efficiency with Customizable Automation

� Simple UI to build, save and re-use

Automation Plans for higher levels

of automation

� Easily Leverage Thousands of “Out

of the Box” fixlets, Tasks and

Automation Plans to improve IT

Efficiency

� Other uses for Automation Plans:

Physical & Virtual Server builds,

Complex Application deployment,

Re-purposing servers, Advanced

Patching, cross-server sequences

for vulnerability remediation


Sample Automation Plans

• Simple sequence of Plan

steps.

• Can include Baselines within

an Automation plan to handle

more complex operations.

Dynamic Baselines allows you

to create a single Automation

plan, update the baselines

within a site, and re-run the plan

monthly.

• Default Actions included to

simplify the amount of time it

takes to create a plan

OOTB Automation Plans Cover capabilities Like: • Patch Operating systems in clusters• Patch middleware in clusters• Build physical servers (individual and hypervisors) • Build virtual servers (vmware and AIX LPAR’s)• Install Complex Applications (WAS, DB2, Oracle)


UI Features Simply Automation Plan Tasks

• More Elegant Failure

Handling by running

baselines instead of just

simple fixlets & tasks.

• Simplified modification of

Automation Plans – Quickly

Insert, move ANY step.

• Create Single or Parallel

paths within an automation

plan to accelerate operations.


Email Notification

� For Automation Plans and for Deployment Tasks in the WebUI


Web Reports

� Easily create your own reports, or use/modify one of the 70+ default reports

� Use labels (think tags) to organize reports the way you want

� Set the visibility of reports to be public or private

� Schedule reports to be automatically executed and emailed on a recurring schedule

� Import/Export reports


Web Reports – Example Reports


Web Reports – Scheduling a Report


IBM BigFix Lifecycle Enablement (AIX EE)

Features:� Our consultants will assist your team to implement IBM BigFix Lifecycle in a proof of concept environment to

demonstrate the benefits of the rich patch function.

� Features implemented include

– Single console to identify, patch and report on AIX endpoints in your environment

– Provides accurate, up-to-the minute visibility and continuous enforcement of patches

– Scales from small environment to hundreds or thousands of AIX partitions

– Provides a foundation in which BigFix can be upgraded to support other Enterprise endpoints and other BigFix modules.

� The deliverable is a BigFix engagement summary document outlining:

– Brief overview of your environment

– Summary of BigFix installation and configuration work performed.

– Next steps

Service Benefits:

� Helps improve overall operational efficiency by providing a single console to identify, patch and report on endpoints

Implement enterprise patch management for AIX partitions

Service Overview:

Helps install, configure and exploit the capabilities of the IBM BigFix Lifecycle components of IBM AIX Enterprise Edition.

41

Contact:

Devaughn Rackham, [email protected]


Security fix coverage and native tool support for Linux OS

� Broad patch coverage for Linux OS– Covers all security and critical fixes

– RPM deployment wizard to facilitate deployment of RPM packages

� Flexibility and reliability in patch deployment by supporting native tools– Native tools such as Zypper for Suse and Yum for Red Hat are

used for resolving dependencies

– Deployment wizards such as RPM deployment wizard for Red Hat and CentOS to facilitate deployment of packages

– Improved performance and reliability in installing security patches

� Bandwidth savings and improved patch deployment performance using custom repository management on Suse and Red Hat– Leverage existing local repository mirrors for patch deployment

– Eliminates dependency on the single subscription management tool server

– Deploy custom software hosted in local repository


New patch content, easy rollback and visibility in patch history

� New patch content

– CentOS 5

– CentOS 6

� Rollback of RHEL patches

– Use YUM transaction history dashboard to

manage YUM transactions for RHEL patches

– Supports rollback, undo and redo actions

� Patch history on RHEL

– Ability to see the installed patches on each

endpoint

– YUM logs analysis retrieves the YUM transaction

logs from RHEL endpoints

� Rollback of SLES patches

– Use Btrfs/Snapper Rollback dashboard to

rollback patches in Btrfs with snapper

management configurations

� Patch history on SUSE

– Ability to see the installed RPM package

list on each endpoint

– Analysis retrieves the Zypper transaction

logs from the SUSE endpoints

NEW

bigfix lifecycle aix - ibm.com · hpux, mac osx, vmware esx ... baseline: a deployment container of...

Documents