jgstew / bigfix-content
a repo to store some example bigfix-content
License: The Unlicense
Many SysInternals tools can be downloaded directly from: https://live.sysinternals.com/
My hope is to have something like a Visual Studio Code Extension to enable this, but also make it easier to do this in any language anywhere.
ActionScript.schclass
Automatically escape { in PowerShell code and add it to a createfile command in ActionScript so the script can be run.
There are tons of existing projects out there, but not a lot of example content to use them.
Starting with these logs:
Using the Security Log as an example, the current settings seem to be stored here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
While the Group Policies that also affect this are here:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Security
It seems the policy location overrides the other location, which makes sense.
To get the max log size setting (in MB), assuming no policy, it should be:
(it / 1024) of (it as integer) of values "MaxSize" of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security" of registries
Getting the same but set by policy would be:
(it as integer) of values "MaxSize" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Security" of registries
Combined, checking the policy location first and otherwise falling back to the regular location:
(it as integer) of value "MaxSize" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Security" of registries | (it / 1024) of (it as integer) of value "MaxSize" of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security" of registries | ERROR "NoValue"
Changing the setting for "archive the log when full, do not overwrite events" in the GUI sets both the AutoBackupLogFiles and Retention values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security.
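As an added example (not code from the bigfix-content repo), the same policy-first fallback as the combined relevance above, with the registry modelled as a dict so it runs offline; load_from_winreg fills that dict on a Windows host, and the exact values archive_when_full looks for are an assumption:

```python
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\EventLog\Security"
SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\EventLog\Security"
NAMES = ("MaxSize", "AutoBackupLogFiles", "Retention")


def read_value(reg, key, name):
    """reg maps an HKLM key path to {value name: data}; None if absent."""
    return reg.get(key, {}).get(name)


def effective_max_size(reg):
    """Policy MaxSize wins; else service MaxSize // 1024 (the service key
    stores bytes, and the relevance above divides by 1024 the same way);
    else None, the counterpart of the relevance's error "NoValue"."""
    policy = read_value(reg, POLICY_KEY, "MaxSize")
    if policy is not None:
        return int(policy)
    local = read_value(reg, SERVICE_KEY, "MaxSize")
    return None if local is None else int(local) // 1024


def archive_when_full(reg):
    """Assumption: the GUI option "archive the log when full, do not
    overwrite events" writes AutoBackupLogFiles=1 and Retention=0xFFFFFFFF
    under the service key; verify on your own build before relying on it."""
    return (read_value(reg, SERVICE_KEY, "AutoBackupLogFiles") == 1
            and read_value(reg, SERVICE_KEY, "Retention") == 0xFFFFFFFF)


def load_from_winreg():
    """Windows only: build the same dict from the live registry."""
    import winreg
    reg = {}
    for key in (POLICY_KEY, SERVICE_KEY):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                reg[key] = {}
                for name in NAMES:
                    try:
                        reg[key][name] = winreg.QueryValueEx(k, name)[0]
                    except FileNotFoundError:
                        pass
        except FileNotFoundError:
            pass
    return reg


# Constructed sample (not from a real host): policy 204800; service key 20 MB in bytes.
SAMPLE = {POLICY_KEY: {"MaxSize": 204800},
          SERVICE_KEY: {"MaxSize": 20971520, "AutoBackupLogFiles": 1,
                        "Retention": 0xFFFFFFFF}}
```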
I'd recommend reviewing this related presentation first: https://drive.google.com/file/d/1dUqdTSuqex-c-3Iu33cnWEP6oV0vN0tm/view?usp=sharing
Make content that can be safely used to set recommended client settings that can be taken as a policy action targeted to ALL COMPUTERS. These are conservative, not setting anything that shouldn't be left in place in almost all cases, and most of the settings are only set if not already set to a different value, and only set once, so that if they are overridden later, then so be it. (command polling is an exception, the interval can be changed, but it MUST be enabled with an interval no greater than once every 6 hours)
Windows Console Dashboard to help generate tasks to manage bigfix client settings:
Other Example Fixlets to set client settings:
Use BigFix content to more easily set up and forward syslog data to a collector (NXLog, ELK, Splunk, Graylog).
Start with arbitrary data, then BigFix logs, then OS logs.
Create content for sigcheck: https://twitter.com/swiftonsecurity/status/946532192460648448?s=21
sigcheck.exe -accepteula -c -nobanner -tv * -u
SigCheck will download the current Microsoft Trusted Root Store and look for any certificates not rooted by it that would be considered invalid on a default Windows install. Any positive results are likely malicious or inappropriate (eDellRoot) and should be investigated.
See if, during action execution, you can check what the reapply behavior is set to and fail if it is too frequent.
This matters if something like this is set to reapply every day: https://github.com/jgstew/bigfix-content/blob/master/fixlet/Compress%20and%20Upload%20System%20Logs%20-%20Windows.bes#L124
Can use the action header task to investigate: https://github.com/jgstew/bigfix-content/blob/master/fixlet/Test%20Action%20Header%20Info%20-%20Universal.bes
The Dell catalog has an entry for Precision 3431, but in at least some cases the actual model is reported as Precision Tower 3431, so the relevance doesn't match.
This example was provided:
Q: exists values "product_name" whose(it as string as trimmed string as uppercase contains "Precision 3431" as trimmed string as uppercase) of structures "system_information" of smbios
A: False
T: 1.1000 ms
Q: ("Precision Tower 3431" as uppercase) = ((value "product_name" of structures "system_information" of smbios) as string as trimmed string as uppercase)
A: True
T: 4.000 ms
It may work to check that the model string starts with Precision and ends with 3431, but the model number MUST have a space before the numerals, because some models might be E7000 vs 7000 and the relevance needs to make sure it does not think the BIOS update for model 7000 also applies to model E7000.
It would be nice to have the unique set of results of (it as string as trimmed string) of values "product_name" of structures "system_information" of smbios across as many Dell / HP / Lenovo systems as possible to find these edge cases.
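The matching rule just described, as an added example (not the repo's own relevance): family word at the start, model number at the end, and whitespace required before the number so "7000" never matches "E7000"; the catalog names are constructed:

```python
import re


def model_matches(reported, catalog_model):
    """Match an SMBIOS product_name against a Dell catalog model name.

    The reported string must start with the catalog family word (e.g.
    "Precision") and end with the catalog model number, and whitespace must
    precede that number: a catalog entry for "7000" must not match a reported
    "E7000". Comparison is case-insensitive and whitespace-normalised, like
    the "as trimmed string as uppercase" in the relevance above.
    """
    rep = " ".join(reported.split()).upper()
    parts = catalog_model.upper().split()
    if len(parts) < 2:
        raise ValueError("catalog model needs a family word and a model number")
    family, number = parts[0], parts[-1]
    if not rep.startswith(family):
        return False
    return re.search(r"\s" + re.escape(number) + r"$", rep) is not None


def matching_catalog_entries(reported, catalog):
    """All catalog model names that the reported product_name satisfies."""
    return [m for m in catalog if model_matches(reported, m)]


# Constructed sample names, not real inventory results.
CATALOG = ["Precision 3431", "Precision 7000", "Precision E7000"]
```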
Turn existing content for creating MSI uninstallers with a RESTAPI/Fixlet into a Console Dashboard
This was brought up in the BigFix Slack and I think it is a great idea to have a fixlet to set BigFix to be able to run in Windows Safe Mode.
Create a simplified dashboard that creates a prefetch and nothing more.
See function CreateAction() in file: BES Support\SWDistributionSummary.js
Will also need this in the OJO at least: var isEvansOrLater = '<?relevance if (exists property "datastore inspectors") then True else False?>' == 'True'?true:false;
Look at automating the addition of Icons to content for display within the Self Service Application using REST API or Dashboard or other methods.
Can get an Icon from the content's prefetch statement on windows using: https://github.com/jgstew/tools/blob/master/CSharp/ExtractAssociatedIcon.bat
data:image/x-icon;base64,
<MIMEField>
<Name>action-ui-metadata</Name>
<Value>{"version":"66.208.49227","size":46641152,"icon":"data:image/png;base64,iVB....CC"}</Value>
</MIMEField>
(base64 encodes it) of concatenations of lines of files "setup.exe.ico"
(values of headers "Subject" of it, ("<img alt='icon' height='64' src='" & it as string & "'>") of values of keys "icon" of jsons of values of headers "action-ui-metadata" of it) of fixlets of sites whose("Custom Site" = type of it)
(it & ".icns") of (preceding text of last ".icns" of it | it) of strings "CFBundleIconFile" of dictionaries of files "Contents/Info.plist" of folders whose(name of it as lowercase ends with ".app") of folders "/Applications"
(pathname of folders "Resources" of folders "Contents" of items 0 of it & "/" & item 1 of it) of (it, (it & ".icns") of (preceding text of last ".icns" of it | it) of strings "CFBundleIconFile" of dictionaries of files "Contents/Info.plist" of it) of folders whose(name of it as lowercase ends with ".app") of folders "/Applications"
( preceding texts of lasts ".app" of names of it, (pathname of folders "Resources" of folders "Contents" of items 0 of it & "/" & item 1 of it) of (it, (it & ".icns") of (preceding text of last ".icns" of it | it) of strings "CFBundleIconFile" of dictionaries of files "Contents/Info.plist" of it) of it) of folders whose(name of it as lowercase ends with ".app") of folders "/Applications"
(preceding texts of lasts ".png" of names of it, sizes of it) of files ending in ".png" of folders "/tmp/_BigFix/Icons"
number of (concatenations of lines of it) of files ending in ".png" of folders "/tmp/_BigFix/Icons" of encodings "ISO-8859-1"
files whose(name of it as lowercase ends with ".icns") of folders "Contents/Resources" of folders whose(name of it as lowercase ends with ".app") of folders "/Applications"
number of mime fields "action-ui-metadata" of custom bes fixlets
values of keys "icon" of jsons of mime fields "action-ui-metadata" of custom bes fixlets
(links of it, ("<img alt='icon' height='64' src='" & it as string & "'>") of values of keys "icon" of jsons of mime fields "action-ui-metadata" of it) of custom bes fixlets
("<img src='data:image/png;base64," & it & "'>") of unique values of (substrings separated by ";;" of concatenations of values of it) of results of bes properties "base64 of Icons"
number of custom bes fixlets whose( (task flag of it OR fixlet flag of it) AND visible flag of it AND NOT exists mime fields "action-ui-metadata" of it AND exists default action of it)
(id of it as string & " " & name of it) of custom bes fixlets whose( (task flag of it OR fixlet flag of it) AND visible flag of it AND NOT exists mime fields "action-ui-metadata" of it AND exists default action of it)
Get Magic Literal:
Q: concatenations of (characters it) of (bytes 0 of it; bytes 1 of it; bytes 2 of it; bytes 3 of it) of files "/Applications/App Store.app/Contents/Resources/AppIcon.icns"
A: icns
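As an added example (not code from the repo), the icon data URI and action-ui-metadata MIME field shown above can be built from icon bytes after checking the same leading magic literal the Q/A reads; the ICNS media type and the sample bytes are constructed assumptions:

```python
import base64
import json
from xml.sax.saxutils import escape

# Leading bytes -> data-URI media type. "icns" is the literal the Q/A above
# reads from the first four bytes of an .icns file; the PNG and ICO values are
# those formats' standard signatures. image/icns is assumed as the icns type.
MAGIC = {b"\x89PNG": "image/png",
         b"icns": "image/icns",
         b"\x00\x00\x01\x00": "image/x-icon"}


def sniff_media_type(data):
    """Media type for the icon bytes, or None when the format is unknown."""
    for magic, mtype in MAGIC.items():
        if data[:len(magic)] == magic:
            return mtype
    return None


def icon_data_uri(data):
    """Base64 data URI like the src= value the relevance above builds."""
    mtype = sniff_media_type(data)
    if mtype is None:
        raise ValueError("icon is not PNG, ICO or ICNS")
    return "data:%s;base64,%s" % (mtype, base64.b64encode(data).decode("ascii"))


def action_ui_metadata(version, size, icon_bytes):
    """JSON in the shape of the action-ui-metadata value shown above."""
    doc = {"version": version, "size": size, "icon": icon_data_uri(icon_bytes)}
    return json.dumps(doc, separators=(",", ":"))


def mime_field_xml(version, size, icon_bytes):
    """The <MIMEField> element; & < > in the JSON are XML-escaped."""
    value = escape(action_ui_metadata(version, size, icon_bytes))
    return ("<MIMEField>\n<Name>action-ui-metadata</Name>\n"
            "<Value>%s</Value>\n</MIMEField>" % value)


# Constructed sample: an 8-byte ICNS header stub, not a real icon file.
SAMPLE_ICNS = b"icns\x00\x00\x00\x08"
```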
iconutil
command line tool to pack and unpack *.icns files.
Create bigfix content to monitor and automate the use of AWS Ephemeral Instance Storage for:
Related:
OSDCloud uses the OSD PowerShell module:
Dell Command Update added checks to handle BitLocker being enabled when installing BIOS updates, but apparently if you generate BigFix content that installs Dell BIOS updates directly, without going through Dell Command Update, those BIOS updates will happily install with BitLocker enabled (not suspended) and put BitLocker into recovery mode. This is very bad.
Take an example system and create fixlets to configure browser settings based upon the current settings; generally, make it easier to automatically configure browsers with BigFix.
autorunsc.exe -accepteula -a * -c -h -s -t -v -vt * >>"%TEMP%\%COMPUTERNAME%-Autoruns4.csv"