C3 Inventory provides expansive inventory capabilities for organizations looking to inventory and assess their endpoint and server environments. C3 Inventory is a C3 site; for more information on C3, please see the C3 Homepage.

Inventory Capabilities

Documentation on this page is organized into categories of content (Active Directory, Applications, etc). Within each category there are sub categories defined (Group Policy, Users and Groups, etc). Each Sub Category will outline what Analyses, Fixlets, and Tasks make up that piece of functionality.

For certain content there are instructions to help get started with that content. Under each Analysis is a list of example properties you can gather using that analysis. If there is a sentence of information under a property, it further describes the property itself.

Every Fixlet and Analysis is a hyperlink to the content on BigFix.Me but we highly recommend setting up the BigFix.Me Sync Tool.

Active Directory

Active Directory

Basic information covering the Active Directory domain that endpoints are bound to.

This property provides recursive group membership, which is especially useful for identifying devices with membership in high-privilege groups.

Provides a secure mechanism to perform remote domain joins in your environment.

Group Policy

Advanced information covering the current Windows Group Policy applied to the Endpoint. This information is especially useful when troubleshooting Group Policy issues and essentially provides the pieces of a "Resultant Set of Policy".

Lists each applied Group Policy, the OU it is applied to, and its GUID

  • Assigned Software Installations
  • Average Network wait
  • Current AD Site
  • Current AD Domain Controller
  • Enforced Group Policies
  • Extensions with Debug/Tracing
  • Locally Group Policy Settings

Lists each applied setting registry path and its current value

Deletes and resets the Local Group Policy store

Users and Groups

Users and Groups content focuses on providing information related to the current and historical users of the endpoint.

Applications

General

CommVault

  • CommVault - Windows
  • Agent Version
  • Backup Target
  • Client Port
  • Installed Packages
  • Last Job Id
  • Last Job Time
  • Service State

Correlog

  • Correlog - Windows
  • Destination Address and Port
  • Encryption Configuration
  • Last Configuration Modification Time
  • Monitored Event Logs
  • Remote Configuration Mode
  • Service State

Dell Command | Configure

The Dell Command | Configure features of C3-Inventory allow the inventorying and control of BIOS settings on Dell systems.

Using Dell Command | Configure requires the following steps to be completed:

  1. Install Dell Command | Configure

The package for Dell Command | Configure is available in the C3-Patch site as Deployment, Updating, and Removal content.

  2. Action Invoke - Dell Command | Configure Probe - Windows as a policy action

The probe Invoke - Dell Command | Configure Probe - Windows should be actioned to run an unlimited number of times with a delay of however long you find the age of the data to be acceptable (typically once a day is fine).

Dell Command | Update

The Dell Command | Update features of C3-Inventory enable updating system drivers as well as the BIOS of a Dell system.

Using Dell Command | Update requires the following steps to be completed:

  1. Install Dell Command | Update

The package for Dell Command | Update is available in the C3-Patch site as Deployment, Updating, and Removal content.

  2. Action Invoke - Dell Command | Update Driver Probe - Windows as a policy action

The probe Invoke - Dell Command | Update Driver Probe - Windows should be actioned to run an unlimited number of times with a delay of however long you find the age of the data to be acceptable (typically once a day is fine).

Optionally, you can perform updates using Dell Command | Update:

  1. Action Invoke - Dell Command | Update Driver Update - Windows

This will cause the Dell Command | Update agent to reach out to the internet (bypassing the relay infrastructure) to download available drivers.

Internet Explorer

Java

NXLog

NXLog is the log forwarder of choice for C3 Inventory. NXLog can be configured and deployed entirely using C3.

Using NXLog requires the following steps to be completed:

  1. Install NXLog

The package for NXLog is available in the C3-Patch site as Deployment, Updating, and Removal content.

  2. Build a configuration baseline with the following Component Groups:
  3. Action your baseline as a policy action

Your baseline should be actioned to run an unlimited number of times with a delay of however long you find the age of the configuration to be acceptable (typically once a day is fine).

Microsoft IIS

Microsoft MDT

Microsoft SQL

Microsoft SCCM

BIOS

UEFI

Secure Boot

Trusted Platform Module

Hardware

Mobile Device Management

Apple Configuration Profiles

Monitoring

Service Monitoring

The Service Monitor features of C3-Inventory enable operators to monitor and remediate critical service failures on their servers and endpoints.

Using C3 Service Monitor requires the following steps to be completed:

Start Monitoring Services

In the C3 Inventory Site are a number of Fixlets for monitoring standard services. The relevance of these Fixlets makes them applicable only on devices that have these services. Simply build a baseline with all relevant "Config - Service Monitor - *" Fixlets and apply it to your endpoints.

Report on failing Services

To report on failing services you can simply make a web report which checks for results for the property "Service Monitor - Services Failing to Start - Windows" in the Service Monitor - Windows analysis. Set this report to email whenever there is a change to the report.

Remediate failing Services

You also have the option of automatically remediating failed services. You can do this using Invoke - Service Monitor Remediation - Windows. This Fixlet has the same relevance as the failing services property and will only be relevant on computers with failing services.

When this Fixlet runs it will attempt to start the service.

You should apply this as a policy action set to re-apply at whatever frequency you would like Service Monitor to attempt to start the services (typically 5-15 minutes).

Custom Service Monitoring

To designate custom services to monitor you can simply create a client setting: "besservicemonitor--".

This name should be unique for every set of services you want to monitor. The value of this new client setting should be a semi-colon separated list of services to monitor.

For instance, to monitor Microsoft EMET we could use ActionScript to create a client setting like this:

setting "besservicemonitor-microsoft-emet"="EMET_Service" on "{now}" for client

We can then use the following relevance to cause computers without this setting to become applicable:

not exists values whose (it = "EMET_Service") of settings "besservicemonitor-microsoft-emet" of client

And finally we can use the following relevance to make the fixlet only relevant on computers that have the service installed:

exists services (substrings separated by ";" of "ccmexec;ConfigMgr Wake-up Proxy")

To help simplify and automate this process we have provided a helper script, written in PowerShell, which prompts you for a friendly service group name and for the list of services and generates/imports a Fixlet.

Customizing Service Monitor

There are three ways to customize service monitor:

  1. Adjust the time threshold for Failure (besservicemonitor-setting-audit-delay)
  2. Adjust the time threshold for Remediation (besservicemonitor-setting-remediation-delay)
  3. Blacklist a service to prevent reporting and remediation (besservicemonitor-setting-blacklist)

The first two settings adjust how long after startup the Service Monitor should wait before reporting a service failure and before attempting remediation. If these settings are not set, the Service Monitor defaults to waiting for 5 minutes after system startup before reporting on service failure and before attempting remediation.

There are pre-made Fixlets in the C3 Inventory site for setting these values to 5, 10, and 15 minutes.

The final setting is a semi-colon separated list of services to ignore. This causes the service monitor to ignore the blacklisted services and not report them as failing or attempt to remediate them. This is particularly useful if you're pushing service monitor configs as global policy actions but need to exclude a specific service on just a single machine.
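The rules above, modelled as an added PowerShell example (not part of C3 Inventory or its helper script): it classifies each monitored service against the audit delay and the blacklist, so a stopped service that the blacklist hides from the failing-services report still shows up in an audit. The function name, the "besservicemonitor-microsoft-sccm" setting name, the sample data, the delay unit (minutes) and the rule that any state other than Running counts as failing are assumptions.

```powershell
# Added example: models the Service Monitor rules; all inputs are constructed.
function Get-ServiceMonitorFinding {
    param(
        [hashtable]$ClientSettings,  # client setting name -> value
        [hashtable]$ServiceStates,   # installed service name -> current state
        [int]$UptimeMinutes          # minutes since system startup
    )
    $prefix = 'besservicemonitor-'

    # Assumption: the delay value is in minutes. The page gives 5 as the default.
    $delay = 5
    $parsed = 0
    $rawDelay = [string]$ClientSettings["${prefix}setting-audit-delay"]
    if ([int]::TryParse($rawDelay, [ref]$parsed) -and $parsed -gt 0) { $delay = $parsed }

    # Semicolon-separated list -> trimmed names, dropping empty entries.
    $split = { param($v) ([string]$v) -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ } }
    $blacklist = @(& $split $ClientSettings["${prefix}setting-blacklist"])

    foreach ($name in ($ClientSettings.Keys | Sort-Object)) {
        # Skip unrelated settings and the three besservicemonitor-setting-* knobs.
        if ($name -notlike "$prefix*" -or $name -like "${prefix}setting-*") { continue }
        foreach ($svc in @(& $split $ClientSettings[$name])) {
            if (-not $ServiceStates.ContainsKey($svc)) { continue }  # service not installed
            $state = $ServiceStates[$svc]
            # Assumption: any state other than Running counts as failing.
            $result = if ($state -eq 'Running') { 'OK' }
                elseif ($blacklist -contains $svc) { 'SuppressedByBlacklist' }
                elseif ($UptimeMinutes -lt $delay) { 'WithinStartupDelay' }
                else { 'Failing' }
            [pscustomobject]@{ Setting = $name; Service = $svc; State = $state; Result = $result }
        }
    }
}

# Constructed sample endpoint, 12 minutes after startup.
$settings = @{
    'besservicemonitor-microsoft-emet'      = 'EMET_Service'
    'besservicemonitor-microsoft-sccm'      = 'ccmexec;ConfigMgr Wake-up Proxy;'  # hypothetical name
    'besservicemonitor-setting-audit-delay' = '10'
    'besservicemonitor-setting-blacklist'   = 'EMET_Service'
}
$services = @{ 'EMET_Service' = 'Stopped'; 'ccmexec' = 'Stopped' }
Get-ServiceMonitorFinding -ClientSettings $settings -ServiceStates $services -UptimeMinutes 12 |
    Format-Table -AutoSize
```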

Process Monitoring

In addition to monitoring Services, the Process Monitor features of C3-Inventory enable operators to monitor critical process failures on their servers and endpoints.

You can also monitor processes that do not correspond to a service by activating the Analysis "Process Monitor - Windows" and configuring processes to monitor using the prefix "besprocessmonitor-" instead of "besservicemonitor" to make sure that individual processes are running on the system. Process Monitor only reports on failed processes; it does not have any capability for performing automatic remediation.

To help simplify and automate this process we have provided a helper script, written in PowerShell, which prompts you for a friendly process group name and for the list of processes and generates/imports a Fixlet.

Network

Operating System

Certificate Store

The Certificate Store capabilities of C3 Inventory make auditing Certificates easier.

  • Certificates - Windows

  • My Certificates

  • My Certificates Expiring in 30 Days

  • My Certificates Expiring in 7 Days

  • My Certificates Expiring in 1 Day

  • My Expired Certificates

  • Remote Desktop Certificates

  • Trusted Code Signing Certificates

  • Trusted Intermediate Authorities

  • Trusted Publishers

  • Trusted Root Authorities

  • Trusted Root Authorities with Private Keys

  • Invoke - Certificate Store Probe - Windows

Using the C3 Certificate Store capabilities of C3 Inventory requires the following steps to be completed:

  1. Action Invoke - Certificate Store Probe - Windows as a policy action

The probe Invoke - Certificate Store Probe - Windows should be actioned to run an unlimited number of times with a delay of however long you find the age of the data to be acceptable (typically once a day is fine).

Launch Daemons/Agents

Network Shares

Pagefile

Pending Restart

Printers

Updates

Scheduled Tasks

Services

Pagefile

Volumes

Temporary Administrators

The temporary administrator features of C3-Inventory allow the provisioning and automatic removal of administrative rights for end-users using actions or offers. The feature requires the following to be successful:

Using Temporary Administrative Rights requires the following steps to be completed:

Add users to Administrators Group Temporarily

Invoke - Add Current User to Temporary Administrators - Windows can be used to grant a user temporary administrative privileges.

This Fixlet has a number of actions available that determine the expiration date and time of the user's administrative rights, anywhere from 1 hour to 5 days.

Offer Temporary Administrative Privileges

By using the Invoke - Add Current User to Temporary Administrators - Windows as an offer, you can temporarily grant users administrative rights in a self-service model.

Automatically remove expired administrative privileges

Use Invoke - Remove Expired Users from Temporary Administrators - Windows as a policy action to always remove expired users from the administrators group.

This should be actioned to run an unlimited number of times with no delay.

Authorized Requestors

Using "Authorized Requestors"

Authorized Requestors is a way to limit who can request Temporary Administrator access on an endpoint. The idea is that instead of allowing anyone to request access anywhere, you can designate "Authorized Requestors" on individual endpoints and only those users can request administrative rights on the workstation.

To do this simply use the Invoke - Add Current User to Authorized Requestors - Windows Fixlet combined with the Invoke - Add Current Authorized Requestor to Temporary Administrators - Windows as an offer! This combination allows you to selectively provide temporary administrative rights to users.

Convert "Current Administrators" to "Authorized Requestors"

Where the Authorized Requestor model becomes very powerful is when combined with Invoke - Add Permanent Administrators to Authorized Requestors - Windows and Invoke - Convert Permanent Administrators who are Authorized Requestors to Temporary Administrators - Windows.

The idea here is to convert current administrators to authorized requestors, remove their permanent administrator access and replace it with a timed temporary administrative access (up to 5 days). This allows you to convert permanent administrators to temporary administrators!

Special Use Cases

Reverting Help Desk granted Administrators

One of the most effective ways to use temporary administrator content is to just convert permanent administrators to temporary administrators using: Invoke - Convert Permanent Administrators to Temporary Administrators - Windows. This allows help desk and other staff to give out Administrative Rights and have them automatically revoked after a certain amount of time. This is particularly useful when deploying new computers.

Virtualization

Hyper-V Guest and Host

VMWare ESXi

Support

If you're having issues with the content feel free to create issues in the GitHub Repository for this site or contact me on the BigFix forum.

Contributing

Feel free to make a pull request with any changes or fixes to the content in this site.