Introducing Baselines
Baselines are collections of Fixlet messages and Tasks. They provide a powerful way to deploy a group of Actions across an entire network with a single command.
Baselines provide a way to maintain a common operating environment, making sure that all users in any given domain have the same software, patches and drivers. Baselines are easy to set up, simply by selecting the Fixlet messages, Tasks and other Baselines that you wish to be a part of the group. To limit the scope of a Baseline, a Relevance expression can be used to target any subset of your network, using IP addresses, computer names, operating systems and many other qualifiers.
For instance, you might make a Baseline named “All critical hotfixes,” and populate it with all the current critical hotfixes available in the Fixlet list. Or you might create one named “Finance department baseline,” designed to keep that particular group of computers updated with the latest financial programs, financial tables, updates and patches.
Creating Baselines
Baselines allow you to gather multiple Fixlets and Tasks into groups that can be applied at once to any set of target computers. The name Baseline was chosen to suggest a minimal set of conditions that could be applied across your network to ensure compliance with corporate guidelines. To create your own custom Baseline from scratch, follow these steps:
- In a Fixlet or Task list, highlight one or more items and select Add To New Baseline from the context menu. You can also select Create New Baseline from the Tools menu.
This brings up a dialog with four tabs. At the top of the dialog, you can specify the name of your Baseline and the site that will host the Baseline. Click through each of the tabs below to define your Baseline:
- Description: This dialog lets you describe your Baseline in an HTML format. Enter the text description of your Baseline, using the text modification bar at the top to adjust font, size, etc. In the Action box, enter the prompt you want to accompany your action.
- Components: This tab lets you add components to a Baseline. To add a new component, click the add components to group link. From the resulting dialog, you can select new Fixlet messages, Tasks and other Baselines to add to your new Baseline group.
Components can also be added to a Baseline after it has been created, either by editing the Baseline or by browsing Fixlets and Tasks, right-clicking an item and selecting Add To Existing Baseline.
Default action settings can also be set on this tab. To set default action settings you will need to check the box for “Use custom action settings for this baseline”. Then click on the “set action settings” link to open the Action Settings window.
- Relevance: Enter your relevance statement here. This allows you to constrain the application of your new Baseline to specific subsets of computers. The default here is TRUE, which lets the individual Fixlets and Tasks determine the targeting of the Baseline. For more information on the relevance language, refer to the IEM Inspector Libraries. An example of using relevance to target to a specific group of computers is shown below.
- Properties: Enter the basic descriptive properties of your Baseline, including Category, Download Size, Source, Source ID, Source Release Date, Source Severity and CVE/SANS ID, if any. These properties become sortable fields in Baseline listings and Web Reports.
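As an added illustration of the Relevance tab described above (not an example from the original page), the following expression restricts a Baseline to Windows computers that either have a name beginning with fin- or hold an address in 10.20.30.x. The name prefix and subnet are constructed sample values; leaving the default TRUE instead hands all targeting to the component Fixlets and Tasks.

```relevance
(name of operating system as lowercase starts with "win")
and (
  (computer name as lowercase starts with "fin-")
  or (exists addresses whose (it as string starts with "10.20.30.") of adapters of network)
)
```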
When you’re satisfied with your Baseline definitions, click OK. Your Baseline will be sent to all the IEM Clients, which will evaluate it for relevance and report back their status. You will now be able to take action using this Baseline – see Actions.
Viewing Baselines
Baselines allow you to collect Fixlet messages and Tasks into a group for simple, one-click deployment. To display an existing Baseline:
- Double-click an entry in any Baseline list.
- The body of the Baseline will show up in the lower display region. Each Baseline, when selected, gets a window of its own. These windows can be managed by selecting items from the Window menu.
- The Baseline display region has several tabs:
- Description: This is typically an HTML page providing a descriptive explanation of the problem and an action to fix it.
- Details: This tab lists the Baseline Properties, a section detailing the code behind the Relevance expressions and the Baseline actions, along with other Baseline properties. Scroll to the bottom to enter a comment as a note for yourself or other IEM Console operators.
- Components: This tab lists the components, namely the Fixlet messages, Tasks and other Baselines that are grouped into this Baseline. Baselines make a copy of the components, so it is possible for one of these copies to get out of sync with the underlying Fixlet or Task that spawned it. If this happens a message will appear saying that the source differs from the copy and allowing you to synchronize with the current source.
- Applicable Computers: This is a filter/list of all the computers targeted by the selected Baseline. You can filter the list by selecting items from the folders on the left, and sort the list by clicking on the column headers.
- Component Applicability: This is a filter/list of the various components of the Baseline. It displays the number of computers where the Baseline is currently applicable and, after a slash, the number where it is not. Double-click on an item in the list to bring it up for inspection.
- Action History: This is a filter/list of any Actions that have been deployed from this Baseline. If the Baseline is new, there won’t be any Actions in the list. Like the other filter/lists in the IEM Console, you can filter the actions using the left panel, and sort them by clicking the column headers.
Monitoring Baselines
When Baselines become relevant somewhere on your network, IEM will add them to the list of Baselines to be displayed under the Baselines tab in the IEM Console main window. As with all the filter/lists in the IEM Console, you can filter this list using the panel of folders on the left. Each folder contains data groupings that you can use to narrow down the list of Baselines on the right. Then, in the listing area itself, you can sort the Baselines by clicking a column heading:
- Name: The name assigned to the Baseline by the author.
- ID: A numerical ID assigned to the Baseline by the author.
- Site: The name of the site that is generating the relevant Baseline.
- Applicable Computer Count: The number of IEM Clients in the network currently targeted by the Baseline.
- Open Action Count: The number of actions open for the given Baseline.
For example, you might filter the list by opening the By Site folder (under All Applicable Baselines) and selecting a specific site to narrow the list. If you don’t see one of the columns listed above, right-click in the Baseline header and select it from the pop-up menu.
Commenting on Baselines
You can attach a comment to a Baseline that other operators can read.
- Select the Baselines tab and choose one of the categories and folders from the left panel to narrow down your list.
- Select a Baseline from the list on the right by double-clicking it.
- From the document panel below, select the Details tab and scroll to the bottom of the page.
- Type your comment into the text box and click the Add Comment button.
Your comment will be name- and time-stamped so that other operators can view it. As well as Baselines, you can attach comments to Fixlets, Actions, Computers and Analyses.
Creating Custom Copies
To clone off a Baseline and customize it, first select the Baseline in any list, then:
- Select Edit > Create Custom Baseline Copy (or right-click on the Baseline and select Create Custom Copy from the pop-up menu).
- This brings up a dialog with four tabs. At the top of the dialog, you can specify the name of your custom Baseline and the site that will host the Baseline. Click through each of the tabs below to define your Baseline:
- Description: This dialog lets you describe your custom Baseline as an HTML page. Edit the text, using the text modification bar at the top.
- Components: You can add or customize the components of a Baseline. To add a new component, click the add components to group link. From the resulting dialog, you can select new Fixlet messages, Tasks and other Baselines to add to the existing Baseline group.
- Relevance: Enter your relevance statement here, or modify the existing relevance statement. This allows you to further constrain your Baseline to specific computers. By default, this Relevance statement is simply TRUE, which leaves the job of targeting to the individual Fixlets and Tasks that make up the Baseline. For more information on the relevance language, refer to the IEM Inspector Libraries.
- Properties: Customize the properties of your Baseline, or accept the original properties. Since you have customized the Baseline, you should update the source fields to reflect the new authorship. There are fields here to specify the category, download size, source info and the CVE/SANS ID codes.
When you’re satisfied with your Baseline modifications, click OK. Once you click OK, your Baseline will be sent to all networked IEM Clients, which will evaluate it for relevance and report back their status. You will now be able to take action using this Baseline – see Actions.
Hiding Baselines
You can hide a Baseline with the following procedure:
- From any Baseline list, select the Baseline you want to hide.
- Right-click on the Baseline and select Globally or Locally Hide Baseline from the pop-up menu (or from the Edit menu).
The selected Baseline(s) will no longer be displayed in the Baseline list. If you elected to hide the Baseline locally, it will still be visible to other Console users.
Items that are hidden are still available and you can restore or unhide them at any time. Here’s how:
- Click on the Baselines tab, then select Locally or Globally Hidden Baselines from the left filter panel.
- Right-click on the Baseline you wish to restore and select the appropriate action from the pop-up menu. You can unhide or toggle the hiding scope between global and local.
Generally speaking, it isn’t necessary to hide Baselines, as you can simply ignore them. The main reason for hiding a Baseline is if you feel that the message isn’t relevant to your network and could never be useful and you want to avoid viewing the Baseline every time you launch the IEM Console.
Taking Actions on Baselines
Select the desired Baseline and select Take Action.
See IEM Actions for additional information on Actions.