Baseline Gold Images for Windows Approved Applications and System Files

Description

Deploy this task to trusted, hardened endpoints or gold images. It enumerates every .exe file under C:\ (hidden and system files included), records each file's full path and SHA1 or SHA256 hash with status "allow", and uploads the resulting tab-delimited list to the BigFix server through the client's Archive Manager so it can be imported into the application whitelist. Because everything found is allowed, the image must be known-clean before baselining: any unwanted executable present at that point is whitelisted too. DLLs, scripts, installers and files on other drives are not covered by this baseline.

Property Details

ID: 10553
Status: Production - Fully Tested and Ready for Production
Title: Baseline Gold Images for Windows Approved Applications and System Files
Domain: BESC
Source: RES Software
Source Release Date: 3/21/2016 12:00:00 AM
Is Task: True
Added: 3/24/2016 5:00:37 AM
Last Modified: 3/24/2016 5:00:37 AM

Relevance

isWindows (shared relevance, evaluates to true/false):
windows of operating system

Actions

Action 1 (default)

Script Type: BigFix Action Script
//SourceReleaseDate: 20160321-102103

// Run 64-bit PowerShell (no WOW64 redirection) so System32 is not redirected to SysWOW64.
action uses wow64 redirection false
// "bigfixserver" is prompted for but never referenced below: the upload goes through
// the client's Archive Manager to its configured relay chain, not to this name.
action parameter query "bigfixserver" with description "Please enter your BigFix server name (bigfix.contoso.com)"
// "algo" is pasted verbatim into the PowerShell text below before the script's own
// ValidateSet is applied, so enter only SHA1 or SHA256 and nothing else.
action parameter query "algo" with description "Please enter the hash algorithm (SHA1 or SHA256)"
// "cont" is pasted inside a double-quoted PowerShell string; do not use double quotes,
// dollar signs or backticks in the container name.
action parameter query "cont" with description "Please enter the baseline container"

delete __createfile
delete "{(value of variable "temp" of environment) & "\whitebaseline.ps1"}"
delete "{(value of variable "temp" of environment)}\{(computer name)}.txt"
// Inside createfile, curly braces are relevance substitution delimiters, so each literal
// PowerShell brace (and the literal double quotes around the container name) is written
// as a relevance string literal containing the percent-encoded character (%7b, %7d, %22).
createfile until __done
Function hashSHA {"%7b"}
Param(
[parameter(Mandatory=$True)]$file,
[parameter(Mandatory=$false)][ValidateSet("SHA1","SHA256")]$encr = "SHA256"
)
    # Create the hash object directly; ValidateSet already restricts $encr, so the
    # Invoke-Expression the original used here is unnecessary.
    $encr_alg = [Security.Cryptography.HashAlgorithm]::Create($encr)
# Files that cannot be read (locked, access denied) are skipped silently and will be
# missing from the baseline.
try{"%7b"}
$Hashstring = ([System.BitConverter]::ToString( $encr_alg.ComputeHash([System.IO.File]::ReadAllBytes($file)))) -replace ("-","")

$info = @{"%7b"}{"%7d"}
$info.Hash=$Hashstring
$info.Path=$file
$result = New-Object -TypeName PSObject -Prop $info

return $result
{"%7d"}
catch{"%7b"}{"%7d"}
{"%7d"}

cd c:\
$f = "${"%7b"}env:Temp{"%7d"}" + "\whitebaseliner.csv"

try{"%7b"}
# Every .exe under C:\ (hidden and system files included) is recorded with status "allow";
# DLLs, scripts, installers and other drives are not covered by this baseline.
Get-ChildItem -force -recurse "C:\" *.exe -erroraction silentlycontinue |
    %{"%7b"}hashSHA -encr {parameter "algo" of action} -file $_.FullName{"%7d"} |
    select-object @{"%7b"}Name="Path"; Expression={"%7b"}$_.Path{"%7d"}{"%7d"}, @{"%7b"}Name="Hash"; Expression={"%7b"}$_.Hash{"%7d"}{"%7d"}, @{"%7b"}Name="Process"; Expression={"%7b"}"*"{"%7d"}{"%7d"}, @{"%7b"}Name="Status"; Expression={"%7b"}"allow"{"%7d"}{"%7d"}, @{"%7b"}Name="Container"; Expression={"%7b"}{"%22"}{parameter "cont" of action}{"%22"}{"%7d"}{"%7d"} |
    export-csv -delimiter "`t" -path $f -NoTypeInformation
{"%7d"}
catch{"%7b"}{"%7d"}
# Export-Csv adds a header row and quotes every field; strip both so the result is a
# bare tab-delimited list in the shape the whitelist import expects.
$csv = Get-Content $f

$csv = $csv[1..($csv.count - 1)]

$csv > $f

(Get-Content $f) | % {"%7b"}$_ -replace "`"", ""{"%7d"} | out-file -FilePath $f -Force -Encoding ascii

__done
delete "{(value of variable "temp" of environment) & "\whitebaseliner.csv"}"
delete "{(value of variable "temp" of environment) & "\whitebaselinerlog.txt"}"
copy __createfile "{(value of variable "temp" of environment) & "\whitebaseline.ps1"}"
// The execution policy override applies to this process only; the script runs under the
// BigFix client service account and is deleted again at the end of the action.
waithidden powershell.exe -executionpolicy unrestricted -file "{(value of variable "temp" of environment) & "\whitebaseline.ps1"}"
move "{(value of variable "temp" of environment)}\whitebaseliner.csv" "{(value of variable "temp" of environment)}\{(computer name)}.txt"

// Upload the per-computer baseline file through the client's Archive Manager. The
// settings are stamped with the action issue date, the usual idiom for client settings.
setting "_BESClient_ArchiveManager_FileSet-authfiles"="{(value of variable "temp" of environment)}\{(computer name)}.txt" on "{parameter "action issue date" of action}" for client
setting "_BESClient_ArchiveManager_OperatingMode"="2" on "{parameter "action issue date" of action}" for client
setting "_BESClient_ArchiveManager_SendAll"="1" on "{parameter "action issue date" of action}" for client
archive now
// Clean up; the whitelist entries now live on the server, not on the endpoint.
delete "{(value of variable "temp" of environment)}\{(computer name)}.txt"
delete "{(value of variable "temp" of environment) & "\whitebaseline.ps1"}"
delete "{(value of variable "temp" of environment) & "\whitebaseliner.csv"}"
delete "{(value of variable "temp" of environment) & "\whitebaselinerlog.txt"}"
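The same baseline step as standalone PowerShell, added here as an example and not part of the RES Software task above. It keeps the five tab-delimited columns the task emits (Path, Hash, Process, Status, Container) but uses Get-FileHash (PowerShell 4.0 and later) instead of Invoke-Expression, writes the header-less, unquoted file directly instead of post-processing Export-Csv output, reports unreadable files instead of dropping them silently, and adds a drift check that compares a later scan against the saved baseline. Function names, parameter names and the paths in the usage lines are this example's own assumptions.

```powershell
# Added example, not code from the BigFix task on this page. Assumes PowerShell 4.0+
# (Get-FileHash) and a whitelist consumer that expects the task's five tab-delimited
# columns: Path, Hash, Process, Status, Container.

function Get-ExeBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        # SHA1 is accepted only because the task accepts it; use SHA256 for new baselines.
        [ValidateSet('SHA1', 'SHA256')][string]$Algorithm = 'SHA256',
        [Parameter(Mandatory = $true)][string]$Container
    )
    # -Force includes hidden and system files; -File skips directories named *.exe.
    Get-ChildItem -LiteralPath $Root -Filter '*.exe' -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            try {
                $h = Get-FileHash -LiteralPath $file -Algorithm $Algorithm -ErrorAction Stop
                [pscustomobject]@{
                    Path      = $file
                    Hash      = $h.Hash
                    Process   = '*'
                    Status    = 'allow'
                    Container = $Container
                }
            } catch {
                # Locked or unreadable files are reported rather than silently dropped,
                # so a gap in the baseline is visible to the operator.
                Write-Warning ("Skipped {0}: {1}" -f $file, $_.Exception.Message)
            }
        }
}

function Export-ExeBaseline {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)][psobject]$Entry
    )
    # Header-less, unquoted, tab-delimited ASCII: the shape the task produces after
    # stripping the Export-Csv header and quotes. Non-ASCII path characters are lost
    # here, as they are in the task's own output. Use an absolute $Path.
    begin   { $lines = New-Object 'System.Collections.Generic.List[string]' }
    process { $lines.Add((@($Entry.Path, $Entry.Hash, $Entry.Process, $Entry.Status, $Entry.Container) -join "`t")) }
    end     { [System.IO.File]::WriteAllLines($Path, $lines, [System.Text.Encoding]::ASCII) }
}

function Import-ExeBaseline {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Path -> Hash map from a baseline file written by Export-ExeBaseline or by the task.
    $map = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        if (-not $line.Trim()) { continue }
        $fields = $line -split "`t"
        if ($fields.Count -ge 2) { $map[$fields[0]] = $fields[1] }
    }
    return $map
}

function Compare-ExeBaseline {
    param(
        [Parameter(Mandatory = $true)][hashtable]$Baseline,
        [Parameter(Mandatory = $true)][string]$Root,
        [ValidateSet('SHA1', 'SHA256')][string]$Algorithm = 'SHA256'
    )
    # Re-scan and report executables that are new, modified or missing relative to the
    # gold-image baseline. A clean gold image should produce no output.
    $current = @{}
    Get-ExeBaseline -Root $Root -Algorithm $Algorithm -Container 'scan' |
        ForEach-Object { $current[$_.Path] = $_.Hash }
    foreach ($p in $current.Keys) {
        if (-not $Baseline.ContainsKey($p)) {
            [pscustomobject]@{ Path = $p; Change = 'new'; Hash = $current[$p] }
        } elseif ($Baseline[$p] -ne $current[$p]) {
            [pscustomobject]@{ Path = $p; Change = 'modified'; Hash = $current[$p] }
        }
    }
    foreach ($p in $Baseline.Keys) {
        if (-not $current.ContainsKey($p)) {
            [pscustomobject]@{ Path = $p; Change = 'missing'; Hash = $Baseline[$p] }
        }
    }
}

# Usage (paths and container name are illustrative):
# $out = Join-Path $env:TEMP "$env:COMPUTERNAME.txt"
# Get-ExeBaseline -Root 'C:\' -Algorithm SHA256 -Container 'GoldImage' | Export-ExeBaseline -Path $out
# Compare-ExeBaseline -Baseline (Import-ExeBaseline -Path $out) -Root 'C:\' | Format-Table
```

Run the baseline on the gold image and keep the output file; Compare-ExeBaseline on a deployed system then lists executables that were added, changed or removed since the image was taken, which is the check to run before trusting a re-baseline of a machine that has been in service.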
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false. Note that the relevance above (windows of operating system) stays true after the script has run, so with this criterion the action is reported as failed on every Windows endpoint even when the baseline file was uploaded. When importing the task, consider changing the success criterion to "all lines of the action script have completed successfully", and confirm the upload by checking for the <computer name>.txt file on the server side rather than relying on the action status.

