Cb Response - Identify endpoints with sensor not running

Description

This Fixlet will become relevant on endpoints where the Cb Response Sensor is installed, but not currently running.  Use it within a policy action to ensure the Sensor stays running.

Property Details

ID: 21664
Status: Production - Fully Tested and Ready for Production
Title: Cb Response - Identify endpoints with sensor not running
Category: Application Maintenance
Source: Carbon Black
Source Severity: Critical
Source Release Date: 1/21/2016 12:00:00 AM
Keywords: IBM BigFix & Carbon Black Integration Content
Added by on 9/16/2016 11:50:40 AM
Last Modified by on 9/16/2016 11:56:39 AM
Counters 3726 Views / 129 Downloads

Relevance

Used in 73 fixlets and 6 analyses   * Results in a true/false
version of client >= "9.0"
Used in 1 fixlet   * Results in a true/false
if (windows of operating system) then (exists keys whose (value "DisplayName" of it = "Carbon Black Sensor") of key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of registry) else (exists package "cbsensor" of rpm)
Used in 1 fixlet   * Results in a true/false
if (windows of operating system) then (state of service whose (display name of it = "Carbon Black Sensor") = "Stopped") else (not exists process "cbdaemon")
Used in 4 fixlets and 1 analysis   * Results in a true/false
(windows of operating system) OR (exists match (regex "Linux CentOS (6|7)") of name of operating system) OR ((name of operating system starts with "Linux Red Hat") AND (exists file "/etc/redhat-release" whose (exists line whose (exists match (regex "Red Hat Enterprise Linux (Client|Server|Workstation) release (6|7)") of it) of it) AND NOT exists file "/etc/vmware-release" whose (exists line whose (it contains "VMware ESX") of it) AND NOT exists file "/etc/enterprise-release" whose (exists line whose (it contains "Enterprise Linux Enterprise Linux") of it)))

Actions

Action 1 (default)

Script Type: BigFix Action Script
if {windows of operating system}
    parameter "ServiceName" = "carbonblack"

    delete __appendfile
    delete netquiet.bat

    appendfile @ECHO OFF
    appendfile start "" /min /b net %1 %2 /y > NUL 2> NUL
    move __appendfile netquiet.bat

    waithidden "{pathname of client folder of site "BESSupport" & "\RunQuiet.exe"}" netquiet.bat start "{parameter "ServiceName" of action}"

    delete netquiet.bat
elseif {(exists match (regex "Linux CentOS (6|7)") of name of operating system) OR ((name of operating system starts with "Linux Red Hat") AND (exists file "/etc/redhat-release" whose (exists line whose (exists match (regex "Red Hat Enterprise Linux (Client|Server|Workstation) release (6|7)") of it) of it) AND NOT exists file "/etc/vmware-release" whose (exists line whose (it contains "VMware ESX") of it) AND NOT exists file "/etc/enterprise-release" whose (exists line whose (it contains "Enterprise Linux Enterprise Linux") of it)))}
    wait sh /etc/init.d/cbdaemon start
else
endif

Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.
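
The Linux conditions in the relevance above can be spot-checked by hand on a single host. The script below is an added example, not part of the Fixlet or of Carbon Black's content. Assumptions: the function names are hypothetical, rpm and pgrep are available, only the Red Hat release-line test is covered (not the CentOS, VMware ESX or Oracle checks), and the version alternation is grouped as (6|7) so that a line merely containing a 7 does not match.

```sh
#!/bin/sh
# Added example: manual spot-check of the Fixlet's Linux conditions.
# Function names are hypothetical; assumes rpm and pgrep exist on the host.

# Succeeds when a /etc/redhat-release line names RHEL 6 or 7.
# (6|7) is grouped so the alternation applies to the version digit only.
is_supported_rhel() {
    printf '%s\n' "$1" | grep -Eq \
        'Red Hat Enterprise Linux (Client|Server|Workstation) release (6|7)'
}

# Map two facts (package installed, daemon running; 1 = yes) to a state.
classify() {
    installed=$1
    running=$2
    if [ "$installed" -ne 1 ]; then
        echo "not-installed"
    elif [ "$running" -eq 1 ]; then
        echo "running"
    else
        echo "installed-not-running"   # the state the Fixlet targets
    fi
}

# Same facts the relevance reads: rpm package "cbsensor", process "cbdaemon".
sensor_installed() { rpm -q cbsensor >/dev/null 2>&1; }
sensor_running()   { pgrep -x cbdaemon >/dev/null 2>&1; }

check_host() {
    i=0; r=0
    if sensor_installed; then i=1; fi
    if sensor_running; then r=1; fi
    classify "$i" "$r"
}

# Constructed sample release lines, not captured from real hosts.
for line in \
    "Red Hat Enterprise Linux Server release 6.8 (Santiago)" \
    "Red Hat Enterprise Linux Server release 5.7 (Tikanga)"; do
    if is_supported_rhel "$line"; then verdict="supported"; else verdict="unsupported"; fi
    echo "$verdict: $line"
done

state=$(check_host)
echo "this host: $state"
# The Fixlet's Linux action for this state is: sh /etc/init.d/cbdaemon start
[ "$state" != "installed-not-running" ] || echo "sensor installed but stopped"
```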

