Frequently asked questions

Learn from these questions and answers that are designed to help you better understand BigFix Patch for Debian.

Which versions of BigFix are the Debian Fixlet content for?

The current Fixlet content is only for BigFix version 9.2.

Where can I search and download the packages?

The current version of packages can be found and downloaded from the Debian website at https://www.debian.org/security/, while previous versions can be found in the Debian snapshot (http://snapshot.debian.org). You can also search packages at https://www.debian.org/distrib/packages.

Are there other Debian resources I should be aware of?

Here are a few helpful resources:

• Debian website: https://www.debian.org/security/
• Mail list: https://lists.debian.org/debian-security-announce/
• Debian snapshot: http://snapshot.debian.org/
• Search package: https://www.debian.org/distrib/packages
• Debian security repository host: http://security.debian.org
• Security Bug Tracker: https://security-tracker.debian.org/tracker/

If a patch fails to install, what should I do?

Ensure that you applied the patch to the correct computers. Also, check the following logs:

• /var/opt/BESClient/__BESData/__Global/Logs/<YYYYMMDD>.log
• /var/opt/BESClient/EDRDeployData/EDR_DeploymentResults.txt

For debugging purposes, you can add an extra -n to the last line of the action script after wait /bin/bash "{parameter "cwd"}/InstallPackages.sh".

The -n flag disables the cleanup of following files:

• /var/opt/BESClient/EDRDeployData/EDR_RepoData.txt
• /var/opt/BESClient/EDRDeployData/EDR_PackageList.txt
• /var/opt/BESClient/EDRDeployData/EDR_ResolverOutput.log
• /var/opt/BESClient/EDRDeployData/EDR_ResolverError.log
• /var/opt/BESClient/__BESData/Patches for Debian 7/apt

These extra files provide the context information of the patching and can help in investigating the failure.

What are superseded patches?

Superseded Fixlets are Fixlets that contain outdated packages. If a Fixlet is superseded, then a newer Fixlet exists with newer versions of the packages. The newer Fixlet ID can be found in the description of the superseded Fixlet.

How do I find out if the Debian package is upgradeable?

You must first install the apt-show-versions, which is a rpm package to find out if any Debian packages are upgradeable.

1. To install apt-show-versions, enter apt-get install apt-show-versions.
2. To get a list of only the upgradeable packages, enter apt-show-versions -u | less. You can also use grep as follows: apt-show-versions -u | grep "apache"

How do I upgrade specific packages?

You should specify the package name. For example, if you want to upgrade apache-perl package, type the following command: apt-get install apache-perl. This command is useful if you just want to upgrade a single package and not the entire system.

The client logs contains a prefetch plug-in error that prevents the Fixlet from completing successfully. What is causing the error? What should I do?

The ActionScript that was running on the endpoint might have been blacklisted, causing the prefetch plug-in issue.

To resolve this issue, restart the BigFix client to clear the blacklist. To prevent the script from being blacklisted, set the _BESClient_ActionManager_PrefetchPlugInTimeoutSeconds client configuration setting with sufficient time for the patch to install and resolve dependencies. This client setting indicates how long the client should wait before blacklisting the script. You can use the Change Timeout for Prefetch Plugins task, available from the Patching Support site, to set the setting to 30 minutes (1800 seconds).

The _BESClient_ActionManager_PrefetchPlugInTimeoutSeconds setting varies based on the endpoint and the Fixlet being installed. To get the desired value, take the slowest endpoint and increase the setting to a high number, such as 3,000 seconds, then run a large Fixlet and see how long it takes. You can then take that number and multiple it by two. Alternatively, set the client setting to 600 seconds and adjust it accordingly if the suggested value does not work for you.