Automatic Baseline Creation

(imported topic written by rkneal91)

I am new to BigFix and digging into the fixlets. We are in need of creating an automated process that picks needed patches, and then creates a baseline that can be put in BigFix.

I created a baseline in BigFix Console and exported it, and the BES file looks to be the contents of the fixlet relevance details that I can see in the console, etc. My big question is: are the patches that I select (example MS-11…) available in the database, or do I have to find them with SHA1 on disk?

I know there is an import/export tool and the BigFix SOAP API. What I was thinking is somehow we could do this:

  1. We get a list of approved patches we want to push out

  2. From this list of approved patches we go to SQL database or download directory and somehow grab the fixlet so we can create our own baseline.BES file (same one that we can export after building in console).

  3. We use import/export tool to import the new baseline.BES

Then all the user has to do is go into the console, select a baseline, and take an action on it to a computer. (Ideally, we would like to take it one step further and automate the action of patching, so we can have an external application that can select a baseline and group and press one button to patch; we would then query for results to ensure it all went OK or needs a reboot to finish.)

I might not be in the correct part of the forum for this question, but thought I would start here.

(imported comment written by Lee Wei)

rkneal,

This will be more involved than what you might be thinking of.

The reason it gets complicated is because we need to use different technologies to string this together.

This is the way I can think of to make this work.

  1. You need to identify the Fixlets of interest. From an external program, the best way is to use the SOAP API and send it Session Relevance statements. What we need is a list of Fixlet IDs given some other identifying criteria you have, such as the Microsoft bulletin numbers, e.g. MS11-014.

There are 2 technologies involved here: a scripting/programming environment such as Perl or .NET, and the Session Relevance language.

  2. The BigFix Platform API (http://support.bigfix.com/bes/misc/platformapi.html), which is Microsoft COM based, can generate importable XML if you know the Fixlet ID. Look at the class BESAPI.FixletMessage and method Load().

  3. If you want to combine these Fixlets into a baseline, you have to pull them together into a valid baseline XML.

  4. Use the Platform API again to import the baseline XML into BigFix. The class you will use is BESAPI.XMLImporter.

Lee Wei

(imported comment written by rkneal91)

Thanks Lee.

Question: is the Fixlet ID somewhere in the SQL database, or do I have to find it in the download directories?

We will have a list of Microsoft Bulletin numbers (MS11-014); can the Fixlet ID be returned using this by querying the database or disk using SOAP or the BigFix Platform API? It sounds like that is the key; if we can get that, then it sounds like the BigFix Platform API can get the importable XML using FixletMessage and the Load method.

Thanks so much, this points us into the right direction.

(imported comment written by Lee Wei)

Here is the knowledge base article pointing to the database schema reference:

http://support.bigfix.com/cgi-bin/kbdirect.pl?id=161

The SQL will look something like:

select Sitename, ID, Name from BES_FIXLETS
where Sitename = 'Enterprise Security'
and Name like 'MS11-001%'

Session Relevance example:

(name of site of it, id of it, name of it)
of bes fixlets
whose (name of site of it = "Enterprise Security" and name of it starts with "MS11-001")
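
The lookup step from the SQL above, as an added example that is not part of the original post and is not BigFix code: each bulletin number from the approved list is validated and then bound as a query parameter. An in-memory SQLite table with constructed rows stands in for BES_FIXLETS, the bulletin format is assumed from the MS11-014 example, and `sample_db`, `find_fixlets` and `missing` are hypothetical names.

```python
import re
import sqlite3

# Assumed bulletin format, based on the thread's MS11-014 example.
BULLETIN_RE = re.compile(r"MS\d{2}-\d{3}")

def sample_db():
    """Constructed stand-in for the BES_FIXLETS view (columns from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table BES_FIXLETS (Sitename text, ID integer, Name text)")
    conn.executemany("insert into BES_FIXLETS values (?, ?, ?)", [
        ("Enterprise Security", 101, "MS11-001: constructed title A"),
        ("Enterprise Security", 102, "MS11-001: constructed title B"),
        ("Enterprise Security", 140, "MS11-014: constructed title C"),
        ("Other Site", 900, "MS11-001: constructed title D"),
    ])
    return conn

def find_fixlets(conn, site, bulletins):
    """Return {bulletin: [(ID, Name), ...]} for one site."""
    found = {}
    for raw in bulletins:
        bulletin = raw.strip().upper()
        # Reject anything that is not exactly a bulletin number, so a list
        # entry such as "MS11-0%" cannot widen the LIKE pattern.
        if not BULLETIN_RE.fullmatch(bulletin):
            raise ValueError(f"not a bulletin number: {raw!r}")
        # Values are bound as parameters, never pasted into the SQL text.
        found[bulletin] = conn.execute(
            "select ID, Name from BES_FIXLETS "
            "where Sitename = ? and Name like ? order by ID",
            (site, bulletin + "%"),
        ).fetchall()
    return found

def missing(found):
    """Approved bulletins with no Fixlet; these must not be dropped silently."""
    return sorted(b for b, rows in found.items() if not rows)

if __name__ == "__main__":
    result = find_fixlets(sample_db(), "Enterprise Security",
                          ["MS11-001", "ms11-014", "MS11-999"])
    for bulletin, rows in result.items():
        print(bulletin, [fixlet_id for fixlet_id, _ in rows])
    print("no Fixlet found for:", missing(result))
```

Against a real database the placeholder syntax depends on the driver in use; the `?` style shown here is SQLite's.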

(imported comment written by rkneal91)

That is great, thanks so much; going to try this over the next week. While on the subject, can the BigFix Platform API do about every action that the Console can manually? Meaning, would it be feasible, if we can get to this point, that we might be able to run the baseline against a group of computers? How would the API handle prompting for the master password?

Thanks again.

(imported comment written by Lee Wei)

The Platform API will not perform all the actions that you can do from the Console.

However, the common ones such as those you have asked are positive.

That is, you can create baselines and generate an action to target a set of computers.

When you look at the API doc, you will see that there is a Class you use (BESAPI.SigningKeys) to specify the location of the digital certificates, as well as the username/password required.

(imported comment written by rkneal91)

Excellent, this gets us everything I think we need to know. Appreciate the help, Lee.

bob