I am new to bigfix and digging into the fixlets. We are in need of creating an automated process that picks needed patches, and then creates a baseline that can be put in bigfix.
I created a baseline in BigFix Console and exported it, and the BES file looks to be the contents of the fixlet relevance details that can see in console, etc, etc. My big question is are the patches that select (example MS-11…) available in the database or do have to find them with SHA1 on disk?
i know there is an import/export tool and the BigFix SOAP API. What i was thinking is somehow we could do this
We get a list of approved patches we want to push out
From this list of approved patches we go to SQL database or download directory and somehow grab the fixlet so we can create our own baseline.BES file (same one that we can export after building in console).
We use import/export tool to import the new baseline.BES
then all the user has to do is go into the console, select a baseline, and take an action on it to computer. (Ideally, we would like to take it one step further, and automate the action of patching with automation, so we can have an external application that can select baseline, and group and press one button to patch, we would then query for results to insure it all went ok or needs a reboot to finish).
I might not be in the correct part of forum for this question, but thought i would start here.
This will be more involved than what you might be thinking of.
The reason is gets complicated is because we need to use different technologies to string this together.
This is the way I can think of to make this work.
You need to identify the Fixlets of interest. From an external program, the best way is to use the SOAP AP and sending it Sessions Relevance statements. What we need is a list of Fixlet IDs given some other identifying criteria you have, such as the Microsoft bulletin numbers, e.g. MS11-014.
There are 2 technologies involved here, a scripting/programming environment such as Perl, .NET and the Sessions Relevance language.
The BigFix Platform API (http://support.bigfix.com/bes/misc/platformapi.html) which is Microsoft COM based, can generate importable XML if you know the Fixlet ID. Look at the class BESAPI.FixletMessage and method Load().
If you want to combine these Fixlets into a baseline, you have to pull them together into a valid baseline XML.
Use the Platform API again to import the baseline XML into BigFix. The class you will use is BESAPI.XMLImporter.
question, is the Fixlet ID somewhere in the SQL Database or do have to find it in download directories.
We will have a list of Microsoft Bulletin numbers (MS11-014), can the fixlet ID be returned using this by querying the database, disk using SOAP or BigFix Platform API. It sounds like that is the key, if can get that then sounds like the BigFix Platform API can get the importable XML using the FixletMessage and load method.
Thanks so much, this points us into the right direction.
that is great, thanks so much going to try this over next week. while on subject, can the BigFix Platform API do about every action that the Console can manually? Meaning would it be feasible if we can get to this point, that we might be able to run the baseline against a group of computers? How would the API handle prompting for the master password?
The Platform API will not perform all the actions that you can do from the Console.
However, the common ones such as those you have asked are positive.
That is you can create baselines and generate an action to target a set of computers.
When you look at the API doc, you will see that there is a Class you use (BESAPI.SigningKeys) to specify the location of the digital certificates, as well as the username/password required.