We have a list of 100+ KB articles from the patching team and they want us to create a baseline using those KBs. Now we have to search in the search bar to find each Fixlet and add it to the baseline; this would be a time-consuming and manual task.
Any suggestions to quickly close this task without so much manual effort?
There are a couple of potential approaches to do this with baselines, but to avoid a lot of on-going effort here, I’d suggest working with the Patching Team to understand the logic/criteria they used to generate the list in the first place (there likely is one, and if not, you can likely jointly come up with good criteria to use moving forward). These criteria can then be used to create Patch Policies which will automatically handle the selection of patches/KB articles on an on-going basis (not just once).
Thanks for your reply. There are no specific criteria such as category or severity for patch selection; the Patch team got the patch details from the security team according to their own policy. That is why I am worried: today it is around 100 fixlets, but tomorrow they may come up with 500+ fixlets.
If you can suggest any solution for this, it would be a great help from your end.
If you have access to the BigFix IVR content site, you could use the Create Baseline from Fixlet List Dashboard to achieve this. You will need to know the Site Name of each Fixlet to use it.
If their criteria are coming from some specific CVE scan, you might use the ‘CVE Search’ Dashboard in the CyberFocus site to build a baseline from the same CVEs.
If they are performing a network scan and just sending you every vulnerability they find, then perhaps you could build your baselines from ‘every patch thing that is relevant’, or configure Patch Policies independently of their scan, and have them rescan to find any discrepancies after you deploy your patches.
I’m just not understanding the use-case where you would not be using the patch detection we already provide to determine which patches to deploy.
I could go into detail about how we deal with these challenges but I am not sure how much it would help in your situation.
We are multi-tenant. We also do not use patch policies, mostly because of the way we deal with baselines, such as patch exceptions (i.e. patch the OS but don’t patch SQL). We deploy in phases. Each phase has a slew of baselines assigned to it. We do our best to keep the number of components below 150 for each baseline, and some of our baselines only have a few components.
Also, we only deploy patches that have a Category of “Security Update” for Windows and “Security” for Linux and other OSes, and a source severity of anything but empty or unspecified.
Now to get to your challenge, we use filters. For example…
I even have a filter for a “list” of KBs, because occasionally someone will send me a list and ask for a baseline.
The trick about using filters is that you have to find what is common between the fixlets and use that to your advantage. If you get more than you wanted, use a filter to remove it, like above where I used “Name does not contain superseded”.
Don’t forget to pay attention to the “ANY” or “ALL” property criteria.
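As an added illustration (not the poster's own filter and not BigFix's API), the selection logic described in this reply applied in Python to a constructed KB list and constructed fixlet metadata, such as could be exported from the console; the fixlet IDs, names, categories and severities below are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample data: a KB list "from the patching team" and a few fixlet
# records of the shape one might export from the console. Not real fixlets.
KB_LIST = ["KB5034441", "KB5034765", "KB5034122"]

@dataclass(frozen=True)
class Fixlet:
    fixlet_id: int
    site: str
    name: str
    category: str
    source_severity: str

FIXLETS = [
    Fixlet(1001, "Patches for Windows", "Cumulative Update - Windows 11 - KB5034765", "Security Update", "Critical"),
    Fixlet(1002, "Patches for Windows", "Cumulative Update - Windows 10 - KB5034122 (Superseded)", "Security Update", "Critical"),
    Fixlet(1003, "Patches for Windows", "Security Update - Windows 11 - KB5034441", "Security Update", "Important"),
    Fixlet(1004, "Patches for Windows", "Update for Windows 11 - KB5034441 - Preview", "Update", "Unspecified"),
    Fixlet(1005, "Patches for Windows", "Servicing Stack Update - KB5034765", "Security Update", ""),
    Fixlet(1006, "Patches for Windows", "Cumulative Update - Windows 11 - KB5034999", "Security Update", "Critical"),
]

KB_RE = re.compile(r"\bKB\d{6,7}\b", re.IGNORECASE)
SECURITY_CATEGORIES = {"security update", "security"}

def select_fixlets(fixlets, kb_list):
    """Apply the post's filter logic: KB in the list, security category,
    a real source severity, and nothing marked superseded."""
    wanted = {kb.upper() for kb in kb_list}
    chosen = []
    for f in fixlets:
        kbs = {m.upper() for m in KB_RE.findall(f.name)}
        if not kbs & wanted:
            continue  # "Name contains <KB>" for some KB in the list (ANY, not ALL)
        if "superseded" in f.name.lower():
            continue  # "Name does not contain superseded"
        if f.category.lower() not in SECURITY_CATEGORIES:
            continue  # Category is "Security Update" (Windows) or "Security" (others)
        if f.source_severity.strip().lower() in ("", "unspecified"):
            continue  # Source severity anything but empty or unspecified
        chosen.append(f)
    return chosen

def chunk_baselines(fixlets, max_components=150):
    """Split the selection into baselines of at most max_components each."""
    return [fixlets[i:i + max_components] for i in range(0, len(fixlets), max_components)]

def missing_kbs(selected, kb_list):
    """KBs from the team's list with no selected fixlet, to report back to them."""
    found = {m.upper() for f in selected for m in KB_RE.findall(f.name)}
    return sorted(kb.upper() for kb in kb_list if kb.upper() not in found)
```

The missing list is the useful by-product: a KB that drops out here is either not covered by a current fixlet or covered only by superseded or non-security content, which is the conversation to have with the team that sent the list.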