How to include a custom RSS feed with CVE severity information into BigFix's patch management?

There’s a site called “S-CERT” which provides evaluated security reports, especially for the “Sparkasse” (a German bank). Those reports can be retrieved as email or RSS feed, and contain the following information (excerpt):

  • CVE number
  • Security rating (like probability of attack, potential damage when exploited etc.)
  • Description
  • Link to patches (if available)

Is it possible to include this RSS feed into BigFix and somehow automatically link those reports with the existing patch information BigFix has already gathered from, e.g., Red Hat, so the client can use BigFix features like “Take Action” on high-severity issues to patch relevant systems based on the RSS feed?

And if so, how easy/complicated would it be to include the RSS feed?

Any help would be appreciated, thanks a lot in advance!

Btw: the S-CERT support never heard of BigFix, so they weren’t that much of a help :confused:

It would be entirely possible to do something like this, but I’m not sure there would be enough demand for it for us to include that in the product. You might get in touch with @aram to talk about adding features on the roadmap, or if you like I can help you get in touch with our Professional Services organization to build a custom solution for you.

There are a few approaches one could take on this. A fully-automated solution is actually the simplest - a script could easily retrieve the RSS feed, and then leverage our REST API to correlate the CVEs to Fixlets, and either create Baselines or send Actions based on those Fixlets. Scheduling actions, automatic reboots, targeting computer groups, etc. would be very much customer-specific though, making it a bit complex to generalize to something that works for everyone.

If you want to add user interactivity, the same could certainly be done in a Console Dashboard - either reading the RSS feed directly, or having a script that retrieves the RSS on a schedule and writes the resulting CVE list to a data file on your server as a Site File, and then the Dashboard could use that in selecting Fixlets for Baseline/Action/Reporting.

For WebUI integration, we did very recently publish a WebUI SDK that could help with writing a custom WebUI application to do the same.
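The fully automated route sketched above (fetch the feed, correlate CVE IDs with Fixlets, then act on them), as an added illustration that is not code from BigFix, S-CERT, or anyone in this thread. It assumes an RSS 2.0 feed whose item descriptions name CVE IDs and carry a “Rating: <level>” phrase (the real S-CERT wording may differ), that the Fixlet list has been fetched beforehand through the REST API (the script only builds that query URL; the `cve id list` session-relevance property should be checked in the Session Inspector for your version), and that the action body follows the documented `SourcedFixletAction` shape (verify against your server's BES.xsd before posting it). The sample feed and Fixlet records are constructed placeholders, not real advisories. Two points worth keeping from this skeleton: CVE matching is done on whole tokens so that `CVE-9999-0001` does not match `CVE-9999-00010`, and items with an unknown rating or no CVE are never auto-deployed.

```python
"""Correlate CVE IDs from an S-CERT-style RSS feed with BigFix Fixlets.

Added example for this thread, not BigFix or S-CERT code.
Assumptions (verify before use): feed is RSS 2.0 with CVE IDs and a
"Rating: <level>" phrase in <description>; Fixlets were fetched earlier via
/api/query (constructed here); action XML follows the documented
SourcedFixletAction shape.
"""
import re
import urllib.parse
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")      # whole-token match, no substrings
RATING_RE = re.compile(r"Rating:\s*([A-Za-z]+)")    # assumed feed wording
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample feed. CVE-9999-* are placeholders, not real advisories.
SAMPLE_RSS = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>sample</title>
<item><title>Kernel update</title><link>https://example.invalid/a</link>
<description>Affects CVE-9999-0001 and CVE-9999-0002. Rating: high</description></item>
<item><title>Minor library fix</title><link>https://example.invalid/b</link>
<description>Affects CVE-9999-0003. Rating: low</description></item>
<item><title>No CVE yet</title><link>https://example.invalid/c</link>
<description>Under investigation. Rating: critical</description></item>
</channel></rss>"""

# Constructed stand-in for what fixlet_query_url() would return from the server.
SAMPLE_FIXLETS = [
    {"site": "Patches for RHEL 8", "id": 101, "name": "placeholder 1", "cves": {"CVE-9999-0001"}},
    {"site": "Patches for RHEL 8", "id": 102, "name": "placeholder 2", "cves": {"CVE-9999-0002", "CVE-9999-0042"}},
    {"site": "Patches for RHEL 8", "id": 103, "name": "placeholder 3", "cves": {"CVE-9999-0003"}},
    {"site": "Patches for RHEL 8", "id": 104, "name": "unrelated", "cves": {"CVE-9999-0042"}},
]


def parse_feed(rss_text):
    """Return [(title, link, severity, {cve, ...})] for items that name a CVE."""
    root = ET.fromstring(rss_text)  # feed is untrusted input; consider defusedxml in production
    out = []
    for item in root.iter("item"):
        desc = item.findtext("description", "")
        cves = set(CVE_RE.findall(desc))
        if not cves:
            continue  # nothing to correlate; report such items separately
        m = RATING_RE.search(desc)
        sev = m.group(1).lower() if m else "unknown"
        out.append((item.findtext("title", ""), item.findtext("link", ""), sev, cves))
    return out


def fixlet_query_url(base_url, site_name):
    """REST /api/query URL listing (id, name, cve id list) of one site's Fixlets."""
    rel = ('(id of it, name of it, cve id list of it) of fixlets of bes sites '
           'whose (name of it = "%s")' % site_name.replace('"', "%22"))
    return base_url.rstrip("/") + "/api/query?relevance=" + urllib.parse.quote(rel)


def select_fixlets(advisories, fixlets, min_severity="high"):
    """(site, id) of Fixlets whose CVE list intersects an advisory at or above min_severity."""
    floor = SEVERITY[min_severity]
    wanted = set()
    for _title, _link, sev, cves in advisories:
        if SEVERITY.get(sev, 0) >= floor:  # unknown ratings never qualify automatically
            wanted |= cves
    return sorted({(f["site"], f["id"]) for f in fixlets if f["cves"] & wanted})


def action_xml(site, fixlet_id, target_relevance):
    """SourcedFixletAction body for POST /api/actions, targeted by client relevance."""
    return ('<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
            'xsi:noNamespaceSchemaLocation="BES.xsd"><SourcedFixletAction><SourceFixlet>'
            "<Sitename>%s</Sitename><FixletID>%d</FixletID><Action>Action1</Action>"
            "</SourceFixlet><Target><CustomRelevance>%s</CustomRelevance></Target>"
            "</SourcedFixletAction></BES>"
            % (escape(site), fixlet_id, escape(target_relevance)))


if __name__ == "__main__":
    advisories = parse_feed(SAMPLE_RSS)
    print(fixlet_query_url("https://bes.example.invalid:52311", "Patches for RHEL 8"))
    for site, fid in select_fixlets(advisories, SAMPLE_FIXLETS):
        # Narrow the target instead of hitting all computers; placeholder relevance.
        print(action_xml(site, fid, 'name of operating system starts with "Linux"'))
```

Run it as-is and it prints the query URL plus one action body per selected Fixlet. In a real deployment, the `SAMPLE_FIXLETS` list is replaced by the parsed `/api/query` response, and the action bodies are POSTed to `/api/actions` with an operator account scoped to the intended computer group; the severity floor and target relevance are exactly the customer-specific knobs the post above mentions.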

This use case aligns quite well with BigFix CyberFOCUS!

A couple of follow-up questions please:

  • Are the security reports public? And if so, can you share a link and/or more details? (we will do our own research here as well, but any details you can share would help)

  • Would you be interested in a follow-up conversation with Product Management to help us better understand the need here, and potentially collaborate on approaches/solutions?

(CC: @HCLJordan)

@JasonWalker about “For WebUI integration, we did very recently publish a WebUI SDK that could help with writing a custom WebUI application to do the same.” I remember that it was released internally and not for the public. Could you please provide information about it?

Oops sorry, I thought we had made that public since I glossed over the release announcement at BigFix WebUI new release available! (December 2022)

(Not sure why we’d announce it that way, but yeah I think it’s still internal. Sorry for the confusion)
