Purpose

The following is a sample integration script for the Ivanti Patch for Windows Servers API integration with the BeyondTrust vulnerability scanner.

If you use a vulnerability scanner to identify weaknesses in your network, the scanner may detect hundreds or even thousands of issues on your machines. At first this might seem a bit overwhelming, but what’s likely happening is that the vulnerability scanner is simply producing a lot of noise. The scanner is assessing for CVEs (Common Vulnerabilities and Exposures) explicitly.  In reality a software update will often include many CVEs.  A patch can also be superseded or replaced by a newer update.  What this tends to cause is the Vulnerability Assessment reflecting hundreds of vulnerabilities that can be resolved by updating just a few software titles on a system. 

To address this, you can use the API to:

• Make calls to the vulnerability scanner
• Extract the vulnerability list (consisting of CVEs)
• Import those CVEs into a Ivanti Patch for Windows Servers patch group via the Patch Group API
• Perform patch scans and deployments using that patch group
• The patch engine will take into account any superseded patches and will identify the handful of patches that are required to bring the target system into compliance. If you rerun the vulnerability scanner after deploying the patches, the vulnerability count should be greatly reduced.

Overview

Please note:

• The scripts can be downloaded from here: BeyondInsightToPatch_API.zip (attached to this document)
  • We included 2 scripts, one that will verify the BeyondTrust certificate and another where it will not.
• The PS script needs run from the Patch for Windows Servers console server.

Environment confirmation steps:

1. Ensure the BeyondInsight console is set up correctly

    a. Go to the Configure tab

    b. Go to the API Registration tab

    c. Make sure the current IPv4 address/range is in the Source Addresses list.

    d. Click Update

2. Edit the $Authorization variable at the top of the BeyondInsightToPatch.ps1 file to include your BeyondInsight authorization connection string as specified in the BeyondInsight API documentation.

    a. http://<yourBIhost>/eEye.RetinaCS.Server/Flex/Help/BeyondInsightAndPasswordSafeAPIUserGuide.pdf

    b. Use the example style text from the Authorization Header section of the API guide. Only include the text to the right of "Authorization="

        Example: PS-Auth key=XXXXXXXX...XXXX; runas=demo;

How to invoke the script - BeyondInsightToPatch.ps1

1. Open PowerShell

2. Run BeyondInsightToPatch.ps1 or invoke it with the following mandatory parameters:

3. BeyondInsightToPatch -BtHostOrIpAddress '127.0.0.1' -SmartRuleId 10001 -ScanTemplate 'Demo' -DeployTemplate 'Agent Standard' -PatchGroupName 'Demo' -MachineGroupName 'Demo' -ScanName 'BT-Ivanti demo' -DeployMissingPatches $False

    a. BtHostOrIpAddress should be the current IPv4 address of the console VM. I've configured BI to allow 127.0.0.1

    b. SmartRuleId should be the smart asset group defined by BeyondInsight.

         I. 1 is the system group of All Assets

        II. 2 is the system group of All Workstations.

    c. DeployMissingPatches set to $True will actually download and deploy the patches to the machines in $MachineGroupName

4. If/when you see yellow warning messages like "WARNING: Cve item was not found: CVE-YYYY-NNNN", don't worry.

    a. It means we don't have that CVE in our (Ivanti Patch for Windows Servers content)

    b. The patch for the vulnerability may be in our content, but under a different CVE. We add all CVEs for all vulnerabilities to the Patch Group.

5. Open Patch for Windows Servers and view the full results of the patch scan/deployment. You'll see the scan result by $ScanName, date, and source of API in the left navigator.