Ivanti Patch for Windows Servers API integration with the Qualys vulnerability scanner

Version 5

    Purpose

     

    The following is a sample integration script for the Ivanti Patch for Windows Servers API integration with the Qualys vulnerability scanner.

     

    If you use a vulnerability scanner to identify weaknesses in your network, the scanner may detect hundreds or even thousands of issues on your machines. At first this might seem overwhelming, but what's likely happening is that the vulnerability scanner is simply producing a lot of noise. The scanner assesses each CVE (Common Vulnerabilities and Exposures) explicitly. In reality, a single software update will often address many CVEs, and a patch can also be superseded or replaced by a newer update. As a result, the vulnerability assessment tends to show hundreds of vulnerabilities that can be resolved by updating just a few software titles on a system.

     

    To address this, you can use the API to:

     

    • Make calls to the vulnerability scanner
    • Extract the vulnerability list (consisting of CVEs)
    • Import those CVEs into an Ivanti Patch for Windows Servers patch group via the Patch Group API
    • Perform patch scans and deployments using that patch group

    The patch engine will take into account any superseded patches and will identify the handful of patches that are required to bring the target system into compliance. If you rerun the vulnerability scanner after deploying the patches, the vulnerability count should be greatly reduced.
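
    As an added illustration of the CVE-extraction step (not part of the downloadable script or Ivanti's own code), the following PowerShell joins host detections to knowledge-base entries and reduces them to a distinct CVE list. The XML element names, the function name Get-DetectedCve and all sample values are assumptions constructed for this example; the page does not show the contents of hosts.xml or qualyskb.xml.

```powershell
# Constructed sample data. Element names are an assumption modelled on Qualys
# API XML output; the CVE ids, QIDs and IPs are placeholders.
[xml]$hosts = @'
<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE><HOST_LIST>
  <HOST><IP>192.0.2.10</IP><DETECTION_LIST>
    <DETECTION><QID>100001</QID></DETECTION>
    <DETECTION><QID>100002</QID></DETECTION>
    <DETECTION><QID>100003</QID></DETECTION>
  </DETECTION_LIST></HOST>
  <HOST><IP>192.0.2.11</IP><DETECTION_LIST>
    <DETECTION><QID>100002</QID></DETECTION>
  </DETECTION_LIST></HOST>
</HOST_LIST></RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>
'@
[xml]$kb = @'
<KNOWLEDGE_BASE_VULN_LIST_OUTPUT><RESPONSE><VULN_LIST>
  <VULN><QID>100001</QID><CVE_LIST>
    <CVE><ID>CVE-2099-0001</ID></CVE><CVE><ID>CVE-2099-0002</ID></CVE>
  </CVE_LIST></VULN>
  <VULN><QID>100002</QID><CVE_LIST><CVE><ID>CVE-2099-0002</ID></CVE></CVE_LIST></VULN>
  <VULN><QID>100003</QID></VULN>
</VULN_LIST></RESPONSE></KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
'@

# Hypothetical helper: returns the distinct CVE ids behind all host detections.
function Get-DetectedCve {
    param([xml]$HostsXml, [xml]$KbXml)
    # Index the knowledge base: QID -> CVE ids (a QID may carry no CVE at all).
    $cveByQid = @{}
    foreach ($vuln in $KbXml.SelectNodes('//VULN')) {
        $qidNode = $vuln.SelectSingleNode('QID')
        if (-not $qidNode) { continue }
        $cveByQid[$qidNode.InnerText] =
            @($vuln.SelectNodes('CVE_LIST/CVE/ID') | ForEach-Object { $_.InnerText })
    }
    # Resolve every detection on every host to its CVE ids.
    $cves = foreach ($d in $HostsXml.SelectNodes('//HOST/DETECTION_LIST/DETECTION')) {
        $qidNode = $d.SelectSingleNode('QID')
        if ($qidNode -and $cveByQid.ContainsKey($qidNode.InnerText)) { $cveByQid[$qidNode.InnerText] }
    }
    # Keep only well-formed ids and collapse duplicates across hosts and QIDs.
    $cves | Where-Object { $_ -match '^CVE-\d{4}-\d{4,}$' } | Sort-Object -Unique
}

$detections = $hosts.SelectNodes('//DETECTION').Count
$cveList = @(Get-DetectedCve -HostsXml $hosts -KbXml $kb)
'{0} detections map to {1} distinct CVE(s): {2}' -f $detections, $cveList.Count, ($cveList -join ', ')
```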

     

    Overview

    The API feature is meant for advanced users who have a working knowledge of PowerShell and who want to perform tasks beyond those available through the Ivanti Patch for Windows Servers user interface. The PowerShell script needs to be run from the Patch for Windows Servers console server.

     

    • The script and supporting files can be downloaded from here: QualysToPatch_API.zip (attached to this document)
      • Extract the contents to their own folder on C:\. For example: C:\QualysToPatch_API
    • The curl command-line tool is required for this to work. You can download this tool from here: curl 7.56.1
      • Extract the contents of the CAB files to their own folder on C:\. For example: C:\curl

     

    1. Edit the variables in UpdateLocalQualysFiles.bat. This batch file is used to download data files directly from the Qualys content servers.

    a. SET CURLPATH=C:\curl\curl.exe - Set the location of your curl.exe.

    b. SET LOCALDATA="C:\QualysToPatch_API\Qualys" - Set the location of your Qualys scripts.

    c. SET PLATFORM=qualysapi.qg3.apps.qualys.com - Specify the host you were assigned when you set up your Qualys account.

    d. SET USER="user:pass" - Set the username and password for your Qualys account. The value is stored in plain text in the batch file, so restrict who can read the file.

     

    2. Run UpdateLocalQualysFiles.bat to get the latest data from Qualys.  This will download the data files directly from the Qualys content servers and place them in the location specified in the batch file.

     

    3. Run the script (scan):

        > . .\QualysToIvanti.ps1

        > QualysToIvanti -machinesXmlFile C:\QualysToPatch_API\hosts.xml -qualysKbXmlFile C:\QualysToPatch_API\qualyskb.xml -ScanTemplate 'Demo' -DeployTemplate 'Agent Standard' -PatchGroupName 'Demo' -MachineGroupName 'Demo' -ScanName 'Qualys-Ivanti demo' -DeployMissingPatches $False

     

    4. Alternatively, you can skip the scan and only update a patch group in Patch for Windows Servers:

        > . .\QualysToIvantiPatchGroup.ps1

        > QualysToIvantiPatchGroup -machinesXmlFile "C:\QualysToPatch_API\hosts.xml" -qualysKbXmlFile "C:\QualysToPatch_API\qualyskb.xml" -PatchGroupName 'Demo'