Security Controls

Use Examples

There are many possible uses of the API feature. Here are two examples that many Security Controls customers are likely to find useful.

Integrate Security Controls with a Vulnerability Scanner

If you use a vulnerability scanner to identify weaknesses in your network, the scanner may detect hundreds or even thousands of issues on your machines. At first this might seem a bit overwhelming, but what’s likely happening is that the vulnerability scanner is simply producing a lot of noise. The scanner will often report every single missing patch as a vulnerability, when in reality the machines are probably only missing a few key patches that supersede a large number of older patches. It often takes very few patches to resolve many so-called vulnerabilities.

To address this, you can use the API to:

Make calls to the vulnerability scanner

Extract the vulnerability list (consisting of CVEs)

Import those CVEs into a Security Controls patch group

Perform patch scans and deployments using that patch group

The patch engine will eliminate all of the superseded patches and will identify the handful of patches that are actually missing. If you rerun the vulnerability scanner after deploying the patches, most of the vulnerabilities will likely go away.

Use a PowerShell Script to Patch a Clustered SQL Server

This example shows how to use a PowerShell script to control the patch scanning and patch deployment processes on machines in an SQL cluster. The goal in this example is to coordinate events and provide zero downtime while patching.

Import-Module STProtect –PassThru

Import-Module ServerManager

Add-WindowsFeature RSAT-Clustering

Import-Module FailoverClusters

 

Write-Host “Scanning SampleSQL1”

$scan = Start-PatchScan –EndpointName “SampleSQL1”

–CredentialFriendlyName “Sample Domain Cred” –TemplateName “Security Patch Scan”

 

$scan | Watch-PatchScan

Write-Host “Scanning SampleSQL1 Complete”

 

$scanDetail = $scan | Get-PatchScan

Write-Host “SampleSQL1 Final Details”

$scanDetail | Format-PatchScanTable

 

#Identify if there are missing patches on the target node. If yes, stop the node in the cluster and patch the system.

If ($scanDetail.MachineStates[0].MissingPatches –ne 0)

{

$totalMissingPatches = scanDetail.MachineStates[0].MissingPatches

 

Write-Host “$totalMissingPatches total missing patches will be deployed. Starting deploy . . .”

Write-Host “Stopping cluster node on SampleSQL1”

Suspend-ClusterNode –Name SampleSQL1 –Cluster SampleSQLCluster –Drain

 

$deploy = $scan | Start-PatchDeploy –TemplateName “Standard”

$deploy | Watch-PatchDeploy | Format-Table

 

Write-Host “Starting cluster node on SampleSQL1”

Resume-ClusterNode –Name SampleSQL1 –Cluster SampleSQLCluster –Failback NoFailback

}

In particular, this example script will:

1.Import the required modules.

2.Scan a single node in a SQL cluster.

3.Watch the patch scan, blocking further action until it completes.

4.Get the results of the scan.

The output will include details such as information about the targeted machine, the number of missing and installed patches, a message indicating that the scanning process is complete, etc.

5.If there are missing patches, suspend the node in the SQL cluster and prepare to patch the system.

Do this by suspending the node in the cluster and draining all current sessions from this node to another node.

6.Start the patch deployment using the Standard template.

7.Watch the progress of the patch deployment, blocking other actions until it completes.

This will display the current status of the deployment including scheduled, complete and reboot, pending rescan, and finished.

8.Add the node back to the SQL cluster and resume operation.

Repeat the process as needed for additional SQL Server instances or nodes in the cluster.


Was this article useful?