Patch Management
Nessus Manager can leverage credentials for the Red Hat Network Satellite, IBM BigFix, Dell KACE 1000, WSUS, and SCCM patch management systems to perform patch auditing on systems for which credentials may not be available to the Nessus scanner.
Options for these patch management systems can be found under Credentials in their respective drop-down boxes: Symantec Altiris, IBM BigFix, Red Hat Satellite Server, Microsoft SCCM, Dell KACE K1000, and Microsoft WSUS.
IT administrators are expected to manage the patch monitoring software and install any agents required by the patch management system on their systems.
Scanning with Multiple Patch Managers
If you provide multiple sets of credentials to Nessus for patch management tools, Nessus uses all of them. Available credentials are:
- Credentials supplied to directly authenticate to the target
- Dell KACE 1000
- IBM BigFix
- Microsoft System Center Configuration Manager (SCCM)
- Microsoft Windows Server Update Services (WSUS)
- Red Hat Network Satellite Server
- Symantec Altiris
If you provide credentials for a host, as well as for one or more patch management systems, Nessus compares the findings between all methods and either reports on conflicts or provides a satisfied finding. Use the Patch Management Windows Auditing Conflicts plugins to highlight patch data differences between the host and a patch management system.

KACE K1000 is available from Dell to manage the distribution of updates and hotfixes for Linux, Windows, and Mac OS X systems. Nessus and Tenable.sc have the ability to query KACE K1000 to verify whether or not patches are installed on systems managed by KACE K1000 and display the patch information through the Nessus or Tenable.sc user interface.
- If the credential check sees a system but it is unable to authenticate against the system, it uses the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it performs checks on that system and ignores KACE K1000 output.
- The data returned to Nessus by KACE K1000 is only as current as the most recent data that the KACE K1000 has obtained from its managed hosts.
KACE K1000 scanning uses four Nessus plugins.
- kace_k1000_get_computer_info.nbin (Plugin ID 76867)
- kace_k1000_get_missing_updates.nbin (Plugin ID 76868)
- kace_k1000_init_info.nbin (Plugin ID 76866)
- kace_k1000_report.nbin (Plugin ID 76869)
You must provide credentials for the Dell KACE K1000 system for K1000 scanning to work properly. Under the Credentials tab, select Patch Management, then select Dell KACE K1000.
Option | Default | Description |
---|---|---|
Server | none | KACE K1000 IP address or system name. This is a required field. |
Database Port | 3306 | Port the K1000 database is running on (typically TCP 3306). |
Organization Database Name | ORG1 | The name of the organization component for the KACE K1000 database. This component will begin with the letters ORG and end with a number that corresponds with the K1000 database username. |
Database Username | none | Username required to log into the K1000 database. R1 is the default if no user is defined. The username will begin with the letter R. This username will end in the same number that represents the number of the organization to scan. This is a required field. |
K1000 Database Password | none | Password required to authenticate the K1000 Database Username. This is a required field. |

IBM BigFix is available from IBM to manage the distribution of updates and hotfixes for desktop systems. Nessus and Tenable.sc have the ability to query IBM BigFix to verify whether or not patches are installed on systems managed by IBM BigFix and display the patch information.
- If the credential check sees a system but it is unable to authenticate against the system, it will use the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it will perform checks on that system and ignore IBM BigFix output.
- The data returned to Nessus by TEM is only as current as the most recent data that the IBM BigFix server has obtained from its managed hosts.
IBM BigFix scanning uses five Nessus plugins:
- Patch Management: Tivoli Endpoint Manager Compute Info Initialization (Plugin ID 62559)
- Patch Management: Missing updates from Tivoli Endpoint Manager (Plugin ID 62560)
- Patch Management: IBM Tivoli Endpoint Manager Server Settings (Plugin ID 62558)
- Patch Management: Tivoli Endpoint Manager Report (Plugin ID 62561)
- Patch Management: Tivoli Endpoint Manager Get Installed Packages (Plugin ID 65703)
Credentials for the IBM BigFix server must be provided for IBM BigFix scanning to work properly.
Option | Default | Description |
---|---|---|
Web Reports Server | none | Name of IBM BigFix Web Reports Server |
Web Reports Port | none | Port that the IBM BigFix Web Reports Server listens on |
Web Reports Username | none | Web Reports administrative username |
Web Reports Password | none | Web Reports administrative username’s password |
HTTPS | Enabled | If the Web Reports service is using SSL |
Verify SSL certificate | Enabled | Verify that the SSL certificate is valid |
Package reporting is supported by RPM-based and Debian-based distributions that IBM BigFix officially supports. This includes Red Hat derivatives such as RHEL, CentOS, Scientific Linux, and Oracle Linux, as well as Debian and Ubuntu. Other distributions may also work, but unless IBM BigFix officially supports them, there is no support available.
For local check plugins to trigger, only RHEL, CentOS, Scientific Linux, Oracle Linux, Debian, and Ubuntu are supported. The plugin Patch Management: Tivoli Endpoint Manager Get Installed Packages must be enabled.
In order to use these auditing features, you must make changes to the IBM BigFix server. You must import a custom analysis into IBM BigFix so that detailed package information is retrieved and made available to Nessus. Before beginning, save the following text to a file on the IBM BigFix system, and name it with a .bes extension.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
  <Analysis>
    <Title>Tenable</Title>
    <Description>This analysis provides Nessus with the data it needs for vulnerability reporting. </Description>
    <Relevance>true</Relevance>
    <Source>Internal</Source>
    <SourceReleaseDate>2013-01-31</SourceReleaseDate>
    <MIMEField>
      <Name>x-fixlet-modification-time</Name>
      <Value>Fri, 01 Feb 2013 15:54:09 +0000</Value>
    </MIMEField>
    <Domain>BESC</Domain>
    <Property Name="Packages - With Versions (Tenable)" ID="1"><![CDATA[if (exists true whose (if true then (exists debianpackage) else false)) then unique values of (name of it & "|" & version of it as string & "|" & "deb" & "|" & architecture of it & "|" & architecture of operating system) of packages whose (exists version of it) of debianpackages else if (exists true whose (if true then (exists rpm) else false)) then unique values of (name of it & "|" & version of it as string & "|" & "rpm" & "|" & architecture of it & "|" & architecture of operating system) of packages of rpm else "<unsupported>" ]]></Property>
  </Analysis>
</BES>
```
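The property in this analysis emits one pipe-delimited string per package (name, version, `deb` or `rpm`, package architecture, operating system architecture), or the literal `<unsupported>`. The following is an added example, not Tenable or IBM code, showing how a consumer of that property can parse the values and set aside malformed ones; the function name, the `Package` type, and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

UNSUPPORTED = "<unsupported>"   # literal the relevance returns on other platforms
PKG_TYPES = {"deb", "rpm"}      # the only two type literals the property emits


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    pkg_type: str
    pkg_arch: str
    os_arch: str


def parse_property_values(values):
    """Parse one endpoint's 'Packages - With Versions (Tenable)' values.

    Returns (packages, rejected, supported). Endpoint-reported strings are
    untrusted input: anything that is not exactly five non-empty fields
    with a known package type is set aside rather than guessed at.
    """
    packages, rejected = set(), []
    for raw in values:
        value = raw.strip()
        if value == UNSUPPORTED:
            # Neither the debianpackage nor the rpm branch matched.
            return [], [], False
        fields = value.split("|")
        if len(fields) != 5 or not all(fields) or fields[2] not in PKG_TYPES:
            rejected.append(raw)
            continue
        packages.add(Package(*fields))   # set: drops repeated values
    ordered = sorted(packages, key=lambda p: (p.name, p.version, p.pkg_arch))
    return ordered, rejected, True


# Constructed sample values, not real BigFix output.
SAMPLE = [
    "openssl|1.0.2k-19.el7|rpm|x86_64|x86_64",
    "bash|4.2.46-34.el7|rpm|x86_64|x86_64",
    "bash|4.2.46-34.el7|rpm|x86_64|x86_64",   # duplicate
    "glibc|2.17-307.el7.1|rpm|i686|x86_64",   # 32-bit package, 64-bit OS
    "broken|1.0|rpm",                          # too few fields
    "weird|1.0|tgz|x86_64|x86_64",             # unknown package type
]

if __name__ == "__main__":
    pkgs, bad, ok = parse_property_values(SAMPLE)
    for p in pkgs:
        print(f"{p.name:8} {p.version:18} {p.pkg_type} {p.pkg_arch} (os {p.os_arch})")
    print("rejected:", bad, "supported:", ok)
```
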

Microsoft System Center Configuration Manager (SCCM) is available to manage large groups of Windows-based systems. Nessus has the ability to query the SCCM service to verify whether or not patches are installed on systems managed by SCCM and display the patch information through the Nessus or Tenable.sc web interface.
- If the credentialed check sees a system but it is unable to authenticate against the system, it will use the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it will perform checks on that system and ignore SCCM output.
- The data returned by SCCM is only as current as the most recent data that the SCCM server has obtained from its managed hosts.
- Nessus connects to the server that is running the SCCM site (e.g., credentials must be valid for the SCCM service, meaning an admin account in SCCM with the privileges to query all the data in the SCCM MMC). This server may also run the SQL database, or the database and the SCCM repository can be on separate servers. When leveraging this audit, Nessus must connect to the SCCM site server, not to the SQL database or SCCM repository server if they are on a separate box.
Nessus SCCM patch management plugins support SCCM 2007, SCCM 2012, SCCM 2016, and SCCM 2019.
SCCM scanning is performed using four Nessus plugins.
- Patch Management: SCCM Server Settings (Plugin ID 57029)
- Patch Management: Missing updates from SCCM (Plugin ID 57030)
- Patch Management: SCCM Computer Info Initialization (Plugin ID 73636)
- Patch Management: SCCM Report (Plugin ID 58186)
Credentials for the SCCM system must be provided for SCCM scanning to work properly. Under the Credentials tab, select Patch Management and then Microsoft SCCM.
Credential | Description |
---|---|
Server | SCCM IP address or system name |
Domain | The domain the SCCM server is a part of |
Username | SCCM admin username |
Password | SCCM admin password |

Windows Server Update Services (WSUS) is available from Microsoft to manage the distribution of updates and hotfixes for Microsoft products. Nessus and Tenable.sc have the ability to query WSUS to verify whether or not patches are installed on systems managed by WSUS and display the patch information through the Nessus or Tenable.sc web interface.
- If the credential check sees a system but it is unable to authenticate against the system, it will use the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it will perform checks on that system and ignore WSUS output.
- The data returned to Nessus by WSUS is only as current as the most recent data that the WSUS server has obtained from its managed hosts.
WSUS scanning is performed using three Nessus plugins.
- Patch Management: WSUS Server Settings (Plugin ID 57031)
- Patch Management: Missing updates from WSUS (Plugin ID 57032)
- Patch Management: WSUS Report (Plugin ID 58133)
Credentials for the WSUS system must be provided for WSUS scanning to work properly. Under the Credentials tab, select Patch Management and then Microsoft WSUS.
Credential | Default | Description |
---|---|---|
Server | none | WSUS IP address or system name |
Port | 8530 | Port WSUS is running on |
Username | none | WSUS admin username |
Password | none | WSUS admin password |
HTTPS | Enabled | If the WSUS service is using SSL |
Verify SSL certificate | Enabled | Verify that the SSL certificate is valid |

Red Hat Satellite is a systems management platform for Linux-based systems. Nessus has the ability to query Satellite to verify whether or not patches are installed on systems managed by Satellite and display the patch information.
Although not supported by Tenable, Inc., the RHN Satellite plugin will also work with Spacewalk Server, the Open Source Upstream Version of Red Hat Satellite. Spacewalk has the capability of managing distributions based on Red Hat (RHEL, CentOS, Fedora) and SUSE. Tenable supports the Satellite server for Red Hat Enterprise Linux.
- If the credential check sees a system, but it is unable to authenticate against the system, it will use the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it will perform checks on that system and ignore RHN Satellite output.
- The data returned to Nessus by RHN Satellite is only as current as the most recent data that the Satellite server has obtained from its managed hosts.
Satellite scanning is performed using five Nessus plugins:
- Patch Management: Patch Schedule From Red Hat Satellite Server (Plugin ID 84236)
- Patch Management: Red Hat Satellite Server Get Installed Packages (Plugin ID 84235)
- Patch Management: Red Hat Satellite Server Get Managed Servers (Plugin ID 84234)
- Patch Management: Red Hat Satellite Server Get System Information (Plugin ID 84237)
- Patch Management: Red Hat Satellite Server Settings (Plugin ID 84238)
If the RHN Satellite server is version 6, three additional Nessus plugins are used:
- Patch Management: Red Hat Satellite Server Get Installed Packages (Plugin ID 84231)
- Patch Management: Red Hat Satellite 6 Settings (Plugin ID 84232)
- Patch Management: Red Hat Satellite 6 Report (Plugin ID 84233)

Credential | Default | Description |
---|---|---|
Satellite server | none | RHN Satellite IP address or system name |
Port | 443 | Port Satellite is running on (typically TCP 80 or 443) |
Username | none | Red Hat Satellite username |
Password | none | Red Hat Satellite password |
HTTPS | Enabled | If the Red Hat Satellite service is using SSL |
Verify SSL Certificate | Enabled | Verify that the SSL certificate is valid |

Altiris is available from Symantec to manage the distribution of updates and hotfixes for Linux, Windows, and Mac OS X systems. Nessus and Tenable.sc have the ability to use the Altiris API to verify whether or not patches are installed on systems managed by Altiris and display the patch information through the Nessus or Tenable.sc web interface.
- If the credential check sees a system but it is unable to authenticate against the system, it will use the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it will perform checks on that system and ignore Altiris output.
- The data returned to Nessus by Altiris is only as current as the most recent data that Altiris has obtained from its managed hosts.
- Nessus connects to the Microsoft SQL server that is running on the Altiris host (e.g., credentials must be valid for the MSSQL database, meaning a database account with the privileges to query all the data in the Altiris MSSQL database). The database server may be run on a separate host from the Altiris deployment. When leveraging this audit, Nessus must connect to the MSSQL database, not the Altiris server if they are on a separate box.
Altiris scanning is performed using four Nessus plugins.
- symantec_altiris_get_computer_info.nbin (Plugin ID 78013)
- symantec_altiris_get_missing_updates.nbin (Plugin ID 78012)
- symantec_altiris_init_info.nbin (Plugin ID 78011)
- symantec_altiris_report.nbin (Plugin ID 78014)
Credentials for the Altiris Microsoft SQL (MSSQL) database must be provided for Altiris scanning to work properly. Under the Credentials tab, select Patch Management and then Symantec Altiris.
Credential | Default | Description |
---|---|---|
Server | none | Altiris IP address or system name. This is a required field. |
Database Port | 5690 | Port the Altiris database is running on (typically TCP 5690). |
Database Name | Symantec_CMDB | The name of the MSSQL database that manages Altiris patch information. |
Database Username | none | Username required to log into the Altiris MSSQL database. This is a required field. |
Database Password | none | Password required to authenticate the Altiris MSSQL database. This is a required field. |
Use Windows Authentication | Disabled | Denotes whether or not to use NTLMSSP for compatibility with older Windows Servers; otherwise, it will use Kerberos. |
To ensure Nessus can properly utilize Altiris to pull patch management information, it must be configured to do so.