Patch Management

KACE K1000 is available from Dell to manage the distribution of updates and hotfixes for Linux, Windows, and Mac OS X systems. Nessus and Tenable.sc have the ability to query KACE K1000 to verify whether or not patches are installed on systems managed by KACE K1000 and display the patch information through the Nessus or Tenable.sc user interface.

• If the credential check sees a system but it is unable to authenticate against the system, it uses the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it performs checks on that system and ignores KACE K1000 output.
• The data returned to Nessus by KACE K1000 is only as current as the most recent data that the KACE K1000 has obtained from its managed hosts.

KACE K1000 scanning uses four Nessus plugins.

• kace_k1000_get_computer_info.nbin (Plugin ID 76867)
• kace_k1000_get_missing_updates.nbin (Plugin ID 76868)
• kace_k1000_init_info.nbin (Plugin ID 76866)
• kace_k1000_report.nbin (Plugin ID 76869)

You must provide credentials for the Dell KACE K1000 system for K1000 scanning to work properly. Under the Credentials tab, select Patch Management, then select Dell KACE K1000.

IBM BigFix is available to manage the distribution of updates and hotfixes for desktop systems. Nessus can query IBM BigFix to verify whether or not patches are installed on systems managed by IBM BigFix and display the patch information.

Tenable supports IBM BigFix 9.5 and later and 10.x or later.

• If the credential check sees a system but it is unable to authenticate against the system, it uses the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it performs checks on that system and ignores IBM BigFix output.
• The data returned to Nessus by IBM BigFix is only as current as the most recent data that the IBM BigFix server has obtained from its managed hosts.

IBM BigFix scanning uses five Tenable plugins:

• Plugin 62558
• Plugin 62559
• Plugin 62561
• Plugin 62560
• Plugin 65703

You must provide credentials for the IBM BigFix server for IBM BigFix scanning to work properly.

Package reporting is supported by RPM-based and Debian-based distributions that IBM BigFix officially supports. This includes Red Hat derivatives such as RHEL, CentOS, Scientific Linux, and Oracle Linux, as well as Debian and Ubuntu. Other distributions may also work, but unless IBM BigFix officially supports them, there is no support available.

For local check plugins to trigger, only RHEL, CentOS, Scientific Linux, Oracle Linux, Debian, Ubuntu, and Solaris are supported. Plugin 65703 must be enabled.

In order to use these auditing features, you must make changes to the IBM BigFix server. You must import a custom analysis into IBM BigFix so that detailed package information is retrieved and made available to Nessus.

From the HCL BigFix Console application, import the following .bes files.

BES file:

<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
    <Analysis>
        <Title>Tenable</Title>
        <Description>This analysis provides SecurityCenter with the data it needs for vulnerability reporting. </Description>
        <Relevance>true</Relevance>
        <Source>Internal</Source>
        <SourceReleaseDate>2013-01-31</SourceReleaseDate>
        <MIMEField>
            <Name>x-fixlet-modification-time</Name>
            <Value>Thu, 13 May 2021 21:43:29 +0000</Value>
        </MIMEField>
        <Domain>BESC</Domain>
        <Property Name="Packages - With Versions (Tenable)" ID="74"><![CDATA[if (exists true whose (if true then (exists object repository) else false)) then unique values of (lpp_name of it & "|" & version of it as string & "|" & "fileset" & "|" & architecture of operating system) of filesets of products of object repository else if (exists true whose (if true then (exists debianpackage) else false)) then unique values of (name of it & "|" & version of it as string & "|" & "deb" & "|" & architecture of it & "|" & architecture of operating system) of packages whose (exists version of it) of debianpackages else if (exists true whose (if true then (exists rpm) else false)) then unique values of (name of it & "|" & version of it as string & "|" & "rpm" & "|" & architecture of it & "|" & architecture of operating system) of packages of rpm else if (exists true whose (if true then (exists ips image) else false)) then unique values of (full name of it & "|" & version of it as string & "|" & "pkg" & "|" & architecture of operating system) of latest installed packages of ips image else if (exists true whose (if true then (exists pkgdb) else false)) then unique values of(pkginst of it & "|" & version of it & "|" & "pkg10") of pkginfos of pkgdb else "<unsupported>"]]></Property>
        <Property Name="Tenable AIX Technology Level" ID="76">current technology level of operating system</Property>
        <Property Name="Tenable Solaris - Showrev -a" ID="77"><![CDATA[if ((operating system as string as lowercase contains "SunOS 5.10" as lowercase) AND (exists file "/var/opt/BESClient/showrev_patches.b64")) then lines of file "/var/opt/BESClient/showrev_patches.b64" else "<unsupported>"]]></Property>
    </Analysis>
</BES>

BES File:

<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
    <Task>
        <Title>Tenable - Solaris 5.10 - showrev -a Capture</Title>
        <Description><![CDATA[&lt;enter a description of the task here&gt; ]]></Description>
        <GroupRelevance JoinByIntersection="false">
            <SearchComponentPropertyReference PropertyName="OS" Comparison="Contains">
                <SearchText>SunOS 5.10</SearchText>
                <Relevance>exists (operating system) whose (it as string as lowercase contains "SunOS 5.10" as lowercase)</Relevance>
            </SearchComponentPropertyReference>
        </GroupRelevance>
        <Category></Category>
        <Source>Internal</Source>
        <SourceID></SourceID>
        <SourceReleaseDate>2021-05-12</SourceReleaseDate>
        <SourceSeverity></SourceSeverity>
        <CVENames></CVENames>
        <SANSID></SANSID>
        <MIMEField>
            <Name>x-fixlet-modification-time</Name>
            <Value>Thu, 13 May 2021 21:50:58 +0000</Value>
        </MIMEField>
        <Domain>BESC</Domain>
        <DefaultAction ID="Action1">
            <Description>
                <PreLink>Click </PreLink>
                <Link>here</Link>
                <PostLink> to deploy this action.</PostLink>
            </Description>
            <ActionScript MIMEType="application/x-sh"><![CDATA[#!/bin/sh
/usr/bin/showrev -a > /var/opt/BESClient/showrev_patches
/usr/sfw/bin/openssl base64 -in /var/opt/BESClient/showrev_patches -out /var/opt/BESClient/showrev_patches.b64

]]></ActionScript>
        </DefaultAction>
    </Task>
</BES>

Microsoft System Center Configuration Manager (SCCM) is available to manage large groups of Windows-based systems. Nessus has the ability to query the SCCM service to verify whether or not patches are installed on systems managed by SCCM and display the patch information through the scan results.

• If the credentialed check sees a system but it is unable to authenticate against the system, it uses the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it performs checks on that system and ignores SCCM output.
• The data returned by SCCM is only as current as the most recent data that the SCCM server has obtained from its managed hosts.

• Nessus connects to the server that is running the SCCM site (e.g., credentials must be valid for the SCCM service, so the selected user must have privileges to query all the data in the SCCM MMC). This server may also run the SQL database, or the database and the SCCM repository can be on separate servers. When leveraging this audit, Nessus must connect to the SCCM server via WMI and HTTPS.

SCCM scanning is performed using four Tenable plugins.

• Patch Management: SCCM Server Settings (Plugin ID 57029)
• Patch Management: Missing updates from SCCM (Plugin ID 57030)
• Patch Management: SCCM Computer Info Initialization (Plugin ID 73636)
• Patch Management: SCCM Report (Plugin ID 58186)

Note: SCCM patch management plugins support SCCM 2007, SCCM 2012, SCCM 2016, and SCCM 2019.

You must provide the following SCCM system credentials for SCCM scanning to work properly.

Windows Server Update Services (WSUS) is available from Microsoft to manage the distribution of updates and hotfixes for Microsoft products. Nessus and Tenable.sc have the ability to query WSUS to verify whether or not patches are installed on systems managed by WSUS and display the patch information through the Nessus or Tenable.sc web interface.

• If the credential check sees a system but it is unable to authenticate against the system, it will use the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it will perform checks on that system and ignore WSUS output.
• The data returned to Nessus by WSUS is only as current as the most recent data that the WSUS server has obtained from its managed hosts.

WSUS scanning is performed using three Nessus plugins.

• Patch Management: WSUS Server Settings (Plugin ID 57031)
• Patch Management: Missing updates from WSUS (Plugin ID 57032)
• Patch Management: WSUS Report (Plugin ID 58133)

Credentials for the WSUS system must be provided for WSUS scanning to work properly. Under the Credentials tab, select Patch Management and then Microsoft WSUS.

Red Hat Satellite is a systems management platform for Linux-based systems. Nessus has the ability to query Satellite to verify whether or not patches are installed on systems managed by Satellite and display the patch information.

Although not supported by Tenable, Inc., the RHN Satellite plugin will also work with Spacewalk Server, the Open Source Upstream Version of Red Hat Satellite. Spacewalk has the capability of managing distributions based on Red Hat (RHEL, CentOS, Fedora) and SUSE. Tenable supports the Satellite server for Red Hat Enterprise Linux.

• If the credential check sees a system, but it is unable to authenticate against the system, it will use the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it will perform checks on that system and ignore RHN Satellite output.
• The data returned to Nessus by RHN Satellite is only as current as the most recent data that the Satellite server has obtained from its managed hosts.

Satellite scanning is performed using five Nessus plugins:

• Patch Management: Patch Schedule From Red Hat Satellite Server (Plugin ID 84236)
• Patch Management: Red Hat Satellite Server Get Installed Packages (Plugin ID 84235)
• Patch Management: Red Hat Satellite Server Get Managed Servers (Plugin ID 84234)
• Patch Management: Red Hat Satellite Server Get System Information (Plugin ID 84237)
• Patch Management: Red Hat Satellite Server Settings (Plugin ID 84238)

If the RHN Satellite server is version 6, three additional Nessus plugins are used:

• Patch Management: Red Hat Satellite Server Get Installed Packages (Plugin ID 84231)
• Patch Management: Red Hat Satellite 6 Settings (Plugin ID 84232)
• Patch Management: Red Hat Satellite 6 Report (Plugin ID 84233)

Altiris is available from Symantec to manage the distribution of updates and hotfixes for Linux, Windows, and Mac OS X systems. Nessus and Tenable.sc have the ability to use the Altiris API to verify whether or not patches are installed on systems managed by Altiris and display the patch information through the Nessus or Tenable.sc web interface.

• If the credential check sees a system but it is unable to authenticate against the system, it will use the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it will perform checks on that system and ignore Altiris output.
• The data returned to Nessus by Altiris is only as current as the most recent data that the Altiris has obtained from its managed hosts.
• Nessus connects to the Microsoft SQL server that is running on the Altiris host (e.g., credentials must be valid for the MSSQL database, meaning a database account with the privileges to query all the data in the Altiris MSSQL database). The database server may be run on a separate host from the Altiris deployment. When leveraging this audit, Nessus must connect to the MSSQL database, not the Altiris server if they are on a separate box.

Altiris scanning is performed using four Nessus plugins.

• symantec_altiris_get_computer_info.nbin (Plugin ID 78013)
• symantec_altiris_get_missing_updates.nbin (Plugin ID 78012)
• symantec_altiris_init_info.nbin (Plugin ID 78011)
• symantec_altiris_report.nbin (Plugin ID 78014)

Credentials for the Altiris Microsoft SQL (MSSQL) database must be provided for Altiris scanning to work properly. Under the Credentials tab, select Patch Management and then Symantec Altiris.

To ensure Nessus can properly utilize Altiris to pull patch management information, it must be configured to do so.