Patch Management
Nessus can leverage credentials for patch management systems to perform patch auditing on systems for which credentials may not be available to the Nessus scanner. Nessus supports:
-
Dell KACE K1000
-
HCL BigFix
-
Microsoft System Center Configuration Manager (SCCM)
-
Microsoft Windows Server Update Services (WSUS)
-
Red Hat Satellite Server
-
Symantec Altiris
You can configure patch management options in the Credentials section while creating a scan, as described in Create a Scan.
IT administrators are expected to manage the patch monitoring software and install any agents required by the patch management system on their systems.
Note: If the credential check sees a system but it is unable to authenticate against the system, it uses the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it performs checks on that system and ignores the patch management system output.
Note: The data returned to Nessus by the patch management system is only as current as the most recent data that the patch management system has obtained from its managed hosts.
Scanning with Multiple Patch Managers
If you provide multiple sets of credentials to Nessus for patch management tools, Nessus uses all of them.
If you provide credentials for a host and for one or more patch management systems, Nessus compares the findings between all methods and report on conflicts or provide a satisfied finding. Use the Patch Management Windows Auditing Conflicts plugins to highlight patch data differences between the host and a patch management system.
Dell KACE K1000
KACE K1000 is available from Dell to manage the distribution of updates and hotfixes for Linux, Windows, and Mac OS X systems. Nessus can query KACE K1000 to verify whether or not patches are installed on systems managed by KACE K1000 and display the patch information through the Nessus user interface.
Nessus supports KACE K1000 versions 6.x and earlier.
KACE K1000 scanning uses the following Tenable plugins: 76867, 76868, 76866, and 76869.
| Option | Description | Default |
|---|---|---|
|
Server |
(Required) The KACE K1000 IP address or system name. |
- |
|
Database Port |
(Required) The TCP port that KACE K1000 listens on for communications from Nessus. |
3306 |
|
Organization Database Name |
(Required) The name of the organization component for the KACE K1000 database (e.g., ORG1). |
ORG1 |
|
Database Username |
(Required) The username for the KACE K1000 account that Nessus uses to perform checks on the target system. |
R1 |
|
K1000 Database Password |
(Required) The password for the KACE K1000 user. |
- |
IBM Tivoli Endpoint Manager (BigFix)
Package reporting is supported by RPM-based and Debian-based distributions that
For local check plugins to trigger, only RHEL, CentOS, Scientific Linux, Oracle Linux, Debian, Ubuntu, and Solaris are supported. Plugin 65703 must be enabled.
Nessus supports
| Option | Description | Default |
|---|---|---|
|
Web Reports Server |
(Required) The name of |
- |
|
Web Reports Port |
(Required) The TCP port that the |
- |
|
Web Reports Username |
(Required) The username for the |
- |
|
Web Reports Password |
(Required) The password for the |
- |
|
HTTPS |
When enabled, Nessus connects using secure communication (HTTPS). When disabled, Nessus connects using standard HTTP. |
Enabled |
|
Verify SSL certificate |
When enabled, Nessus verifies that the SSL certificate on the server is signed by a trusted CA. Tip: If you are using a self-signed certificate, disable this setting. |
Enabled |
In order to use these auditing features, you must make changes to the
From the HCL BigFix Console application, import the following .bes files.
BES file:
<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
<Analysis>
<Title>Tenable</Title>
<Description>This analysis provides SecurityCenter with the data it needs for vulnerability reporting. </Description>
<Relevance>true</Relevance>
<Source>Internal</Source>
<SourceReleaseDate>2013-01-31</SourceReleaseDate>
<MIMEField>
<Name>x-fixlet-modification-time</Name>
<Value>Thu, 13 May 2021 21:43:29 +0000</Value>
</MIMEField>
<Domain>BESC</Domain>
<Property Name="Packages - With Versions (Tenable)" ID="74"><![CDATA[if (exists true whose (if true then (exists object repository) else false)) then unique values of (lpp_name of it & "|" & version of it as string & "|" & "fileset" & "|" & architecture of operating system) of filesets of products of object repository else if (exists true whose (if true then (exists debianpackage) else false)) then unique values of (name of it & "|" & version of it as string & "|" & "deb" & "|" & architecture of it & "|" & architecture of operating system) of packages whose (exists version of it) of debianpackages else if (exists true whose (if true then (exists rpm) else false)) then unique values of (name of it & "|" & version of it as string & "|" & "rpm" & "|" & architecture of it & "|" & architecture of operating system) of packages of rpm else if (exists true whose (if true then (exists ips image) else false)) then unique values of (full name of it & "|" & version of it as string & "|" & "pkg" & "|" & architecture of operating system) of latest installed packages of ips image else if (exists true whose (if true then (exists pkgdb) else false)) then unique values of(pkginst of it & "|" & version of it & "|" & "pkg10") of pkginfos of pkgdb else "<unsupported>"]]></Property>
<Property Name="Tenable AIX Technology Level" ID="76">current technology level of operating system</Property>
<Property Name="Tenable Solaris - Showrev -a" ID="77"><![CDATA[if ((operating system as string as lowercase contains "SunOS 5.10" as lowercase) AND (exists file "/var/opt/BESClient/showrev_patches.b64")) then lines of file "/var/opt/BESClient/showrev_patches.b64" else "<unsupported>"]]></Property>
</Analysis>
</BES>
BES File:
<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
<Task>
<Title>Tenable - Solaris 5.10 - showrev -a Capture</Title>
<Description><![CDATA[<enter a description of the task here> ]]></Description>
<GroupRelevance JoinByIntersection="false">
<SearchComponentPropertyReference PropertyName="OS" Comparison="Contains">
<SearchText>SunOS 5.10</SearchText>
<Relevance>exists (operating system) whose (it as string as lowercase contains "SunOS 5.10" as lowercase)</Relevance>
</SearchComponentPropertyReference>
</GroupRelevance>
<Category></Category>
<Source>Internal</Source>
<SourceID></SourceID>
<SourceReleaseDate>2021-05-12</SourceReleaseDate>
<SourceSeverity></SourceSeverity>
<CVENames></CVENames>
<SANSID></SANSID>
<MIMEField>
<Name>x-fixlet-modification-time</Name>
<Value>Thu, 13 May 2021 21:50:58 +0000</Value>
</MIMEField>
<Domain>BESC</Domain>
<DefaultAction ID="Action1">
<Description>
<PreLink>Click </PreLink>
<Link>here</Link>
<PostLink> to deploy this action.</PostLink>
</Description>
<ActionScript MIMEType="application/x-sh"><![CDATA[#!/bin/sh
/usr/bin/showrev -a > /var/opt/BESClient/showrev_patches
/usr/sfw/bin/openssl base64 -in /var/opt/BESClient/showrev_patches -out /var/opt/BESClient/showrev_patches.b64
]]></ActionScript>
</DefaultAction>
</Task>
</BES>
Microsoft System Center Configuration Manager (SCCM) is available to manage large groups of Windows-based systems. Nessus can query the SCCM service to verify whether or not patches are installed on systems managed by SCCM and display the patch information through the scan results.
Nessus connects to the server that is running the SCCM site (e.g., credentials must be valid for the SCCM service, so the selected user must have privileges to query all the data in the SCCM MMC). This server may also run the SQL database, or the database and the SCCM repository can be on separate servers. When leveraging this audit, Nessus must connect to the SCCM server via WMI and HTTPS.
SCCM scanning uses the following Tenable plugins: 57029, 57030, 73636, and 58186.
Note: SCCM patch management plugins support SCCM 2007, SCCM 2012, SCCM 2016, and SCCM 2019.
| Credential | Description | Default |
|---|---|---|
|
Server |
(Required) The SCCM IP address or system name. |
- |
|
Domain |
(Required) The name of the SCCM server's domain. |
- |
|
Username |
(Required) The username for the SCCM user account that Nessus uses to perform checks on the target system. The user account must have privileges to query all data in the SCCM MMC. |
- |
|
Password |
(Required) The password for the SCCM user with privileges to query all data in the SCCM MMC. |
- |
Windows Server Update Services (WSUS)
Windows Server Update Services (WSUS) is available from Microsoft to manage the distribution of updates and hotfixes for Microsoft products. Nessus can query WSUS to verify whether or not patches are installed on systems managed by WSUS and display the patch information through the Nessus user interface.
WSUS scanning uses the following Tenable plugins: 57031, 57032, and 58133.
| Option | Description | Default |
|---|---|---|
|
Server |
(Required) The WSUS IP address or system name. |
- |
|
Port |
(Required) The TCP port that Microsoft WSUS listens on for communications from Nessus. |
8530 |
|
Username |
(Required) The username for the WSUS administrator account that Nessus uses to perform checks on the target system. |
- |
|
Password |
(Required) The password for the WSUS administrator user. |
- |
|
HTTPS |
When enabled, Nessus connects using secure communication (HTTPS). When disabled, Nessus connects using standard HTTP. |
Enabled |
| Verify SSL Certificate |
When enabled, Nessus verifies that the SSL certificate on the server is signed by a trusted CA. Tip: If you are using a self-signed certificate, disable this setting. |
Enabled |
Red Hat Satellite Server
Red Hat Satellite is a systems management platform for Linux-based systems. Nessus can query Satellite to verify whether or not patches are installed on systems managed by Satellite and display the patch information.
Although not supported by Tenable, the Red Hat Satellite plugin also works with Spacewalk Server, the Open Source Upstream Version of Red Hat Satellite. Spacewalk can manage distributions based on Red Hat (RHEL, CentOS, Fedora) and SUSE. Tenable supports the Satellite server for Red Hat Enterprise Linux.
Satellite scanning uses the following Tenable plugins: 84236, 84235, 84234, 84237, and 84238.
| Option | Description | Default |
|---|---|---|
|
Satellite server |
(Required) The Red Hat Satellite IP address or system name. |
- |
|
Port |
(Required) The TCP port that Red Hat Satellite listens on for communications from Nessus. |
443 |
|
Username |
(Required) The username for the Red Hat Satellite account that Nessus uses to perform checks on the target system. |
- |
|
Password |
(Required) The password for the Red Hat Satellite user. |
- |
|
Verify SSL Certificate |
When enabled, Nessus verifies that the SSL certificate on the server is signed by a trusted CA. Tip: If you are using a self-signed certificate, disable this setting. |
Enabled |
Red Hat Satellite 6 Server
Red Hat Satellite 6 is a systems management platform for Linux-based systems. Nessus can query Satellite to verify whether or not patches are installed on systems managed by Satellite and display the patch information.
Although not supported by Tenable, the Red Hat Satellite 6 plugin also works with Spacewalk Server, the Open Source Upstream Version of Red Hat Satellite. Spacewalk can manage distributions based on Red Hat (RHEL, CentOS, Fedora) and SUSE. Tenable supports the Satellite server for Red Hat Enterprise Linux.
Red Hat Satellite 6 scanning uses the following Tenable plugins: 84236, 84235, 84234, 84237, 84238, 84231, 84232, and 84233.
| Option | Description | Default |
|---|---|---|
|
Satellite server |
(Required) The Red Hat Satellite 6 IP address or system name. |
- |
|
Port |
(Required) The TCP port that Red Hat Satellite 6 listens on for communications from Nessus. |
443 |
|
Username |
(Required) The username for the Red Hat Satellite 6 account that Nessus uses to perform checks on the target system. |
- |
|
Password |
(Required) The password for the Red Hat Satellite 6 user. |
- |
| HTTPS |
When enabled, Nessus connects using secure communication (HTTPS). When disabled, Nessus connects using standard HTTP. |
Enabled |
|
Verify SSL Certificate |
When enabled, Nessus verifies that the SSL certificate on the server is signed by a trusted CA. Tip: If you are using a self-signed certificate, disable this setting. |
Enabled |
Symantec Altris
Altiris is available from Symantec to manage the distribution of updates and hotfixes for Linux, Windows, and Mac OS X systems. Nessus has the ability to use the Altiris API to verify whether or not patches are installed on systems managed by Altiris and display the patch information through the Nessus user interface.
Nessus connects to the Microsoft SQL server that is running on the Altiris host. When leveraging this audit, if the MSSQL database and Altiris server are on separate hosts, Nessus must connect to the MSSQL database, not the Altiris server.
Altiris scanning uses the following Tenable plugins: 78013, 78012, 78011, and 78014.
| Credential | Description | Default |
|---|---|---|
|
Server |
(Required) The Altiris IP address or system name. |
- |
|
Database Port |
(Required) The TCP port that Altiris listens on for communications from Nessus. |
5690 |
|
Database Name |
(Required) The name of the MSSQL database that manages Altiris patch information. |
Symantec_CMDB |
|
Database Username |
(Required) The username for the Altiris MSSQL database account that Nessus uses to perform checks on the target system. Credentials must be valid for a MSSQL databas account with the privileges to query all the data in the Altiris MSSQL database. |
- |
|
Database Password |
(Required) The password for the Altiris MSSQL database user. |
- |
|
Use Windows Authentication |
When enabled, use NTLMSSP for compatibility with older Windows Servers. When disabled, use Kerberos. |
Disabled |