You are here: Interface > Scans > Patch Management

TOC & Recently Viewed

Recently Viewed Topics

Patch Management

SecurityCenter can leverage credentials for the Red Hat Network Satellite, IBM TEM, Dell KACE 1000, WSUS, and SCCM patch management systems to perform patch auditing on systems for which credentials may not be available to the Nessus scanner.

Options for these patch management systems can be found under Scan Policy Definitions in their respective drop-down menus: Symantec Altiris, IBM Tivoli Endpoint Manager (BigFix), Red Hat Satellite Server, Microsoft SCCM, Dell KACE K1000, and Microsoft WSUS.

IT administrators are expected to manage the patch monitoring software and install any agents required by the patch management system on their systems.

Scanning With Multiple Patch Managers

If multiple sets of credentials are supplied to SecurityCenter for patch management tools, SecurityCenter uses all of them. Available credentials are:

  • Credentials supplied to directly authenticate to the target
  • Dell KACE 1000
  • IBM Tivoli Endpoint Manager
  • Microsoft System Center Configuration Manager (SCCM)
  • Microsoft Windows Server Update Services (WSUS)
  • Red Hat Network Satellite Server

  • Symantec Altiris

If credentials are provided for a host, as well as a patch management system, or multiple patch management systems, SecurityCenter compares the findings between all methods and report on conflicts or provide a satisfied finding. Use the Patch Management Windows Auditing Conflicts plugins to highlight patch data differences between the host and a patch management system.

ClosedDell KACE K1000

KACE K1000 is available from Dell to manage the distribution of updates and hotfixes for Linux, Windows, and Mac OS X systems. SecurityCenter has the ability to query KACE K1000 to verify whether or not patches are installed on systems managed by KACE K1000 and display the patch information through the SecurityCenter GUI.

  • If the credential check sees a system but it is unable to authenticate against the system, it uses the data obtained from the patch management system to perform the check. If SecurityCenter is able to connect to the target system, it performs checks on that system and ignore KACE K1000 output.
  • The data returned to SecurityCenter by KACE K1000 is only as current as the most recent data that the KACE K1000 has obtained from its managed hosts.

KACE K1000 scanning is performed using four SecurityCenter plugins.

  • kace_k1000_get_computer_info.nbin (Plugin ID 76867)
  • kace_k1000_get_missing_updates.nbin (Plugin ID 76868)
  • kace_k1000_init_info.nbin (Plugin ID 76866)
  • kace_k1000_report.nbin (Plugin ID 76869)

Credentials for the Dell KACE K1000 system must be provided for K1000 scanning to work properly. Under the Credentials tab, select Patch Management and then Dell KACE K1000.

Option Default Description

Server

none

The KACE K1000 IP address or system name. This is a required field.

Database Port

3306

The port the K1000 database is running on (typically TCP 3306).

Organization Database Name

ORG1

The name of the organization component for the KACE K1000 database. This component begins with the letters ORG and ends with a number that corresponds with the K1000 database username.

Database Username

none

The username required to log into the K1000 database. R1 is the default if no user is defined. The username begins with the letter R. This username ends in the same number that represents the number of the organization to scan. This is a required field.

K1000 Database Password

none

The password required to authenticate the K1000 Database Username. This is a required field.
ClosedIBM Tivoli Endpoint Manager (TEM)

Tivoli Endpoint Manager (TEM) is available from IBM to manage the distribution of updates and hotfixes for desktop systems. SecurityCenter has the ability to query TEM to verify whether or not patches are installed on systems managed by TEM and display the patch information.

  • If the credential check sees a system but it is unable to authenticate against the system, it will use the data obtained from the patch management system to perform the check. If SecurityCenter is able to connect to the target system, it will perform checks on that system and ignore TEM output.
  • The data returned to SecurityCenter by TEM is only as current as the most recent data that the TEM server has obtained from its managed hosts.

TEM scanning is performed using five SecurityCenter plugins

  • Patch Management: Tivoli Endpoint Manager Compute Info Initialization (Plugin ID 62559)
  • Patch Management: Missing updates from Tivoli Endpoint Manager (Plugin ID 62560)
  • Patch Management: IBM Tivoli Endpoint Manager Server Settings (Plugin ID 62558)
  • Patch Management: Tivoli Endpoint Manager Report (Plugin ID 62561)
  • Patch Management: Tivoli Endpoint Manager Get Installed Packages (Plugin ID 65703)

Credentials for the IBM Tivoli Endpoint Manager server must be provided for TEM scanning to work properly.

Option Default Description

Web Reports Server

None

The name of IBM TEM Web Reports Server.

Web Reports Port

none

The port that the IBM TEM Web Reports Server listens on.

Web Reports Username

none

The Web Reports administrative username.

Web Reports Password

none

The Web Reports administrative password.

HTTPS

Enabled

Shows if the Web Reports service is using SSL.

Verify SSL certificate

Enabled

Verify that the SSL certificate is valid.

Package reporting is supported by RPM-based and Debian-based distributions that IBM TEM officially supports. This includes Red Hat derivatives such as RHEL, CentOS, Scientific Linux, and Oracle Linux, as well as Debian and Ubuntu. Other distributions may also work, but unless officially supported by TEM, there is no support available.

For local check plugins to trigger, only RHEL, CentOS, Scientific Linux, Oracle Linux, Debian, and Ubuntu are supported. The plugin Patch Management: Tivoli Endpoint Manager Get Installed Packages must be enabled.

In order to use these auditing features, changes must be made to the IBM TEM server. A custom Analysis must be imported into TEM so that detailed package information is retrieved and made available to SecurityCenter. This process is outlined below. Before beginning, the following text must be saved to a file on the TEM system, and named with a .bes extension.

<?xml version="1.0" encoding="UTF-8"?>

<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">

<Analysis>

<Title>Tenable</Title>

<Description>This analysis provides SecurityCenter with the data it needs for vulnerability reporting. </Description>

<Relevance>true</Relevance>

<Source>Internal</Source>

<SourceReleaseDate>2013-01-31</SourceReleaseDate>

<MIMEField>

<Name>x-fixlet-modification-time</Name>

<Value>Fri, 01 Feb 2013 15:54:09 +0000</Value>

</MIMEField>

<Domain>BESC</Domain>

<Property Name="Packages - With Versions (Tenable)" ID="1"><![CDATA[if (exists true whose (if true then (exists debianpackage) else false)) then unique values of (name of it & "|" & version of it as string & "|" & "deb" & "|" & architecture of it & "|" & architecture of operating system) of packages whose (exists version of it) of debianpackages else if (exists true whose (if true then (exists rpm) else false)) then unique values of (name of it & "|" & version of it as string & "|" & "rpm" & "|" & architecture of it & "|" & architecture of operating system) of packages of rpm else "<unsupported>" ]]></Property>

</Analysis>

</BES>

ClosedMicrosoft System Center Configuration Manager (SCCM)

Microsoft System Center Configuration Manager (SCCM) is available to manage large groups of Windows-based systems. SecurityCenter has the ability to query the SCCM service to verify whether or not patches are installed on systems managed by SCCM and display the patch information through the SecurityCenter GUI.

  • If the credentialed check sees a system but it is unable to authenticate against the system, it uses the data obtained from the patch management system to perform the check. If SecurityCenter is able to connect to the target system, it performs checks on that system and ignores SCCM output.
  • The data returned by SCCM is only as current as the most recent data that the SCCM server has obtained from its managed hosts.
  • SecurityCenter connects to the server that is running the SCCM site (e.g., credentials must be valid for the SCCM service, meaning an admin account in SCCM with the privileges to query all the data in the SCCM MMC). This server may also run the SQL database, or the database as well as the SCCM repository can be on separate servers. When leveraging this audit, SecurityCenter must connect to the SCCM Server, not the SQL or SCCM server if they are on a separate box.

SecurityCenter SCCM patch management plugins support SCCM 2007 and SCCM 2012.

SCCM scanning is performed using four SecurityCenter plugins.

  • Patch Management: SCCM Server Settings (Plugin ID 57029)
  • Patch Management: Missing updates from SCCM(Plugin ID 57030)
  • Patch Management: SCCM Computer Info Initialization(Plugin ID 73636)
  • Patch Management: SCCM Report(Plugin ID 58186)

Credentials for the SCCM system must be provided for SCCM scanning to work properly. Under the Credentials tab, select Patch Management and then Microsoft SCCM.

Credential Description

Server

The SCCM IP address or system name.

Domain

The domain the SCCM server is a part of.

Username

The SCCM admin username.

Password

The SCCM admin password.
ClosedWindows Server Update Services (WSUS)

Windows Server Update Services (WSUS) is available from Microsoft to manage the distribution of updates and hotfixes for Microsoft products. SecurityCenter have the ability to query WSUS to verify whether or not patches are installed on systems managed by WSUS and display the patch information through the SecurityCenter GUI.

  • If the credential check sees a system but it is unable to authenticate against the system, it uses the data obtained from the patch management system to perform the check. If SecurityCenter is able to connect to the target system, it performs checks on that system and ignores WSUS output.
  • The data returned to SecurityCenter by WSUS is only as current as the most recent data that the WSUS server has obtained from its managed hosts.

WSUS scanning is performed using three SecurityCenter plugins.

  • Patch Management: WSUS Server Settings (Plugin ID 57031)
  • Patch Management: Missing updates from WSUS (Plugin ID 57032)
  • Patch Management: WSUS Report (Plugin ID 58133)

Credentials for the WSUS system must be provided for WSUS scanning to work properly. Under the Credentials tab, select Patch Management and then Microsoft WSUS.

Credential Default Description

Server

None

The WSUS IP address or system name.

Port

8530

The port WSUS is running on (typically TCP 80 or 443).

Username

none

The WSUS admin username.

Password

none

The WSUS admin password.

HTTPS

Enabled

Shows if the WSUS service is using SSL.

Verify SSL certificate

Enabled

Verifies that the SSL certificate is valid.
ClosedRed Hat Satellite Server

Red Hat Satellite is a systems management platform for Linux-based systems. SecurityCenter has the ability to query Satellite to verify whether or not patches are installed on systems managed by Satellite and display the patch information.

Although not supported by Tenable, the RHN Satellite plugin will also work with Spacewalk Server, the Open Source Upstream Version of Red Hat Satellite. Spacewalk has the capability of managing distributions based on Red Hat (RHEL, CentOS, Fedora) and SUSE. Tenable supports the Satellite server for Red Hat Enterprise Linux.

  • If the credential check sees a system, but it is unable to authenticate against the system, it uses the data obtained from the patch management system to perform the check. If Security Center is able to connect to the target system, it performs checks on that system and ignores RHN Satellite output.
  • The data returned to SecurityCenter by RHN Satellite is only as current as the most recent data that the Satellite server has obtained from its managed hosts.

Satellite scanning is performed using five SecurityCenter plugins:

  • Patch Management: Patch Schedule From Red Hat Satellite Server (Plugin ID 84236)
  • Patch Management: Red Hat Satellite Server Get Installed Packages (Plugin ID 84235)
  • Patch Management: Red Hat Satellite Server Get Managed Servers (Plugin ID 84234)
  • Patch Management: Red Hat Satellite Server Get System Information (Plugin ID 84237)
  • Patch Management: Red Hat Satellite Server Settings (Plugin ID 84238)

If the RHN Satellite server is version 6, three additional SecurityCenter plugins are used:

  • Patch Management: Red Hat Satellite Server Get Installed Packages (Plugin ID 84231)
  • Patch Management: Red Hat Satellite 6 Settings (Plugin ID 84232)
  • Patch Management: Red Hat Satellite 6 Report (Plugin ID 84233)
ClosedRed Hat Satellite 6 Server
Credential Default Description

Satellite server

none

The RHN Satellite IP address or system name.

Port

443

The port Satellite is running on (typically TCP 80 or 443).

Username

none

The Red Hat Satellite username.

Password

none

The Red Hat Satellite password.

HTTPS

Enabled

 

Verify SSL Certificate

Enabled

Verifies that the SSL certificate is valid.
ClosedSymantec Altris

Altiris is available from Symantec to manage the distribution of updates and hotfixes for Linux, Windows, and Mac OS X systems. SecurityCenter has the ability to use the Altiris API to verify whether or not patches are installed on systems managed by Altiris and display the patch information through the SecurityCenter GUI.

  • If the credential check sees a system but it is unable to authenticate against the system, it uses the data obtained from the patch management system to perform the check. If SecurityCenter is able to connect to the target system, it performs checks on that system and ignores Altiris output.
  • The data returned to SecurityCenter by Altiris is only as current as the most recent data that the Altiris has obtained from its managed hosts.
  • SecurityCenter connects to the Microsoft SQL server that is running on the Altiris host (e.g., credentials must be valid for the MSSQL database, meaning a database account with the privileges to query all the data in the Altiris MSSQL database). The database server may be run on a separate host from the Altiris deployment. When leveraging this audit, SecurityCenter must connect to the MSSQL database, not the Altiris server if they are on a separate box.

Altiris scanning is performed using four SecurityCenter plugins.

  • symantec_altiris_get_computer_info.nbin (Plugin ID 78013)
  • symantec_altiris_get_missing_updates.nbin (Plugin ID 78012)
  • symantec_altiris_init_info.nbin (Plugin ID 78011)
  • symantec_altiris_report.nbin (Plugin ID 78014)

Credentials for the Altiris Microsoft SQL (MSSQL) database must be provided for Altiris scanning to work properly. Under the Credentials tab, select Patch Management and then Symantec Altiris.

Credential Default Description

Server

none

Altiris IP address or system name. This is a required field.

Database Port

5690

The port the Altiris database is running on (Typically TCP 5690).

Database Name

Symantec_CMDB

The name of the MSSQL database that manages Altiris patch information.

Database Username

None

The username required to log into the Altiris MSSQL database. This is a required field.

Database Password

none

The password required to authenticate the Altiris MSSQL database. This is a required field.

Use Windows Authentication

Disabled

Denotes whether or not to use NTLMSSP for compatibility with older Windows Servers, otherwise it uses Kerberos.

To ensure SecurityCenter can properly utilize Altiris to pull patch management information, it must be configured to do so.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.