Recently Viewed Topics
Patch Management
SecurityCenter can leverage credentials for the Red Hat Network Satellite, IBM BigFix, Dell KACE 1000, WSUS, and SCCM patch management systems to perform patch auditing on systems for which credentials may not be available to the Nessus scanner.
Options for these patch management systems can be found under Scan Policy Definitions in their respective drop-down boxes: Symantec Altiris, IBM BigFix, Red Hat Satellite Server, Microsoft SCCM, Dell KACE K1000, and Microsoft WSUS.
IT administrators are expected to manage the patch monitoring software and install any agents required by the patch management system on their systems.
Scanning With Multiple Patch Managers
If you provide multiple sets of credentials to SecurityCenter for patch management tools, SecurityCenter uses all of them. Available credentials are:
- Credentials supplied to directly authenticate to the target
- Dell KACE 1000
- IBM BigFix
- Microsoft System Center Configuration Manager (SCCM)
- Microsoft Windows Server Update Services (WSUS)
- Red Hat Network Satellite Server
- Symantec Altiris
If you provide credentials for a host, as well as one or more patch management systems, SecurityCenter compares the findings between all methods and report on conflicts or provide a satisfied finding. Use the Patch Management Windows Auditing Conflicts plugins to highlight patch data differences between the host and a patch management system.
Dell KACE K1000
KACE K1000 is available from Dell to manage the distribution of updates and hotfixes for Linux, Windows, and Mac OS X systems. SecurityCenter can query KACE K1000 to verify whether or not patches are installed on systems managed by KACE K1000 and display the patch information through the SecurityCenter user interface.
- If the credential check sees a system but it is unable to authenticate against the system, it uses the data obtained from the patch management system to perform the check. If SecurityCenter is able to connect to the target system, it performs checks on that system and ignores KACE K1000 output.
- The data returned to SecurityCenter by KACE K1000 is only as current as the most recent data that the KACE K1000 has obtained from its managed hosts.
KACE K1000 scanning uses four SecurityCenter plugins:
- kace_k1000_get_computer_info.nbin (Plugin ID 76867)
- kace_k1000_get_missing_updates.nbin (Plugin ID 76868)
- kace_k1000_init_info.nbin (Plugin ID 76866)
- kace_k1000_report.nbin (Plugin ID 76869)
You must provide credentials for the Dell KACE K1000 system for K1000 scanning to work properly. Under the Credentials tab, select Patch Management, then select Dell KACE K1000.
| Option | Default | Description |
|---|---|---|
|
Server |
none |
(Required) The KACE K1000 IP address or system name. |
|
Database Port |
3306 |
The port the K1000 database is running on (typically TCP 3306). |
|
Organization Database Name |
ORG1 |
The name of the organization component for the KACE K1000 database. This component begins with the letters ORG and ends with a number that corresponds with the K1000 database username. |
|
Database Username |
none |
(Required) The username required to log into the K1000 database. R1 is the default if no user is defined. The username begins with the letter R. This username ends in the same number that represents the number of the organization to scan. |
|
K1000 Database Password |
none |
(Required) The password required to authenticate the K1000 Database Username. |
IBM BigFix
IBM BigFix is available from IBM to manage the distribution of updates and hotfixes for desktop systems. SecurityCenter can query IBM BigFix to verify whether or not patches are installed on systems managed by IBM BigFix and display the patch information.
- If the credential check sees a system but it is unable to authenticate against the system, it uses the data obtained from the patch management system to perform the check. If SecurityCenter is able to connect to the target system, it performs checks on that system and ignores IBM BigFix output.
- The data returned to SecurityCenter by IBM BigFix is only as current as the most recent data that the IBM BigFix server has obtained from its managed hosts.
IBM BigFix scanning uses five SecurityCenter plugins:
- Patch Management: Tivoli Endpoint Manager Compute Info Initialization (Plugin ID 62559)
- Patch Management: Missing updates from Tivoli Endpoint Manager (Plugin ID 62560)
- Patch Management: IBM Tivoli Endpoint Manager Server Settings (Plugin ID 62558)
- Patch Management: Tivoli Endpoint Manager Report (Plugin ID 62561)
- Patch Management: Tivoli Endpoint Manager Get Installed Packages (Plugin ID 65703)
You must provide credentials for the IBM BigFix server for IBM BigFix scanning to work properly. Under the Credentials tab, select Patch Management, then select IBM Tivoli Endpoint Manager (BigFix)
| Option | Default | Description |
|---|---|---|
|
Web Reports Server |
None |
The name of IBM BigFix Web Reports Server. |
|
Web Reports Port |
none |
The port that the IBM BigFix Web Reports Server listens on. |
|
Web Reports Username |
none |
The Web Reports administrative username. |
|
Web Reports Password |
none |
The Web Reports administrative password. |
|
HTTPS |
Enabled |
Shows if the Web Reports service is using SSL. |
|
Verify SSL certificate |
Enabled |
Verify that the SSL certificate is valid. |
Package reporting is supported by RPM-based and Debian-based distributions that IBM BigFix officially supports. This includes Red Hat derivatives such as RHEL, CentOS, Scientific Linux, and Oracle Linux, as well as Debian and Ubuntu. Other distributions may also work, but unless IBM BigFix officially supports them, there is no support available.
For local check plugins to trigger, only RHEL, CentOS, Scientific Linux, Oracle Linux, Debian, and Ubuntu are supported. The plugin Patch Management: Tivoli Endpoint Manager Get Installed Packages must be enabled.
In order to use these auditing features, you must make changes to the IBM BigFix server. You must import a custom analysis into IBM BigFix so that detailed package information is retrieved and made available to SecurityCenter. Before beginning, save the following text to a file on the IBM BigFix system, and name it with a .bes extension.
<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
<Analysis>
<Title>Tenable</Title>
<Description>This analysis provides SecurityCenter with the data it needs for vulnerability reporting. </Description>
<Relevance>true</Relevance>
<Source>Internal</Source>
<SourceReleaseDate>2013-01-31</SourceReleaseDate>
<MIMEField>
<Name>x-fixlet-modification-time</Name>
<Value>Fri, 01 Feb 2013 15:54:09 +0000</Value>
</MIMEField>
<Domain>BESC</Domain>
<Property Name="Packages - With Versions (Tenable)" ID="1"><![CDATA[if (exists true whose (if true then (exists debianpackage) else false)) then unique values of (name of it & "|" & version of it as string & "|" & "deb" & "|" & architecture of it & "|" & architecture of operating system) of packages whose (exists version of it) of debianpackages else if (exists true whose (if true then (exists rpm) else false)) then unique values of (name of it & "|" & version of it as string & "|" & "rpm" & "|" & architecture of it & "|" & architecture of operating system) of packages of rpm else "<unsupported>" ]]></Property>
</Analysis>
</BES>
Microsoft System Center Configuration Manager (SCCM)
Microsoft System Center Configuration Manager (SCCM) is available to manage large groups of Windows-based systems. SecurityCenter can query the SCCM service to verify whether or not patches are installed on systems managed by SCCM and display the patch information through the SecurityCenter user interface.
- If the credentialed check sees a system but it is unable to authenticate against the system, it uses the data obtained from the patch management system to perform the check. If SecurityCenter is able to connect to the target system, it performs checks on that system and ignores SCCM output.
- The data returned by SCCM is only as current as the most recent data that the SCCM server has obtained from its managed hosts.
- SecurityCenter connects to the server that is running the SCCM site (e.g., credentials must be valid for the SCCM service, meaning an admin account in SCCM with the privileges to query all the data in the SCCM MMC). This server may also run the SQL database, or the database as well as the SCCM repository can be on separate servers. When leveraging this audit, SecurityCenter must connect to the SCCM Server, not the SQL or SCCM server if they are on a separate box.
SecurityCenter SCCM patch management plugins support SCCM 2007 and SCCM 2012.
SCCM scanning uses four SecurityCenter plugins:
- Patch Management: SCCM Server Settings (Plugin ID 57029)
- Patch Management: Missing updates from SCCM(Plugin ID 57030)
- Patch Management: SCCM Computer Info Initialization(Plugin ID 73636)
- Patch Management: SCCM Report(Plugin ID 58186)
You must provide credentials for the SCCM system for SCCM scanning to work properly. Under the Credentials tab, select Patch Management, then select Microsoft SCCM.
| Credential | Description |
|---|---|
|
Server |
The SCCM IP address or system name. |
|
Domain |
The domain the SCCM server is a part of. |
|
Username |
The SCCM admin username. |
|
Password |
The SCCM admin password. |
Windows Server Update Services (WSUS)
Windows Server Update Services (WSUS) is available from Microsoft to manage the distribution of updates and hotfixes for Microsoft products. SecurityCenter can query WSUS to verify whether or not patches are installed on systems managed by WSUS and display the patch information through the SecurityCenter user interface.
- If the credential check sees a system but it is unable to authenticate against the system, it uses the data obtained from the patch management system to perform the check. If SecurityCenter is able to connect to the target system, it performs checks on that system and ignores WSUS output.
- The data returned to SecurityCenter by WSUS is only as current as the most recent data that the WSUS server has obtained from its managed hosts.
WSUS scanning uses three SecurityCenter plugins:
- Patch Management: WSUS Server Settings (Plugin ID 57031)
- Patch Management: Missing updates from WSUS (Plugin ID 57032)
- Patch Management: WSUS Report (Plugin ID 58133)
You must provide credentials for the WSUS system for WSUS scanning to work properly. Under the Credentials tab, select Patch Management, then select Microsoft WSUS.
| Credential | Default | Description |
|---|---|---|
|
Server |
None |
The WSUS IP address or system name. |
|
Port |
8530 |
The port WSUS is running on (typically TCP 80 or 443). |
|
Username |
none |
The WSUS admin username. |
|
Password |
none |
The WSUS admin password. |
|
HTTPS |
Enabled |
Shows if the WSUS service is using SSL. |
|
Verify SSL certificate |
Enabled |
Verifies that the SSL certificate is valid. |
Red Hat Satellite Server
Red Hat Satellite is a systems management platform for Linux-based systems. SecurityCenter can query Satellite to verify whether or not patches are installed on systems managed by Satellite and display the patch information.
Although not supported by Tenable, the RHN Satellite plugin also works with Spacewalk Server, the Open Source Upstream Version of Red Hat Satellite. Spacewalk can manage distributions based on Red Hat (RHEL, CentOS, Fedora) and SUSE. Tenable supports the Satellite server for Red Hat Enterprise Linux.
- If the credential check sees a system, but it is unable to authenticate against the system, it uses the data obtained from the patch management system to perform the check. If Security Center is able to connect to the target system, it performs checks on that system and ignores RHN Satellite output.
- The data returned to SecurityCenter by RHN Satellite is only as current as the most recent data that the Satellite server has obtained from its managed hosts.
Satellite scanning uses five SecurityCenter plugins:
- Patch Management: Patch Schedule From Red Hat Satellite Server (Plugin ID 84236)
- Patch Management: Red Hat Satellite Server Get Installed Packages (Plugin ID 84235)
- Patch Management: Red Hat Satellite Server Get Managed Servers (Plugin ID 84234)
- Patch Management: Red Hat Satellite Server Get System Information (Plugin ID 84237)
- Patch Management: Red Hat Satellite Server Settings (Plugin ID 84238)
If the RHN Satellite server is version 6, it uses three additional SecurityCenter plugins:
- Patch Management: Red Hat Satellite Server Get Installed Packages (Plugin ID 84231)
- Patch Management: Red Hat Satellite 6 Settings (Plugin ID 84232)
- Patch Management: Red Hat Satellite 6 Report (Plugin ID 84233)
Red Hat Satellite 6 Server
| Credential | Default | Description |
|---|---|---|
|
Satellite server |
none |
The RHN Satellite IP address or system name. |
|
Port |
443 |
The port Satellite is running on (typically TCP 80 or 443). |
|
Username |
none |
The Red Hat Satellite username. |
|
Password |
none |
The Red Hat Satellite password. |
|
HTTPS |
Enabled |
|
|
Verify SSL Certificate |
Enabled |
Verifies that the SSL certificate is valid. |
Symantec Altris
Altiris is available from Symantec to manage the distribution of updates and hotfixes for Linux, Windows, and Mac OS X systems. SecurityCenter has the ability to use the Altiris API to verify whether or not patches are installed on systems managed by Altiris and display the patch information through the SecurityCenter GUI.
- If the credential check sees a system but it is unable to authenticate against the system, it uses the data obtained from the patch management system to perform the check. If SecurityCenter is able to connect to the target system, it performs checks on that system and ignores Altiris output.
- The data returned to SecurityCenter by Altiris is only as current as the most recent data that the Altiris has obtained from its managed hosts.
- SecurityCenter connects to the Microsoft SQL server that is running on the Altiris host (e.g., credentials must be valid for the MSSQL database, meaning a database account with the privileges to query all the data in the Altiris MSSQL database). The database server may be run on a separate host from the Altiris deployment. When leveraging this audit, SecurityCenter must connect to the MSSQL database, not the Altiris server if they are on a separate box.
Altiris scanning uses four SecurityCenter plugins:
- symantec_altiris_get_computer_info.nbin (Plugin ID 78013)
- symantec_altiris_get_missing_updates.nbin (Plugin ID 78012)
- symantec_altiris_init_info.nbin (Plugin ID 78011)
- symantec_altiris_report.nbin (Plugin ID 78014)
You must provide credentials for the Altiris Microsoft SQL (MSSQL) database for Altiris scanning to work properly. Under the Credentials tab, select Patch Management, then select Symantec Altiris.
| Credential | Default | Description |
|---|---|---|
|
Server |
none |
(Required) Altiris IP address or system name. |
|
Database Port |
5690 |
The port the Altiris database is running on (Typically TCP 5690). |
|
Database Name |
Symantec_CMDB |
The name of the MSSQL database that manages Altiris patch information. |
|
Database Username |
None |
(Required) The username required to log into the Altiris MSSQL database. |
|
Database Password |
none |
(Required) The password required to authenticate the Altiris MSSQL database. |
|
Use Windows Authentication |
Disabled |
Denotes whether or not to use NTLMSSP for compatibility with older Windows Servers, otherwise it uses Kerberos. |
To ensure SecurityCenter can properly utilize Altiris to pull patch management information, you must configure it.