Patch Management
Tenable Security Center can leverage credentials for patch management systems to perform patch auditing on systems for which credentials may not be available.
Tenable Security Center supports:
- Dell KACE K1000
- HCL BigFix
- Microsoft System Center Configuration Manager (SCCM)
- Microsoft Windows Server Update Services (WSUS)
- Red Hat Satellite Server
- Symantec Altiris
You can configure patch management options in scan policies, as described in Authentication Options and Add a Scan Policy.
IT administrators are expected to manage the patch monitoring software and install any agents required by the patch management system on their systems.
Note: If the credential check sees a system but it is unable to authenticate against the system, it uses the data obtained from the patch management system to perform the check. If Tenable Security Center is able to connect to the target system, it performs checks on that system and ignores the patch management system output.
Note: The data returned to Tenable Security Center by the patch management system is only as current as the most recent data that the patch management system has obtained from its managed hosts.
Scanning with Multiple Patch Managers
If you provide multiple sets of credentials to Tenable Security Center for patch management tools, Tenable Security Center uses all of them.
If you provide credentials for a host and for one or more patch management systems, Tenable Security Center compares the findings from all methods and either reports on conflicts or provides a satisfied finding. Use the Patch Management Windows Auditing Conflicts plugins to highlight patch data differences between the host and a patch management system.
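As an added illustration of the merge logic the two notes and this section describe, the following Python models how a host-side result is reconciled with one or more patch managers: the host's own result wins when the host could be authenticated to, any manager that disagrees is flagged as a conflict, and manager data is used only when the host is unreachable or silent on a patch. This is example code, not Tenable's; the record layout and the KB identifiers are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PatchReport:
    """Patch state as reported by one source: the host itself or one patch manager."""
    source: str
    installed: Dict[str, bool]  # patch identifier -> True if the source says it is installed


@dataclass
class Finding:
    patch: str
    installed: bool
    basis: str                                          # "host" or "patch-management"
    conflicts: List[str] = field(default_factory=list)  # managers that disagree with the host


def audit(host: Optional[PatchReport], managers: List[PatchReport]) -> Dict[str, Finding]:
    """Merge host and patch-manager findings.

    * When the host could be authenticated to, its own result is the finding and
      each manager that disagrees is recorded as a conflict.
    * When the host is unreachable (host is None) or has no record of a patch,
      the manager data is used instead; any manager reporting the patch as
      installed yields a satisfied finding.
    """
    patch_ids = set()
    if host is not None:
        patch_ids.update(host.installed)
    for manager in managers:
        patch_ids.update(manager.installed)

    findings: Dict[str, Finding] = {}
    for pid in sorted(patch_ids):
        votes = {m.source: m.installed[pid] for m in managers if pid in m.installed}
        if host is not None and pid in host.installed:
            state = host.installed[pid]
            disagreeing = sorted(src for src, seen in votes.items() if seen != state)
            findings[pid] = Finding(pid, state, "host", disagreeing)
        else:
            # Only manager data is available for this patch (votes is never empty here,
            # because every patch id came from the host or from a manager).
            findings[pid] = Finding(pid, any(votes.values()), "patch-management")
    return findings


def conflicting_patches(findings: Dict[str, Finding]) -> List[str]:
    """Patch identifiers whose host and manager data disagree (what a conflicts plugin would list)."""
    return [pid for pid, f in sorted(findings.items()) if f.conflicts]


# Constructed sample data; the KB numbers are placeholders, not real updates.
HOST = PatchReport("host", {"KB5000001": True, "KB5000002": False})
WSUS = PatchReport("wsus", {"KB5000001": True, "KB5000002": True, "KB5000003": False})
SCCM = PatchReport("sccm", {"KB5000002": False})

if __name__ == "__main__":
    for pid, finding in audit(HOST, [WSUS, SCCM]).items():
        print(pid, "installed" if finding.installed else "missing", finding.basis, finding.conflicts)
```

Run as a script, it prints one line per patch with its basis and the list of disagreeing managers; with `audit(None, [...])` every finding carries the basis "patch-management", matching the fallback behaviour described in the first note above.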
Dell KACE K1000
KACE K1000 is available from Dell to manage the distribution of updates and hotfixes for Linux, Windows, and macOS systems. Tenable Security Center can query KACE K1000 to verify whether or not patches are installed on systems managed by KACE K1000 and display the patch information through the Tenable Security Center user interface.
Tenable Security Center supports KACE K1000 versions 6.x and earlier.
KACE K1000 scanning uses the following Tenable plugins: 76867, 76868, 76866, and 76869.
Option | Description | Default |
---|---|---|
Server | (Required) The KACE K1000 IP address or system name. | - |
Database Port | (Required) The TCP port that KACE K1000 listens on for communications from Tenable Security Center. | 3306 |
Organization Database Name | (Required) The name of the organization component for the KACE K1000 database (e.g., ORG1). | ORG1 |
Database Username | (Required) The username for the KACE K1000 account that Tenable Security Center uses to perform checks on the target system. | R1 |
K1000 Database Password | (Required) The password for the KACE K1000 user. | - |
HCL BigFix
HCL BigFix is available to manage the distribution of updates and hotfixes for desktop systems. Tenable Security Center can query HCL BigFix to verify whether or not patches are installed on systems managed by HCL BigFix and display the patch information.
Package reporting is supported by RPM-based and Debian-based distributions that HCL Bigfix officially supports. This includes Red Hat derivatives such as RHEL, CentOS, Scientific Linux, and Oracle Linux, as well as Debian and Ubuntu. Other distributions may also work, but unless HCL Bigfix officially supports them, there is no support available.
For local check plugins to trigger, only RHEL, CentOS, Scientific Linux, Oracle Linux, Debian, Ubuntu, and Solaris are supported. Plugin 160250 must be enabled.
Tenable Security Center supports HCL BigFix 9.5 and later, including 10.x and later.
HCL Bigfix scanning uses the following Tenable plugins: 160247, 160248, 160249, 160250, and 160251.
Option | Description | Default |
---|---|---|
Web Reports Server | (Required) The name of the HCL BigFix Web Reports server. | - |
Web Reports Port | (Required) The TCP port that the HCL BigFix Web Reports server listens on for communications from Tenable Security Center. | - |
Web Reports Username | (Required) The username for the HCL BigFix Web Reports administrator account that Tenable Security Center uses to perform checks on the target system. | - |
Web Reports Password | (Required) The password for the HCL BigFix Web Reports administrator user. | - |
HTTPS | When enabled, Tenable connects using secure communication (HTTPS). When disabled, Tenable connects using standard HTTP. | Enabled |
Verify SSL certificate | When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA. Tip: If you are using a self-signed certificate, disable this setting. | Enabled |
HCL Bigfix Server Configuration
To use these auditing features, you must make changes to the HCL BigFix server: import a custom analysis into HCL BigFix so that detailed package information is retrieved and made available to Tenable Security Center.
From the HCL BigFix Console application, import the following two .bes files. The first defines the analysis whose properties Tenable Security Center reads; the second defines a task for Solaris 10 hosts that captures the output of showrev -a into the file that the analysis' Solaris property returns.
BES file:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
  <Analysis>
    <Title>Tenable</Title>
    <Description>This analysis provides SecurityCenter with the data it needs for vulnerability reporting. </Description>
    <Relevance>true</Relevance>
    <Source>Internal</Source>
    <SourceReleaseDate>2013-01-31</SourceReleaseDate>
    <MIMEField>
      <Name>x-fixlet-modification-time</Name>
      <Value>Thu, 13 May 2021 21:43:29 +0000</Value>
    </MIMEField>
    <Domain>BESC</Domain>
    <Property Name="Packages - With Versions (Tenable)" ID="74"><![CDATA[if (exists true whose (if true then (exists object repository) else false)) then unique values of (lpp_name of it & "|" & version of it as string & "|" & "fileset" & "|" & architecture of operating system) of filesets of products of object repository else if (exists true whose (if true then (exists debianpackage) else false)) then unique values of (name of it & "|" & version of it as string & "|" & "deb" & "|" & architecture of it & "|" & architecture of operating system) of packages whose (exists version of it) of debianpackages else if (exists true whose (if true then (exists rpm) else false)) then unique values of (name of it & "|" & version of it as string & "|" & "rpm" & "|" & architecture of it & "|" & architecture of operating system) of packages of rpm else if (exists true whose (if true then (exists ips image) else false)) then unique values of (full name of it & "|" & version of it as string & "|" & "pkg" & "|" & architecture of operating system) of latest installed packages of ips image else if (exists true whose (if true then (exists pkgdb) else false)) then unique values of(pkginst of it & "|" & version of it & "|" & "pkg10") of pkginfos of pkgdb else "<unsupported>"]]></Property>
    <Property Name="Tenable AIX Technology Level" ID="76">current technology level of operating system</Property>
    <Property Name="Tenable Solaris - Showrev -a" ID="77"><![CDATA[if ((operating system as string as lowercase contains "SunOS 5.10" as lowercase) AND (exists file "/var/opt/BESClient/showrev_patches.b64")) then lines of file "/var/opt/BESClient/showrev_patches.b64" else "<unsupported>"]]></Property>
  </Analysis>
</BES>
```
BES file:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
  <Task>
    <Title>Tenable - Solaris 5.10 - showrev -a Capture</Title>
    <Description><![CDATA[<enter a description of the task here> ]]></Description>
    <GroupRelevance JoinByIntersection="false">
      <SearchComponentPropertyReference PropertyName="OS" Comparison="Contains">
        <SearchText>SunOS 5.10</SearchText>
        <Relevance>exists (operating system) whose (it as string as lowercase contains "SunOS 5.10" as lowercase)</Relevance>
      </SearchComponentPropertyReference>
    </GroupRelevance>
    <Category></Category>
    <Source>Internal</Source>
    <SourceID></SourceID>
    <SourceReleaseDate>2021-05-12</SourceReleaseDate>
    <SourceSeverity></SourceSeverity>
    <CVENames></CVENames>
    <SANSID></SANSID>
    <MIMEField>
      <Name>x-fixlet-modification-time</Name>
      <Value>Thu, 13 May 2021 21:50:58 +0000</Value>
    </MIMEField>
    <Domain>BESC</Domain>
    <DefaultAction ID="Action1">
      <Description>
        <PreLink>Click </PreLink>
        <Link>here</Link>
        <PostLink> to deploy this action.</PostLink>
      </Description>
      <ActionScript MIMEType="application/x-sh"><![CDATA[#!/bin/sh
/usr/bin/showrev -a > /var/opt/BESClient/showrev_patches
/usr/sfw/bin/openssl base64 -in /var/opt/BESClient/showrev_patches -out /var/opt/BESClient/showrev_patches.b64
]]></ActionScript>
    </DefaultAction>
  </Task>
</BES>
```
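To show what the two files above actually hand back to a consumer, here is an added Python example (not HCL BigFix or Tenable code). The "Packages - With Versions (Tenable)" property emits one pipe-delimited record per package whose field layout depends on the package type named in the third field (fileset, deb, rpm, pkg, pkg10), or the literal `<unsupported>`; the task writes the base64-encoded output of showrev -a, which the Solaris property returns line by line. The parser below tolerates a malformed record without discarding the rest, and reassembles the base64 lines to extract Solaris patch identifiers. All sample records and the showrev excerpt are constructed.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

UNSUPPORTED = "<unsupported>"  # literal the analysis returns on platforms it does not cover

# Field layout of each record, keyed by the package-type field the analysis emits.
# Derived from the relevance expression of the "Packages - With Versions" property.
LAYOUTS = {
    "fileset": ("name", "version", "kind", "os_arch"),          # AIX lpp filesets
    "deb":     ("name", "version", "kind", "arch", "os_arch"),  # Debian / Ubuntu
    "rpm":     ("name", "version", "kind", "arch", "os_arch"),  # RHEL and derivatives
    "pkg":     ("name", "version", "kind", "os_arch"),          # Solaris 11 IPS
    "pkg10":   ("name", "version", "kind"),                     # Solaris 10 SVR4
}


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    kind: str
    arch: Optional[str]     # package architecture (deb and rpm only)
    os_arch: Optional[str]  # architecture of the operating system (absent for pkg10)


def parse_package_record(record: str) -> Optional[Package]:
    """Parse one pipe-delimited record; returns None for the <unsupported> marker."""
    record = record.strip()
    if record == UNSUPPORTED:
        return None
    fields = record.split("|")
    if len(fields) < 3:
        raise ValueError(f"too few fields: {record!r}")
    layout = LAYOUTS.get(fields[2])
    if layout is None:
        raise ValueError(f"unknown package type {fields[2]!r} in {record!r}")
    if len(fields) != len(layout):
        raise ValueError(f"expected {len(layout)} fields for {fields[2]}, got {len(fields)}: {record!r}")
    values = dict(zip(layout, fields))
    return Package(values["name"], values["version"], values["kind"],
                   values.get("arch"), values.get("os_arch"))


def parse_package_records(lines: List[str]) -> Tuple[List[Package], List[str]]:
    """Parse all records, returning (packages, malformed lines) so one bad line does not drop the rest."""
    packages, bad = [], []
    for line in lines:
        if not line.strip():
            continue
        try:
            pkg = parse_package_record(line)
        except ValueError:
            bad.append(line)
            continue
        if pkg is not None:
            packages.append(pkg)
    return packages, bad


PATCH_LINE = re.compile(r"^Patch:\s+(\d{6}-\d{2})\b")


def showrev_patch_ids(b64_lines: List[str]) -> List[str]:
    """Reassemble the base64 showrev -a capture (returned line by line by the
    Solaris property) and extract the installed patch identifiers."""
    raw = base64.b64decode("".join(line.strip() for line in b64_lines))
    ids = []
    for line in raw.decode("utf-8", errors="replace").splitlines():
        m = PATCH_LINE.match(line)
        if m:
            ids.append(m.group(1))
    return ids


# Constructed sample records in the layouts the analysis produces, plus one malformed line.
SAMPLE_RECORDS = [
    "openssl|1.0.2k-19.el7|rpm|x86_64|x86_64",
    "libssl1.1|1.1.1f-1ubuntu2|deb|amd64|x86_64",
    "bos.rte.libc|7.2.5.100|fileset|ppc",
    "library/security/openssl|1.0.2.21-11.4.0.0.1.13.0|pkg|i386",
    "SUNWcsu|11.10.0,REV=2005.01.21.15.53|pkg10",
    "broken-record",
    UNSUPPORTED,
]

# Constructed showrev -a excerpt, base64-encoded the way the task's action script does it.
SAMPLE_SHOWREV = (
    "Hostname: sol10-host\n"
    "Patch: 119254-45 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr\n"
    "Patch: 120011-14 Obsoletes: 118833-36 Requires:  Incompatibles:  Packages: SUNWcsu\n"
)
SAMPLE_SHOWREV_B64 = base64.encodebytes(SAMPLE_SHOWREV.encode()).decode().splitlines()

if __name__ == "__main__":
    pkgs, bad = parse_package_records(SAMPLE_RECORDS)
    for p in pkgs:
        print(p)
    print("malformed:", bad)
    print("patches:", showrev_patch_ids(SAMPLE_SHOWREV_B64))
```

Splitting on the pipe is safe because none of the package managers covered allow that character in a package name or version; the layout table is the place to extend if the analysis is edited to emit further platforms.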
Microsoft System Center Configuration Manager (SCCM)
Microsoft System Center Configuration Manager (SCCM) is available to manage large groups of Windows-based systems. Tenable Security Center can query the SCCM service to verify whether or not patches are installed on systems managed by SCCM and display the patch information through the scan results.
Tenable Security Center connects to the server that is running the SCCM site (i.e., the credentials must be valid for the SCCM service, so the selected user must have privileges to query all the data in the SCCM MMC). This server may also run the SQL database, or the database and the SCCM repository can be on separate servers. When leveraging this audit, Tenable Security Center must connect to the SCCM server via WMI and HTTPS.
Note: SCCM scanning with Tenable products requires one of the following roles: Read-only Analyst, Operations Administrator, or Full Administrator. For more information, see Setting Up SCCM Scan Policies.
SCCM scanning uses the following Tenable plugins: 57029, 57030, 73636, and 58186.
Note: SCCM patch management plugins support versions from SCCM 2007 up to and including Configuration Manager version 2309.
Credential | Description | Default |
---|---|---|
Server | (Required) The SCCM IP address or system name. | - |
Domain | (Required) The name of the SCCM server's domain. | - |
Username | (Required) The username for the SCCM user account that Tenable Security Center uses to perform checks on the target system. The user account must have privileges to query all data in the SCCM MMC. | - |
Password | (Required) The password for the SCCM user with privileges to query all data in the SCCM MMC. | - |
Windows Server Update Services (WSUS)
Windows Server Update Services (WSUS) is available from Microsoft to manage the distribution of updates and hotfixes for Microsoft products. Tenable Security Center can query WSUS to verify whether or not patches are installed on systems managed by WSUS and display the patch information through the Tenable Security Center user interface.
WSUS scanning uses the following Tenable plugins: 57031, 57032, and 58133.
Option | Description | Default |
---|---|---|
Server | (Required) The WSUS IP address or system name. | - |
Port | (Required) The TCP port that Microsoft WSUS listens on for communications from Tenable Security Center. | 8530 |
Username | (Required) The username for the WSUS administrator account that Tenable Security Center uses to perform checks on the target system. | - |
Password | (Required) The password for the WSUS administrator user. | - |
HTTPS | When enabled, Tenable connects using secure communication (HTTPS). When disabled, Tenable connects using standard HTTP. | Enabled |
Verify SSL Certificate | When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA. Tip: If you are using a self-signed certificate, disable this setting. | Enabled |
Red Hat Satellite Server
Red Hat Satellite is a systems management platform for Linux-based systems. Tenable Security Center can query Satellite to verify whether or not patches are installed on systems managed by Satellite and display the patch information.
Although not supported by Tenable, the Red Hat Satellite plugin also works with Spacewalk Server, the open-source upstream version of Red Hat Satellite. Spacewalk can manage distributions based on Red Hat (RHEL, CentOS, Fedora) and SUSE. Tenable supports the Satellite server for Red Hat Enterprise Linux.
Satellite scanning uses the following Tenable plugins: 84236, 84235, 84234, 84237, and 84238.
Option | Description | Default |
---|---|---|
Satellite Server | (Required) The Red Hat Satellite IP address or system name. | - |
Port | (Required) The TCP port that Red Hat Satellite listens on for communications from Tenable Security Center. | 443 |
Username | (Required) The username for the Red Hat Satellite account that Tenable Security Center uses to perform checks on the target system. | - |
Password | (Required) The password for the Red Hat Satellite user. | - |
Verify SSL Certificate | When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA. Tip: If you are using a self-signed certificate, disable this setting. | Enabled |
Red Hat Satellite 6 Server
Red Hat Satellite 6 is a systems management platform for Linux-based systems. Tenable Security Center can query Satellite to verify whether or not patches are installed on systems managed by Satellite and display the patch information.
Although not supported by Tenable, the Red Hat Satellite 6 plugin also works with Spacewalk Server, the open-source upstream version of Red Hat Satellite. Spacewalk can manage distributions based on Red Hat (RHEL, CentOS, Fedora) and SUSE. Tenable supports the Satellite server for Red Hat Enterprise Linux.
Red Hat Satellite 6 scanning uses the following Tenable plugins: 84236, 84235, 84234, 84237, 84238, 84231, 84232, and 84233.
Option | Description | Default |
---|---|---|
Satellite Server | (Required) The Red Hat Satellite 6 IP address or system name. | - |
Port | (Required) The TCP port that Red Hat Satellite 6 listens on for communications from Tenable Security Center. | 443 |
Username | (Required) The username for the Red Hat Satellite 6 account that Tenable Security Center uses to perform checks on the target system. | - |
Password | (Required) The password for the Red Hat Satellite 6 user. | - |
HTTPS | When enabled, Tenable connects using secure communication (HTTPS). When disabled, Tenable connects using standard HTTP. | Enabled |
Verify SSL Certificate | When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA. Tip: If you are using a self-signed certificate, disable this setting. | Enabled |
Symantec Altiris
Altiris is available from Symantec to manage the distribution of updates and hotfixes for Linux, Windows, and macOS systems. Tenable Security Center can use the Altiris API to verify whether or not patches are installed on systems managed by Altiris and display the patch information through the Tenable Security Center user interface.
Tenable Security Center connects to the Microsoft SQL server that is running on the Altiris host. When leveraging this audit, if the MSSQL database and Altiris server are on separate hosts, Tenable Security Center must connect to the MSSQL database, not the Altiris server.
Altiris scanning uses the following Tenable plugins: 78013, 78012, 78011, and 78014.
Credential | Description | Default |
---|---|---|
Server | (Required) The Altiris IP address or system name. | - |
Database Port | (Required) The TCP port that Altiris listens on for communications from Tenable Security Center. | 5690 |
Database Name | (Required) The name of the MSSQL database that manages Altiris patch information. | Symantec_CMDB |
Database Username | (Required) The username for the Altiris MSSQL database account that Tenable Security Center uses to perform checks on the target system. Credentials must be valid for an MSSQL database account with the privileges to query all the data in the Altiris MSSQL database. | - |
Database Password | (Required) The password for the Altiris MSSQL database user. | - |
Use Windows Authentication | When enabled, use NTLMSSP for compatibility with older Windows Servers. When disabled, use Kerberos. | Enabled |