Patch Management

KACE K1000 is available from Dell to manage the distribution of updates and hotfixes for Linux, Windows, and macOS systems. Tenable Vulnerability Management can query KACE K1000 to verify whether or not patches are installed on systems managed by KACE K1000 and display the patch information through the Tenable Vulnerability Management user interface.

Tenable Vulnerability Management supports KACE K1000 versions 6.x and earlier.

KACE K1000 scanning uses the following Tenable plugins: 76867, 76868, 76866, and 76869.

HCL Bigfix is available to manage the distribution of updates and hotfixes for desktop systems.Tenable Vulnerability Management can query HCL Bigfix to verify whether or not patches are installed on systems managed by HCL Bigfix and display the patch information.

Package reporting is supported by RPM-based and Debian-based distributions that HCL Bigfix officially supports. This includes Red Hat derivatives such as RHEL, CentOS, Scientific Linux, and Oracle Linux, as well as Debian and Ubuntu. Other distributions may also work, but unless HCL Bigfix officially supports them, there is no support available.

For local check plugins to trigger, only RHEL, CentOS, Scientific Linux, Oracle Linux, Debian, Ubuntu, and Solaris are supported. Plugin 160250 must be enabled.

Tenable Vulnerability Management supports HCL Bigfix 9.5 and later and 10.x and later.

HCL Bigfix scanning uses the following Tenable plugins: 160247, 160248, 160249, 160250, and 160251.

HCL Bigfix Server Configuration

In order to use these auditing features, you must make changes to the HCL Bigfix server. You must import a custom analysis into HCL Bigfix so that detailed package information is retrieved and made available to Tenable Vulnerability Management.

From the HCL BigFix Console application, import the following .bes files.

BES file:

<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
    <Analysis>
        <Title>Tenable</Title>
        <Description>This analysis provides SecurityCenter with the data it needs for vulnerability reporting. </Description>
        <Relevance>true</Relevance>
        <Source>Internal</Source>
        <SourceReleaseDate>2013-01-31</SourceReleaseDate>
        <MIMEField>
            <Name>x-fixlet-modification-time</Name>
            <Value>Thu, 13 May 2021 21:43:29 +0000</Value>
        </MIMEField>
        <Domain>BESC</Domain>
        <Property Name="Packages - With Versions (Tenable)" ID="74"><![CDATA[if (exists true whose (if true then (exists object repository) else false)) then unique values of (lpp_name of it & "|" & version of it as string & "|" & "fileset" & "|" & architecture of operating system) of filesets of products of object repository else if (exists true whose (if true then (exists debianpackage) else false)) then unique values of (name of it & "|" & version of it as string & "|" & "deb" & "|" & architecture of it & "|" & architecture of operating system) of packages whose (exists version of it) of debianpackages else if (exists true whose (if true then (exists rpm) else false)) then unique values of (name of it & "|" & version of it as string & "|" & "rpm" & "|" & architecture of it & "|" & architecture of operating system) of packages of rpm else if (exists true whose (if true then (exists ips image) else false)) then unique values of (full name of it & "|" & version of it as string & "|" & "pkg" & "|" & architecture of operating system) of latest installed packages of ips image else if (exists true whose (if true then (exists pkgdb) else false)) then unique values of(pkginst of it & "|" & version of it & "|" & "pkg10") of pkginfos of pkgdb else "<unsupported>"]]></Property>
        <Property Name="Tenable AIX Technology Level" ID="76">current technology level of operating system</Property>
        <Property Name="Tenable Solaris - Showrev -a" ID="77"><![CDATA[if ((operating system as string as lowercase contains "SunOS 5.10" as lowercase) AND (exists file "/var/opt/BESClient/showrev_patches.b64")) then lines of file "/var/opt/BESClient/showrev_patches.b64" else "<unsupported>"]]></Property>
    </Analysis>
</BES>

BES file:

<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
    <Task>
        <Title>Tenable - Solaris 5.10 - showrev -a Capture</Title>
        <Description><![CDATA[&lt;enter a description of the task here&gt; ]]></Description>
        <GroupRelevance JoinByIntersection="false">
            <SearchComponentPropertyReference PropertyName="OS" Comparison="Contains">
                <SearchText>SunOS 5.10</SearchText>
                <Relevance>exists (operating system) whose (it as string as lowercase contains "SunOS 5.10" as lowercase)</Relevance>
            </SearchComponentPropertyReference>
        </GroupRelevance>
        <Category></Category>
        <Source>Internal</Source>
        <SourceID></SourceID>
        <SourceReleaseDate>2021-05-12</SourceReleaseDate>
        <SourceSeverity></SourceSeverity>
        <CVENames></CVENames>
        <SANSID></SANSID>
        <MIMEField>
            <Name>x-fixlet-modification-time</Name>
            <Value>Thu, 13 May 2021 21:50:58 +0000</Value>
        </MIMEField>
        <Domain>BESC</Domain>
        <DefaultAction ID="Action1">
            <Description>
                <PreLink>Click </PreLink>
                <Link>here</Link>
                <PostLink> to deploy this action.</PostLink>
            </Description>
            <ActionScript MIMEType="application/x-sh"><![CDATA[#!/bin/sh
/usr/bin/showrev -a > /var/opt/BESClient/showrev_patches
/usr/sfw/bin/openssl base64 -in /var/opt/BESClient/showrev_patches -out /var/opt/BESClient/showrev_patches.b64

]]></ActionScript>
        </DefaultAction>
    </Task>
</BES>

Microsoft System Center Configuration Manager (SCCM) is available to manage large groups of Windows-based systems. Tenable Vulnerability Management can query the SCCM service to verify whether or not patches are installed on systems managed by SCCM and display the patch information through the scan results.

Tenable Vulnerability Management connects to the server that is running the SCCM site (e.g., credentials must be valid for the SCCM service, so the selected user must have privileges to query all the data in the SCCM MMC). This server may also run the SQL database, or the database and the SCCM repository can be on separate servers. When leveraging this audit, configured sensors Tenable Vulnerability Management must connect to the SCCM server via WMI and HTTPS.

Note: SCCM scanning with Tenable products requires one of the following roles: Read-only Analyst, Operations Administrator, or Full Administrator. For more information, see Setting Up SCCM Scan Policies.

SCCM scanning uses the following Tenable plugins: 57029, 57030, 73636, and 58186.

Note: SCCM patch management plugins support versions from SCCM 2007 up to and including Configuration Manager version 2309.

Windows Server Update Services (WSUS) is available from Microsoft to manage the distribution of updates and hotfixes for Microsoft products. Tenable Vulnerability Management can query WSUS to verify whether or not patches are installed on systems managed by WSUS and display the patch information through the Tenable Vulnerability Management user interface.

WSUS scanning uses the following Tenable plugins: 57031, 57032, and 58133.

Red Hat Satellite is a systems management platform for Linux-based systems. Tenable Vulnerability Management can query Satellite to verify whether or not patches are installed on systems managed by Satellite and display the patch information.

Although not supported by Tenable, the Red Hat Satellite plugin also works with Spacewalk Server, the Open Source Upstream Version of Red Hat Satellite. Spacewalk can manage distributions based on Red Hat (RHEL, CentOS, Fedora) and SUSE. Tenable supports the Satellite server for Red Hat Enterprise Linux.

Satellite scanning uses the following Tenable plugins: 84236, 84235, 84234, 84237, and 84238.

Red Hat Satellite 6 is a systems management platform for Linux-based systems. Tenable Vulnerability Management can query Satellite to verify whether or not patches are installed on systems managed by Satellite and display the patch information.

Although not supported by Tenable, the Red Hat Satellite 6 plugin also works with Spacewalk Server, the Open Source Upstream Version of Red Hat Satellite. Spacewalk can manage distributions based on Red Hat (RHEL, CentOS, Fedora) and SUSE. Tenable supports the Satellite server for Red Hat Enterprise Linux.

Red Hat Satellite 6 scanning uses the following Tenable plugins: 84236, 84235, 84234, 84237, 84238, 84231, 84232, and 84233.

Altiris is available from Symantec to manage the distribution of updates and hotfixes for Linux, Windows, and macOS systems. Tenable Vulnerability Management has the ability to use the Altiris API to verify whether or not patches are installed on systems managed by Altiris and display the patch information through the Tenable Vulnerability Management user interface.

Tenable Vulnerability Management connects to the Microsoft SQL server that is running on the Altiris host. When leveraging this audit, if the MSSQL database and Altiris server are on separate hosts, Tenable Vulnerability Management must connect to the MSSQL database, not the Altiris server.

Altiris scanning uses the following Tenable plugins: 78013, 78012, 78011, and 78014.