HP ProLiant Essentials Vulnerability and Patch Management Pack User Guide Part number 367562-004 Fourth edition July 2007
Legal notices © Copyright 2004, 2007 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
Contents
About this guide 6
Where to go for additional help 6
Website 6
Introduction
Deleting scan results by system 58
Deploying patches and fixes 60
Important information about patches and fixes 60
Deploying patches and fixes based on a vulnerability scan
Other tools report that a Windows system is patched, but Vulnerability and Patch Management Pack reports patches needed 93
Patch source for vendor patches is Microsoft* or Red Hat* 93
Multiple events listed in HP SIM for patch deployments
About this guide This user guide provides step-by-step instructions for installing and using HP ProLiant Essentials Vulnerability and Patch Management Pack. Where to go for additional help In addition to this guide, the following information sources are available. For additional information about Vulnerability and Patch Management Pack, see: • http://www.hp.
Introduction Malicious software security threats are becoming more frequent, more sophisticated, and more costly to businesses, draining billions of dollars in productivity, revenue, and corporate credibility each year. The vast majority of attacks, including automated worms, are performed against known vulnerabilities for which a patch or fix is widely known.
the need to recreate these tasks in multiple tools for vulnerability assessment and patch management. • Comprehensive vulnerability assessment—Coverage of vulnerabilities reported in all leading vulnerability databases ensures comprehensive assessment.
Infrastructure A server environment using Vulnerability and Patch Management Pack consists of the following components:
• Vulnerability and Patch Management Pack
• HP SIM
• Target systems
• VPM Acquisition Utility (installed on a separate system, optional)
Vulnerability and Patch Management Pack and HP SIM can be installed together on a single server (referred to as a shared configuration), or each component can be installed on a separate server (referred to as a distributed configuration).
The following figure depicts a shared server configuration, in which the VPM Acquisition Utility is used to obtain patch and vulnerability updates from the patch update sources.
Distributed server configuration In a distributed server configuration, Vulnerability and Patch Management Pack and HP SIM are each installed on a different server. A distributed server configuration can be beneficial in situations where the hardware limitations of the HP SIM server do not allow Vulnerability and Patch Management Pack to function efficiently on the HP SIM server.
The following figure depicts a distributed server configuration, in which the VPM Acquisition Utility is used to obtain patch and vulnerability updates from patch update sources.
The Vulnerability and Patch Management Pack interface Vulnerability and Patch Management Pack vulnerability information appears in the VPM column of the HP SIM console, shown circled in the following figure. Initially, the icon depicted in the column displays Vulnerability and Patch Management Pack eligibility information for the target system in the specific row.
Table 1 Vulnerability and Patch Management Pack icons
Icon: Risk assessment Unknown
Status: This system is available for licensing, but Vulnerability and Patch Management Pack cannot run for one of the following reasons:
• Vulnerability and Patch Management Pack is not installed.
• The system is not licensed.
• The system is licensed, but a scan has not yet been performed.
Icon: No icon
Status: Vulnerability and Patch Management Pack cannot be licensed on this system.
Requirements This section lists the hardware and software required for each component in the Vulnerability and Patch Management Pack environment.
Table 3 Software requirements
Component: Operating system (32-bit versions only)*
Specification:
• Microsoft Windows 2000 Server SP4
• Windows 2000 Advanced Server SP4
• Microsoft Windows Server™ 2003, Standard Edition SP1
• Windows Server 2003, Enterprise Edition SP1
• Windows Server 2003, Web Edition SP1
• Windows® XP Professional SP2
Component: Services
Specification: Microsoft Internet Information Services (IIS) 5.
VPM Acquisition Utility (optional) The VPM Acquisition Utility can be installed on a system with Internet access to acquire patch information and patch files from selected vendor websites. This utility allows patch acquisitions and vulnerability updates without requiring the VPM server to be directly connected to the Internet, thereby reducing potential security risks.
Installation and configuration This section provides detailed instructions to perform a first-time installation of Vulnerability and Patch Management Pack and the initial configuration steps necessary for use. Installation location Vulnerability and Patch Management Pack is installed by default in the C:\Program Files\HP\VPM directory. During the Vulnerability and Patch Management Pack installation, you can either accept this default directory or designate another installation location.
Installing from the Insight Control Management DVD 1. Insert the Insight Control Management DVD into the DVD-ROM drive of the intended VPM server. An autorun menu appears. 2. Read the license agreement. Click Agree. 3. Under Vulnerability and Patch Management Pack, click Install.
4. At the welcome screen, click Install. 5. At the Software Selection screen, select Vulnerability and Patch Management Pack, and click Next.
6. Review the requirements, and click Next.
7. If this is an upgrade installation, be sure that all Vulnerability and Patch Management Pack functions are stopped and that no Vulnerability and Patch Management Pack events are scheduled to run in the next 20 minutes. Click Yes to proceed. 8. Enter the HP SIM account credentials, and click Next. NOTE: This information is entered automatically for an upgrade installation.
9. If Vulnerability and Patch Management Pack is installed on a separate server from HP SIM, enter the user credentials under which Vulnerability and Patch Management Pack will be installed. NOTE: This information is entered automatically for an upgrade installation. You can only modify the password field.
10. Specify the database type to use for storing your patch database, and click Next. An existing SQL Server database can be used, or MSDE can be installed on the VPM server. ○ If you select a SQL Server database, enter your database credentials when prompted. The SQL Server database can be accessed using either of the following authentication methods: − Windows authentication—The provided credentials must match a Windows account configured with privileges to access the database.
11. Specify the installation directory or accept the default directory. NOTE: If this is an upgrade installation, the installation directory cannot be changed. 12. Click Install at the Typical Install Summary screen to install the Vulnerability and Patch Management Pack software. 13. Click Next when the Vulnerability and Patch Management Pack installation completes.
14. Click Finished. The HP SIM service is restarted and Vulnerability and Patch Management Pack is available for use.
Installing from the VPM download website 1. After downloading the Vulnerability and Patch Management Pack from the VPM download website, double-click setup.exe to start the installation. 2. See steps 4 through 14 in the previous section to complete the installation.
− View by System
− View Patches Installed by VPM
○ View Patch Reboot Status
○ View Patch Repository
• Deploy>Vulnerability and Patch Management
○ Patch without a Scan
○ Patch-Fix Based on a Scan
○ Remove Patch
○ Validate Installed Patches
○ VPM Patch Agent
Vulnerability and Patch Management Pack upgrades New versions of Vulnerability and Patch Management Pack are automatically installed over a previous version. Any scheduled tasks, scan reports, and patch updates are retained. Vulnerability and Patch Management Pack supports installation with an existing SQL Server database. However, patch data from a previous database is not migrated. A full patch acquisition must be performed to repopulate the patch repository.
6. Click Next. 7. Specify the installation directory or accept the default directory, and click Next.
8. Specify the Start Menu folder or accept the default folder, and click Next. 9. Select whether to create a desktop icon and quick launch icon for the VPM Acquisition Utility, and click Next.
10. Review the installation details. Click Back to change any settings, or click Install to begin the installation.
11. When the installation is complete, select whether to launch the VPM Acquisition Utility, and click Finish.
Post-installation configuration 1. Log in to HP SIM from an account with administrator privileges. NOTE: An administrator can add new users and set up existing users to access Vulnerability and Patch Management Pack. For instructions, see the HP Systems Insight Manager Installation and Configuration Guide. IMPORTANT: This configuration step must be completed for Vulnerability and Patch Management Pack to function properly. 2.
5. Perform an automatic discovery to locate and identify target systems in the network that can be used with Vulnerability and Patch Management Pack. For information about performing a discovery and other basic HP SIM tasks, see the HP Systems Insight Manager Installation and Configuration Guide.
○ If the VPM server does not have Internet access, select Acquire updates from local repository to use the VPM Acquisition Utility on another system with Internet access to acquire updates. The update files can either be manually relocated to the VPM server or accessed from the network. Designate the directory path where the update files will be located in the Source path field. If necessary, enter user credentials to access the designated directory.
Configuring Vulnerability and Patch Management Pack acquisition for Red Hat Enterprise Linux If Red Hat patch acquisitions will be run, configure Red Hat Enterprise Linux acquisition settings: 1. Verify the Red Hat library, compat-libstdc++, is installed on all Red Hat target systems. 2. Verify that each Red Hat target system to be patched has a valid subscription and license for the Red Hat Network, which are required for patch acquisitions.
Acquisitions from the VPM server IMPORTANT: If a proxy is used to connect to the Internet, proxy settings must be configured to acquire updates. For information, see the “Modifying the Vulnerability and Patch Management Pack settings” section. IMPORTANT: Do not schedule patch acquisition tasks to run while vulnerability scans are running. Patch acquisition tasks cause vulnerability scans to abort. 1. Select Options>Vulnerability and Patch Management>Acquire Updates. 2.
4. Select the appropriate languages for the required patches, and click Schedule. 5. Schedule a suitable time to acquire daily Vulnerability and Patch Management Pack updates. Updates might not be available daily, but scheduling the event daily ensures that critical updates are obtained promptly. Updates to scan definitions usually follow a few days after new patches are released. 6. Select the Run now checkbox to run the initial patch acquisition, and click Done.
Progress of the acquisition can be monitored at C:\Program Files\HP\VPM\Radia\IntegrationServer\logs\patch-acquire.log. NOTE: The acquisition event might contain raw HTTP error codes, which must be decoded to determine their cause. To decode HTTP error codes, see http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html or the IIS help pages located at C:\WINNT\Help\iisHelp\common on a system where IIS is installed.
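Reading raw HTTP codes out of a long acquisition log by hand is slow, and the same codes recur in the VPM Acquisition Utility log described later in this guide. The following PowerShell function is an added example, not code from HP or from the guide; it groups the HTTP status codes found in patch-acquire.log, attaches the RFC 2616 reason phrase, and flags whether the failure is on the client side (patch URL, credentials, proxy) or the vendor/proxy side. The log line layout in the sample is constructed for illustration, since this page does not document the real Radia Integration Server log format; only the three-digit code after "HTTP/1.x " or "status " is matched.

```powershell
# Added example, not code from the HP guide or from HP/Radia: summarise the HTTP
# status codes that appear in patch-acquire.log so failed downloads can be triaged
# without reading the raw log. ASSUMPTION: the sample line layout below is
# constructed for illustration; the real log layout is not documented on this page.
# Only the three-digit code after "HTTP/1.x " or "status " is matched.

# Reason phrases from RFC 2616 section 10, the reference the guide points to.
$HttpReasons = @{
    200 = 'OK'; 301 = 'Moved Permanently'; 302 = 'Found'
    400 = 'Bad Request'; 401 = 'Unauthorized'; 403 = 'Forbidden'; 404 = 'Not Found'
    407 = 'Proxy Authentication Required'; 500 = 'Internal Server Error'
    502 = 'Bad Gateway'; 503 = 'Service Unavailable'; 504 = 'Gateway Timeout'
}

function Get-HttpErrorSummary {
    param([Parameter(Mandatory)][string[]]$LogLines)
    $pattern = '(?:HTTP/1\.[01]\s+|status[ =:]+)(?<code>[1-5]\d\d)\b'
    $hits = @{}
    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            $code = [int]$Matches['code']
            if (-not $hits.ContainsKey($code)) { $hits[$code] = @() }
            $hits[$code] += $line
        }
    }
    foreach ($code in ($hits.Keys | Sort-Object)) {
        # Classify by status class so the operator knows where to look first.
        $class = switch ($code) {
            { $_ -lt 300 } { 'success'; break }
            { $_ -lt 400 } { 'redirect'; break }
            { $_ -lt 500 } { 'client error: check patch URL, credentials, proxy settings'; break }
            default        { 'server error: vendor site or proxy problem, retry later' }
        }
        $reason = if ($HttpReasons.ContainsKey($code)) { $HttpReasons[$code] } else { 'see RFC 2616 section 10' }
        [pscustomobject]@{
            Code   = $code
            Reason = $reason
            Class  = $class
            Count  = $hits[$code].Count
            Sample = $hits[$code][0]
        }
    }
}

# Real use on the VPM server (path from the guide). The VPM Acquisition Utility writes a
# log of the same name under C:\Program Files\HP\VPM Acquisition Utility\logs.
# Get-HttpErrorSummary -LogLines (Get-Content 'C:\Program Files\HP\VPM\Radia\IntegrationServer\logs\patch-acquire.log') |
#     Format-Table -AutoSize

# Constructed sample lines (not real VPM output) to show the shape of the summary.
$sample = @(
    '2007-07-12 10:01:03 GET http://download.microsoft.com/.../KB000000-x86-ENU.exe HTTP/1.1 200',
    '2007-07-12 10:01:09 GET http://download.microsoft.com/.../old-patch.exe HTTP/1.1 404',
    '2007-07-12 10:01:10 CONNECT proxy.corp.example:8080 status 407',
    '2007-07-12 10:01:11 GET http://download.microsoft.com/.../old-patch2.exe HTTP/1.1 404'
)
Get-HttpErrorSummary -LogLines $sample | Format-Table -AutoSize
```

A run of 404 responses usually points at stale vendor download metadata of the kind described in the troubleshooting section, and a 407 means the proxy credentials entered in the settings are missing or wrong; both are worth checking before re-running the acquisition.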
3. Select the appropriate operating system platforms and platform-related applications, and click Next. 4. Select the appropriate languages for the required patches, and click Next. 5. Enter the appropriate destination path for downloaded files, and click Next. The destination can be either a local or shared directory. IMPORTANT: The designated directory must be accessible.
6. If you use a proxy, select the I use a proxy checkbox, and enter the appropriate configuration information. 7. If your proxy requires authentication, select the My proxy requires authentication checkbox, and enter the appropriate user credentials. Only basic (not encrypted) authentication is supported: the user name and password are sent to the proxy base64-encoded, so use a dedicated proxy account with no other privileges. 8. Click Next. 9. Click Run Now to run the patch acquisition.
The vulnerability and patch acquisition begins. Progress of the acquisition can be monitored at C:\Program Files\HP\VPM Acquisition Utility\logs\patch-acquire.log. Clear the Enable auto-scroll checkbox to allow manual scrolling during the acquisition. NOTE: The Acquisition Log is provided only to ensure that the acquisition is progressing. Disregard various messages that appear on the log screen. NOTE: The acquisition process might appear to hang for a few moments while downloading large files. 10.
11. On the VPM server, create a directory named “data” at C:\Program Files\HP\VPM\Radia\Integration Server. You can use a network share if the VPM server has read access to the share. 12. Copy downloaded files from the VPM Acquisition Utility server destination directory to the VPM server data directory. 13. From HP SIM, configure your import setting by selecting Options>Vulnerability and Patch Management>Settings. 14.
Licensing This section provides information about licensing systems for use with Vulnerability and Patch Management Pack. NOTE: The VPM Patch Agent is automatically deployed when systems are licensed to allow patches to be applied to the systems. VPM Patch Agent updates might be acquired as part of the normal acquisition process. Agents installed on target systems are automatically updated the next time patches are applied or validated.
3. Click Next to continue the task. NOTE: Selected target systems not yet licensed or licensed using a time-limited license appear in the systems list on the license validation page. This page reappears, displaying the updated licensing status, each time a license is added or applied to a system. Time-limited licenses can be changed to permanent licenses at this time by selecting the node and applying a permanent license.
NOTE: Vulnerability and Patch Management Pack does not support the HP SIM License Manager Add Key from File feature. NOTE: If the license key is not valid or is a duplicate of a key already existing in the database, an error message appears, and the license key is not added to the database. Applying licenses to selected systems To apply licenses to target systems: 1. Select Deploy>License Manager>Deploy Keys. 2.
5. Select the appropriate Vulnerability and Patch Management Pack license key to apply to the selected systems. 6. Click Run Now.
Vulnerability scanning This section provides an overview of setting up and using the Vulnerability and Patch Management Pack scanning functionality. Vulnerability scanning is powered by technology from the Patchlink Corporation’s STAT Scanner. Patchlink Corporation is an international communications equipment company focused on providing mission-critical assured communications for commercial and government customers.
4. Verify that the correct target systems appear in the lists, click Add Targets or Remove Targets if it is necessary to reselect target systems, and click Next. 5. If any selected systems are unlicensed or licensed with a time-limited license, permanent licenses can be applied at this time. If licenses are available, select any unlicensed system in the list, and click Apply License. To add licenses using a key string, click Add Key, enter the key string in the field, and click OK.
NOTE: Scans are run one system at a time in a serial process from the VPM server. 9. If scheduling the vulnerability scan: a. Enter an appropriate name for the scan task, or accept the default name. b. To schedule the vulnerability scan to run on a regular basis, select Periodically, or to run the scan one time, select Once. c. Designate a time and date to run the scan task, and click Done. 10.
3. Modify the event details. a. If necessary, change target systems on which the task is scheduled to run by clicking either Add Targets or Remove Targets. Click Next. b. View the task schedule, and modify if necessary. Click Done.
Viewing vulnerability scan results The Vulnerability and Patch Management Pack scan results can be viewed either for a specified vulnerability scan or for an individual system. When a vulnerability scan is run for a group of target systems, results are generated for the group as well as for each individual system. Vulnerability scan results can be viewed as .
Viewing scan results by system 1. Select Diagnose>Vulnerability and Patch Management>Scan>View Results by System. 2. Select the checkbox next to the individual system for which to view scan results, and click Apply. 3. Verify that the correct target systems appear in the lists, click Add Targets or Remove Targets, if necessary to reselect target systems, and click Next.
4. Results for all scans performed on the selected system appear. Select the scan results to view, and click View. Customizing vulnerability scan definitions NOTE: Custom scans can be created from the default system scans. When default system scans are updated, the custom scans are updated with corresponding vulnerability updates also. To customize the provided vulnerability scans or previously created custom vulnerability scans: 1. Select Diagnose>Vulnerability and Patch Management>Scan>Customize Scan.
3. Select one or more vulnerabilities to include in the custom scan definition. 4. Enter a name and description for the new customized vulnerability scan, and click Save. IMPORTANT: The customized vulnerability scan must be renamed. The Vulnerability and Patch Management Pack default system scans cannot be modified and saved using the original scan name. To use a customized vulnerability scan to perform scanning, see the instructions in the “Scanning for vulnerabilities” section.
Deleting a customized vulnerability scan NOTE: Only custom vulnerability scans can be deleted. Default system scans provided with Vulnerability and Patch Management Pack cannot be deleted. To delete a custom vulnerability scan: 1. Select Diagnose>Vulnerability and Patch Management>Scan>Customize Scan. 2. Select the custom vulnerability scan to delete, and click Delete. 3. Click OK when prompted to confirm the action.
2. Select the appropriate scan or scans, and click Delete. All results associated with the selected scan are deleted. Deleting scan results by system 1. Select Diagnose>Vulnerability and Patch Management>Scan>View Results by System. 2. Select the individual system for which to delete results, and click Apply. 3. Verify that the correct target systems appear in the lists, click Add Targets or Remove Targets, if necessary to reselect target systems, and click Next.
4. Select the scan results to delete, and click Delete.
Deploying patches and fixes This section provides an overview of using Vulnerability and Patch Management Pack to deploy patches and configuration fixes. Patches and configuration fixes can be deployed immediately or scheduled for deployment at a later time. Patches and fixes can be selected individually from the database for deployment to all systems or any combination of specified systems without performing a scan.
To deploy patches, configuration fixes, or both to systems based on a specific vulnerability scan: 1. Select Deploy>Vulnerability and Patch Management>Patch-Fix Based on a Scan. 2. Select the completed vulnerability scan, and click Next. Vulnerabilities appear for all systems included in the scan. Not every listed vulnerability applies to every system. Clicking the entry in the Vulnerability ID or Advisory column displays additional information about the vulnerability.
4. Select the systems on which to apply patches or fixes, and click Next. 5. Designate when the patched systems will be rebooted. Reboots can be performed immediately after the patches or fixes are installed or postponed until later. The local user can also be given the option to accept or reject the reboot. NOTE: If the local user rejects the reboot, there will not be another automatic reminder. 6. To deploy patches or fixes immediately, click Run Now.
8. View task results in the VPM Events list after the task completes. To view the list of target systems that require reboot, see the “Viewing the patch reboot status” section. Deploying patches without a vulnerability scan If a patch is released that must be deployed immediately, the patch can be applied without running a scan. In normal circumstances, HP recommends running a scan before deploying patches. To deploy patches to systems without running a scan: 1.
5. If any selected systems are unlicensed or licensed with a time-limited license, permanent licenses can be applied at this time. If licenses are available, select any unlicensed system in the list to license, and click Apply License. To add licenses using a key string, click Add Key, enter the key string in the field, and click OK. IMPORTANT: If systems listed as Unknown or Unmanaged in HP SIM are selected for licensing, a server license is assumed and automatically applied.
8. Designate when the patched systems should be rebooted. Reboots can be performed immediately after the patches or fixes are installed or postponed until later. The local user can also be given the option to accept or reject the reboot. NOTE: If the local user rejects the reboot, there will not be another automatic reminder. 9. To schedule patch deployment, choose one of the following options: ○ To deploy patches immediately, click Run Now. ○ To schedule the patch deployment, click Schedule. 10.
a. Enter an appropriate name for the deployment task or accept the default name, and select Once. b. Designate a time and date to run the patch deployment task, and click Done. 11. View task results in the VPM Events list after the task completes. To view the list of target systems that require reboot, see the “Viewing the patch reboot status” section. Viewing the patch repository 1. Select Diagnose>Vulnerability and Patch Management>View Patch Repository. 2.
4. Verify that the correct target systems appear in the lists, click Add Targets or Remove Targets, if necessary to reselect target systems, and click Next. 5. The patch reboot status for the selected systems appears in the Reboot Status column. Select the systems to reboot, and select if the local user of all the listed systems will be given the option to accept or reject the reboot. NOTE: If the local user rejects the reboot, there will not be another automatic reminder.
7. If scheduling the reboot task: a. Enter an appropriate name for the reboot task or accept the default name, and select Once. b. Designate a time and date to run the reboot task, and click Done. Viewing patch installation status You can view consolidated reports showing patch installation status for all systems managed by Vulnerability and Patch Management Pack.
Viewing patch installation status by search filter 1. Select Diagnose>Vulnerability and Patch Management>View Patch Installation Status>View by Search Filter. 2. Enter a search parameter in the appropriate field, and click Search. You can view patches either by advisory number, target system, or the status of patches. Advisory numbers are in the form MS05-005 or RHSA-2005-05-850. 3. To view information about a specific patch, click the patch identification number in the Advisory column.
Viewing patch installation status by system 1. Select Diagnose>Vulnerability and Patch Management>View Patch Installation Status>View by System. 2. Click the entry in the Installed, Not Installed, or Other column for a system to display additional information about patches for that system. An entry in the Other column indicates that Vulnerability and Patch Management Pack cannot determine if the patch has been installed, possibly because adequate information was not provided by the patch vendor.
3. Verify that the correct target systems appear in the lists, click Add Targets or Remove Targets, if necessary to reselect target systems, and click Next. The list of patches installed on the system by Vulnerability and Patch Management Pack appears. The Status column indicates one of the following states for each patch:
○ Install – Successful—The patch installation completed successfully.
○ Install – Unsuccessful—The patch installation did not complete successfully.
Validating installed patches Patch validation identifies any missing patches on target systems and immediately reinstalls the patch, creating a patch deployment event in HP SIM. If a VPM Patch Agent update has been acquired, the update is also automatically applied. If reinstalled patches require selected target systems to be rebooted, this action is automatically deferred.
5. Enter an appropriate name for the validation task, or accept the default name. 6. To schedule the validation task, choose one of the following options: ○ To validate the installed patches immediately, select Run now, and click Done. ○ To schedule the validation task to run on a regular basis, select Periodically. ○ To run the task one time, select Once. 7. Designate a time and date to run the validation task, and click Done.
NOTE: If the VPM Patch Agent deployment failed, be sure that the system is accessible by selecting Options>Protocol Settings>System Protocol Settings and verifying that the WBEM credentials have been configured properly. To deploy the VPM Patch Agent to systems to enable patching: 1. Select Deploy>Vulnerability and Patch Management>VPM Patch Agent. 2. Select the target systems on which to deploy the VPM Patch Agent either by selecting a group from the dropdown list or by selecting the systems. 3.
IMPORTANT: Any unlicensed systems not licensed at this time will not be included in the VPM Patch Agent deployment. NOTE: If all target systems initially selected for the task are licensed with permanent licenses, the license validation page does not appear. 6. Click Next. 7. If the server type is identified as Unknown or Unmanaged with no identified operating system in the HP SIM console, select the appropriate operating system, and click Next. 8.
9. View task results in the VPM Events list after the task completes. Removing patches Only patches that can be removed appear on the patch removal page. Only Microsoft patches that ship with a vendor-provided uninstaller can be removed, and only if they were installed by Vulnerability and Patch Management Pack. Vulnerability and Patch Management Pack cannot remove configuration fixes or Red Hat patches.
3. Select the systems on which to remove the designated patches. 4. To remove the patches immediately, click Run Now. To schedule the patch removal, click Schedule.
5. If scheduling the patch removal task: a. Enter an appropriate name for the removal task or accept the default name, and select Once. b. Designate a time and date to run the removal task, and click Done. 6. View task results in the VPM Events list after the task completes. If the patch removal requires the target system to be rebooted, this action is automatically deferred.
Troubleshooting This section identifies and provides solutions for commonly encountered issues, as well as answers to frequently asked questions.
Vulnerability and Patch Management Pack installation updates MDAC and MSDE If MSDE or files used by MSDE are not up-to-date, files are updated during the Vulnerability and Patch Management Pack installation. The server is rebooted after updated files are installed. In this situation, the Vulnerability and Patch Management Pack installation must be restarted.
4. Click the Log On tab, and update with the new password. 5. Click the General tab, and click Stop>Start to restart the HP SIM service. 6. Right-click IIS Admin Service, and select Restart. Click Yes to confirm. Proceed with the Vulnerability and Patch Management Pack installation. If necessary, the installation account credentials can be changed back after the installation completes.
• UDP 1433, 1434—MSDE Shared Instance Support
• TCP (variable)—MSDE TCP/IP communications. This port, assigned at random by MSDE during installation, can be identified by selecting Start>Run, entering svrnetcn.exe, and clicking OK. Select Computername\Device from the Server Instances dropdown menu. In the Enabled Protocols list, select TCP/IP>Properties. The port number appears. The port number can be changed at this time, if necessary.
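The randomly assigned MSDE port can also be read from the registry, which is easier to script into a firewall review than the svrnetcn.exe dialog. The PowerShell below is an added example, not from the guide or from HP; it assumes the SQL Server 2000 / MSDE 2000 registry layout (default instance under HKLM\SOFTWARE\Microsoft\MSSQLServer, named instances under HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\<instance>) and is run on the VPM server with administrative rights. It uses netstat rather than newer networking cmdlets because the server platforms in Table 3 predate them.

```powershell
# Added example (not from the HP guide): read the MSDE TCP listening port from the
# registry instead of opening svrnetcn.exe, and confirm a listener is bound to it.
# ASSUMPTIONS: SQL Server 2000 / MSDE 2000 registry layout (default instance under
# HKLM:\SOFTWARE\Microsoft\MSSQLServer, named instances under
# HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\<name>); run on the VPM server as admin.

function Get-MsdeTcpPort {
    $instances = @()
    $default = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp'
    if (Test-Path $default) { $instances += @{ Name = 'MSSQLSERVER'; Key = $default } }
    $root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
    if (Test-Path $root) {
        foreach ($child in Get-ChildItem $root) {
            $key = Join-Path $child.PSPath 'MSSQLServer\SuperSocketNetLib\Tcp'
            if (Test-Path $key) { $instances += @{ Name = $child.PSChildName; Key = $key } }
        }
    }
    foreach ($i in $instances) {
        $tcp  = Get-ItemProperty -Path $i.Key
        $port = if ($tcp.TcpPort) { [int]$tcp.TcpPort } else { 0 }
        # netstat is used because the platforms in Table 3 predate Get-NetTCPConnection.
        $listening = (netstat -an) -match ('TCP\s+\S+:' + $port + '\s+\S+\s+LISTENING')
        [pscustomobject]@{
            Instance  = $i.Name
            TcpPort   = $port
            # A non-empty TcpDynamicPorts value means the port may change after a restart,
            # so a firewall rule pinned to today's number can silently stop matching.
            Dynamic   = [bool]($tcp.TcpDynamicPorts)
            Listening = [bool]$listening
        }
    }
}

Get-MsdeTcpPort | Format-Table -AutoSize
# The TcpPort value is the one a firewall rule for "MSDE TCP/IP communications" must
# allow, alongside the UDP ports listed above.
```

If Dynamic reports True, set a fixed port in svrnetcn.exe as the guide describes so the firewall rule stays valid across restarts.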
Be sure that the DNS suffix for this connection field has the correct DNS suffix and that both the Register this connection’s addresses in DNS and Use this connection’s DNS suffix in DNS registration are selected. All target systems do not have the same administrator credentials For target systems that have individual administrator credentials, configure WBEM credentials individually to enable access to these target systems. 1.
For information about backing up and restoring the IIS Metabase, see http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/131b609d-ff3a488f-a8dd-13044fa623a1.mspx The IIS Certificate has expired and the Vulnerability and Patch Management Pack connection must be reconfigured to use an HTTP connection HP recommends using a secure HTTPS connection between the HP SIM server and the VPM server, when these components are installed on separate servers.
f. Clear the Require secure channel (SSL) option, and click OK>OK. Treat the HTTP connection as a temporary workaround: once the secure channel is cleared, traffic between the HP SIM server and the VPM server is no longer encrypted. Renew the IIS certificate and re-select Require secure channel (SSL) as soon as possible.
Uninstalling Vulnerability and Patch Management Pack Use either of the following methods to uninstall Vulnerability and Patch Management Pack. The Vulnerability and Patch Management Pack uninstallation must be performed from the VPM server. Vulnerability and Patch Management Pack scan results can be retained after uninstallation. The last scan performed can be accessed from the VPM column.
IMPORTANT: Vulnerability and Patch Management Pack licenses are not removed from target systems when Vulnerability and Patch Management Pack is uninstalled. To uninstall with the Vulnerability and Patch Management Pack uninstaller: 1. Select Start>Programs>HP ProLiant Essentials Vulnerability and Patch Management>Uninstall Vulnerability and Patch Management. 2.
Hiding the VPM column in the HP SIM console Vulnerability and Patch Management Pack uses the VPM column in the HP SIM console to identify vulnerability status. If Vulnerability and Patch Management Pack has been uninstalled, vulnerability status information is no longer updated in the HP SIM console. Data displayed in the HP SIM systems list is cleared if Vulnerability and Patch Management Pack data is removed during uninstallation.
Windows
• The account used to scan the target system is a member of the Administrator group or Domain Administrator group for that system.
• Client for Microsoft Networks is installed and enabled.
• The Computer Name/Domain network component is defined.
• Vulnerability and Patch Management Pack has share-level access to all target systems.
• Remote Registry Service is started.
• File and Printer Sharing protocol is installed and enabled.
• Default Administrative Shares are enabled.
Configure file permissions on all necessary DLLs.
Configure Windows NT Registry permissions on the following:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\STAT Scanner
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\STAT Scanner WSI

Linux target systems
• TCP/IP network protocol is enabled.
• SSH is enabled and listening on the default port 22.
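A pre-scan reachability check for the network prerequisites listed above, as an added example that is not part of this guide or of the product: run from the scanning host, it reports whether SSH on a Linux target (port 22) accepts a connection and presents an SSH protocol banner, and whether the SMB service behind File and Printer Sharing and the administrative shares on a Windows target accepts a connection. The target addresses are constructed sample values, and using TCP port 445 for the Windows check is an assumption on my part (the guide names the services, not the port). It checks reachability only; the credential, DLL permission and registry permission requirements still have to be verified on the target itself.

```python
"""Pre-scan reachability check for VPM target systems (added example, not product code).

Linux targets: SSH must accept a TCP connection on port 22 and send an "SSH-" banner.
Windows targets: File and Printer Sharing / administrative shares are served over SMB,
assumed here to be TCP 445. No authentication is attempted.
"""
import socket

SSH_PORT = 22
SMB_PORT = 445  # assumption: SMB direct-host port used by File and Printer Sharing


def probe_tcp(host, port, timeout=3.0, read_banner=False):
    """Return (reachable, banner). banner is '' unless read_banner is set."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if not read_banner:
                return True, ""
            sock.settimeout(timeout)
            try:
                data = sock.recv(256)          # SSH servers send their banner first
            except socket.timeout:
                data = b""
            return True, data.decode("ascii", errors="replace").strip()
    except OSError:                             # refused, unreachable, timed out, DNS failure
        return False, ""


def check_linux_target(host, port=SSH_PORT, timeout=3.0):
    """SSH must be listening and identify itself; a port that accepts but stays silent is not ready."""
    reachable, banner = probe_tcp(host, port, timeout, read_banner=True)
    banner_ok = banner.startswith("SSH-")
    return {
        "host": host,
        "ssh_reachable": reachable,
        "ssh_banner_ok": banner_ok,
        "banner": banner,
        "ready": reachable and banner_ok,
    }


def check_windows_target(host, port=SMB_PORT, timeout=3.0):
    """File and Printer Sharing / admin shares are unreachable if SMB does not accept connections."""
    reachable, _ = probe_tcp(host, port, timeout)
    return {"host": host, "smb_reachable": reachable, "ready": reachable}


def check_targets(targets, timeout=3.0):
    """targets: iterable of (host, os_name) with os_name 'linux' or 'windows'."""
    results = []
    for host, os_name in targets:
        if os_name == "linux":
            results.append(check_linux_target(host, timeout=timeout))
        elif os_name == "windows":
            results.append(check_windows_target(host, timeout=timeout))
        else:
            results.append({"host": host, "ready": False, "error": "unknown OS " + os_name})
    return results


if __name__ == "__main__":
    # Constructed sample inventory; replace with hosts from the HP SIM systems list.
    for result in check_targets([("192.0.2.10", "linux"), ("192.0.2.20", "windows")], timeout=2.0):
        print(result)
```

Systems that come back with "ready": False are the ones to fix before submitting the scan; a Linux host that is reachable but returns no "SSH-" banner usually has something other than an SSH server on port 22.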
A scan was submitted but never started

All target systems scanned by Vulnerability and Patch Management Pack must have an IP address displayed in the HP SIM console. If a scan is requested for a target system with no IP address, the scan does not run and an internal error is generated. Be sure that all target systems being scanned have IP addresses that appear in the HP SIM console.
To deploy the VPM Patch Agent to target systems, see the “Deploying the VPM Patch Agent” section. Be sure that the Red Hat library, compat-libstdc++, is installed on Red Hat target systems. The VPM Patch Agent installation can also fail because the WBEM credentials are not configured properly to allow Vulnerability and Patch Management Pack to access target systems. For information about configuring WBEM credentials, see the “Post-installation configuration” section.
This message occurs because the Microsoft information pertaining to the patch location is incorrect and the patch cannot be downloaded. HP is working to correct the metadata at the HP/Radia website for these older patches; this is ongoing maintenance. These corrections are automatically downloaded each time a patch acquisition is run. No updates are needed to Vulnerability and Patch Management Pack.
Other tools report that a Windows system is patched, but Vulnerability and Patch Management Pack reports patches needed

Many other tools read the registry to determine whether a patch is installed. In many cases, when a patch installation fails, the registry is updated while the files remain unchanged. Vulnerability and Patch Management Pack verifies that both the files and the registry keys have been updated.
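The difference between a registry-only check and a check that also validates the files, as an added example that is not product code: the patch records, registry key paths, file paths and version numbers below are constructed samples, and the rule that a patch counts as installed only when its registry key exists and every file it ships is at or above the expected version is a model of the behaviour described above, not VPM's own implementation.

```python
"""Patch-state reconciliation (added example, not VPM code).

A failed patch installation can leave the registry record written while the binaries
on disk are still at the old version. Tools that consult only the registry report the
patch as installed; checking both sources catches the half-applied case.
"""
from dataclasses import dataclass


def parse_version(version):
    """'5.2.3790.1234' -> (5, 2, 3790, 1234) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class PatchSpec:
    patch_id: str       # constructed identifier, not a real KB number
    registry_key: str   # key whose presence registry-only tools treat as "installed"
    files: dict         # file path -> minimum version the patch must have written


def registry_only_report(specs, registry_keys):
    """What a registry-only tool reports as installed."""
    return sorted(s.patch_id for s in specs if s.registry_key in registry_keys)


def assess_patch(spec, registry_keys, installed_files):
    """Return 'installed', 'registry-only', 'files-only' or 'missing'.

    registry_keys: set of registry key paths present on the target.
    installed_files: dict path -> version string found on disk; a missing path means absent.
    """
    reg_ok = spec.registry_key in registry_keys
    files_ok = all(
        path in installed_files
        and parse_version(installed_files[path]) >= parse_version(min_version)
        for path, min_version in spec.files.items()
    )
    if reg_ok and files_ok:
        return "installed"
    if reg_ok:
        return "registry-only"   # the case VPM flags but registry-only tools miss
    if files_ok:
        return "files-only"
    return "missing"


def patches_needed(specs, registry_keys, installed_files):
    """Everything not fully installed still needs (re)deployment, with the reason."""
    needed = {}
    for spec in specs:
        state = assess_patch(spec, registry_keys, installed_files)
        if state != "installed":
            needed[spec.patch_id] = state
    return needed


# Constructed sample data: two patches, the second one failed halfway through.
SAMPLE_SPECS = [
    PatchSpec("KB-EXAMPLE-1", r"HKLM\SOFTWARE\Microsoft\Updates\KB-EXAMPLE-1",
              {r"C:\Windows\system32\example1.dll": "5.2.3790.100"}),
    PatchSpec("KB-EXAMPLE-2", r"HKLM\SOFTWARE\Microsoft\Updates\KB-EXAMPLE-2",
              {r"C:\Windows\system32\example2.dll": "5.2.3790.200",
               r"C:\Windows\system32\example2b.sys": "5.2.3790.200"}),
]
SAMPLE_REGISTRY = {
    r"HKLM\SOFTWARE\Microsoft\Updates\KB-EXAMPLE-1",
    r"HKLM\SOFTWARE\Microsoft\Updates\KB-EXAMPLE-2",   # written even though the install failed
}
SAMPLE_FILES = {
    r"C:\Windows\system32\example1.dll": "5.2.3790.100",   # updated
    r"C:\Windows\system32\example2.dll": "5.2.3790.200",   # updated
    r"C:\Windows\system32\example2b.sys": "5.2.3790.50",   # still old: install stopped here
}

if __name__ == "__main__":
    print("registry-only view:", registry_only_report(SAMPLE_SPECS, SAMPLE_REGISTRY))
    print("files-and-registry view:", patches_needed(SAMPLE_SPECS, SAMPLE_REGISTRY, SAMPLE_FILES))
```

On the sample data the registry-only view lists both patches as installed, while the combined check reports KB-EXAMPLE-2 as registry-only and therefore still needed, which is exactly the disagreement the troubleshooting entry describes.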
HP SIM integration

Vulnerability and Patch Management Pack menus do not appear in the HP SIM console after installation

The tool menus might not appear after a Vulnerability and Patch Management Pack installation for any of the following reasons:
• The HP SIM user does not have appropriate privileges to access the menus.
Vulnerability and Patch Management Pack provided scan definitions

The following table lists the scan definitions provided with Vulnerability and Patch Management Pack and gives a brief description of each.

NOTE: Custom scans can be created from the default system scans. When default system scans are updated, the custom scans are also updated with the corresponding vulnerability updates.

Table 5 Provided scan definitions
Scan definition: 4_0*
  Description: Windows NT® 4.
Using the Change VPM Credentials Utility

The Change VPM Credentials Utility can be used to update Vulnerability and Patch Management Pack:
• When the credentials or IP address of the HP SIM server have been changed
• To turn on or off the secure connection between the HP SIM and VPM server
• When the credentials of the account used to install Vulnerability and Patch Management Pack have been changed

To update the Vulnerability and Patch Management Pack credentials:
1.
4. If changing database credentials, enter your current database credentials, and click Change.
Backing up and restoring Vulnerability and Patch Management Pack

Introduction

Vulnerability and Patch Management Pack application files are tightly coupled to HP SIM and its components. There are also Vulnerability and Patch Management Pack subcomponents, which can place files in other locations. A number of tables exist in databases, which require special tools to back up effectively.
Vulnerability and Patch Management Pack events

Vulnerability and Patch Management Pack creates events in HP SIM. These events can be viewed with all HP SIM events in the Events list, or independently in the VPM Events list.

Scan events

Table 6 lists the events created by the Vulnerability and Patch Management Pack scanning components.

Table 6 VPM scan events
Event: Submitted VPM Scan
  Description: A vulnerability scan has been submitted.
  Occurs: When a scan is submitted.
Patch and fix events

Table 7 lists the events created by the Vulnerability and Patch Management Pack patching components.

Table 7 VPM patch and fix events
Event: Submitted VPM Patch and Fix
  Description: A VPM patch and fix has been submitted.
  Occurs: When one or more patches and fixes have been submitted.
Event: Started VPM Patch and Fix
  Description: A group VPM patch and fix has started.
  Occurs: When one or more patches or fixes have been started for all systems selected in the patch-fix operation.
Table 7 VPM patch and fix events (continued)
Event: Failed VPM Patch and Fix for a System
  Description: A failure has occurred during a VPM patch or fix operation for a particular system.
  Occurs: When an individual system fix fails to complete because of an internal error. Check the system event log for more information.
Acquisition events

Table 8 lists the events created by the Vulnerability and Patch Management Pack patch acquisition.

Table 8 VPM acquisition events
Event: Started VPM Acquisition
  Description: Acquisition of vulnerability updates and patches has started.
  Occurs: When acquisition of scan definitions, patches and fixes for selected operating systems and applications has started. This operation might take a while depending on the number of items being downloaded.
Miscellaneous events

Table 9 lists the miscellaneous events created by Vulnerability and Patch Management Pack.

Table 9 Miscellaneous VPM events
Event: Installed VPM
  Description: VPM has been installed.
  Occurs: When installation of VPM successfully completes.
Event: Removed VPM
  Description: The VPM product has been removed from this HP SIM Server.
  Occurs: When uninstallation of VPM successfully completes.
Event: VPM Product License
  Description: VPM license applied.
  Occurs: When a license for VPM is successfully applied to HP SIM.
Table 9 Miscellaneous VPM events (continued)
Event: Failed VPM Patch Agent Install
  Description: A failure has occurred in the VPM Patch Agent installation.
  Occurs: When the VPM Patch Agent fails to deploy to a system as part of a licensing operation or the Deploy VPM Patch Agent operation. VPM might not have permission to access the system. If the system type is Unknown or Unmanaged, the VPM Patch Agent must be deployed from the Deploy VPM Patch Agent menu so the operating system type can be manually selected.
HP services and technical support

Vulnerability and Patch Management Pack is offered exclusively as a part of Insight Control Environment and Insight Control Environment for BladeSystem. Starting in July 2007, Insight Control Environment suites will include one year of 24 x 7 HP Software Technical Support and Update Service. This service provides access to HP technical resources to help you resolve software implementation or operational issues.
• Obtain the latest SmartStart (http://www.hp.com/servers/smartstart)—The SmartStart, Management, and Firmware CDs are now available for download by registering at the SmartStart website. If you wish to receive physical kits with each release, you can order single release kits from the SmartStart website. To receive proactive notification when SmartStart releases are available, subscribe to Subscriber's Choice at http://www.hp.com/go/subscriberschoice.