Missing Vulnerability Analysis
Setting up Altiris CMS for the first time here (version 7). I've done all the basics, my NS server is functioning normally, I have agents and plugins pushed out and I'm working on getting everything configured the way we need it. I'm currently working on the Patch Management system, as we need that part set up and running first.
My issue is that while I have the software update plugin pushed out (currently to about 40 PCs) NONE of them are reporting their vulnerability data. I have gone through all the policies and schedules I can think of to get them to report back, and they just refuse to do anything. They have been sitting there for over 24 hours and haven't reported.
I'm not sure where to go from here. I suspect that I've made a newbie mistake and overlooked something, but since I'm basically "learning by doing", I'm a bit lost. Can anyone offer suggestions?
Comments
Have you ensured that the Microsoft Import job has run? This downloads the meta data needed to determine which updates are missing. It can be found under Manage->Jobs and Tasks->System Jobs and Task->Software->Patch Management
------------------------------------
Principal SQA Engineer
Symantec
Andrew,
Yes. I have run the MS Import task, both ASAP and I have set a recurring schedule for it. So yes, that's been done. Good thought though.
Vulnerability defined
I assume, of course, that you've done the basics prior to this: Installed Patch Management Solution, configured the PM Core and Microsoft settings, downloaded QChain and PMImport.cab, and set the Microsoft Vulnerability Analysis settings.
Each computer running Software Update Agent downloads specialized inventory rules for Patch Management and stores them in C:\Program Files\Altiris\Altiris Agents\Agents\Inventory Rule Agent\InventoryRuleCache.ibd. Does this file exist on the clients? It must exist in this location for the Inventory Rule Agent to evaluate a computer's compliance. So the requirements on the client from an agent and plug-in perspective are the Altiris Agent, the Software Update Agent, and the Inventory Rule Agent.
The inventory is reported back to the server based on the Microsoft Vulnerability Analysis Task. You will want to check this task to make sure it is Enabled and is reporting as often as you'd like. You may wish to shorten this interval for testing, then change it back later. I think the default is 4 hours. Confirm that it applies to at least one of your test PCs in that group of 40 by viewing the Resource Manager for that PC and selecting Summaries > Policy Summary. You should see Microsoft Vulnerability Analysis policy.
Compliance is based on two types of rules: IsApplicable and IsInstalled. A vulnerability exists if IsApplicable is true and IsInstalled is false for a particular software update. Open Resource Manager for one of your test PCs and select View > Inventory. Then expand Data Classes > Software Management > Patch Management > Microsoft. Select Applicable Microsoft Software Update. You should see a list of software updates that can be applied. If you like, click the Status window in the right pane to view more information. If you're not seeing this data, the agent isn't reporting the inventory -- either because it hasn't been asked to, or because some other process has failed (see above).
In order to be vulnerable, a computer needs to know that a patch exists. If you haven't downloaded patches (staged them) and assigned a policy for each patch, computers don't know that they're vulnerable.
I realize this is a lot of information. Does this help explain the requirements?
Mike Clemson, Systems Engineer
Intuitive Technology Group -- Symantec Platinum Partner
Whoa there... Are you saying that I have to assign a policy to every patch (essentially sending the patch out to be run) before my clients will "know they need it"? Why would I prep a patch to go out before I even know if it's needed? (Or superseded, or problematic) And why would the NS not be tracking which clients are vulnerable? Shouldn't the server be gathering metrics from the clients on what they currently have installed and from there determining the patch level they are at and what available patches they might need?
I am struggling to understand this, particularly since I previously used Lumension's Patchlink product for patch management. While it was a "Pull" technology product, the server did all the tracking and client metrics, and all patch "staging" and prep work was fully automated "out of the box". (It was really quite easy to use. It was NOT my decision to get rid of it.) All I had to do was set up the patch distribution groups and a few basic patch application rules (when to reboot, whether to allow the user to pause the patching process, etc.) and then just pick the unpatched vulnerabilities from the list and send them out on a schedule I specified. It was (admittedly) limited, but it was elegant and worked well. So please bear with me as I slog through this, I have a certain set of expectations that I am having to alter in order to wrap my mind around Altiris.
Also, what are PMImport.cab and Resource Manager?
Note: I am running this in a Windows environment and have had zero formal training on Symantec or Altiris products. I am literally having to learn this as I go, with nothing but this forum and the guides available online to assist me.
Correction, and a wall of text
You only need to run PMImport to download bulletins; you do not need to download/stage the updates themselves for vulnerability reports to work or create policies for vulnerability reports to work. However, if you would like to run a compliance report, you will only report against staged updates for which a policy exists. This is because PMImport downloads new inventory rules which are sent to the client as part of the InventoryRuleCache.ibd file. This file is all a client needs to evaluate vulnerability, which it reports back to the SMP server.
Altiris knows a computer is vulnerable based on PMImport and the local activity I explained above. Compliance, however, is based on what vulnerabilities you've asked the client to patch (as a result of policies). Don't make my mistake and confuse vulnerability and compliance reports!
PMImport is a CAB file containing XML. It's downloaded to the SMP server by the Microsoft Patch Management Import task. You have to do this before you can begin using Patch Management to deploy patches/updates. PMImport is updated by Symantec when Microsoft releases new updates. You can schedule PMImport to automatically download. This is where you get the resources for the software/SPs/updates/bulletins, and the inventory rules. You can view PMImport settings at Manage > Jobs and Tasks, Jobs and Tasks > System Jobs and Tasks > Software > Patch Management > Microsoft Patch Management Import.
Resource Manager lets you view all sorts of information about resources. Computers are one example of a resource. Software is another example. You can view these by going to Manage > Computers (or whichever selection you want), and then expanding the tree in the left pane to display resources in the right pane. For example, Manage > Computers, then double-click a computer in the right pane to open up Resource Manager for that computer. Information is stored in something called a data class, so this is where you see all the various data classes. Play around with the menus for computers with the Altiris Agent installed. For example, open Resource Manager for one of your test computers, then View > Inventory, then expand Data Classes > Software Management > Patch Management, then expand Microsoft and also Global > Windows. These are the data classes you should see populated with software updates and various patch-related data. Are these there?
The patch remediation center is where you can actually work with the Microsoft items that PMImport told Altiris about. You can find this page at Actions > Software > Patch Remediation Center. This is where you would stage, create policies, distribute patches/updates, etc.
Regarding supersede concerns: there is a task, called the Disable Superseded Software Updates task. This task runs on a schedule and disables a superseded software update. It will only disable an update if 1) a patch is available which Microsoft indicates supersedes an older update and 2) you have added this superseding patch to a policy. This prevents scenarios like downloading a new patch which supersedes an old security patch, thus halting rollout of the old security patch while you wait to release the new patch. I hope that makes sense.
A final clarification: in order to roll out a patch or bulletin, you must create a policy. But a policy can contain multiple bulletins. For example, I could create a policy called 'MS Security July 2010' including MS10-42, MS10-43, MS10-44, and MS10-45, which includes all of the bulletins released July 2010 by Microsoft.
When you say none are reporting vulnerability data, where are you looking? Did you find those data classes I mentioned? It may be basic, but are you sure your clients are licensed with a valid patch management license?
Mike Clemson, Systems Engineer
Intuitive Technology Group -- Symantec Platinum Partner
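The reply above separates three things that are easy to run together: a vulnerability (IsApplicable true, IsInstalled false), a compliance report (which only covers updates that are staged and in a policy), and the supersedence task (which only disables an older update once its superseding update is in a policy). The following is an added illustration, not code from this thread or from Symantec; it is a toy model over constructed sample bulletins, with the object fields (IsApplicable, IsInstalled, Staged, InPolicy, SupersededBy) assumed for the sake of the example rather than taken from any Altiris data class.

```powershell
# Added illustration, not code from the thread or from Symantec. Toy model of:
#   vulnerable   = IsApplicable true AND IsInstalled false
#   compliance   = only updates that are staged AND in a policy are reported on
#   supersedence = an older update is disabled only when the superseding update
#                  is known AND that superseding update is in a policy
# The bulletin IDs reuse the ones quoted in the thread; rule results, OLD-1 and
# OLD-2, and all field names are constructed sample data.

$updates = @(
    [pscustomobject]@{ Id='MS10-42'; IsApplicable=$true;  IsInstalled=$false; Staged=$true;  InPolicy=$true;  SupersededBy=$null }
    [pscustomobject]@{ Id='MS10-43'; IsApplicable=$true;  IsInstalled=$true;  Staged=$true;  InPolicy=$true;  SupersededBy=$null }
    [pscustomobject]@{ Id='MS10-44'; IsApplicable=$true;  IsInstalled=$false; Staged=$false; InPolicy=$false; SupersededBy=$null }
    [pscustomobject]@{ Id='MS10-45'; IsApplicable=$false; IsInstalled=$false; Staged=$false; InPolicy=$false; SupersededBy=$null }
    # Two older updates: one superseded by an in-policy bulletin, one by a bulletin not yet in a policy.
    [pscustomobject]@{ Id='OLD-1';   IsApplicable=$true;  IsInstalled=$false; Staged=$true;  InPolicy=$true;  SupersededBy='MS10-42' }
    [pscustomobject]@{ Id='OLD-2';   IsApplicable=$true;  IsInstalled=$false; Staged=$true;  InPolicy=$true;  SupersededBy='MS10-44' }
)

# Vulnerability: what the client works out locally from the inventory rules.
function Get-VulnerableUpdates($u) {
    $u | Where-Object { $_.IsApplicable -and -not $_.IsInstalled }
}

# Compliance: only updates you have staged and put in a policy are reported on.
# A vulnerable update with no policy (MS10-44 here) simply does not appear.
function Get-ComplianceReport($u) {
    $u | Where-Object { $_.Staged -and $_.InPolicy } |
        Select-Object Id, @{ n='Compliant'; e={ -not ($_.IsApplicable -and -not $_.IsInstalled) } }
}

# Supersedence: disable the old update only if its superseding update exists
# in the imported data and is already in a policy.
function Get-UpdatesToDisable($u) {
    $byId = @{}
    foreach ($x in $u) { $byId[$x.Id] = $x }
    $u | Where-Object {
        $_.SupersededBy -and $byId.ContainsKey($_.SupersededBy) -and $byId[$_.SupersededBy].InPolicy
    }
}

'Vulnerable (applicable and not installed):'
(Get-VulnerableUpdates $updates).Id -join ', '          # MS10-42, MS10-44, OLD-1, OLD-2

'Compliance report (staged + in-policy updates only):'
Get-ComplianceReport $updates | Format-Table -AutoSize    # MS10-42, MS10-43, OLD-1, OLD-2; MS10-44 is absent

'Superseded updates the task would disable:'
(Get-UpdatesToDisable $updates).Id -join ', '           # OLD-1 only; OLD-2 keeps rolling out
```

The point to take from the run is the gap between the first two lists: MS10-44 is vulnerable on the client but invisible in the compliance report because nothing has been staged or assigned for it, and OLD-2 stays enabled because the bulletin that supersedes it has not been added to a policy yet.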
Mclemson,
Thanks for the clarification, and don't worry about the "walloftext" ;) . Your response was actually quite informative and taught me more in 15 minutes about Altiris patch management than I've been able to glean from Symantec's PDF's in the last 3 days. I guess there really is no better teacher than the voice of experience.
To answer your question, I am using the "Windows Compliance" portal page, which has a pile of info available on it. Actually, since I ended up uninstalling and reinstalling the Software Update Plugin, all but one of the machines are now reporting back properly, and that one appears to be off right now, so it doesn't count. So it looks like the plugin simply didn't install properly the first time, or there was an issue related to the fact that I've had to reload my NS 3 times in the last week and a half due to not knowing what I was doing and making errors that were fatal to my NS install. (oops)
But thanks for all your advice, it's going to make rolling out Patch Management SO much easier! (Symantec should get you to write some "how to" stickies for the forums!)
Thanks again!
Just a second reply, I have noticed that when I try to get to the Resource Manager locations you mentioned, I have to use the drop down menus in the green title bar rather than the center pane tree view. If I use the tree view I get an error: "Error loading callback data". I'm not sure what's going on there, I suspect a webpage or SQL issue. If I use the drop downs the tree fills out, but none of the items on the tree work. Only the drop down menu items work, and they seem to work slowly and don't fill out properly.
I checked a few other unrelated menus and they seem to have similar issues. Looks like I might have a new problem.
EDIT: Never mind, I didn't notice that I had selected a computer that has been detected, but didn't have the client installed yet. So yeah, you wouldn't get anything from those menus. I tried again on a machine that has the Agent installed and everything worked as you said it should.
(batting a thousand here ain't I?)
Check the client
I would check client-side and make sure they are receiving the inventory rules and caching them locally. What size is the InventoryRuleCache.idb file located at c:\program files\Altiris\Altiris Agent\Agents\InventoryRuleAgent?
------------------------------------
Principal SQA Engineer
Symantec
2773KB. (on my machine)
I should note, as a troubleshooting step I have uninstalled the Software Update Plugin, and am now in the process of re-installing it to all the previous clients. (Just to ensure I didn't have a faulty install the first time around.) My own machine hasn't reinstalled it yet.
Command Line Utility
You could try to kick off the vulnerability scan manually. Use 'C:\Program Files\Altiris\Altiris Agent\Agents\Patch Agent\AexPatchUtil.exe /I /q'.
------------------------------------
Principal SQA Engineer
Symantec
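The two Symantec replies above amount to a short client-side checklist: confirm the inventory rule cache has actually been delivered to the client (and is a sensible size), then kick off a scan with AexPatchUtil.exe if you do not want to wait for the schedule. The script below is an added example, not from this thread or from Symantec, that runs those checks on one client. The install root, the InventoryRuleCache file name and the /I /q switches come from the thread; the recursive search (because the thread spells the extension both .ibd and .idb and the folder name two ways), the size threshold and the -RunScan switch are assumptions for the example.

```powershell
# Added example, not code from the thread or from Symantec: client-side checks
# for the Patch Management pieces discussed above. Run on the client as an
# administrator. Paths and switches quoted in the thread; everything else is an
# assumption and may need adjusting for your install.
param(
    [string]$AltirisRoot = 'C:\Program Files\Altiris',  # install root quoted in the thread
    [switch]$RunScan                                     # also invoke AexPatchUtil.exe /I /q
)

# 1. Locate the inventory rule cache. Match on the base name rather than a fixed
#    extension or folder, since the thread spells both more than one way.
$cache = Get-ChildItem -Path $AltirisRoot -Recurse -Filter 'InventoryRuleCache.*' -ErrorAction SilentlyContinue |
         Select-Object -First 1

if (-not $cache) {
    Write-Warning "No InventoryRuleCache file found under $AltirisRoot. Without it the Inventory Rule Agent cannot evaluate vulnerability; check that PMImport has run and that the Inventory Rule Agent is installed."
} else {
    $kb = [math]::Round($cache.Length / 1KB)
    Write-Output ("Cache: {0} ({1} KB, last written {2})" -f $cache.FullName, $kb, $cache.LastWriteTime)
    # Threshold is an assumption; the thread reports roughly 2773 KB on a client that had the rules.
    if ($cache.Length -lt 100KB) {
        Write-Warning 'Cache file is unexpectedly small; the rules may not have been delivered yet.'
    }
}

# 2. Locate the patch utility named in the thread and optionally start a scan.
$util = Join-Path $AltirisRoot 'Altiris Agent\Agents\Patch Agent\AexPatchUtil.exe'
if (-not (Test-Path $util)) {
    Write-Warning "AexPatchUtil.exe not found at $util; the Software Update plug-in may not be installed on this client."
} elseif ($RunScan) {
    Write-Output 'Starting vulnerability scan (AexPatchUtil.exe /I /q) ...'
    $p = Start-Process -FilePath $util -ArgumentList '/I', '/q' -Wait -PassThru -NoNewWindow
    Write-Output ("AexPatchUtil.exe exit code: {0}" -f $p.ExitCode)
} else {
    Write-Output "AexPatchUtil.exe present at $util (re-run with -RunScan to start a scan)."
}
```

Without -RunScan the script only reports; with it, the scan is started and the utility's exit code is echoed so the result can be compared against what shows up under the Patch Management data classes in Resource Manager afterwards.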