0 Replies Latest reply: Oct 16, 2012 9:47 AM by njones

New Nessus Patch Management Integration Support for IBM Tivoli Endpoint Manager

njones

Summary

We are pleased to announce new support for IBM Tivoli Endpoint Manager (TEM) for Patch Management (formerly known as BigFix). This new capability allows us to use the information gathered by TEM for systems where we may not have credentials or that we are unable to reach over the network. The TEM integration is configured similarly to our integration with other patch management solutions: credentials and the server address are provided so Nessus can retrieve the patch information for the hosts covered in the scan.

In addition to TEM, Nessus and SecurityCenter also integrate with the following popular patch and system management solutions:

-  Microsoft Windows Server Update Services (WSUS)

-  Microsoft System Center Configuration Manager (SCCM) 2007

-  Red Hat Network Satellite Server

-  VMware Go

Configuring Tivoli Endpoint Manager

To connect to Tivoli Endpoint Manager from Nessus, we must enable Web Reports on TEM and enable patch-related Fixlet sites. For the latter, you may need TEM for Patch Management. To achieve this:

1.  Log in to the Tivoli Endpoint Manager Administrative Console.

pic1.png

2.  Under All Content (see bottom left in screenshot), select License Overview and enable relevant security sites.

pic2.png

3.  From the Tools menu, select Launch Web Reports.

pic3.png

4.  Create a new user, if prompted. These credentials will be entered in the Tivoli Endpoint Manager Preferences page in Nessus. Note: if neither this page nor a login page loads, you may have another web server running on the same port and will need to disable it for web reporting and Nessus reporting to function.

pic4.png

5.  If Web Reports is working properly and is enabled, you should be greeted by the following dashboard.

pic5.png

Now we will be able to connect via Nessus to the Tivoli Endpoint Manager server.

Configuring Nessus for Using Tivoli Endpoint Manager

To have Nessus use the information on the TEM server, we start by creating a Nessus policy.

1.  Make sure the Nessus plugin named "Patch Management: Tivoli Endpoint Manager Report" (Plugin ID 62561) is enabled. Also enable all plugins under the family "Windows: Microsoft Bulletins". Confirm that the plugins with IDs 62558, 62559, and 62560 are also enabled.

pic6.png

pic7.png

2.  Under Preferences, select the "Patch Management: IBM Tivoli Endpoint Manager" plugin preference, and enter the address, Web Report port, and credentials. If the server is configured for SSL, also enable SSL in the preference.

pic8.png

3.  Once this is done, click on Submit to ensure that all settings have been saved and the policy is stored in the Nessus server.


Note: if Nessus is able to log in to the host it is scanning, it will perform the local check and will not use the data from TEM, since the local check provides the greatest level of accuracy. If Nessus is unable to log in to the host it is scanning and fingerprints that host as a Windows system, it will query the TEM server for the patch information, and the local Windows bulletin checks will use this information.

If Nessus sees that the host is not being managed by the TEM solution, it will report it as an unmanaged host. This information allows administrators to determine which hosts may be outside the enforcement of policies configured in their patch and configuration management solution.

pic9.png

Nessus will also identify the source of the information used for each local check in the Plugin Output section:

pic10.png

Nessus also provides additional information so administrators can see if the system scanned is managed by the TEM server and what patches are missing from the specific host.

pic11.png

Conclusion

Nessus' ability to leverage the information from patch and configuration management solutions in a customer environment provides deeper insight into systems that, due to controls on the network, may previously have been missed in scans. This added information also gives administrators a way to validate that all proper hosts are managed under their patch and configuration solutions, and that such solutions are providing the appropriate information.