In SUSE Manager, you can keep track of your clients through a series of auditing tasks. You can check that your clients are up to date with all public security patches (CVEs), perform subscription matching, and use OpenSCAP to check for specification compliance.
In the SUSE Manager Web UI, navigate to
Audit to perform auditing tasks.
A CVE (common vulnerabilities and exposures) is a fix for a publicly known security vulnerability.
You must apply CVEs to your clients as soon as they become available.
Each CVE contains an identification number, a description of the vulnerability, and links to further information.
CVE identification numbers use the form
In the SUSE Manager Web UI, navigate toto see a list of all clients and their current patch status.
By default, the CVE data is updated at 2300 every day. We recommend that before you begin a CVE audit you refresh the data to ensure you have the latest patches.
In the SUSE Manager Web UI, navigate toand select the
Click Single Run Schedule to schedule the task. Allow the task to complete before continuing with the CVE audit.
In the SUSE Manager Web UI, navigate to.
OPTIONAL: To check the patch status for a particular CVE, type the CVE identifier in the
Select the patch statuses you want to look for, or leave all statuses checked to look for all.
Click Audit Servers to check all systems, or click Audit Images to check all images.
For more information about the patch status icons used on this page, see reference:audit/audit-cve-audit.adoc.
For each system, the
Next Action column provides information about what you need to do to address vulnerabilities.
If applicable, a list of candidate channels or patches is also given.
You can also assign systems to a
System Set for further batch processing.
You can use the SUSE Manager API to verify the patch status of your clients.
audit.listSystemsByPatchStatus API method.
For more information about this method, see the SUSE Manager API Guide.
The CVE status of clients is usually either
not affected, or
These statuses are based only on the information that is available to SUSE Manager.
Within SUSE Manager, these definitions apply:
- System affected by a certain vulnerability
A system which has an installed package with version lower than the version of the same package in a relevant patch marked for the vulnerability.
- System not affected by a certain vulnerability
A system which has no installed package that is also in a relevant patch marked for the vulnerability.
- System patched for a certain vulnerability
A system which has an installed package with version equal to or greater than the version of the same package in a relevant patch marked for the vulnerability.
- Relevant patch
A patch known by SUSE Manager in a relevant channel.
- Relevant channel
A channel managed by SUSE Manager, which is either assigned to the system, the original of a cloned channel which is assigned to the system, a channel linked to a product which is installed on the system or a past or future service pack channel for the system.
Because of the definitions used within SUSE Manager, CVE audit results might be incorrect in some circumstances. For example, unmanaged channels, unmanaged packages, or non-compliant systems might report incorrectly.