Auditing

Table of Contents

In SUSE Manager, you can keep track of your clients through a series of auditing tasks. You can check that your clients are up to date with all public security patches (CVEs), perform subscription matching, and use OpenSCAP to check for specification compliance.

In the SUSE Manager Web UI, navigate to Audit to perform auditing tasks.

1. CVE Audits

A CVE (common vulnerabilities and exposures) is a fix for a publicly known security vulnerability.

You must apply CVEs to your clients as soon as they become available.

Each CVE contains an identification number, a description of the vulnerability, and links to further information. CVE identification numbers use the form CVE-YEAR-XXXX.

In the SUSE Manager Web UI, navigate to Audit  CVE Audit to see a list of all clients and their current patch status.

By default, the CVE data is updated at 2300 every day. We recommend that before you begin a CVE audit you refresh the data to ensure you have the latest patches.

Procedure: Updating CVE Data
  1. In the SUSE Manager Web UI, navigate to Admin  Task Schedules and select the cve-server-channels-default schedule.

  2. Click cve-server-channels-bunch.

  3. Click Single Run Schedule to schedule the task. Allow the task to complete before continuing with the CVE audit.

Procedure: Verifying Patch Status
  1. In the SUSE Manager Web UI, navigate to Audit  CVE Audit.

  2. To check the patch status for a particular CVE, type the CVE identifier in the CVE Number field.

  3. Select the patch statuses you want to look for, or leave all statuses checked to look for all.

  4. Click Audit Servers to check all systems, or click Audit Images to check all images.

For more information about the patch status icons used on this page, see CVE Audit.

For each system, the Next Action column provides information about what you need to do to address vulnerabilities. If applicable, a list of candidate channels or patches is also given. You can also assign systems to a System Set for further batch processing.

You can use the SUSE Manager API to verify the patch status of your clients. Use the audit.listSystemsByPatchStatus API method. For more information about this method, see the SUSE Manager API Guide.

2. CVE Status

The CVE status of clients is usually either affected, not affected, or patched. These statuses are based only on the information that is available to SUSE Manager.

Within SUSE Manager, these definitions apply:

System affected by a certain vulnerability

A system which has an installed package with version lower than the version of the same package in a relevant patch marked for the vulnerability.

System not affected by a certain vulnerability

A system which has no installed package that is also in a relevant patch marked for the vulnerability.

System patched for a certain vulnerability

A system which has an installed package with version equal to or greater than the version of the same package in a relevant patch marked for the vulnerability.

Relevant patch

A patch known by SUSE Manager in a relevant channel.

Relevant channel

A channel managed by SUSE Manager, which is either assigned to the system, the original of a cloned channel which is assigned to the system, a channel linked to a product which is installed on the system or a past or future service pack channel for the system.

Because of the definitions used within SUSE Manager, CVE audit results might be incorrect in some circumstances. For example, unmanaged channels, unmanaged packages, or non-compliant systems might report incorrectly.