Arguably one of the most cumbersome jobs in the data center is staying on top of patches. Using an over-the-wire vulnerability scanner can be prohibitive if there are restrictive firewalls in the way, and even once you get past the firewalls you are typically only checking for remotely exploitable issues. Luckily the Halo Software Vulnerability Management (SVM) module can give you visibility of vulnerable packages, both locally and remotely exploitable, regardless of the current firewall policy.
Accessing Halo SVM
To access Halo SVM, log on to your Halo account and click the “Software” icon. Your screen should appear similar to Figure 1. By default, the “All Servers” tab will be selected showing the results for all servers registered via Halo. You can click on any of the other tabs if you are only interested in checking servers that are part of a specific group.
Each column is sortable by clicking on the column title. For example, in Figure 1 I’ve clicked on “Critical” in order to sort the results by the number of critical issues that have been found. Note that the status of the server “centos-6-2” is listed as “Missing”. This means that the server is not currently online, so the results reflect the last scan before it went offline and may no longer match what is installed.
Note the “Actions” pull-down menu just below the search function. This permits me to perform an action against multiple servers at the same time. The options are shown in Figure 2. If I wanted to manually initiate a scan against multiple servers, I would tick the checkbox to the right of each server, and then select “Launch Scan” from the Actions pull-down.
By clicking on a server name, I am brought to a detailed view of vulnerabilities for that server. This is shown in Figure 3. At the top of the screen is a histogram that graphs the quantity of vulnerabilities found on this server over the specified period of time. This feature is only available to Halo Pro customers. If you are using Halo Basic, the graph will be non-functional, similar to that shown in Figure 3.
This view is where you can find all of the details regarding missing patches for each of your software packages. The package name is color coded based on severity, which can help to prioritize your work. CVE references are listed for each detected vulnerability in case you need to learn the specifics of the vulnerability. Each CVE reference is linked to its entry in NIST’s National Vulnerability Database. You can also create exceptions for vulnerabilities if you don’t want to see the output, or if you discover the vulnerability is actually a false positive; keep a record of why each exception was created so it can be revisited when the package is next updated.
Just above the list of vulnerabilities is a list of potential actions we can perform. For example we could export the report as a PDF file. This can be useful if we need to pass the information along to an auditor. We can also view the entire vulnerability report, which will also include software packages that were checked but were found to be up to date. We can look at the history of when this server has been checked for vulnerabilities, and finally we can choose to manually initiate a new scan against this server. This function can be useful if you’ve just made changes on the server and want to update the results.
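The checks described above (comparing what is installed on each host against known-vulnerable versions, summarising per server by severity, carrying stale results for a “Missing” host, and suppressing excepted findings) boil down to a package-version comparison against a distro-specific advisory feed. The following is an added example of that general technique, not CloudPassage/Halo code, and it says nothing about how Halo itself is implemented. The advisory feed, the CVE-style identifiers, the server inventories and the version strings are all constructed for the example; the comparison follows rpm’s version ordering, with the tilde and caret rules left out.

```python
"""Agent-style vulnerability matching: compare locally installed package
versions against a distro-specific advisory feed and summarise per server.
Added illustration of the general technique, not CloudPassage/Halo code.
Advisory entries, CVE-style ids, server inventories and version strings
are constructed for this example."""
import re

SEVERITIES = ("critical", "high", "medium", "low")

# Constructed advisory feed keyed by (distro, package).  Keying by distro
# matters: distros backport fixes without bumping the upstream version, so
# "fixed" is the distro's own epoch:version-release, not the upstream one.
ADVISORIES = {
    ("centos-6", "openssl"): [
        {"id": "CVE-EXAMPLE-0001", "severity": "critical", "fixed": "1.0.0-27.el6_4.2"},
    ],
    ("centos-6", "bash"): [
        {"id": "CVE-EXAMPLE-0002", "severity": "high", "fixed": "4.1.2-15.el6_5.1"},
    ],
    ("centos-6", "kernel"): [
        {"id": "CVE-EXAMPLE-0003", "severity": "critical", "fixed": "2.6.32-431.el6"},
        {"id": "CVE-EXAMPLE-0004", "severity": "medium", "fixed": "2.6.32-358.el6"},
    ],
}

# Constructed inventories, as an agent would report them at last check-in.
SERVERS = [
    {"name": "web-1", "distro": "centos-6", "online": True,
     "packages": {"openssl": "1.0.0-27.el6_4.2", "bash": "4.1.2-15.el6",
                  "kernel": "2.6.32-431.el6"}},
    {"name": "centos-6-2", "distro": "centos-6", "online": False,
     "packages": {"openssl": "1.0.0-20.el6_2.5", "bash": "4.1.2-8.el6",
                  "kernel": "2.6.32-220.el6"}},
    {"name": "db-1", "distro": "centos-6", "online": True,
     "packages": {"openssl": "1.0.1e-16.el6_5.7", "bash": "4.1.2-15.el6_5.1",
                  "kernel": "2.6.32-431.el6"}},
]


def _cmp(a, b):
    return (a > b) - (a < b)


def parse_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        head, evr = evr.split(":", 1)
        epoch = int(head)
    version, _, release = evr.partition("-")
    return epoch, version, release


def segment_cmp(a, b):
    """rpmvercmp-style ordering: split into digit/alpha runs, compare pairwise
    (digits as integers, alpha lexically, digits beat alpha), and whichever
    string has segments left over is newer.  Tilde/caret handling omitted."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            c = _cmp(int(x), int(y))
        elif x.isdigit() != y.isdigit():
            c = 1 if x.isdigit() else -1
        else:
            c = _cmp(x, y)
        if c:
            return c
    return _cmp(len(sa), len(sb))


def evr_cmp(a, b):
    """Return -1, 0 or 1 comparing two epoch:version-release strings."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    return _cmp(ea, eb) or segment_cmp(va, vb) or segment_cmp(ra, rb)


def check_server(server, exceptions=()):
    """Findings for one server: each advisory whose fixed EVR is newer than the
    installed EVR, minus advisory ids the operator has explicitly excepted."""
    findings = []
    for pkg, installed in server["packages"].items():
        for adv in ADVISORIES.get((server["distro"], pkg), []):
            if adv["id"] in exceptions:
                continue
            if evr_cmp(installed, adv["fixed"]) < 0:
                findings.append({"package": pkg, "installed": installed, **adv})
    return findings


def summarize(servers, exceptions=()):
    """Per-server severity counts sorted by critical count, descending (the
    Figure 1 view).  An offline server keeps its last inventory but is marked
    'missing' so its counts are read as 'as of last check-in'."""
    rows = []
    for s in servers:
        counts = {sev: 0 for sev in SEVERITIES}
        for f in check_server(s, exceptions):
            counts[f["severity"]] += 1
        rows.append({"name": s["name"],
                     "status": "active" if s["online"] else "missing", **counts})
    return sorted(rows, key=lambda r: r["critical"], reverse=True)


if __name__ == "__main__":
    for row in summarize(SERVERS):
        print(row)
    # Suppressing one finding, as an exception in the UI would:
    print(summarize(SERVERS, exceptions={"CVE-EXAMPLE-0004"})[0])
```

The distro-keyed feed is the part that keeps false positives down: db-1’s openssl is 1.0.1e-16.el6_5.7, and comparing its upstream version 1.0.1e against a newer upstream release would flag it even where the distro has backported the fix, whereas comparing against the distro’s own fixed release does not. When a finding really is a false positive, the exception path above is the equivalent of the exception feature in the Halo view.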