Hi everyone, I’m looking for suggestions on how to set up my scans so that they are fair on our admins responsible for patching our servers.
My issue is mainly with HP-UX scanning, but is applicable to Linux servers and Oracle patches as well.
Facts about my scenario:
1. HP-UX patches are not released on a regular basis like Microsoft’s patch Tuesday patches.
2. Many HP-UX admins are only able to patch systems on a 1-month, 3-month or 6-month patch cycle due to business constraints and patch bundles.
3. The MVM scanner updates its vulnerability check FASL scripts on a “when available” basis.
So as an example, suppose I scan an HP-UX server at the start of the month and allow a 30-day window for the patch admin to fix any vulnerabilities found during that start-of-the-month scan. When I scan that same server again at the 30-day mark, even if the admin successfully patches all the vulnerabilities I had initially found, the FoundScore still won’t be 100 because there will most likely have been one or two new HP-UX vulnerabilities that get automatically included in my second scan but that the admin has not had a chance to patch yet.
If the vuln sets included a rule expression based on the time the vulnerability check was released by McAfee, I probably wouldn’t be having this problem, but that type of rule expression doesn’t exist.
So I’m hoping some of you out there may have encountered the same type of issue and come up with a way to deal with it that I haven’t stumbled upon yet.
You could create a vuln set and uncheck updating for the vulns selected; this way the admins aren't chasing a moving target and you can show measured progress based on the static vuln set.
on 9/11/12 12:18:19 PM EDT
Hi John, thanks and I appreciate you taking the time to submit a suggestion. Unfortunately, doing it this way avoids the use of vuln sets and would force me to manually select the vuln filters to apply and continually revisit them. I was hoping for a way to accomplish this using vuln sets and the benefits that come with them.
Also, McAfee mentioned in their PDF about the new features in MVM 7.0 that the use of vuln filters would be removed from MVM in a coming release, so I don't want to develop a process I will not be able to continue to rely on into the near future.
Here's an excerpt from their pdf about vuln filters - pdf called "What's new in MVM 701.pdf"
Many customers have attempted to use the “Vulnerability
Filter” feature to fill some of these needs. That feature
can be completely replaced by the vulnerability set
feature and we do plan on removing the vulnerability filter
feature entirely in our next major release. If you have
vulnerability filters in use today, please begin to move
them to the vulnerability set feature. You will quickly
begin to see the power of vulnerability sets compared to
the old filter concept.
For the time being, I guess I will submit a feature enhancement request to introduce a rule expression for vuln sets that would allow me to filter out vulnerability checks based on the time/date the check was released by McAfee.
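
The release-date rule discussed in this thread can be approximated outside the scanner by post-processing exported findings. The following is an added example, not part of any post and not MVM functionality: the CSV columns, host names, check ids and the percentage score (which is not FoundScore) are constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export, one row per (host, check). The column names
# are assumptions for illustration, not an MVM report format.
SAMPLE = """host,check_id,check_released,status
hpux01,CHK-001,2012-07-15,fixed
hpux01,CHK-002,2012-08-20,fixed
hpux01,CHK-003,2012-09-18,open
hpux02,CHK-001,2012-07-15,open
hpux02,CHK-004,2012-09-25,open
"""

def pct(done, total):
    """Percentage fixed; a host with nothing in scope counts as 100."""
    return 100.0 if total == 0 else round(100.0 * done / total, 1)

def fair_scores(export_text, baseline_scan, grace_days=30):
    """Score hosts only on checks that already existed at the baseline scan.

    Checks released after baseline_scan are listed as 'deferred' (they
    belong to the next patch cycle) instead of lowering this cycle's score.
    'raw' is the score with every check counted, for comparison.
    """
    hosts = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        h = hosts.setdefault(row["host"], {
            "total": 0, "fixed_total": 0, "scope": 0, "fixed_scope": 0,
            "open_in_scope": [], "deferred": []})
        fixed = row["status"].strip().lower() == "fixed"
        h["total"] += 1
        h["fixed_total"] += fixed
        if date.fromisoformat(row["check_released"]) > baseline_scan:
            h["deferred"].append(row["check_id"])  # newer than the baseline
            continue
        h["scope"] += 1
        h["fixed_scope"] += fixed
        if not fixed:
            h["open_in_scope"].append(row["check_id"])
    due = baseline_scan + timedelta(days=grace_days)
    return {name: {"score": pct(h["fixed_scope"], h["scope"]),
                   "raw": pct(h["fixed_total"], h["total"]),
                   "due": due,
                   "open_in_scope": h["open_in_scope"],
                   "deferred": h["deferred"]}
            for name, h in hosts.items()}

if __name__ == "__main__":
    for host, result in fair_scores(SAMPLE, date(2012, 9, 1)).items():
        print(host, result)
```

The deferred list becomes the in-scope set for the next cycle once its own baseline date is chosen, so new checks are postponed rather than ignored.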