Secunia CSI is a patch management system add-on for SCCM. It is a software inspector that scans machines for any missing operating system or application updates. It has the ability to keep your environment patched, thereby virtually eliminating security holes caused by out-of-date software. Complete information about their suite of products can be found at https://secunia.com.
This series of articles of articles will focus the Corporate Software Inspector and its integration with SCCM 2012. This tool requires an agent on machines that scans them looking for out-of-date software. It then reports back to a web site where the administrator can view the devices that are out-of-date.
If you do not have Secunia CSI, you can request a 7-day trial at the website above. This will get you access to the web console. If you would like to see the SCCM integration client, you must also request that. This client brings the web site to your SCCM console.
First, we must tie our CSI environment to our SCCM server. To do this, log into to your CSI account and select the “Scanning” option. Select the “SCCM Inventory Import” option, and then “Configure SCCM” at the bottom. Input your SCCM server name in the box and press Save.
Next, go to the “SCCM Import Schedules” option. Here, specify when to have CSI import the inventory from your SCCM environment. Remember that this process takes resources from your SCCM servers, so I would recommend running this import once a day during non-peak hours. To create a new schedule, click the “New SCCM Import Schedule” button on the top of the page. We will come back to the rest of the Scanning node later.
Next, go to the “Patching” node. Select the “WSUS / SCCM” option under Configuration. Here, we need to configure the connection between CSI and your WSUS server. To do that, click the “Configure Upstream Server” button. Fill your WSUS server name and port and click “Connect”. This will test the connection to ensure that they can communicate. Now follow the wizard and create the package creation certificate. Next, you tell the system if you use WSUS or SCCM to distribute updates. If you use WSUS, the certificate will need to be deployed to client machines. The wizard assists you in creating a group policy to do this.
Now that we have the system configured, let’s look at some of the other screens.
This is the “Dashboard” view of the web console. This will give you an overview of your environment every time you log into the system. As you can see, it breaks the chart into programs and operating systems. CSI comes with clients for Windows, Mac OS X, and Red Hat Linux, so those are the operating systems that it is able to monitor and patch.
Here are the options for scanning. As you can see, we have a few options for network appliances and Android, as well as Windows. To download the agents, click on the “Download Local Agent” option. This allows you to download the agents for Windows, OS X, and Red Hat. The options for PSI for Windows and Android are a personal version of Secunia that can monitor Windows clients and Android devices that are not on your network or in your SCCM environment. PSI is a separate product and is out of the scope of this series, but more information can be found at https://secunia.com/vulnerability_scanning/personal/.
“Filter Scan Results” contain a few important options. First, the “Scan Path” option allows you to whitelist or blacklist directories. If you set a whitelist of directories, ONLY those directories will be scanned. Use this option sparingly, and only after careful consideration. Blacklisting a directory will exclude that directory from scans. If you do not specify anything, the agent will scan the entire device.
Next, “Custom Scan Rules” allow you to set up rules for programs that are not included in the CSI scanner. This allows you to monitor custom-developed software.
Finally, under “Completed Scans”, you can see detailed data about each scan. As you can see from this snapshot, I had a partial success because I do not have Windows update enabled on the device.
Results & Reporting
These nodes allow administrators to see the results of the scans and their business impact. We will start with “Host Smart Groups” under Results. Here we can see an overview of all of our groups of devices. Because this is the default “All Hosts” group, it says that this group as a “High” business impact, meaning that if this group had a security breach because of a missing patch, the business impact would be high. The business impact is specified when a group is created.
The rest of the “Results” section has various other charts depicting the state of your devices. I encourage you to look through them and identify which ones you can use to snapshot your environment and see its health.
The reporting section is very customizable. Here, the administrator can create custom reports to show what is happening in the environment. I encourage you to look through this section and identify reports that can help with keeping your environment secure and up-to-date.
The Administration options contain the settings for user access. The first screen (“User Management”) shows all of the users that have access. You can add another user by clicking either “Create New User” or “Create New Administrator”. With a user, the administrator can specify what the user can do.
With an administrator, the user is granted all rights to the system, and they cannot be restricted.
Next, the “Active Directory” screen allows you to tie the system to your AD for group policy. This is what allows you to publish certificates via GPO. Configure this setting if needed.
Finally, the administrator can specify password requirements for the environment. Specify these as needed for your environment.
There are two nodes to pay attention to under “Configuration”. The first one is “Settings”. One option to pay attention to here is “Activate Collect Network Info”. This option allows the CSI agent to gather IP and MAC address information about the client. Next, pay attention to the email recipient options. This where you define who can receive emails and SMS messages from the system. Finally, pay attention to the “Windows Update Settings” option. This defines where the CSI agent will get its updates. Set this according to your environment.
Next, look at the “Suggest Software” node under “Configuration”. This node can be used to submit new software to Secunia to update. If you run across something in your environment that is not being patched by Secunia, submit it here.
Come back next week for an overview of the SCCM integration client that bring CSI into your SCCM console.