How can I add the severity of a patch to the inventory data for a computer?

Version 1

    Verified Product Versions

    LANDESK Management Suite 2016.x

    Question:


    How can I add the severity of a patch to the inventory?  I want to generate queries for computers that are missing critical patches but that is currently not part of the inventory information.  

     

     

    Answer:


    This can be done using a couple of rules inside of Data Translation Services.  Follow the steps below to add this information to the  inventory tree. 

     

    1.  Edit the file  \Program Files\LANDesk\ManagementSuite\Datamartpm.xml.

    2.  Add the following line to the  ComputerVulnerability  table section under the last column tag:

            Severity type=Varchar(30) displayName=Severity >

    3.  Save the file.

    4.  Run the following command from the  \Program Files\LANDesk\ManagementSuite  directory:

            coredbutil /xml=datamartpm.xml

        Then select  Build Components  when the dialog appears.

    5.  Reload the LANDesk console.  If you look in the Query dialog, you should now see a  Severity  attribute of the  Security and Patch Definitions  component.

    6.  Go into the Data Translation Services console and create a new  Import Data  rule.

    7.  Enter a name for the rule, in this example we will use  Set Patch Severity , and click  Next.

    8.  Select  Management Suite ,  Computer Data  and click  Next.

    9.  Enter the information for your Management Suite database and click  Next.

    10. Enter  Vulnerability  for the table, or select it from the list.

    11. In the  Where statement  textbox enter the following:      Vul_ID = !Computer.Security and Patch Definitions.Vulnerability ID! 

    12. Click  Next.

    13. Click  Add  to add a column to import.

    14. For the  LANDesk Attribute  select  Computer.Security and Patch Definitions.Severity.

    15. For the  Column  select  Severity.

    16. For the  Data Type  select  STRING.

    17. Click  OK.

    18. Click  Add  to add a second column.

    19. For the  LANDesk Attribute  select  Computer.Security and Patch Definitions.Vulnerability ID.  It is necessary to add this column, since it will be used to match the Vulnerability that the computer reported to the vulnerability that is in the Vulnerability table.  Since it already exists as part of the computer data, it will not be imported, but is used as the Key field to match the two records.

    20. For the  Column  select  Vul_ID.

    21. For the  Data Type  select  STRING.

    22. Click  OK.

    23. Select the second attribute (Computer.Security and Patch Definitions.Vulnerability ID) and click  Key.

    24. Click  Next.

    25. Click  Finish. 

     

    Since the Security and Patch information is not sent in as part of a regular inventory scan, it is not useful to set this rule Active.  Instead we recommend that you schedule this rule to run on a regular basis (perhaps every night, but often enough that the data is updated before you run a report).  To schedule a rule, right click on the rule and select  Schedule.  Once you schedule the rule, you can change the settings for it by looking in the Scheduled Tasks tool.  The name will be _.  Depending on how many vulnerabilities you are scanning, there may be thousands for each computer, so the rule may take a long time to run.  However, since this data is sent in as part of a Security scan, it will not get overwritten and will stay once it is set.  So it is not necessary to always run the rule to keep the data from getting erased during an inventory scan.

     

    It is possible to set the rule to run only against computers that it needs to be run against.  To do this follow these steps: 

     

    1.  Create a new Query in the console.

    2.  Give it a  Name , in this example,  Computers needing Severity information.

    3.  Select  Computer.Security and Patch Definitions.Vulnerability ID  as the  Machine Component.

    4.  Select  Exists  as the operator.

    5.  Click  Insert.  This will select all computers that have patch information.

    6.  Select  AND  from the drop down.

    7.  Select  Computer.Security and Patch Definitions.Severity  as the second  Machine Component.

    8.  Select  Not Exists  as the operator.

    9.  Click  Insert.

    10. Click  Save.

    11. Right click on the DTS rule and select  Set Targets.

    12. Expand  Queries  on the right and select the query you just created.

    13. Drag the query to the left.  It should now be in the queries list on the left.

    14. Click  OK. 

     

    You have now set up the rule that will import the Severity type from the Vulnerability table in Patch Manager and add it to the inventory of a Management Suite computer.  However, the Severity column is an integer.  To make it more useful, we should change it into a string, the same as shows up in the Security and Patch Manager console.  The simplest way to do this is with a Normalize rule that converts the number into a string.  Follow these steps to set up this rule:

     

    1.  Create a new Normalize rule.

    2.  Enter a  Name  for the rule, in this example we will use  Normalize Severity Name.

    3.  Select  Computer.Security and Patch Definitions.Severity  as the  Database Attribute  and click  Next.

    4.  Select  0  from the  Existing Values  list and click  Add Map.

    5.  Change the map from  0  to  Service Pack.

    6.  Drag 0 from the  Existing Values  list to the  Service Pack  map.  0 should now show up under Service Pack.

    7.  Repeat steps 4-6 for 1-6, using the following text:

            1 - Critical

            2 - High

            3 - Medium

            4 - Low

            5 - N\A

            6 - Unknown

    8.  Click  Finish . 

     

    Since these two rules need to run together to properly set the patch severity, you should schedule this rule to run as well, after the first rule is complete.  Since this rule will run much faster than the import rule, you may not need to set Targets for it.  However, if you wish to set targets, create a query where Computer.Security and Patch Definitions.Severity = 0, 1, 2, 3, 4, 5, or 6.  This will ensure that only computers that need the rule run will have it run for them.  Also, since you want to run these two rules together, you can also create a rule group.  So instead of dragging a computer down to the import rule and then dragging it to the normalize rule, you can drag it onto the group and both rules will run in sequence.  To do this complete the following: 

     

    1.  Right click on the bottom of the left treeview in the Data Translation Services console.

    2.  Select  Add Group.

    3.  Give the group a name, in this example,  Patch Severity.

    4.  Click on  Import Data  in the treeview and drag the import rule onto the group, in this case we called the rule Set Patch Severity.

    5.  Click on  Normalize  in the treeview and drag the normalize rule onto the group, in this case we called the rule Normalize Severity Name. 

     

    You should see the two rules in the Patch Severity Group.  Make sure that the Group Run Order is set so that Set Patch Severity runs before Normalize Severity Name.  If you need to change this, right click on the Group and select Set Group Run Order.  To further help customize this, you can also schedule the two rules to run one after the other; however, this is not handled in the UI.  When a rule is scheduled it creates a script file that executes the rule.  It is possible to combine these two script files into one so that the normalize rule is run immediately after the import rule is finished.  To do this follow these steps:

     

    1.  Right click on the import rule, in this example  Set Patch Severity , and click  Schedule.

    2.  Set the parameters you wish and click  OK.

    3.  Right click on the normalize rule, in this example,  Normalize Severity Name , and click  Schedule.

    4.  Set the parameters you wish and click  OK.

    5.  Go to the \Program Files\LANDesk\ManagementSuite\Scripts directory on the core server.  You will see the two script files with names of _.ini.

    6.  Edit the Set Patch Severity ini file.  The text should look something like this:

            LOCEXEC0=C:\Program Files\LANDesk\ManagementSuite\MPRUNSCHED.EXE 225 , ASYNC

    7.  Change the  ASYNC  to  SYNC.  This way the next step will not complete until the rule has completed running.

    8.  Edit the Normalize Severity Name.ini file.

    9.  Copy the LOCEXEC line into the Set Patch Severity file and modify it so it looks something like the line below:

            LOCEXEC1=C:\Program Files\LANDesk\ManagementSuite\MPRUNSCHED.EXE 226 , ASYNC

    10. Save the Set Patch Severity file. 

     

    NOTE: The numbers after MPRUNSCHED.EXE are specific to your database and that instance of the rule.  If you delete the rule and recreate it or import it into a different core server, the numbers will change and you will need to reschedule the rule to generate a new script file and find out what the ID number is of that new rule.  Now when the Set Patch Severity Scheduled Task is run, it will first import the patch severity field and then normalize the name. (NOTE: Replace with the character)
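
The script-file edit from steps 6 to 9, as an added PowerShell example that is not part of the original article or of LANDESK's tooling. The function name `Merge-DtsScheduleScript` and the sample file contents are assumptions; only the `LOCEXEC` lines follow the form shown in the steps above.

```powershell
# Added example: merge the normalize rule's LOCEXEC line into the import rule's script.
function Merge-DtsScheduleScript {
    param(
        [string[]]$ImportLines,     # lines of the import rule's .ini (Set Patch Severity)
        [string[]]$NormalizeLines   # lines of the normalize rule's .ini (Normalize Severity Name)
    )
    $locExec = '^\s*LOCEXEC\d+\s*='
    $importHits    = @($ImportLines    | Where-Object { $_ -match $locExec })
    $normalizeHits = @($NormalizeLines | Where-Object { $_ -match $locExec })

    # Refuse to guess if either file is not the single-step script the article describes.
    if ($importHits.Count -ne 1 -or $normalizeHits.Count -ne 1) {
        throw "Expected exactly one LOCEXEC line in each file."
    }

    # The second step keeps its own rule ID and mode; only the index changes to 1.
    $second = $normalizeHits[0] -replace $locExec, 'LOCEXEC1='

    $merged = foreach ($line in $ImportLines) {
        if ($line -match $locExec) {
            # The first step must block until the import rule has finished.
            $first = $line -replace ',\s*ASYNC\s*$', ', SYNC'
            if ($first -notmatch ',\s*SYNC\s*$') {
                throw "LOCEXEC0 line has no ASYNC/SYNC mode to change."
            }
            $first
            $second
        } else {
            $line   # every other line of the script is passed through untouched
        }
    }
    $merged
}

# Constructed sample contents; the rule IDs 225 and 226 are the article's examples
# and will differ on your core server.
$import = @(
    '; constructed sample, not a real LANDESK script file',
    'LOCEXEC0=C:\Program Files\LANDesk\ManagementSuite\MPRUNSCHED.EXE 225 , ASYNC'
)
$normalize = @(
    'LOCEXEC0=C:\Program Files\LANDesk\ManagementSuite\MPRUNSCHED.EXE 226 , ASYNC'
)
Merge-DtsScheduleScript -ImportLines $import -NormalizeLines $normalize
```

To use it on the real files, pass the output of `Get-Content` for each script and keep a copy of the original Set Patch Severity file before writing the merged lines back.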