8 Replies Latest reply on Apr 22, 2011 2:39 PM by shodgesgt

    no /Library/Application\ Support/LANDesk/bin/ldpatch on MAC

    Rookie

      Hello,

       

      I am having a problem with the patch and compliance on my corporate MACs. I have created an agent and successfully deployed the agent. The remote control is functioning normally on the machines, as is the inventory scanner. The patch manager is not updating, and I have set the schedule to run between 8 and 10 in the morning every day. In the Schedule patch and compliance scan window, I notice the command line, /Library/Application\ Support/LANDesk/bin/ldpatch is inputted. There is no directory or application on the machine in the bin directory. Am I missing something or is there something else that needs to be done? Looking through the forums, I cannot seem to find an answer.

       

      What I want to be able to do is patch MAC computers with LANDesk. If anyone knows of good docs in the community, please comment with their location.

       

      Thanks for any help anyone can provide me with.

       

      Josh

        • 1. Re: no /Library/Application\ Support/LANDesk/bin/ldpatch on MAC
          Apprentice

          I think the issue is fixed via SP2. Are the clients updated?

           

          steve

          • 2. Re: no /Library/Application\ Support/LANDesk/bin/ldpatch on MAC
            Rookie

            The installer was created after SP2 was applied to the server. Is there a pkg I have to apply separately to the clients?

            • 4. Re: no /Library/Application\ Support/LANDesk/bin/ldpatch on MAC
              SupportEmployee

              Josh,

               

              It sounds like there is something wrong with your agent package. After applying the patch did you open up your agent configuration and save it so the package is rebuilt with the new files? Most of the time this is done automatically by the patch but I have seen some instances when it didn't happen. If you have done that you might want to contact support and give them your agent config so they can see if they can duplicate it and root cause the problem. I haven't heard of this happening before so I can't really comment on what could be the cause.

               

              In the meantime, though, to get up and running, create a shell script on a Mac with the following in it and then use software distribution to push it out to your Macs, and it will create the ldpatch symbolic link. If the link already exists the script will error out and no change will be made on that machine.

               

               

               

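              #!/bin/sh
              # Create the ldpatch symbolic link, pointing at vulscan in the same directory.

              # Stop if the LANDesk bin directory is missing (agent not installed).
              cd /Library/Application\ Support/LANDesk/bin/ || exit 1
              # ln -s fails, changing nothing, if ldpatch already exists.
              ln -s ./vulscan /Library/Application\ Support/LANDesk/bin/ldpatch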

               

               

              This is all assuming that vulscan is on the client machines in /Library/Application\ Support/LANDesk/bin/

               

              If vulscan is not there then don't bother with the script; it will still be broken and you should contact support.
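A more defensive version of the workaround script in the reply above, as an added example that is not part of the original post or LANDesk's own tooling: it checks that vulscan is present before linking, treats an already-correct link as success, and refuses to touch an ldpatch that is anything else. The function name, the return codes and the LD_BIN variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: create the ldpatch -> vulscan link only when it is safe to do so.
# LD_BIN (hypothetical variable) can be overridden to try this on a scratch directory.
LD_BIN="${LD_BIN:-/Library/Application Support/LANDesk/bin}"

# Return codes (chosen for this example):
#   0 link created or already correct
#   1 ln failed
#   2 vulscan missing or not executable
#   3 ldpatch exists but is not the expected link
ensure_ldpatch_link() {
    bin_dir="$1"
    # The workaround only helps if vulscan is really installed.
    if [ ! -f "$bin_dir/vulscan" ] || [ ! -x "$bin_dir/vulscan" ]; then
        echo "vulscan missing or not executable in $bin_dir; contact support" >&2
        return 2
    fi
    if [ -L "$bin_dir/ldpatch" ]; then
        # Already a symlink: accept it only if it points at vulscan.
        target=$(readlink "$bin_dir/ldpatch")
        case "$target" in
            ./vulscan|vulscan|"$bin_dir/vulscan") return 0 ;;
        esac
        echo "ldpatch points at unexpected target: $target" >&2
        return 3
    fi
    if [ -e "$bin_dir/ldpatch" ]; then
        # A real file (for example from a rebuilt agent) must not be replaced.
        echo "ldpatch exists and is not a symlink; leaving it alone" >&2
        return 3
    fi
    # Relative target, the same one the script in the reply above uses.
    ln -s ./vulscan "$bin_dir/ldpatch" || return 1
}

# Touch the real directory only when invoked as: script.sh apply
if [ "${1:-}" = "apply" ]; then
    ensure_ldpatch_link "$LD_BIN"
fi
```

Distinct return codes let a software distribution task report which machines still lack vulscan instead of a single generic failure.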

              • 5. Re: no /Library/Application\ Support/LANDesk/bin/ldpatch on MAC
                Rookie

                Thanks for all of the responses.  It turns out that there was a beta patch I had to apply to the Core server, rebuild the agent, and distribute the agent to the MACs.

                 

                The patch was LD90-SP2-MCP_MAC-2011-0218 in case anyone else runs into this issue.

                 

                -Josh

                • 6. Re: no /Library/Application\ Support/LANDesk/bin/ldpatch on MAC
                  Rookie
                  We're just beginning to explore LD9 SP2 with Macs to see if it works better than previous versions. It appears to have addressed some problems, but we're having trouble understanding how the patching process is supposed to work.
                  I see in /Library/Application Support/LANDesk/data/ldcron.xml that /Library/Application Support/LANDesk/bin/ldpatch is supposed to run. We noticed that there was no ldpatch there, but based on an earlier suggestion in this thread we created it as a symbolic link to vulscan. (Thanks for that tip.)
                  Now, when I manually run ldpatch (as root), it iterates through all of the known patches and determines whether they apply to the machine. For example, it shows that the vulnerability Firefox3.5.17_Update is detected:
                  Fri Apr 22 11:35:32 2011 [41287] vulscan :      Looking for Product Firefox3_INTEL
                  Fri Apr 22 11:35:32 2011 [41287] vulscan :      File(CPUFAMILY) IS vulnerable
                  Fri Apr 22 11:35:32 2011 [41287] vulscan :      Checking OS Version...
                  Fri Apr 22 11:35:32 2011 [41287] vulscan :      minVersion is 10.4.0, found version is 10.5.8, maxversion is 10.5.15
                  Fri Apr 22 11:35:32 2011 [41287] vulscan :      The version found on client box is between 10.4.0 and 10.5.15
                  Fri Apr 22 11:35:32 2011 [41287] vulscan :      File(OSVERSION) IS vulnerable
                  Fri Apr 22 11:35:32 2011 [41287] vulscan :      Find (Firefox.app) result: FSCatalogSearch found 1 files.
                  Fri Apr 22 11:35:32 2011 [41287] vulscan :      Found the application: /Applications/Firefox.app/ - Its version is 3.5.3. Expected min version is 1.0.0.0. Expected max version is 3.9.9.9.
                  Fri Apr 22 11:35:32 2011 [41287] vulscan :      Bundle(Firefox.app) IS vulnerable
                  Fri Apr 22 11:35:32 2011 [41287] vulscan :      Product(ID=Firefox3_INTEL, Firefox for INTEL) IS vulnerable
                  Fri Apr 22 11:35:33 2011 [41287] vulscan :      Find (Firefox.app) result: FSCatalogSearch found 1 files.
                  Fri Apr 22 11:35:33 2011 [41287] vulscan :      Found the application: /Applications/Firefox.app/ - Its version is 3.5.3. Expected min version is 3.5.17.
                  Fri Apr 22 11:35:33 2011 [41287] vulscan :      The application version is less than the expected min version.
                  Fri Apr 22 11:35:33 2011 [41287] vulscan :      Detection result(Vul_ID=Firefox3.5.17_Update): "File '/Applications/Firefox.app' version is less than the minimum version specified", expected version is "3.5.17",but version "3.5.3" is found.Fri Apr 22 11:35:33 2011 [41287] vulscan : Reporting vulnerability Firefox3.5.17_Update detected.
                  Fri Apr 22 11:35:33 2011 [41287] vulscan : ***********************************************
                  I was expecting that the vulnerability would be repaired, but I don't see any evidence of an attempted repair in the output of ldpatch/vulscan. At the end of the ldpatch output, I see this:
                  Fri Apr 22 11:52:49 2011 [41287] vulscan : Scanning DEU vulnerabilities.
                  Fri Apr 22 11:52:49 2011 [41287] vulscan : Scanning ESN vulnerabilities.
                  Fri Apr 22 11:52:49 2011 [41287] vulscan : Scanning FRA vulnerabilities.
                  Fri Apr 22 11:52:49 2011 [41287] vulscan : Scanning ITA vulnerabilities.
                  Fri Apr 22 11:52:49 2011 [41287] vulscan : Scanning JPN vulnerabilities.
                  Fri Apr 22 11:52:49 2011 [41287] vulscan : Scanning SVE vulnerabilities.
                  Fri Apr 22 11:52:51 2011 [41287] vulscan : Repairing auto-fix vulnerabilities.
                  Fri Apr 22 11:52:51 2011 [41287] vulscan :      No detected patches are available to repair!
                  Fri Apr 22 11:52:51 2011 [41287] vulscan : Exit value:229835155
                  Fri Apr 22 11:52:51 2011 [41287] vulscan : Patch exited.
                  I'm not sure I understand how ldpatch is supposed to work -- shouldn't it be running the patches for vulnerabilities it finds? Or do I have to set them to auto-fix for this to happen?
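To spot the situation described in the post above (vulnerabilities detected, nothing repaired) across many clients, the following added example, which is not part of the thread or of LANDesk, summarises saved ldpatch/vulscan output. It relies only on the message strings quoted in the post; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise ldpatch/vulscan output in the format quoted in the thread.

# Constructed sample (not a real capture). The second line has two entries
# run together, as in the output quoted above.
sample_log() {
cat <<'EOF'
Fri Apr 22 11:35:33 2011 [41287] vulscan : Reporting vulnerability Firefox3.5.17_Update detected.
Fri Apr 22 11:35:40 2011 [41287] vulscan :      Detection result(Vul_ID=Example_Update): "constructed".Fri Apr 22 11:35:40 2011 [41287] vulscan : Reporting vulnerability Example_Update detected.
Fri Apr 22 11:52:51 2011 [41287] vulscan : Repairing auto-fix vulnerabilities.
Fri Apr 22 11:52:51 2011 [41287] vulscan :      No detected patches are available to repair!
Fri Apr 22 11:52:51 2011 [41287] vulscan : Exit value:229835155
EOF
}

# Print each detected Vul_ID once. grep -o matches inside a line, so an entry
# fused onto the end of the previous one is still found.
detected_ids() {
    grep -o 'Reporting vulnerability [^ ]* detected' "$1" |
        sed 's/^Reporting vulnerability \(.*\) detected$/\1/' | sort -u
}

# Print the last "Exit value" recorded in the log, if any.
exit_value() {
    sed -n 's/.*vulscan : Exit value:\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Succeeds when the run detected something and reported nothing to repair.
scan_only_gap() {
    [ -n "$(detected_ids "$1")" ] &&
        grep -q 'No detected patches are available to repair!' "$1"
}

summarise() {
    if scan_only_gap "$1"; then
        echo "detected but not repaired (exit value $(exit_value "$1")):"
        detected_ids "$1" | sed 's/^/  /'
    else
        echo "no scan-only gap found in this log"
    fi
}

# Usage: script.sh /path/to/saved-vulscan-output.log
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    summarise "$1"
fi
```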
                  • 7. Re: no /Library/Application\ Support/LANDesk/bin/ldpatch on MAC
                    Rookie

                    The repair task will only patch if you have instructed the agent to repair (based off of the scan and repair settings).  We scan every day without a repair, but once a week (patch night), we set a different local scheduled task to run with repair.

                    • 8. Re: no /Library/Application\ Support/LANDesk/bin/ldpatch on MAC
                      Rookie
                      Thanks Joshua...
                      That sounds very much like what we'd like to do. But I'm not sure I see how to do it -- sorry if I'm being obtuse. I see only a very limited set of options for patch and compliance -- screenshots of dialog boxes attached. I only can schedule a single invocation of it, apparently. Did you have to do any trickery to get both the "scan only" and the "scan and repair" invocations of ldpatch to work as you described?
                      I see in the /Library/Application Support/LANDesk/data/ldcron.xml file this line related to ldpatch:
                      <ldpatch type="shell"> -frequency 7 -frequencytype day -command &quot;/Library/Application\ Support/LANDesk/bin/ldpatch&quot; -base 1302895328 -next 1304104931</ldpatch>
                      I suppose it might be possible to manually add a line for the "scan and repair" invocation of ldpatch, but perhaps there's an easier way to accomplish what you've described.