Secunia – Scanning and Patching

So you made it this far. Great! Let’s scan your network and publish a patch.

Overview

  • Configure your Network Appliance Agent.
  • Create a Network Appliance Group.
  • Run a scan.
  • Publish a patch.

The Process

Configure the Network Appliance Agent

  1. Navigate to Scanning -> Remote Scanning Via Agents -> Network Appliance Agents. Then right-click your NAA and choose ‘Edit Configuration’.
  2. On the ‘Configuration for Network Appliance Agent’ wizard, configure a check-in frequency and set your maximum simultaneous inspections. I’m running 30 simultaneous inspections on my dedicated scanning VM and haven’t noticed a significant amount of load.

Create a Network Appliance Group

  1. Navigate to Scanning -> Remote Scanning Via Agents -> Network Appliance Groups, then click “New Group”.
  2. Enter a name for the network group, then select a scan type. I chose scan type 1.
  3. On the ‘IP Networks’ tab, enter your gateway and netmask, then click “add”.
  4. On the ‘Agents’ tab, check the box next to your NAA.
  5. On the ‘Scheduling’ tab, configure your scanning schedule, choose “Scan group as soon as possible”, then click “Save”.
  6. Your network appliance group should now be included in the list.

Publish a Patch

  1. Once your scan results come in, navigate to Patch -> Secunia Package System (SPS). Right-click any software program highlighted in blue and choose “Create Update Package”.
  2. On ‘Step 1 of 4: Package Configuration’, click “Next”.
  3. My install skips step 2 for some reason. On ‘Step 3 of 4: Applicability Criteria – Paths’ click “Next”.
  4. On ‘Step 4 of 4: Applicability Criteria – Rules’ click “Publish”.
  5. Run a WSUS Repository synchronization in SCCM, and create a search folder for the vendor of the application you published a patch for. It should show up and be ready for deployment! Pretty cool!

So that’s the Secunia workflow. Stay tuned for a post on SCCM deployment of CSI host and PSI agents.

Installing and Configuring Secunia

Now that you know how cool it is, let’s install and try out the product. This post will cover the initial install and configuration of Secunia. Part 2 will cover network scanning and actually publishing a patch.

Overview

  • Download and Install the CSI Console
  • Connect the CSI Console to your SCCM Server
  • Install a CSI Network Appliance Agent
  • Run a network scan
  • Create a package
  • Publish the package to SCCM

Prerequisites

  • A workstation to run CSI Console.
  • A server to run CSI in Network Appliance mode.
  • A SCCM Server with the SUP role configured.
  • A user account for the Network Appliance service that has admin rights on all target\client computers.

The Process

Download and Install the CSI Console

  1. Download the Secunia CSI Console from the following web page (after login).
    https://ca.secunia.com/
  2. Double-click the setup file “CSISetup.exe” to begin installation.
  3. On the ‘Welcome to the CSI Setup’ screen, click “Next”.
  4. On the ‘License Agreement’ screen check the box and click Next.
  5. On the ‘Readme Information’ screen click “Next”.
  6. On the ‘Choose Install Location’ screen click “Next”.
  7. On the ‘Completing the CSI Setup’ screen click “Finish”.
  8. When prompted to launch Secunia CSI, click “Yes”.
  9. Login to the CSI Console using your Customer Credentials.
  10. Secunia will load if your internet connection is active.
  11. Congrats! The software is installed and launched.

Connecting CSI Console to the SCCM Server

  1. Click Start -> Run, then type “inetcpl.cpl” to load “Internet Options”
  2. On the “Security” tab, click “Trusted Sites” then click the “Sites” button.
  3. Add the following site to the trusted sites list then click “Close”:
    https://csi5.secunia.com
  4. On the Internet Options window, click “OK”.
  5. In Secunia CSI navigate to Patch -> WSUS Configuration, then click “Configure Upstream Servers”.
  6. If using SCCM, enter the SCCM server hostname and port, then click “Use SSL”, then click “Connect”. The default SCCM WSUS Port number for SSL is 8531.
  7. Next, Secunia asks you to configure the certificate. If you already have a WSUS Signing Certificate, for example from using System Center Updates Publisher, then close the wizard because parts 2 and 3 are not necessary. If you are sure that you do not have a WSUS Signing Certificate, click “Automatically create and install certificate”.
  8. I can’t show the wizard step 3, because importing a new signing certificate would break my WSUS server. However, step 3 just creates a group policy object for the distribution of the certificate to your active directory clients. The process can be seen manually in my previous blog post “Pushing the SCUP Certificate to Clients“.
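The Trusted Sites entry from steps 1 to 4 and the SSL port check from step 6 can also be done from a PowerShell prompt. The script below is an added example and is not part of the original post or Secunia's own tooling; the SCCM server name in it is a placeholder you would replace with your own, and the registry location it writes is the per-user Internet Explorer zone map (zone 2 is “Trusted Sites”).

```powershell
# Added example (not from the post): put csi5.secunia.com in the current user's
# Trusted Sites zone and confirm the SCCM/WSUS SSL listener answers.
# Assumption: $sccmServer is a placeholder; replace it with your SCCM server hostname.
$sccmServer  = 'sccm.example.local'   # placeholder, not a value from the post
$sccmSslPort = 8531                   # default WSUS SSL port named in step 6

# Internet Explorer stores per-user zone assignments under ZoneMap\Domains\<domain>\<host>.
# The value name is the scheme being trusted and the DWORD data is the zone number (2 = Trusted Sites).
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\secunia.com\csi5'
if (-not (Test-Path $zoneKey)) {
    New-Item -Path $zoneKey -Force | Out-Null
}
New-ItemProperty -Path $zoneKey -Name 'https' -Value 2 -PropertyType DWord -Force | Out-Null

# Read the value back so a mistyped key path is caught right away.
$zone = (Get-ItemProperty -Path $zoneKey).https
if ($zone -ne 2) {
    throw "csi5.secunia.com was not placed in the Trusted Sites zone (got $zone)"
}
Write-Host 'https://csi5.secunia.com is now in Trusted Sites for the current user.'

# Step 6 connects over SSL; make sure the port answers before opening the wizard.
# TcpClient is used rather than Test-NetConnection so this runs on older PowerShell versions too.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($sccmServer, $sccmSslPort)
    Write-Host "$sccmServer is listening on TCP $sccmSslPort (WSUS SSL)."
}
catch {
    Write-Warning "Could not reach ${sccmServer}:$sccmSslPort - check the SUP/WSUS SSL binding and firewall: $($_.Exception.Message)"
}
finally {
    $client.Close()
}
```

If your domain pushes the “Site to Zone Assignment List” policy, or “Security Zones: Use only machine settings” is enabled, the per-user registry entry is ignored and the site has to be added through Group Policy instead.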

Install a Network Appliance Agent

  1. Navigate to Scanning -> Remote Scanning Via Agents -> Download Network Agent, then click “csia.exe” to download the agent.
  2. Log into the server designated for the NAA agent as the user with which you’d like to run the service. The user must be an administrator on the host and any clients that will be scanned. I did not have success with the NAA when installing the service using runas, or by configuring the service properties in services.msc. The service would start, but would not report back to the CSI Server.
  3. Once logged into the server, run the following command:
    mkdir %programfiles%\secunia
  4. Now, copy csia.exe into %programfiles%\secunia
  5. Now, run the command prompt, run the following commands to install the agent service:
    CD /D %programfiles%\Secunia
    csia.exe -A -i --skip-wait
  6. In CSI Console, navigate to Scanning -> Remote Scanning Via Agents -> Network Appliance Agents. After 4-5 minutes, you should now see the NAA server appear in this list.
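Steps 3 to 5 above, followed by a check that the service was actually registered and which account it runs as, can be scripted. The following is an added example, not a script from the original post or from Secunia; the source path of csia.exe is a placeholder, and because the post does not give the service name, the script locates the service by its binary path rather than assuming a name. Run it from a session logged on as the intended service account, as step 2 requires.

```powershell
# Added example (not from the post): perform the NAA install steps from one script,
# then confirm a service for csia.exe exists and report the account it runs under.
# Assumption: $agentSource is a placeholder path to the csia.exe you downloaded.
$agentSource = 'C:\Downloads\csia.exe'           # placeholder
$installDir  = Join-Path $env:ProgramFiles 'Secunia'

if (-not (Test-Path $agentSource)) {
    throw "csia.exe not found at $agentSource; download it from Scanning -> Remote Scanning Via Agents -> Download Network Agent"
}

# Steps 3 and 4: create the folder and copy the agent into it.
New-Item -ItemType Directory -Path $installDir -Force | Out-Null
Copy-Item -Path $agentSource -Destination $installDir -Force

# Step 5: install the agent as a service with the switches given in the post.
Push-Location $installDir
try {
    & .\csia.exe -A -i --skip-wait
    if ($LASTEXITCODE -ne 0) {
        throw "csia.exe returned exit code $LASTEXITCODE"
    }
}
finally {
    Pop-Location
}

# Verification: Win32_Service exposes the binary path, state and logon account,
# so the service can be found without knowing its registered name.
$services = @(Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName -like '*csia.exe*' })
if ($services.Count -eq 0) {
    throw 'No service with csia.exe as its binary was found; the install did not register a service'
}

foreach ($svc in $services) {
    $svc | Select-Object Name, State, StartMode, StartName, PathName | Format-List
    if ($svc.State -ne 'Running') {
        Write-Warning "Service '$($svc.Name)' is $($svc.State); start it and watch for the NAA in CSI Console"
    }
}
```

StartName in the output is the account the service actually logs on with; compare it with the account you intended, since that account needs administrator rights on every client the NAA will scan.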

Congrats! You are now ready to start scanning and patching your network clients! Look to part 2 for configuring a Network Appliance Group, initiating a scan, and publishing a patch.

Secunia and SCCM – Overview

Secunia takes a lot of the work out of patching applications across the fleet. It runs as an independent agent\scanner which creates a software inventory database of clients on your network. You can then create individual ‘update packages’ and push them to your WSUS server (and\or SCCM server). The best part is that Secunia handles package creation for most applications — you don’t need to know the install\uninstall switches of every application. Here’s a quick overview of how Secunia works and looks. The next post will cover the actual installation and configuration.

Overview

Secunia needs to get a software inventory to function. It can do this via remote scanning or agent-based scanning. Remote scanning refers to scanning a group of agent-less computers on your network via a central server. Agent-based scanning refers to installing an agent on your host that scans itself and reports back to the central server. Remote scanning requires only a couple firewall holes and works well for always-connected computers. Agent-scanning works well for laptops and desktops without a reliable maintenance schedule.

Agent Types

There are 3 agent types:

  • CSI Host Agent – command-line agent that doesn’t interact with the user.
  • CSI Network Appliance Agent – proxy-style command-line agent that can be used to remotely scan its host and subnet(s).
  • PSI – adds a GUI-agent to the CSI that allows the user to install patches if they’re administrator.

The CSI Network Appliance Agent is what you’d install on a dedicated scanning server\VM. CSI Host Agent is great for laptops because it will upload scan results to the central server whenever it can. The PSI is a great compromise for power users who like to manage their own machines, and for IT who still want reporting and the ability to force patch compliance. PSI contains all the features of a CSI host agent (as far as I can tell).

Screenshots!

Here are a few screenshots of Secunia in action.

  • Secunia’s inventory of our network.

  • Secunia patch page, showing the right-click features.

  • The updates, as published to my SCCM Repo.

It’s a pretty cool program. Stay tuned for help installing the system.

SCCM Task Sequences – Windows 7 Build and Capture

Hello friends! I’m going to show you how to construct a Windows 7 “build and capture” task sequence. This post assumes that you’ve already followed the “Getting Started” posts 1 and 2. This task sequence will deploy Windows 7, Install Windows Updates, and capture to an image. In later posts, we’ll explore adding software and customizing the default profile.

The Process

  1. First, right click “Task Sequences” and select New -> Task Sequence.
  2. On the screen “Create a New Task Sequence” select “Build and capture…” and click Next.
  3. On the screen “Task Sequence Information” enter the name “Build and Capture Windows 7”, select a boot image appropriate for your architecture, then click “Next”.
  4. On the screen “Install Windows” select your Windows 7 SP1 package then click “Next”.
  5. On the screen “Configure the network” enter the workgroup “tempgroup” and click “next”. If you’re joining a domain, make sure you enter user credentials. I don’t recommend joining a domain for build-and-capture, since the system will need to be removed from the domain again before capturing.
  6. On the screen “Install the ConfigMgr Client” choose your Configuration Manager client package then click “Next”.
  7. On the screen “Include Updates in Image” choose “Don’t install any software updates” then click “Next”.
  8. On the screen “Install Software Packages” click “Next”.
  9. On the screen “System Preparation” click “Next”.
  10. On the screen “Image Properties” enter a name and version then click “Next”.
  11. On the screen “Capture Image Settings” enter the source path “\\sccm\captures$\build1.wim”, enter domain credentials, then click “Next”.
  12. On the “Summary” screen click “Next”.
  13. On the “Wizard Completed” screen click “Close”.
  14. Next, right-click your new task sequence and select “Edit”.
  15. Click Add -> General -> Restart Computer to add a “Restart Computer” task. Place this new task after “Setup windows and ConfigMgr” and choose the radio button “The currently installed default operating system”. Then, uncheck “Notify the user before restarting”.
  16. Click Add -> MDT -> Use Toolkit Package to add a “Use Toolkit Package” task. Place this task after “Restart Computer” then select your MDT Toolkit package.
  17. Click Add -> General -> Run Command Line to add a “Run Command Line” task. Rename this task to “Install Windows Updates”. Then enter the command line:
    cscript.exe "%SCRIPTROOT%\ZTIWindowsUpdate.wsf"

    Click “OK” to save these new tasks.

Now, advertise and use your task sequence! It should work properly. Enjoy!

OpsMgr ADMP Errors – AD Replication Partner Op Master Consistency

This morning, my system is showing the following alert.

Alert Title:
Could not determine the FSMO role holder.
Description:
AD Replication Partner Op Master Consistency : Unable to determine domain naming Op Master on domain controller ‘<myDC>’.

At the same time, I see another alert.

Alert Title:
AD Client Side – Script Based Test Failed to Complete
Description:
AD Replication Partner Op Master Consistency : The script ‘AD Replication Partner Op Master Consistency’ failed to executethe following LDAP query: ‘<LDAP://dc3.chemistry.ohio-state.edu/CN=Configuration,DC=chemistry,DC=ohio-state,DC=edu>;(&(objectClass=crossRefContainer)(fSMORoleOwner=*));fSMORoleOwner;Subtree’. The error returned was ‘The server is not operational.’ (0x80040E37)

This is happening because my DCs are backing up with VMware VDR in the middle of the night, and the rule is set to run every 60 seconds. Per the referenced blog post below, I set the rule to 12 mins (seems like enough). I still might get the error though. I really need to sit down and figure out how to set PC’s in maintenance mode when quiesced snapshots are taken. It should be trivially easy, according to the VMware tech manuals.
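The second alert quotes the exact LDAP query the ADMP script issues. Running the same query by hand is a quick way to tell whether the Domain Naming Master is genuinely undeterminable or the DC was simply unreachable while quiesced. The script below is an added example and not part of the post or of the management pack; the DC name and configuration naming context in it are placeholders for your own forest.

```powershell
# Added example (not from the post): issue the same LDAP query the ADMP script runs
# (base = Configuration NC, filter on crossRefContainer with fSMORoleOwner, subtree)
# and resolve the result to the DC that holds the Domain Naming Master role.
# Assumptions: $dc and $configDn are placeholders; substitute your DC and forest root.
$dc       = 'dc1.example.com'                    # placeholder DC to bind to
$configDn = 'CN=Configuration,DC=example,DC=com' # placeholder forest Configuration NC

function Get-DomainNamingMaster {
    param([string]$Server, [string]$ConfigurationDn)

    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$ConfigurationDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(&(objectClass=crossRefContainer)(fSMORoleOwner=*))'
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.Add('fSMORoleOwner')

    $result = $searcher.FindOne()
    if ($null -eq $result) {
        throw "No crossRefContainer with fSMORoleOwner found under $ConfigurationDn"
    }

    # fSMORoleOwner is the DN of an NTDS Settings object; its parent is the DC's server object,
    # whose dNSHostName attribute is the role holder's FQDN.
    $ntdsDn    = [string]$result.Properties['fsmoroleowner'][0]
    $ntds      = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$ntdsDn")
    $serverObj = $ntds.Parent
    return [pscustomobject]@{
        NtdsSettingsDn = $ntdsDn
        RoleHolder     = [string]$serverObj.Properties['dNSHostName'][0]
    }
}

try {
    $owner = Get-DomainNamingMaster -Server $dc -ConfigurationDn $configDn
    Write-Host "Domain Naming Master: $($owner.RoleHolder)"
    Write-Host "NTDS Settings DN:     $($owner.NtdsSettingsDn)"
}
catch [System.Runtime.InteropServices.COMException] {
    # An unreachable DC (for example one frozen for a quiesced snapshot) fails at the bind;
    # this is the "server is not operational" condition the alert describes.
    Write-Warning ("LDAP bind to {0} failed: {1} (HRESULT 0x{2:X8})" -f $dc, $_.Exception.Message, $_.Exception.ErrorCode)
}
```

If the query succeeds when run a few minutes later but fails during the backup window, the alert is a timing artifact of the 60-second rule rather than a real FSMO problem. `netdom query fsmo` on any DC gives the same answer without the LDAP detail and is a handy cross-check.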

Reference:

OpsMgr Errors – AD_Client_Update_DCs.vbs

Got this alert on one of the machines I have configured for AD client monitoring.

Error Text:
Command executed: “C:\Windows\system32\cscript.exe” /nologo “AD_Client_Update_DCs.vbs” winfs.chemistry.ohio-state.edu CHEMISTRY false 3 {ABFB3D66-E484-7150-CAB9-0901473EEC93}
Working Directory: C:\Program Files\System Center Operations Manager 2007\Health Service State\Monitoring Host Temporary Files 72\541\
One or more workflows were affected by this.
Workflow name: AD_Client_Update_DCs
Instance name: AD Client Monitoring

Resolution:

  1. Open Authoring -> Rules
  2. Override the rule, “AD Client Updates DCs”. Add any of your domain controllers to the ‘domain controller’ field, and set ‘Site Discovery Mode’ to 3.

References: