2013-07-12

Post-installation: refreshing channel data


Revision as of 10:17, 12 July 2013

(2 intermediate revisions by one user not shown)

Line 1:

Line 1:

 

= New Features in SUSE Manager 1.7 =

 

= New Features in SUSE Manager 1.7 =

 

 



This betatest comes with the latest upcoming features for SUSE Manager 1.7, which includes support for
Inter Server Sync - connect a SUSE Manager Server to another SUSE Manager Server instead of NCC for content distribution.

+

This betatest comes with the latest upcoming features for SUSE Manager 1.7, which includes support for
:

 

 



== Installation Instructions (
Server
) ==

+

* Inter
Server
Sync - connect a SUSE Manager Server to another SUSE Manager Server instead of NCC for content distribution;

 

+

* CVE Audit - find out what systems need to be patched for a certain CVE identifier.

 

 



Take care, that you have the latest official updates installed. susemanager-schema should have version 1.7.56.18 .

+

= Common installation instructions (Server) =

 

 

 

Stop spacewalk services

 

Stop spacewalk services
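
Review bot: the old side's prerequisite, "Take care, that you have the latest official updates installed. susemanager-schema should have version 1.7.56.18", has no counterpart under the new "= Common installation instructions (Server) =" heading, so the procedure now starts at "Stop spacewalk services" with no stated baseline to verify first. If the version check still applies to the beta, keep it ahead of that step; if it was dropped on purpose, a short sentence saying which package state is expected would help testers who are not fully patched.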

Line 11:

Line 12:

 

 

 

Update already installed packages

 

Update already installed packages



   $> zypper ar -f http://beta.suse.com/private/SUSE-Manager-beta/
features/inter-server-sync
manager-
iss
-beta

+

   $> zypper ar -f http://beta.suse.com/private/SUSE-Manager-beta/
<BETA_PATH>
manager-
<BETA_NAME>
-beta



   $> zypper dup --from manager-
iss
-beta

+

   $> zypper dup --from manager-
<BETA_NAME>
-beta

 

+

 

 

+

Schema upgrade

 

+

  $> spacewalk-schema-upgrade

 

 

 

Start spacewalk services

 

Start spacewalk services

 

   $> spacewalk-service start

 

   $> spacewalk-service start

 

+

 

+

= Inter Server Sync-specific instructions =

 

 

 

== Configure the Master Server to accept connections from a SUSE Manager Slave Server ==

 

== Configure the Master Server to accept connections from a SUSE Manager Slave Server ==
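
Review bot: the placeholders <BETA_PATH> and <BETA_NAME> in the "zypper ar -f" and "zypper dup --from" lines replace the old literals "features/inter-server-sync" and "iss", but the CVE audit section added further down in this diff never says what to substitute for them. Each feature-specific section should state its own values. Separately, the repository is still added over plain http://; a sentence telling testers to check the repository signing key when zypper prompts for it, or an https URL if the beta host offers one, would cover the integrity of the packages pulled in by "zypper dup".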

Line 42:

Line 48:

 

 

 

We have enhanced the yast module which setup a SUSE Manager Server to be able to setup a Slave server.

 

We have enhanced the yast module which setup a SUSE Manager Server to be able to setup a Slave server.



To test this, please install a new SUSE Manager Server from the appliance ISO and update all the packages before you  

+

To test this, please install a new SUSE Manager Server from the appliance ISO and update all the packages before you start the yast module:



start the yast module:

+

 

 

 

Update already installed packages

 

Update already installed packages

Line 118:

Line 123:

 

Register a SUSE Manager Slave to its parent and get updates from the parent is currently not

 

Register a SUSE Manager Slave to its parent and get updates from the parent is currently not

 

supported. To every beta tester the question, if this is needed and wanted.

 

supported. To every beta tester the question, if this is needed and wanted.

 

+

 

+

= CVE audit-specific instructions =

 

+

 

+

== Post-installation: refreshing channel data ==

 

+

 

+

CVE Audit needs to refresh channel data periodically in the background in order to produce correct results. This is scheduled, by default, at 23:00 every night. You can also schedule a run manually, right after installation, in order to have proper results without waiting until the next day:

 

+

 

+

* Go to the Admin page;

 

+

* Click on "Task schedules" from the left menu;

 

+

* Click on the "cve-server-channels-default" schedule link;

 

+

* Click on the "cve-server-channels-bunch" bunch link;

 

+

* Click on the "Single Run Schedule" button;

 

+

* After some minutes, refresh the page and check that the scheduled run status is FINISHED.

 

+

 

+

A direct link is also available in the CVE Audit for your convenience.

 

+

 

+

== Typical Usage ==

 

+

 

+

* Go to the Audit page;

 

+

* Input a 13-char CVE identifier;

 

+

* Optionally, un-check patch statuses you are not interested in (see below);

 

+

* Click on "Audit systems".

 

+

 

+

A list of systems is displayed, with usual pagination and navigation buttons. Each system has a "patch status" which describes its situation with respect to the CVE identifier. Possible statuses are:

 

+

* Affected, patch available in a channel which is not assigned: system is affected by the vulnerability and SUSE Manager has a patch for it but, at the moment, that channel is not assigned to the system itself;

 

+

* Affected, patch available in an assigned channel: system is affected by the vulnerability, SUSE Manager has a patch for it in a channel that is assigned to the system;

 

+

* Patch status unknown: SUSE Manager does not know the CVE identifier, thus it cannot determine if the system is affected or not;

 

+

* Not affected: the system does not have any installed packages that would be patchable;

 

+

* Patched: a patch has already been installed.

 

+

 

+

For a more precise definition of these statuses, see Notes.

 

+

 

+

For each system, the "Next Action" column contains suggestions on the steps to take in order to address vulnerabilities (installing a certain patch or assigning a new channel). When applicable, a list of "candidate" channels or patches is also displayed for your convenience.

 

+

 

+

== API Usage ==

 

+

 

+

An API method is available to run CVE audits from custom scripts, <code>audit.listSystemsByPatchStatus</code>. Details on how to use it are available in the API guide.

 

+

 

+

== Notes ==

 

+

 

+

As stated above audit results are correct only if the assignment of channels to systems did not change since the last scheduled refresh (normally, at 23:00 every night). If a CVE audit is needed and channels were assigned or unassigned to any system during the day, a manual run is recommended.

 

+

 

+

Systems are said to be "affected", "not affected" or "patched" not in an absolute sense, but ''based on information that SUSE Manager knows about''.

 

+

This implies that concepts such as "affectedness to a vulnerability" have particular meanings in this context and more precisely, the following definitions apply:

 

+

* system affected by a certain vulnerability: a system which has an installed package with version lower than the version of the same package in a relevant patch marked for the vulnerability;

 

+

* system not affected by a certain vulnerability: a system which has no installed package that is also in a relevant patch marked for the vulnerability;

 

+

* system patched for a certain vulnerability: a system which has an installed package with version equal to or greater than the version of the same package in a relevant patch marked for the vulnerability;

 

+

* relevant patch: a patch known by SUSE Manager in a relevant channel;

 

+

* relevant channel: a channel managed by SUSE Manager which is either assigned to the system, the original of a cloned channel which is assigned to the system, a channel linked to a product which is installed to the system or a past or future service pack channel for the system.

 

+

 

+

A notable consequence of the above definitions is that results can be inccorrect in cases of unmanaged channels, unmanaged packages and/or noncompliant systems.
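
Review bot: in "== Typical Usage ==" the status "Not affected" is described as "the system does not have any installed packages that would be patchable", while the qualification that this holds only for what SUSE Manager manages appears much later, in the last sentence of "== Notes ==". The only pointer under the status list is "For a more precise definition of these statuses, see Notes", which does not signal that results can be wrong for unmanaged channels, unmanaged packages or noncompliant systems; state that limitation in one line directly under the list so "Not affected" and "Patched" are not read as absolute. "Patch status unknown" is listed as a status but has no entry among the definitions in Notes, and "inccorrect" in the final sentence should be "incorrect".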
