Linux Reporting fails to reflect similarly to other compliance tools
Last Updated May 02, 2017
It has been found that Patch Management Solution for Linux targets multiple kernel updates to Linux clients, yet the same updates are not listed by YUM or other compliance tools outside Patch Management.
Patch Management Solution currently uses 'server-side targeting resolution': all installed-software data is gathered by the assessment scan of the client's Software Update Plug-in Agent and returned to the SMP Server, where the Import Patch Data for Linux is referenced against the client's inventory to populate the Patch Filter. The Red Hat Compliance Reports are based on what the Patch Filter includes, for which the IsApplicable/IsInstalled rule logic is compiled for review.
Because all data is gathered by this process, every installed kernel version is listed as IsInstalled and returned to the SMP Server for target analysis. From this inventory, the process above correlates what IsApplicable to the client with what IsInstalled and marks the vulnerabilities.
Workaround: The Red Hat Compliance Reports will coincide with what YUM or other compliance tools show, provided the inactive kernel versions are uninstalled. The assessment scan will then return only the currently installed kernel version in the inventory, and only that single kernel version is targeted.
Enhancement Request: This behavior was reviewed, and 'client-side targeting resolution' was added in ITMS 8.1, as outlined in DOC9606. With it, the analysis takes place completely on the client, and the reporting returned to the SMP reflects only what is currently active, as seen in other compliance tools.
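The workaround depends on knowing which installed kernel packages are not the running one. The following shell function is an added example, not part of the original article or the product: it takes the package list that `rpm -q kernel` prints and the release string from `uname -r`. The function name and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find installed kernel packages other than the running kernel.
# On a Red Hat client the real inputs would be:
#   rpm -q kernel    -> one package name per line
#   uname -r         -> release string of the running kernel

# Constructed sample data (not taken from any real client).
SAMPLE_INSTALLED='kernel-3.10.0-327.el7.x86_64
kernel-3.10.0-514.el7.x86_64
kernel-3.10.0-514.16.1.el7.x86_64'
SAMPLE_RUNNING='3.10.0-514.16.1.el7.x86_64'

# inactive_kernels RUNNING_RELEASE   (installed package names on stdin)
# Prints every kernel package except the one backing the running kernel.
# Returns 2 and prints nothing on stdout if the running kernel is not in
# the list, so a bad input can never mark every kernel as removable.
inactive_kernels() {
    running_pkg="kernel-$1"
    pkgs=$(cat)
    if ! printf '%s\n' "$pkgs" | grep -Fxq -- "$running_pkg"; then
        echo "running kernel $running_pkg not in package list" >&2
        return 2
    fi
    # grep exits 1 when nothing is left to print; that is not an error here.
    printf '%s\n' "$pkgs" | grep -Fxv -- "$running_pkg" || true
    return 0
}

# Dry run on the sample: show what an admin would review before removal.
printf '%s\n' "$SAMPLE_INSTALLED" | inactive_kernels "$SAMPLE_RUNNING" |
while read -r pkg; do
    echo "inactive: $pkg (candidate for: yum remove $pkg)"
done
```

On a live client, replace the sample inputs with `rpm -q kernel | inactive_kernels "$(uname -r)"` and review the list before uninstalling anything.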
Note: Please subscribe to this article to be notified when it is updated following a product change.
https://jira.ges.symantec.com/browse/EM-390 - Patch - Install new Linux kernel