How to troubleshoot vulscan in Linux

Overview: This document provides a quick overview of troubleshooting vulscan on the Linux platform. The following platforms are supported for vulnerabilities and repair however only the 32-bit LANDesk agent can repair vulnerabilities at this time.

SLES 9, 10, 10SP1, and 10SP2

RHEL 3, 4, and 5

It is important to note that there are a few vulnerabilities that involve every file on the Linux system. These vulnerabilities may take a very long time to scan for on a busy production server as they need to scan every single file. In some reports the scan process can take longer than a day to complete.

Note: Please see DOC-8273 for detailed information on how to setup vulnerability scanning on the Linux platform. This document will also provide instructions on registering each machine with Red Hat or Suse in order to download the actual patches themselves and make a repair task possible.

Log Location: /var/log/vulscan.log (older 8.8 and prior agents) /opt/landesk/logs/vulscan.log (9.0 and 9.5 agents)

Vulscan Options:

./vulscan -?

Usage: vulscan [options]

               -c <core>               use <core> as the core server

               -s <share>             use <share> as the data share name on the core

               -p <platform>         use  <platform> as the platform id

               -r <repairfile>          use <repairfile> as the repair definition file. Implies repair mode and "-n".

               -i <inventoryfile>     use <inventoryfile> for guid information

               -d <inputfile>          use <inputfile> as the vulnerability definition to scan instead of talking to the core. Implies scan mode and "-n".

               -n                          do not try to talk to the core.

               -S                         do not scan after fixing. (used in conjunction with -x)

               -f <cfgfile>              use <cfgfile> for configuration information

               -o <outputfile>         write results to <outputfile> instead of sending results to core

               -l <language>          use <language> as the request language

               -V##                       verbose output <-V2 is more verbose than -V1)

               -v                            show version and exit

               -x <vulid>                patch vulnerability id specified in <vulid>. This can be set to 'all', vulscan will query the core server for all available updates.

               -h or -?                    show this message and exit

Note: the -r and -d flags are mutually exclusive. The program can only be run in scan mode, or repair mode.

Troubleshooting:

Vulscan will periodically attempt to POST the scan results to the core server when it finishes processing a section. Using the "-o" paramter may help in troubleshooting problems with vulscan appearing to exit prematurely or halt in memory. Also the "-V##" switch can go up to 255 which will result in the most verbose logging.