SYSTEM AND METHOD FOR SELF POLICING OF AUTHORIZED CONFIGURATION BY END POINTS

US 20090094462A1
Filed: 10/03/2007
Published: 04/09/2009
Est. Priority Date: 10/03/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving one or more change approval packages at a computer system, each of the change approval packages including authorized change identification data that identifies one or more authorized changes to the computer system;

storing the received authorized change identification data in a storage area accessible from the computer system;

receiving a change package at the computer system, the change package including a change to the computer system and metadata that identifies the change;

comparing the received metadata with the stored authorized change identification data;

installing the change on the computer system in response to the comparison revealing that the received metadata matches one of the stored authorized change identification data; and

rejecting the change in response to the comparison revealing that the received metadata does not match any of the stored authorized change identification data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and program product is provided that distributes authorized changes to the organization'"'"'s entities and has the individual computer systems police configuration changes. A system receives change approval packages, each of the change approval packages including authorized change identification data that identifies authorized changes to the system. The authorized change identification data are stored in a storage area of the system. Subsequently, a change package is received by the computer system. The change package includes a change to the computer system and metadata that identifies the change. The metadata is compared with the authorized change identification data. If the metadata matches one of the authorized change identification data, then the change is installed, otherwise the change is rejected.

Citations

20 Claims

1. A computer-implemented method comprising:
- receiving one or more change approval packages at a computer system, each of the change approval packages including authorized change identification data that identifies one or more authorized changes to the computer system;
  
  storing the received authorized change identification data in a storage area accessible from the computer system;
  
  receiving a change package at the computer system, the change package including a change to the computer system and metadata that identifies the change;
  
  comparing the received metadata with the stored authorized change identification data;
  
  installing the change on the computer system in response to the comparison revealing that the received metadata matches one of the stored authorized change identification data; and
  
  rejecting the change in response to the comparison revealing that the received metadata does not match any of the stored authorized change identification data.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the change approval package is a result of an approved request for change that is stored in an authorized configurations area of a separate configuration management database prior to being received at the computer system.
  - 3. The method of claim 1 wherein the change is a software file and the authorized change identification data includes a first hash result, the method further comprising:
    - processing the software file using a hashing algorithm, the processing resulting in a second hash result; and
      
      wherein installing the change includes installing the software file on the computer system in response to the first hash result being equal to the second hash result.
  - 4. The method of claim 3 wherein, when the first hash result does not equal the second hash result, the method further comprises:
    - requesting a manual override from a user;
      
      receiving a reply from the user;
      
      installing the change which includes installing the software file on the computer system in response to the users reply being an override authorization; and
      
      rejecting the change in response to not receiving an override authorization in the user'"'"'s reply.
  - 5. The method of claim 4 further comprising:
    - sending the manual override request to the user over a computer network, wherein the user is using a second computer system; and
      
      receiving the reply from the user over the computer network.
  - 6. The method of claim 1 wherein the storage area is included in a second computer system and the method further comprises:
    - sending the received authorized change identification data to the second computer system where it is stored in the storage area; and
      
      after receiving the change package;
      
      requesting the stored authorized change identification data from the second computer system; and
      
      receiving the stored authorized change identification data from the second computer system in response to the requesting.
  - 7. The method of claim 1 further comprising:
    - creating a request for change;
      
      upon approval of the request for change, storing one or more authorized configuration changes in a configuration management database that is hosted by a configuration management server, wherein authorized configurations of one or more computer systems, including the computer system, are stored in the configuration management database, and wherein actual configurations of one or more computer systems, including the computer system, are also stored in the configuration management database, wherein the actual configurations are obtained by performing a discovery process on the one or more computer systems;
      
      processing one or more software files that correspond to one or more of the change approval packages using a hashing algorithm, the processing resulting in a first set of hash results;
      
      distributing the change approval packages that correspond to the request for change to the computer system, wherein at least one of the change approval packages includes one of the first set of hash results, wherein, when received by the computer system, the change approval packages are stored in a local authorized configurations data store that is accessible from the computer system;
      
      sending the change to the computer system, wherein the change includes a selected one of the software files;
      
      processing at the computer system the selected software file using the hashing algorithm, the processing resulting in a second hash result; and
      
      comparing one of the first hash results that was included in the change approval package that corresponds to the change package received at the computer system, wherein installing the change includes installing the software file on the computer system in response to the first hash result included in the change approval package being equal to the second hash result.

8. A information handling system comprising:
- one or more processors;
  
  a memory accessible by at least one of the processors;
  
  a nonvolatile storage area accessible by at least one of the processors;
  
  a network interface that connects the information handling system to a computer network;
  
  a set of instructions stored in the memory and executed by at least one of the processors in order to perform actions of;
  
  receiving, via the network interface from a second information handling system connected to the computer network, one or more change approval packages, each of the change approval packages including authorized change identification data that identifies one or more authorized changes to the computer system;
  
  storing the received authorized change identification data in the nonvolatile storage area;
  
  receiving, via the network interface from a third information handling system connected to the computer network, a change package at the computer system, the change package including a change to the computer system and metadata that identifies the change;
  
  comparing the received metadata with the stored authorized change identification data;
  
  installing the change on the computer system in response to the comparison revealing that the received metadata matches one of the stored authorized change identification data; and
  
  rejecting the change in response to the comparison revealing that the received metadata does not match any of the stored authorized change identification data.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The information handling system of claim 8 wherein the change approval package is a result of an approved request for change that is stored in an authorized configurations area of a separate configuration management database prior to being received at the information handling system.
  - 10. The information handling system of claim 8 wherein the change is a software file and the authorized change identification data includes a first hash result, and wherein the set of instructions, when executed, cause at least one of the processors to perform further actions comprising:
    - processing the software file using a hashing algorithm, the processing resulting in a second hash result; and
      
      wherein installing the change includes installing the software file on the computer system in response to the first hash result being equal to the second hash result.
  - 11. The information handling system of claim 10 wherein, when the first hash result does not equal the second hash result, the set of instructions, when executed, cause at least one of the processors to perform further actions comprising:
    - requesting a manual override from a user;
      
      receiving a reply from the user;
      
      installing the change which includes installing the software file on the computer system in response to the user'"'"'s reply being an override authorization; and
      
      rejecting the change in response to not receiving an override authorization in the user'"'"'s reply.
  - 12. The information handling system of claim 11 further comprising:
    - sending the manual override request to the user over the computer network via the network interface, wherein the user is using a second information handling system, andreceiving the reply from the user over the computer network via the network interface.
  - 13. The information handling system of claim 8 wherein the action of receiving the change approval packages further includes actions comprising:
    - identifying a sender of each of the change approval packages;
      
      retrieving a list of one or more authorized senders from a nonvolatile storage area, wherein one or more of the change approval packages are stored in response to the sender of the one or more change approval packages being included in the list of authorized senders, and wherein at least one of the change approval packages are rejected in response to the sender of the at least one change approval packages not being included in the list of authorized senders.

14. A computer program product stored in a computer readable medium, comprising functional descriptive material that, when executed by an information handling system, causes the information handling system to perform actions that include:
- receiving one or more change approval packages at a computer system, each of the change approval packages including authorized change identification data that identifies one or more authorized changes to the computer system;
  
  storing the received authorized change identification data in a storage area accessible from the computer system;
  
  receiving a change package at the computer system, the change package including a change to the computer system and metadata that identifies the change;
  
  comparing the received metadata with the stored authorized change identification data;
  
  installing the change on the computer system in response to the comparison revealing that the received metadata matches one of the stored authorized change identification data; and
  
  rejecting the change in response to the comparison revealing that the received metadata does not match any of the stored authorized change identification data.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer program product of claim 14 wherein the change approval package is a result of an approved request for change that is stored in an authorized configurations area of a separate configuration management database prior to being received at the computer system.
  - 16. The computer program product of claim 14 wherein the change is a software file and the authorized change identification data includes a first hash result, wherein the functional descriptive material causes the data processing system to perform additional actions comprising:
    - processing the software file using a hashing algorithm, the processing resulting in a second hash result; and
      
      wherein installing the change includes installing the software file on the computer system in response to the first hash result being equal to the second hash result.
  - 17. The computer program product of claim 16 wherein, when the first hash result does not equal the second hash result, wherein the functional descriptive material causes the data processing system to perform additional actions comprising:
    - requesting a manual override from a user;
      
      receiving a reply from the user;
      
      installing the change which includes installing the software file on the computer system in response to the users reply being an override authorization; and
      
      rejecting the change in response to not receiving an override authorization in the user'"'"'s reply.
  - 18. The computer program product of claim 17 wherein the functional descriptive material causes the data processing system to perform additional actions comprising:
    - sending the manual override request to the user over a computer network, wherein the user is using a second computer system; and
      
      receiving the reply from the user over the computer network.
  - 19. The computer program product of claim 14 wherein the storage area is included in a second computer system and the method further comprises:
    - sending the received authorized change identification data to the second computer system where it is stored in the storage area; and
      
      after receiving the change package;
      
      requesting the stored authorized change identification data from the second computer system; and
      
      receiving the stored authorized change identification data from the second computer system in response to the requesting.
  - 20. The computer program product of claim 14 wherein the functional descriptive material causes the data processing system to perform additional actions comprising:
    - creating a request for change;
      
      upon approval of the request for change, storing one or more authorized configuration changes in a configuration management database that is hosted by a configuration management server, wherein authorized configurations of one or more computer systems, including the computer system, are stored in the configuration management database, and wherein actual configurations of one or more computer systems, including the computer system, are also stored in the configuration management database, wherein the actual configurations are obtained by performing a discovery process on the one or more computer systems;
      
      processing one or more software files that correspond to one or more of the change approval packages using a hashing algorithm, the processing resulting in a first set of hash results;
      
      distributing the change approval packages that correspond to the request for change to the computer system, wherein at least one of the change approval packages includes one of the first set of hash results, wherein, when received by the computer system, the change approval packages are stored in a local authorized configurations data store that is accessible from the computer system;
      
      sending the change to the computer system, wherein the change includes a selected one of the software files;
      
      processing at the computer system the selected software file using the hashing algorithm, the processing resulting in a second hash result; and
      
      comparing one of the first hash results that was included in the change approval package that corresponds to the change package received at the computer system, wherein installing the change includes installing the software file on the computer system in response to the first hash result included in the change approval package being equal to the second hash result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Madduri, Hari Haranath

Granted Patent

US 8,413,130 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/182
CPC Class Codes

G06F 21/572 Secure firmware programming...

SYSTEM AND METHOD FOR SELF POLICING OF AUTHORIZED CONFIGURATION BY END POINTS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR SELF POLICING OF AUTHORIZED CONFIGURATION BY END POINTS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links