System and method for self policing of authorized configuration by end points

US 8,413,130 B2
Filed: 10/03/2007
Issued: 04/02/2013
Est. Priority Date: 10/03/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving one or more change approval packages at a first computer system from a second computer system including a configuration management database, each of the change approval packages including authorized change identification data that identifies one or more authorized changes of at least one configuration item in the first computer system, and wherein each change approval package is a result of an approved request for change that is stored in an authorized configurations area of the configuration management database prior to being received at the first computer system;

storing the received authorized change identification data in an authorization configuration storage area associated with the first computer system;

in response to the storing, receiving a change package at the first computer system, the change package including a change to at least one configuration item in the first computer system and metadata that identifies the change;

comparing, by the first computer system, the received metadata with the stored authorized change identification data;

installing the change on the first computer system in response to the comparison revealing that the received metadata matches one of the stored authorized change identification data; and

rejecting the change in response to the comparison revealing that the received metadata does not match any of the stored authorized change identification data, wherein the rejecting prevents unauthorized application of the change package to the first computer system before the change package is applied.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and program product is provided that distributes authorized changes to the organization'"'"'s entities and has the individual computer systems police configuration changes. A system receives change approval packages, each of the change approval packages including authorized change identification data that identifies authorized changes to the system. The authorized change identification data are stored in a storage area of the system. Subsequently, a change package is received by the computer system. The change package includes a change to the computer system and metadata that identifies the change. The metadata is compared with the authorized change identification data. If the metadata matches one of the authorized change identification data, then the change is installed, otherwise the change is rejected.

Citations

17 Claims

1. A computer-implemented method comprising:
- receiving one or more change approval packages at a first computer system from a second computer system including a configuration management database, each of the change approval packages including authorized change identification data that identifies one or more authorized changes of at least one configuration item in the first computer system, and wherein each change approval package is a result of an approved request for change that is stored in an authorized configurations area of the configuration management database prior to being received at the first computer system;
  
  storing the received authorized change identification data in an authorization configuration storage area associated with the first computer system;
  
  in response to the storing, receiving a change package at the first computer system, the change package including a change to at least one configuration item in the first computer system and metadata that identifies the change;
  
  comparing, by the first computer system, the received metadata with the stored authorized change identification data;
  
  installing the change on the first computer system in response to the comparison revealing that the received metadata matches one of the stored authorized change identification data; and
  
  rejecting the change in response to the comparison revealing that the received metadata does not match any of the stored authorized change identification data, wherein the rejecting prevents unauthorized application of the change package to the first computer system before the change package is applied.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the change is a software file and the authorized change identification data includes a first hash result, the method further comprising:
    - processing the software file using a hashing algorithm, the processing resulting in a second hash result; and
      
      wherein installing the change further comprises installing the software file on the first computer system in response to the first hash result being equal to the second hash result.
  - 3. The method of claim 2 wherein, when the first hash result does not equal the second hash result, the method further comprises:
    - requesting a manual override from a user;
      
      receiving a reply from the user;
      
      installing the change which includes installing the software file on the first computer system in response to the user'"'"'s reply being an override authorization; and
      
      rejecting the change in response to not receiving an override authorization in the user'"'"'s reply.
  - 4. The method of claim 3 further comprising:
    - sending the manual override request to the user over a computer network, wherein the user is using a third computer system; and
      
      receiving the reply from the user over the computer network.
  - 5. The method of claim 1 wherein the authorization configuration storage area is included in the second computer system and the method further comprises:
    - sending the received authorized change identification data to the second computer system where it is stored in the authorization configuration storage area; and
      
      after receiving the change package;
      
      requesting the stored authorized change identification data from the second computer system; and
      
      receiving the stored authorized change identification data from the second computer system in response to the requesting.
  - 6. The method of claim 1 further comprising:
    - creating a request for change;
      
      upon approval of the request for change, storing one or more authorized configuration changes in the configuration management database that is hosted by the second computer system, wherein authorized configurations of one or more computer systems, including the first computer system, are stored in the configuration management database, and wherein actual configurations of one or more computer systems, including the first computer system, are also stored in the configuration management database, wherein the actual configurations are obtained by performing a discovery process on the one or more computer systems;
      
      processing one or more software files that correspond to one or more of the change approval packages using a hashing algorithm, the processing resulting in a first set of hash results;
      
      distributing the change approval packages that correspond to the request for change to the first computer system, wherein at least one of the change approval packages includes one of the first set of hash results, wherein, when received by the first computer system, the change approval packages are stored in a local authorized configurations data store that is accessible from the first computer system;
      
      sending the change to the first computer system, wherein the change includes a selected one of the software files;
      
      processing at the first computer system the selected software file using the hashing algorithm, the processing resulting in a second hash result; and
      
      comparing, by the first computer system, one of the first hash results that was included in the change approval package that corresponds to the change package received at the first computer system, wherein installing the change further comprises installing the software file on the first computer system in response to the first hash result included in the change approval package being equal to the second hash result.

7. A information handling system comprising:
- one or more processors;
  
  a memory accessible by at least one of the processors;
  
  a nonvolatile storage area accessible by at least one of the processors;
  
  a network interface that connects the information handling system to a computer network;
  
  a set of instructions stored in the memory and executed by at least one of the processors in order to perform actions of;
  
  receiving, via the network interface from a second information handling system connected to the computer network, the second information handling system including a configuration management database, one or more change approval packages, each of the change approval packages including authorized change identification data that identifies one or more authorized changes of at least one configuration item in the information handling system, and wherein each change approval package is a result of an approved request for change that is stored in an authorized configurations area of the configuration management database prior to being received at the information handling system;
  
  storing the received authorized change identification data in an authorization configuration storage area included in the nonvolatile storage area;
  
  in response to the storing, receiving, via the network interface from a third information handling system connected to the computer network, a change package at the information handling system, the change package including a change to the information handling system and metadata that identifies the change;
  
  comparing the received metadata with the stored authorized change identification data;
  
  installing the change on the information handling system in response to the comparison revealing that the received metadata matches one of the stored authorized change identification data; and
  
  rejecting the change in response to the comparison revealing that the received metadata does not match any of the stored authorized change identification data, wherein the rejecting prevents unauthorized application of the change package to the information handling system before the change package is applied.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The information handling system of claim 7 wherein the change is a software file and the authorized change identification data includes a first hash result, and wherein the set of instructions, when executed, cause at least one of the processors to perform further actions comprising:
    - processing the software file using a hashing algorithm, the processing resulting in a second hash result; and
      
      wherein installing the change further comprises installing the software file on the information handling system in response to the first hash result being equal to the second hash result.
  - 9. The information handling system of claim 8 wherein, when the first hash result does not equal the second hash result, the set of instructions, when executed, cause at least one of the processors to perform further actions comprising:
    - requesting a manual override from a user;
      
      receiving a reply from the user;
      
      installing the change which includes installing the software file on the information handling system in response to the user'"'"'s reply being an override authorization; and
      
      rejecting the change in response to not receiving an override authorization in the user'"'"'s reply.
  - 10. The information handling system of claim 9 further comprising:
    - sending the manual override request to the user over the computer network via the network interface; and
      
      receiving the reply from the user over the computer network via the network interface.
  - 11. The information handling system of claim 7 wherein the action of receiving the change approval packages further includes actions comprising:
    - identifying a sender of each of the change approval packages;
      
      retrieving a list of one or more authorized senders from the nonvolatile storage area, wherein one or more of the change approval packages are stored in response to the sender of the one or more change approval packages being included in the list of authorized senders, and wherein at least one of the change approval packages are rejected in response to the sender of the at least one change approval packages not being included in the list of authorized senders.

12. A computer program product stored in a computer readable storage medium, comprising functional descriptive material that, when executed by an information handling system, causes the information handling system to perform actions that include:
- receiving one or more change approval packages at a first computer system from a second computer system including a configuration management database, each of the change approval packages including authorized change identification data that identifies one or more authorized changes of at least one configuration item in the first computer system, and wherein each change approval package is a result of an approved request for change that is stored in an authorized configurations area of the configuration management database prior to being received at the first computer system;
  
  storing the received authorized change identification data in an authorization configuration storage area associated with the first computer system;
  
  in response to the storing, receiving a change package at the first computer system, the change package including a change to the first computer system and metadata that identifies the change;
  
  comparing, by the first computer system, the received metadata with the stored authorized change identification data;
  
  installing the change on the first computer system in response to the comparison revealing that the received metadata matches one of the stored authorized change identification data; and
  
  rejecting the change in response to the comparison revealing that the received metadata does not match any of the stored authorized change identification data, wherein the rejecting prevents unauthorized application of the change package to the first computer system before the change package is applied.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer program product of claim 12 wherein the change is a software file and the authorized change identification data includes a first hash result, and wherein the functional descriptive material causes the data processing system to perform additional actions comprising:
    - processing the software file using a hashing algorithm, the processing resulting in a second hash result; and
      
      wherein installing the change further comprises installing the software file on the first computer system in response to the first hash result being equal to the second hash result.
  - 14. The computer program product of claim 13 wherein, when the first hash result does not equal the second hash result, wherein the functional descriptive material causes the data processing system to perform additional actions comprising:
    - requesting a manual override from a user;
      
      receiving a reply from the user;
      
      installing the change which includes installing the software file on the first computer system in response to the user'"'"'s reply being an override authorization; and
      
      rejecting the change in response to not receiving an override authorization in the user'"'"'s reply.
  - 15. The computer program product of claim 14 wherein the functional descriptive material causes the data processing system to perform additional actions comprising:
    - sending the manual override request to the user over a computer network, wherein the user is using a third computer system; and
      
      receiving the reply from the user over the computer network.
  - 16. The computer program product of claim 12 wherein the authorization configuration storage area is included in the second computer system and the method further comprises:
    - sending the received authorized change identification data to the second computer system where it is stored in the authorization configuration storage area; and
      
      after receiving the change package;
      
      requesting the stored authorized change identification data from the second computer system; and
      
      receiving the stored authorized change identification data from the second computer system in response to the requesting.
  - 17. The computer program product of claim 12 wherein the functional descriptive material causes the data processing system to perform additional actions comprising:
    - creating a request for change;
      
      upon approval of the request for change, storing one or more authorized configuration changes in a configuration management database that is hosted by the second computer system, wherein authorized configurations of one or more computer systems, including the first computer system, are stored in the configuration management database, and wherein actual configurations of one or more computer systems, including the first computer system, are also stored in the configuration management database, wherein the actual configurations are obtained by performing a discovery process on the one or more computer systems;
      
      processing one or more software files that correspond to one or more of the change approval packages using a hashing algorithm, the processing resulting in a first set of hash results;
      
      distributing the change approval packages that correspond to the request for change to the first computer system, wherein at least one of the change approval packages includes one of the first set of hash results, wherein, when received by the first computer system, the change approval packages are stored in a local authorized configurations data store that is accessible from the first computer system;
      
      sending the change to the first computer system, wherein the change includes a selected one of the software files;
      
      processing at the first computer system the selected software file using the hashing algorithm, the processing resulting in a second hash result; and
      
      comparing, by the first computer system, one of the first hash results that was included in the change approval package that corresponds to the change package received at the first computer system, wherein installing the change further comprises installing the software file on the first computer system in response to the first hash result included in the change approval package being equal to the second hash result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Madduri, Hari Haranath
Primary Examiner(s)
Zhen, Wei
Assistant Examiner(s)
BROPHY, MATTHEW J

Application Number

US11/866,420
Publication Number

US 20090094462A1
Time in Patent Office

2,008 Days
Field of Search

None
US Class Current

717/168
CPC Class Codes

G06F 21/572 Secure firmware programming...

System and method for self policing of authorized configuration by end points

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for self policing of authorized configuration by end points

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links