Compliance-based adaptations in managed virtual systems

US 9,852,001 B2
Filed: 10/26/2015
Issued: 12/26/2017
Est. Priority Date: 10/17/2006
Status: Active Grant

First Claim

Patent Images

1. A method for enforcing a policy associated with a virtual appliance, the method comprising:

receiving a virtual appliance event request;

receiving first data about the virtual appliance in response to receiving the virtual appliance event request, wherein the first data about the virtual appliance was extracted prior to initiating the virtual appliance and prior to receiving the virtual appliance event request, and the first data was stored prior to receiving the virtual appliance event request for later processing after receiving the virtual appliance event request;

receiving second different data from an environment outside the virtual appliance in response to receiving the virtual appliance event request;

determining whether an internal non-compliance by the virtual appliance of a first policy-based compliance scheme exists based on the first data that was stored prior to receiving the virtual appliance event request;

determining whether an external non-compliance by the virtual appliance as provided in the environment of a second different policy-based compliance scheme exists based on the second different data; and

in response to determining that at least one of the internal non-compliance and the external non-compliance exists, at least one of denying the virtual appliance event request, providing a notification of non-compliance, adapting the virtual appliance, and adapting the environment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for controlling and managing virtual machines and other such virtual systems. VM execution approval is based on compliance with policies controlling various aspects of VM. The techniques can be employed to benefit all virtual environments, such as virtual machines, virtual appliances, and virtual applications. For ease of discussion herein, assume that a virtual machine (VM) represents each of these environments. In one particular embodiment, a systems management partition (SMP) is created inside the VM to provide a persistent and resilient storage for management information (e.g., logical and physical VM metadata). The SMP can also be used as a staging area for installing additional content or agentry on the VM when the VM is executed. Remote storage of management information can also be used. The VM management information can then be made available for pre-execution processing, including policy-based compliance testing.

148 Citations

50 Claims

1. A method for enforcing a policy associated with a virtual appliance, the method comprising:
- receiving a virtual appliance event request;
  
  receiving first data about the virtual appliance in response to receiving the virtual appliance event request, wherein the first data about the virtual appliance was extracted prior to initiating the virtual appliance and prior to receiving the virtual appliance event request, and the first data was stored prior to receiving the virtual appliance event request for later processing after receiving the virtual appliance event request;
  
  receiving second different data from an environment outside the virtual appliance in response to receiving the virtual appliance event request;
  
  determining whether an internal non-compliance by the virtual appliance of a first policy-based compliance scheme exists based on the first data that was stored prior to receiving the virtual appliance event request;
  
  determining whether an external non-compliance by the virtual appliance as provided in the environment of a second different policy-based compliance scheme exists based on the second different data; and
  
  in response to determining that at least one of the internal non-compliance and the external non-compliance exists, at least one of denying the virtual appliance event request, providing a notification of non-compliance, adapting the virtual appliance, and adapting the environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the internal non-compliance includes at least one of software that has not been installed on the virtual appliance, software that has been removed from the virtual appliance, and software that has not been updated on the virtual appliance.
  - 3. The method of claim 1, wherein adapting the virtual appliance includes insertion of data into the virtual appliance.
  - 4. The method of claim 1, wherein adapting the virtual appliance includes at least one of updating a virus definition, installing anti-virus software, installing a security patch, executing an anti-virus scanning application, removing malware, and disabling malware.
  - 5. The method of claim 4, wherein the malware includes at least one of a virus, worm, trojan horse, rootkit, spyware, and adware.
  - 6. The method of claim 1, wherein adapting the virtual appliance includes adjusting security settings associated with the virtual appliance.
  - 7. The method of claim 1, wherein adapting the virtual appliance includes deleting unauthorized content from the virtual appliance.
  - 8. The method of claim 1, wherein adapting the virtual appliance includes obtaining necessary licensing associated with the virtual appliance.
  - 9. The method of claim 1, wherein the notification of non-compliance is automatically issued to an administrator to obtain licensing associated with the virtual appliance.
  - 10. The method of claim 1, wherein adapting the virtual appliance includes scheduling at least one of an agent and a process to carryout remedial action, and scheduling at least one of an agent or process includes at least one of requesting, transferring, downloading, and installing at least one of security updates for the virtual appliance and security patches for the virtual appliance, searching for and eradicating malware associated with the virtual appliance, and registering the virtual appliance for use in a managed system.
  - 11. The method of claim 1, wherein adapting the virtual appliance includes restricting access permissions, so that the virtual appliance can only access certain content, resources, and areas of a managed system.
  - 12. The method of claim 1, wherein adapting the virtual appliance includes at least one of adding, updating, and deleting user account information, so as to limit account authority associated with the virtual appliance.
  - 13. The method of claim 1, wherein adapting the virtual appliance includes validating adaptations made to the virtual appliance.
  - 14. The method of claim 13, wherein validating adaptations made includes repeating policy-based compliance testing that was used to determine the virtual appliance was non-compliant.
  - 15. The method of claim 1, wherein the virtual appliance is part of a group that includes a plurality of virtual appliances, and the virtual appliance is adapted when a quorum of the plurality of virtual appliances have been adapted.
  - 16. The method of claim 1, wherein the environment is at least one of a virtual machine manager, a host environment, a management agent, and an execution platform.
  - 17. The method of claim 1, wherein the virtual appliance is adapted to comply with the first policy-based compliance scheme by, within the virtual appliance, at least one of modifying, inserting, deleting, and configuring at least one of a file, a parameter, a setting, data, a procedure call, a scheduled event, an agent, and a process.
  - 18. The method of claim 1, wherein the environment is adapted to comply with the second policy-based compliance scheme by, in the environment outside the virtual appliance, at least one of registering, integrating, acquiring, modifying, inserting, deleting, and configuring at least one of a configuration management database, an asset management database, a license manager, a server, a license, a file, a parameter, a setting, data, a procedure call, a scheduled event, an agent, and a process.

19. An apparatus for enforcing a policy associated with a virtual appliance, the apparatus comprising:
- a hardware processor, anda machine readable medium storing instructions which, when executed by the hardware processor, cause the hardware processor to;
  
  receive a virtual appliance event request;
  
  receive first data about the virtual appliance in response to receiving the virtual appliance event request, wherein the first data about the virtual appliance was extracted prior to initiating the virtual appliance and prior to receiving the virtual appliance event request, and the first data was stored prior to receiving the virtual appliance event request for later processing after receiving the virtual appliance event request;
  
  receive second different data from an environment outside the virtual appliance in response to receiving the virtual appliance event request;
  
  determine whether an internal non-compliance by the virtual appliance of a first policy-based compliance scheme exists based on the first data that was stored prior to receiving the virtual appliance event request;
  
  determine whether an external non-compliance by the virtual appliance as provided in the environment of a second different policy-based compliance scheme exists based on the second different data; and
  
  in response to determining that at least one of the internal non-compliance and the external non-compliance exists, at least one of deny the virtual appliance event request, provide a notification of non-compliance, adapt the virtual appliance, and adapt the environment.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 20. The apparatus of claim 19, wherein the internal non-compliance includes at least one of software that has not been installed on the virtual appliance, software that has been removed from the virtual appliance, and software that has not been updated on the virtual appliance.
  - 21. The apparatus of claim 19, wherein adapting the virtual appliance includes insertion of data into the virtual appliance.
  - 22. The apparatus of claim 19, wherein adapting the virtual appliance includes at least one of updating a virus definition, installing anti-virus software, installing a security patch, executing an anti-virus scanning application, removing malware, and disabling malware.
  - 23. The apparatus of claim 19, wherein adapting the virtual appliance includes adjusting security settings associated with the virtual appliance.
  - 24. The apparatus of claim 19, wherein adapting the virtual appliance includes deleting unauthorized content from the virtual appliance.
  - 25. The apparatus of claim 19, wherein adapting the virtual appliance includes obtaining necessary licensing associated with the virtual appliance.
  - 26. The apparatus of claim 19, wherein the notification of non-compliance is automatically issued to an administrator to obtain licensing associated with the virtual appliance.
  - 27. The apparatus of claim 19, wherein adapting the virtual appliance includes scheduling at least one of an agent and a process to carryout remedial action, and scheduling at least one of an agent or process includes at least one of requesting, transferring, downloading, and installing at least one of security updates for the virtual appliance and security patches for the virtual appliance, searching for and eradicating malware associated with the virtual appliance, and registering the virtual appliance for use in a managed system.
  - 28. The apparatus of claim 19, wherein adapting the virtual appliance includes restricting access permissions, so that the virtual appliance can only access certain content, resources, and areas of a managed system.
  - 29. The apparatus of claim 19, wherein adapting the virtual appliance includes at least one of adding, updating, and deleting user account information, so as to limit account authority associated with the virtual appliance.
  - 30. The apparatus of claim 19, wherein adapting the virtual appliance includes validating adaptations made to the virtual appliance.
  - 31. The apparatus of claim 19, wherein the virtual appliance is part of a group that includes a plurality of virtual appliances, and the virtual appliance is adapted when a quorum of the plurality of virtual appliances have been adapted.
  - 32. The apparatus of claim 19, wherein the environment is at least one of a virtual machine manager, a host environment, a management agent, and an execution platform.
  - 33. The apparatus of claim 19, wherein the virtual appliance is adapted to comply with the first policy-based compliance scheme by, within the virtual appliance, at least one of modifying, inserting, deleting, and configuring at least one of a file, a parameter, a setting, data, a procedure call, a scheduled event, an agent, and a process.
  - 34. The apparatus of claim 19, wherein the environment is adapted to comply with the second policy-based compliance scheme by, in the environment outside the virtual appliance, at least one of registering, integrating, acquiring, modifying, inserting, deleting, and configuring at least one of a configuration management database, an asset management database, a license manager, a server, a license, a file, a parameter, a setting, data, a procedure call, a scheduled event, an agent, and a process.

35. A non-transitory machine readable medium storing a program for enforcing a policy associated with a virtual appliance, which when executed by a processor, causes the processor to:
- receive a virtual appliance event request;
  
  receive first data about the virtual appliance in response to receiving the virtual appliance event request, wherein the first data about the virtual appliance was extracted prior to initiating the virtual appliance and prior to receiving the virtual appliance event request, and the first data was stored prior to receiving the virtual appliance event request for later processing after receiving the virtual appliance event request;
  
  receive second different data from an environment outside the virtual appliance in response to receiving the virtual appliance event request;
  
  determine whether an internal non-compliance by the virtual appliance of a first policy-based compliance scheme exists based on the first data that was stored prior to receiving the virtual appliance event request;
  
  determine whether an external non-compliance by the virtual appliance as provided in the environment of a second different policy-based compliance scheme exists based on the second different data; and
  
  in response to determining that at least one of the internal non-compliance and the external non-compliance exists, at least one of deny the virtual appliance event request, provide a notification of non-compliance, adapt the virtual appliance, and adapt the environment.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 36. The non-transitory machine readable medium of claim 35, wherein the internal non-compliance includes at least one of software that has not been installed on the virtual appliance, software that has been removed from the virtual appliance, and software that has not been updated on the virtual appliance.
  - 37. The non-transitory machine readable medium of claim 35, wherein adapting the virtual appliance includes insertion of data into the virtual appliance.
  - 38. The non-transitory machine readable medium of claim 35, wherein adapting the virtual appliance includes at least one of updating a virus definition, installing anti-virus software, installing a security patch, executing an anti-virus scanning application, removing malware, and disabling malware.
  - 39. The non-transitory machine readable medium of claim 35, wherein adapting the virtual appliance includes adjusting security settings associated with the virtual appliance.
  - 40. The non-transitory machine readable medium of claim 35, wherein adapting the virtual appliance includes deleting unauthorized content from the virtual appliance.
  - 41. The non-transitory machine readable medium of claim 35, wherein adapting the virtual appliance includes obtaining necessary licensing associated with the virtual appliance.
  - 42. The non-transitory machine readable medium of claim 35, wherein the notification of non-compliance is automatically issued to an administrator to obtain licensing associated with the virtual appliance.
  - 43. The non-transitory machine readable medium of claim 35, wherein adapting the virtual appliance includes scheduling at least one of an agent and a process to carryout remedial action, and scheduling at least one of an agent or process includes at least one of requesting, transferring, downloading, and installing at least one of security updates for the virtual appliance and security patches for the virtual appliance, searching for and eradicating malware associated with the virtual appliance, and registering the virtual appliance for use in a managed system.
  - 44. The non-transitory machine readable medium of claim 35, wherein adapting the virtual appliance includes restricting access permissions, so that the virtual appliance can only access certain content, resources, and areas of a managed system.
  - 45. The non-transitory machine readable medium of claim 35, wherein adapting the virtual appliance includes at least one of adding, updating, and deleting user account information, so as to limit account authority associated with the virtual appliance.
  - 46. The non-transitory machine readable medium of claim 35, wherein adapting the virtual appliance includes validating adaptations made to the virtual appliance.
  - 47. The non-transitory machine readable medium of claim 35, wherein the virtual appliance is part of a group that includes a plurality of virtual appliances, and the virtual appliance is adapted when a quorum of the plurality of virtual appliances have been adapted.
  - 48. The non-transitory machine readable medium of claim 35, wherein the environment is at least one of a virtual machine manager, a host environment, a management agent, and an execution platform.
  - 49. The non-transitory machine readable medium of claim 35, wherein the virtual appliance is adapted to comply with the first policy-based compliance scheme by, within the virtual appliance, at least one of modifying, inserting, deleting, and configuring at least one of a file, a parameter, a setting, data, a procedure call, a scheduled event, an agent, and a process.
  - 50. The non-transitory machine readable medium of claim 35, wherein the environment is adapted to comply with the second policy-based compliance scheme by, in the environment outside the virtual appliance, at least one of registering, integrating, acquiring, modifying, inserting, deleting, and configuring at least one of a configuration management database, an asset management database, a license manager, a server, a license, a file, a parameter, a setting, data, a procedure call, a scheduled event, an agent, and a process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ManageIQ, Inc. (International Business Machines Corporation)
Original Assignee
ManageIQ, Inc. (International Business Machines Corporation)
Inventors
Fitzgerald, Joseph, Barenboim, Oleg
Primary Examiner(s)
Truong, Camquy

Application Number

US14/922,979
Publication Number

US 20160055026A1
Time in Patent Office

792 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/0712   in a virtual computing plat...

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45587   Isolation or security of vi...

G06F 21/51   at application loading time...

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0263   Rule management

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Compliance-based adaptations in managed virtual systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

148 Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

Compliance-based adaptations in managed virtual systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

148 Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links