Abstract: Systems and methods are provided for vulnerability proofing updates to an IHS (Information Handling System). An update system receives a notification of an update including updated configurations for hardware components of the IHS. The update system queries the IHS for vulnerability proofing requirements for updates that modify configurations of hardware components of the IHS. In response to the query, vulnerability proofing requirements are retrieved from a persistent data storage of the IHS and transmitted to the update system, where the vulnerability proofing requirements specify catalogs of known vulnerabilities of hardware components. The update system determines whether the updated configurations are identified as vulnerable in the one or more of catalogs. If the updated configurations are not identified in the catalogs, the update is transmitted to the IHS. If configurations from the update are identified in the catalogs, the update is terminated and the IHS is notified.

Abstract: Systems and methods provide vulnerability proofing procedures for booting of an IHS (Information Handling System). A request to boot the IHS is detected. One or more boot configurations are determined that include configurations for operation of one or more of the hardware components of the IHS. One or more catalogs are accessed that specify known vulnerabilities of hardware components. The boot configurations are used to identify any hardware component configurations that have known vulnerabilities that are listed in the catalogs. If known vulnerabilities are identified in the boot configuration, further booting of the IHS may be disabled until the boot configuration is modified to include no configurations with vulnerabilities identified in the catalogs.

Abstract: Systems and methods are provided for vulnerability proofing an IHS (Information Handling System) while being administered using a bootable image. Launching of a bootable image by the one or more CPUs is detected and one or more IHS configurations to be made using the bootable image are identified. One or more catalogs specifying known vulnerabilities of hardware components are accessed and used to determine whether any of the IHS configurations to be made using the bootable image are identified as vulnerable in one or more of the catalogs. Configuration of the IHS using the bootable image is blocked until the configurations to be made using the bootable image are modified to include no configurations with vulnerabilities identified in the plurality of catalogs.

Abstract: Systems and methods are provided for vulnerability proofing updates to an IHS. An update package is detected that includes configurations for one or more of the hardware components of the IHS. One or more catalogs are accessed that specify known vulnerabilities of hardware components. The updated configurations of the hardware component that are included in the update package are used to identify any hardware component configurations that have known vulnerabilities that are listed in the catalogs. If known vulnerabilities are identified in the updated configurations, further booting of the IHS may be disabled until the update package is modified to include no configurations with vulnerabilities identified in the catalogs.

Abstract: Systems and methods are provided for vulnerability proofing the use of risk scores in the administration of hardware components of an IHS (Information Handling System). Proposed configurations for a first of the hardware components of the IHS are detected, where the proposed configurations are associated with a risk score. Catalogs specifying known vulnerabilities of hardware components are accessed and used to determine whether any of the proposed configurations of the first hardware component are identified as vulnerable in one or more of the catalogs. When a vulnerability for the proposed configuration is identified in the catalogs, the risk score of the configuration is increased based on the vulnerabilities identified in the plurality of catalogs. When the risk score is increased to an elevated level, the hardware component is disabled until the proposed configurations are changed to include no configurations with vulnerabilities identified in the catalogs.

Abstract: Systems and methods are provided for vulnerability proofing the installation of new hardware components in an IHS (Information Handling System). The coupling of a new hardware component to the IHS is detected. A profile is identified that is to be used in provisioning the new hardware component that has been coupled to the IHS. The profile may include various configurations for the coupled hardware component. One or more catalogs are accessed that specify known vulnerabilities of hardware components. Configurations from the profile for the coupled hardware component are used to identify any configuration that have known vulnerabilities that are listed in the catalogs. If known vulnerabilities are identified in the configuration for the new hardware component, further use of the new hardware component by the IHS is disabled until the profile is modified to include no configurations with vulnerabilities identified in the catalogs.

Abstract: Systems and methods are provided for vulnerability proofing the launching of application instances by an IHS (Information Handling System). The launching of an application instance on the IHS is detected, where the application instance is launched using an application template that includes configurations for one or more hardware components of the IHS. One or more catalogs are accessed that specify known vulnerabilities of hardware components. Hardware component configurations included in the application template are identified as vulnerable in one or more of the catalogs. If the application template includes configurations that are identified as vulnerable in the catalogs, launching of the application is prevented until the hardware component configurations within the application template are modified to include no configurations with vulnerabilities identified in the catalogs.

Abstract: Systems and methods provided for vulnerability proofing updates to an IHS (Information Handling System). Upon receipt of an update to hardware component configurations of the IHS, vulnerability proofing requirements for modifications to the hardware component configurations are retrieved, including requirements for modifications that are validated for operation of a computational workload by the IHS. Based on the vulnerability proofing requirements, catalogs specifying known vulnerabilities of hardware components are consulted to determine whether the modifications are identified as vulnerable in the catalogs and whether remediations to the identified vulnerabilities are validated for operation of the workload. If the modifications are not identified as vulnerable in the catalogs, the update is transmitted to the IHS. If the modifications are identified as vulnerable in the catalogs and remediations to the identified vulnerabilities are not validated for operation of the workload, the update is terminated.

Abstract: Systems and methods are provided for vulnerability proofing subsystems of hardware components of an IHS (Information Handling System). A request to modify configurations of a hardware component of the IHS is detected. Catalogs specifying known vulnerabilities of hardware components are accessed to determine whether any of the modified hardware configurations are identified as vulnerable in one or more of the catalogs. When vulnerabilities are identified in the modified configurations for the hardware component, other hardware components of the IHS are identified that are interdependent on the hardware component as part of an IHS subsystem. Hardware configurations for any of the hardware components of the subsystem are evaluated for vulnerabilities based on the catalogs.

Abstract: Systems and methods provided vulnerability proofing of an IHS (Information Handling System) while it is being provisioned for deployment, such as upon receipt at a datacenter. An initial provisioning of the IHS is detected, where no provisioning of the IHS has been conducted other than the factory provisioning of the IHS. A profile is identified that is to be used in provisioning the IHS, where the profile includes configurations for one or more hardware components of the IHS. One or more catalogs are accessed that specify known vulnerabilities of hardware components. For each of the hardware configurations in the profile, configurations that are vulnerable are identified based on the catalogs of known vulnerabilities. If vulnerabilities are identified, further provisioning of the IHS is blocked until the profile is modified to include no hardware configurations with vulnerabilities identified in the catalogs.

Abstract: Systems and methods are provided for vulnerability proofing the administration of hardware components of an IHS. A proposed configuration for a hardware component of the IHS is detected. Multiple catalogs specifying known vulnerabilities of hardware components are accessed, such as a catalog of known vulnerabilities provided by a manufacturer of the hardware component and such as a catalog of known vulnerabilities provided by a manufacturer of the IHS. The proposed configuration of the hardware component is evaluated as being vulnerable in the first catalog and also in the second catalog. If the proposed configuration is identified as vulnerable in either the first catalog or in the second catalog, the hardware component is disabled until the proposed configurations for the hardware component are changed to include no configurations with vulnerabilities identified in either the first or second catalogs.

Abstract: Systems and methods are provided for vulnerability proofing the use of machine learning recommendations by an IHS. A machine learning recommendation is detected that provides configurations for one or more of the hardware components of the IHS. Catalogs specifying known vulnerabilities of hardware components are accessed to determine whether any of the hardware configurations from the machine learning recommendations are identified as vulnerable in one or more of the catalogs. If a machine learning recommendation is identified as vulnerable, use of the machine learning recommendation by the IHS is blocked until the recommendation is modified to include no recommended hardware configurations with vulnerabilities identified in the catalogs.

Abstract: Systems and methods are provided for vulnerability proofing the use of an IHS (Information Handling System) in a computing cluster. Notification is received by the IHS of modifications to configurations of a computing cluster that includes the IHS. Vulnerability proofing requirements for computing cluster configurations including the IHS are retrieved from a persistent data storage of the IHS. Based on the vulnerability proofing requirements, catalogs comprising known vulnerabilities of IHS hardware components are accessed. Modifications to the computing cluster configurations are identified as vulnerable in one or more of the catalogs. When modifications to the computing cluster configurations are identified as vulnerable, participation by the IHS in the computing cluster is suspended until the modifications to the computing cluster configurations are changed to include no configurations with vulnerabilities identified in the catalogs.

Abstract: An information handling system may include a processor and a management controller communicatively coupled to the processor and configured to perform out-of-band management of the information handling system, the management controller further configured to, in response to a request from a management utility remote from the information handling system to create a firmware image for an item of firmware for a cluster comprising the information handling system retrieve a firmware update package, store the firmware update package in a repository integral to the management controller, and communicate a uniform resource locator to the management utility setting forth a path of the firmware update package within the repository, such that the management utility may later use the uniform resource locator to perform a firmware update for another information handling system of the cluster.

Abstract: An information handling system includes a shared device, first and second compute nodes, and a chassis management controller. The first compute node includes a first management controller, which initiates a firmware update for firmware in the shared device. The first management controller detects that that the firmware update is complete. In response to the firmware update being completed, the management controller sends rollback information for the firmware to the chassis controller. The chassis controller stores the rollback information as a rollback image within a storage location of a memory. The chassis controller further sends the rollback information to the second compute node. The second compute node includes a second management controller, which in turn receives the rollback information from the chassis controller, and updates the rollback information within the second compute node.

Abstract: A method for managing a resource system includes obtaining, by a hardware resource manager, a firmware update lockdown request for a lockdown for a firmware device of the resource system, in response to the firmware update lockdown request: identifying a firmware protocol corresponding to the firmware device, generating a firmware lockdown command corresponding to the firmware device based on the firmware protocol, and initiating updating of a lockdown policy based on the firmware lockdown command.

Abstract: An information handling system includes a memory, a chassis management controller, and a management controller. The memory stores an update catalog and an update sequence catalog. The chassis management controller determines one or more components to update and provides an update request associated with the components. In response to the reception of the update request, the management controller retrieves the update catalog and the update sequence catalog from the memory and determines whether updates for all the components will be completed successfully. In response to the determination that the updates for all the components will be completed successfully, the management controller provides a list of updates for the chassis management controller to install in the information handling system. Otherwise, the management controller provides a user of the information handling system with a set of pre-requisite component versions to include within the update request.

Abstract: An information handling system includes a service module that may detect an action performed on a passthrough device, invoke an application programming interface on a hypervisor, receive a response to the action on the passthrough device from the hypervisor, and push management information to a management controller. The hypervisor may detect the passthrough device, proxy an operating system call associated with the action to a guest operating system of the virtual machine over the application programming interface, and transmit the response received from the guest operating system to the service module. The guest operating system may echo the operating system call on a virtual machine, and proxy the response to the operating system call to the hypervisor.

Abstract: An information handling system may include a processor and a management controller communicatively coupled to the processor and configured to perform out-of-band management of the information handling system, the management controller further configured to, in response to a request from a management utility remote from the information handling system to create a firmware image for an item of firmware for a cluster comprising the information handling system retrieve a firmware update package, store the firmware update package in a repository integral to the management controller, and communicate a uniform resource locator to the management utility setting forth a path of the firmware update package within the repository, such that the management utility may later use the uniform resource locator to perform a firmware update for another information handling system of the cluster.

Abstract: Technology described herein can globally perform management of security tokens of plural nodes of a multi-node system. In an embodiment, a system can comprise an interconnected group of server nodes, and an administrator node communicatively connected to the interconnected group of server nodes and comprising a processor, and a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations. The operations can comprise selecting a server node of the interconnected group of server nodes as a leader server node, resulting in a selection of the leader server node, in response, receiving, by the administrator node from the leader server node, a request for a new security token, and sending, to the leader server node, the new security token, and broadcasting, by the leader server node across a link layer discovery (LLDP) network, the new security token to additional nodes of the interconnected group of nodes.