CloudIQ: Security assessment report identifies PowerEdge device risk level as high when Secure Boot is enabled.
Summary: The CloudIQ Cybersecurity report continues to identify the PowerEdge device risk level as high for Secure Boot even after Secure Boot is enabled on the target system.
Symptoms
The security assessment report for the PowerEdge device remains in a high state even after remediating the Secure Boot attribute.


Cause
The iDRAC's system configuration hash was not updated after the Secure Boot device attribute was changed.
OpenManage Enterprise leverages the iDRAC's system configuration hash to determine if device settings have been modified. Once a change in the hash value has been detected, OpenManage Enterprise triggers a configuration inventory collection from the target. This new configuration inventory information is sent to CloudIQ to be used in calculating the security assessment.
The current system inventory hash can be retrieved from the device using either WinRM or Redfish.
WinRM call to pull iDRAC System Configuration hash value
winrm e cimv2/root/dcim/DCIM_iDRACCardString -u:<Username> -p:<Password> -r:https://<DRAC_IP_ADDRESS>/wsman -SkipCNcheck -SkipCAcheck -encoding:utf-8 -a:basic
Output:
DCIM_iDRACCardString
AttributeDisplayName = System Configuration Hash
AttributeName = SystemConfigHash
CurrentValue = a1ce859471708c9f8f34ef5093e6b354712887af93a5d9183ed0660f57da593f
DefaultValue = null
Dependency = null
DisplayOrder = 1
FQDD = iDRAC.Embedded.1
GroupDisplayName = Inventory HASH
GroupID = InventoryHash.1
InstanceID = iDRAC.Embedded.1#InventoryHash.1#SystemConfigHash
IsReadOnly = true
MaxLength = 256
MinLength = 0
PendingValue = null
Redfish GET to pull iDRAC System Configuration hash value
https://<DRAC_IP_ADDRESS>:443/redfish/v1/Managers/iDRAC.Embedded.1/Attributes?%24select=InventoryHash.1.SystemConfigHash
Output:
{
"@Redfish.Settings": {
"@odata.context": "/redfish/v1/$metadata#Settings.Settings",
"@odata.type": "#Settings.v1_3_0.Settings",
"SettingsObject": {
"@odata.id": "/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1/Settings"
},
"SupportedApplyTimes": [
"Immediate",
"AtMaintenanceWindowStart"
]
},
"@odata.context": "/redfish/v1/$metadata#DellAttributes.DellAttributes",
"@odata.id": "/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1",
"@odata.type": "#DellAttributes.v1_0_0.DellAttributes",
"Attributes": {
"InventoryHash.1.SystemConfigHash": "187ff97183d88b55619652035722ee0be745ae981680db5d8afc4dfeb1c6a199"
},
"Description": "This schema provides the oem attributes",
"Id": "iDRACAttributes",
"Name": "OEMAttributeRegistry"
}
Resolution
First, ensure that your device is running iDRAC version 6.10.80.00 or higher. Then check that the software inventory hash is not null by using either the WinRM or Redfish method. If the software inventory hash is null, change any iDRAC based setting, and then change it back to the original value. These actions populate the hash value. Lastly, trigger a device synchronization task from device actions in the CloudIQ portal.
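The checks above can be run offline against saved Redfish response bodies. The following is an added example, not Dell's or OpenManage Enterprise's code: the function names are hypothetical, the firmware version string is assumed to be supplied by the caller in dotted numeric form, and the sample bodies are constructed.

```python
import json

ATTR = "InventoryHash.1.SystemConfigHash"  # attribute name from the Redfish output
MIN_IDRAC = "6.10.80.00"                   # minimum iDRAC version named in the article


def config_hash(body):
    """Hash from a Redfish Attributes response body; None if null, empty or missing."""
    value = json.loads(body).get("Attributes", {}).get(ATTR)
    if not isinstance(value, str) or value.strip().lower() in ("", "null"):
        return None
    return value.strip()


def version_tuple(version):
    """'6.10.80.00' -> (6, 10, 80, 0); compares numerically, unlike plain strings."""
    return tuple(int(part) for part in version.split("."))


def ome_would_recollect(before, after):
    """Model of the Cause section: a collection is triggered only if the hash changed."""
    old, new = config_hash(before), config_hash(after)
    return new is not None and old != new


def remediation_steps(firmware, body):
    """Ordered steps from the Resolution section for one device."""
    steps = []
    if version_tuple(firmware) < version_tuple(MIN_IDRAC):
        steps.append("update iDRAC to %s or higher" % MIN_IDRAC)
    if config_hash(body) is None:
        steps.append("change any iDRAC setting, then change it back")
    steps.append("trigger device synchronization in CloudIQ")
    return steps


def sample_body(value):
    """Constructed response, trimmed to the keys used here."""
    return json.dumps({"Id": "iDRACAttributes", "Attributes": {ATTR: value}})


if __name__ == "__main__":
    before = sample_body("a" * 64)  # constructed hash values, not real device data
    after = sample_body("a" * 64)   # unchanged after the Secure Boot change
    print(ome_would_recollect(before, after))
    print(remediation_steps("6.9.10.00", sample_body(None)))
```

Comparing a response saved before the Secure Boot change with one saved after it shows whether the hash moved at all, which is the condition the Cause section describes.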
Affected Products
iDRAC9, CloudIQ, Dell EMC OpenManage Enterprise, OpenManage Enterprise APEX AIOps Observability
Article Properties
Article Number: 000205986
Article Type: Solution
Last Modified: 09 July 2025
Version: 4