First time setup for Patch Management Solution for Linux
Updated On: 16-06-2016 09:35
Patch Management Solution for Linux
What steps are required to get Patch Management Solution for Linux configured with basic settings and able to actively patch computers?
Install the solution:
This is accomplished through SIM as part of an initial installation.
NOTE: Patch Management Solution for Linux does not support Upgrade\Migrations from the 6.x version.
Configure the Core Solution Policy:
From the menu bar select Settings > All Settings. In the left hand tree view select Software > Patch Management > 'Patch Management Core Solution' or 'Core Services'.
Use this policy to add managed languages, set up custom severities and specify a location that the Updates will be downloaded to.
Configure the Linux (Red Hat or Novell) specific configuration policy:
From the menu bar select Settings > All Settings. In the left hand tree view select Software > Patch Management > (Novell\RedHat) Settings > 'Red Hat\Novell' (Remediation Settings):
There are many options available for this policy, split out into four tabs (Software Update Options, Policy and Package Settings, Programs and either Novell Customer Center or Red Hat Network). Look at the options on all three tabs and make any desired changes.
Advisory: The credentials for each vendor must be entered for the solution to be able to download the needed Errata and Channels. These credentials also determine which Errata / Channels are available for deployment, according to the vendor agreement of the specified user.
Configure the Vendors Inventory Policy:
From the menu bar select Settings > All Settings. In the left hand tree view select Software > Patch Management > Novell Settings\Red Hat Settings > 'Default Novell\Red Hat Inventory Policy'.
This policy is used to gather the inventory from the client. The inventory then determines if an update is needed and if it is installed. This information is used to populate the associated filters\targets, allowing updates to only run on computers that require them.
Use this policy to define the desired target, scan interval and events to be sent. Note: the Inventory summary events are only used for one report that is not commonly used. It is recommended to leave it unchecked unless the data is needed.
Configure the Software Update Agent Plug-in Settings (Install Updates Schedule):
From the menu bar select Settings > Agents/Plug-ins > All Agents/Plug-ins. In the left hand tree view select Agents/Plug-ins > Software > Software Update Agent for Linux > Settings > 'Default Software Update Agent Policy'.
Use this to configure the following:
Schedule time for updates to install on the client computers
Overrides of the Maintenance window settings
Notifications that can be displayed on the client computers.
Note: The graphical interface for this policy is shared with the Windows policy. Because of this, the Reboot Defaults section is shown; however, in a Linux environment it is not needed and does not perform any reboots.
Install the Software Update Agent\Plug-in for Linux:
PM 7.0 - 7.1: There is a Task and a Job that can be configured when installing this Agent/Plugin.
Found on the Console > Settings > Agents/Plug-ins > All Agents/Plug-ins.
In the left hand tree view select Software > Software Update Agent for Linux > Rollout > Update Agent Discovery Task.
Configure to fit the environment and enter the Email account for Novell, if installing to SUSE computers.
For the job, from the menu bar select Settings > Agents/Plug-ins > All Agents/Plug-ins. In the left hand tree view select Software > Software Update Agent for Linux > Rollout > 'Software Update Agent Rollout Job'.
Use this policy to define a schedule with the desired options and select the target of computers it will be applied to.
Advisory: Because this Agent/Plugin is deployed using a Task Server Job, the computers must have the Client Task Plugin installed, be registered with a task server and be able to communicate with it. If the task is failing, verify that it is configured correctly for its Task server.
Note: The Linux Software Update Agent Plug-in can only be installed on a client that is registered to the Red Hat Network Site, and the client has to maintain an internet connection, because that check is executed each time an update is deployed to that client.
Note: The Linux Software Update Agent Plug-in Policy was moved with the Service Pack 1 upgrade and in later versions. It resides on the Console > Settings > All Settings > Agents/Plug-ins > Software > Patch Management > Linux folder.
Download the Red Hat Channel \ Novell Errata Import file:
Found on the Console > Manage > Jobs and Tasks > System Jobs and Tasks > Software > Patch Management.
In the left hand tree view select System Jobs and Tasks > Software > Patch Management > Red Hat Errata import Task or Novell Updates Import Task.
Advisory: Before this can run, inventory must be returned from computers. Channels will only be available for download if a computer has returned inventory for that channel.
This must run before Errata\Updates can be enabled and deployed.
Configure any desired settings and save the changes.
Note: This process can take some time; allow several hours for it to complete before the next step.
Stage bulletins and KBs to be deployed:
To access this page go to the menu bar and select Manage > Policies. In the tree view open Software > Patch Management > 'Patch Remediation Center'.
Stage the desired Updates. This includes downloading them to the Notification Server and creating and defining the needed packages, filters, command lines, associations, etc.
Go to the Console > Actions > Software > Patch Remediation Center:
Highlight the Channel / Erratum / Bulletin > Right-click > Download Packages or Distribute Packages
Note: Multiple Updates can be selected at once; however, keep in mind that the process to download the Software Updates will take priority and any other download processes will be queued. It is best to bundle by monthly release or to stage each Bulletin separately, one by one.
Review the Red Hat / SUSE Compliance Reports
Go to the Console > Reports > All Reports > Software > Patch Management > Compliance and view the report for the Red Hat or SUSE targeted clients as needed.
Regarding Compliance Reports displaying vulnerable kernels that are not active, please view INFO3650.