Working with patch policies

This topic was edited by a BMC Contributor and has not been approved.

You can create patch policies to identify missing patches in Automation Console. This topic provides instructions on adding, viewing, editing, disabling, and removing patch policies. 

To understand the concept of patch policies, see Patch policies.

Adding a patch policy

On the Manage > Patch Policies page, click Add Policy and do the following:

  1. Enter a unique name for the policy.
    The patch policy name must be unique (up to 150 characters), even when users with different roles create policies.
  2. Click Browse to select a catalog.
    Catalogs are created in TrueSight Server Automation. The Operating System and Operating System Vendor columns provide additional information about the imported catalogs. For example, if a SUSE catalog is added, the operating system shows Linux and the vendor name appears as SUSE. You can select a catalog only if the Sync Status is Complete.
  3. Configure the Patch Policy Options, which filter what the scan looks for. Do the following:

    1. Click .
    2. (Windows) Do the following:
      1. Click Patch Classifications, and select the required check boxes to scan assets based on these patch classifications: Security Patches, Security Tools, and Non-Security Patches.
        To skip service packs while scanning assets, select the Exclude Service Packs check box.
      2. From the Include Patch Groups list, select one or more patch groups to include in the scan.
      3. From the Exclude Patch Groups list, select one or more patch groups to exclude from the scan. The patch groups selected in the Include Patch Groups list are disabled for selection.
      4. Save the changes.
    3. (Linux) Do the following:
      1. Specify whether you want to scan assets using Update Mode or Install Mode. Use Update Mode to scan for missing RPMs based on the selected patch catalog. Use Install Mode to scan for missing RPMs and install new RPMs and required dependencies based on the selected catalog.
        (SuSE) Select Dist-Upgrade Mode to scan assets only for the distribution upgrade or service pack upgrade.
      2. From the Include Patch Groups list, select one or more patch groups to include in the scan. For Install Mode, this selection is mandatory.
      3. From the Exclude Patch Groups list, select one or more patch groups to exclude from the scan. The patch groups selected in the Include Patch Groups list are disabled for selection.
      4. Save the changes.

      If the patch policy options are not configured, Update Mode is selected by default.

  4. To specify assets, do one of the following:

    • Select all assets enrolled in the endpoint manager.
    • Select Asset Groups (server smart groups in Server Automation) and do the following:
      1. Click Select Asset Groups.
      2. Select one of these asset group types: Smart Groups or Static Groups.
      3. Select one or more groups.
  5. In the Policy Schedule section, specify a schedule for the policy:
      • Daily: Click the clock icon in the Time field, and specify the time.
      • Weekly
        1. From the Recur Every list, select the number of weeks after which the policy should run again.
        2. Click the clock icon in the Time field, and specify the time.
        3. Specify the days of the week when the schedule should run.
      • Monthly: Click the clock icon in the Time field, specify the time, and then specify one of these options:
        • Specify the frequency (first, second, third, or fourth) and the day of the week for the schedule.
        • Specify the day in every month when the schedule should run.
        • Select the last day of every month.

        The schedule summary is displayed.

        Can I schedule a policy in another timezone?

        No. Automation Console shows the browser time zone. You can only schedule policy scans in the local time zone.

        Important

        When you create a patch policy, a patching job is created in TrueSight Server Automation and runs according to the schedule configured during policy creation. If you want to update the schedule later, make the changes in Automation Console. Do not use TrueSight Server Automation to make these changes, because the Automation Console settings always take precedence.

After you save the patch policy, it is enabled and appears on the Manage Policies page. To search for a policy, enter the policy name in the search field; policies matching the search term are displayed.

When you create a policy, it is saved at the following default path in Server Automation:
Jobs/<userid>_<user_role>/<Policy_Name>

You can change the path. For details, see Working with security groups.

Executing a patch policy

You can run a patch policy immediately after adding it. You cannot execute a policy that is disabled or already running.

If the catalog associated with the policy is disabled in Automation Console and you then execute the policy, the scan uses the catalog contents from its last update.

On the Manage > Patch Policies page, do the following:

  1. Select a policy and click Actions > Execute now.
  2. Click Continue.

Viewing patch policy results

After a policy runs on the selected assets according to the schedule, the results are displayed on the Patch Policies page.

The page lists the policies available in the product together with each policy's name, the assets in scope of its scan, the date and time of the last run, and its status.

On the Manage > Patch Policies page, do the following:

  1. Click the policy name.
    The Scan Run Results page shows results of each policy scan according to the schedule.
  2. To view results for any previous scan, click the scan in the Scan Start Time column.
    The following image shows the results of a policy scan.

    The following details are displayed:
    • Total number of assets scanned by the policy
    • Number of assets that were scanned successfully or with warnings, and failed scans
    • List of assets scanned by the policy and the number of missing and installed patches on these assets
    • Log for the policy that contains errors and warnings, if any
    • Date, time, and duration of the policy scan
  3. To view the policy results for each asset, click the asset name.

    You can see each installed and missing patch identified on the selected asset.

Editing a patch policy

On the Manage > Patch Policies page, do the following:

Warning

When you edit, disable, or remove a policy, all missing patches reported by the last scan are removed from Automation Console. However, if you update only the schedule of a patch policy, these patches are retained.

  1. Select a policy and click Actions > Edit.
  2. Update the policy details, and click Update.
    The Operating System and Operating System Vendor columns provide additional information about the imported catalogs. For example, if a SUSE Linux catalog is added, the operating system shows Linux and the vendor name appears as SUSE.

Missing patches according to the new configuration are displayed after a successful scan.

Disabling and enabling a policy

You may want to stop a scanning policy from running for a while, or the policy may no longer be relevant. To stop the policy from running, disable it. When you disable a patch policy, the missing patches it identified are also removed from Automation Console.

On the Manage > Patch Policies page, do the following:

  • Select a policy, click Actions > Disable, and click Continue.
    The policy status changes to Disabled and the policy no longer runs according to the schedule. It still appears in the patch policy list.
  • To view details of a disabled policy, click Actions > View.
  • Select a policy and click Actions > Enable.
    The policy status changes to Enabled and the policy runs according to the schedule. New missing patches are reported after a successful scan.

Removing a patch policy

You cannot delete a policy if it is used by any operation. In such a case, delete the operation first, and then delete the policy. When you delete a patch policy, the missing patches it identified are also removed from Automation Console.

When you remove a policy from Automation Console, it continues to exist in TrueSight Server Automation.

On the Manage > Patch Policies page, do the following:

  1. Select a policy and click Actions > Remove.
  2. Click Continue.