Walkthrough: Setting up and managing an online patch catalog for Linux

This topic walks you through the process of setting up a patch catalog for Red Hat Linux. It also explains how to set up a smart group that automatically selects a subset of the patches in the patch catalog.

The following video demonstrates the process of setting up a patch catalog for Linux:

  https://youtu.be/fLkd8eJBEoQ

Introduction

This topic is intended for system administrators who are tasked with managing patches. The goal of this topic is to demonstrate how to organize patch information by setting up a central location for storing metadata about a type of patch. BladeLogic calls these locations patch catalogs. By creating patch catalogs customized to your needs, it becomes easier to select the patches you want to evaluate on servers throughout your data center.

What is a patch catalog?

A patch catalog provides a place to store metadata about patches and the patch payloads themselves. Patch catalogs can be designed for specific needs. For example, a patch catalog can be used for a particular operating system, such as Red Hat Linux 6.0. With well-designed patch catalogs, it is easier to select the patches that are used when evaluating the patch configuration of designated servers.

After you have created a patch catalog, you can create patch catalog smart groups, which can be dynamically populated with patches from the patch catalog that meet certain criteria. This smart group can be used as a filter during a Patching Job to determine whether patches in the group are missing on target servers.

What does this walkthrough show?

This walkthrough shows how to use the BSA Patch Catalog wizard to create a job that obtains patches from the Red Hat network.

The job sets up notifications for the administrator in charge of Linux patching if the Patch Catalog job should fail. The job is scheduled to run monthly to obtain the latest patches.

This walkthrough also shows how to set up a patch smart group that automatically selects patches from the patch group that are critical security advisories.

What do I need to do before I get started?

Ensure that you complete the following prerequisite steps before creating a patch catalog for Linux platforms:

  • For this walkthrough, you need various authorizations. You can log in and perform these tasks as BLAdmin, the BSA superuser, but BMC recommends a more restrictive approach to granting authorizations. Ideally, you should set up a role that is granted only the authorizations needed for patch management. To learn how to restrict access, see Walkthrough: Restricting permissions for a patching administrator.
  • You must know which server you want to use as a patch repository.

For RHEL 7

For Red Hat Enterprise Linux 7, you must also:

  • Ensure that the following packages are pre-installed on the server that hosts the patch repository:
    • reposync (part of the yum-utils rpm) - For RHEL 7, you perform RHEL patching using the more advanced CDN (reposync) interface.
    • createrepo
    • python-urlgrabber
  • Have an account with the Red Hat Network from which you can obtain patch data.
  • Obtain the required certificates.
See Creating a patch catalog for Red Hat Enterprise Linux for the detailed steps.

As CDN is supported for BMC Server Automation 8.9.02 and later, this note is applicable for all RHEL filters.
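
The following preflight check for the repository host is an added example, not part of the BMC documentation. It verifies the three packages listed above and the free space at the repository location; the 50 GB threshold and the function names are assumptions (the walkthrough only says the location needs "many gigabytes").

```shell
#!/bin/sh
# Preflight check for a RHEL 7 patch repository host (added example).
# Package names come from the prerequisites above.
REQUIRED_PKGS="yum-utils createrepo python-urlgrabber"
MIN_FREE_GB=50   # assumed threshold; adjust to the channels you mirror

# Reads installed package names on stdin (one per line) and prints the
# required packages that are absent, separated by spaces.
missing_packages() {
    installed=$(cat)
    missing=""
    for pkg in $REQUIRED_PKGS; do
        # -x -F: exact whole-line match, so yum-utils-foo does not count
        if ! printf '%s\n' "$installed" | grep -qxF -- "$pkg"; then
            missing="${missing:+$missing }$pkg"
        fi
    done
    printf '%s' "$missing"
}

# Reads `df -Pk <dir>` output on stdin and prints available space in whole GB.
free_gb() {
    awk 'NR == 2 { printf "%d", $4 / 1048576 }'
}

# Usage on the repository host: preflight <repository directory>
preflight() {
    repo_dir=$1
    status=0
    missing=$(rpm -qa --qf '%{NAME}\n' | missing_packages)
    if [ -n "$missing" ]; then
        echo "missing packages: $missing"
        status=1
    fi
    if ! command -v reposync >/dev/null 2>&1; then
        echo "reposync is not on PATH (it ships in yum-utils)"
        status=1
    fi
    avail=$(df -Pk "$repo_dir" | free_gb)
    if [ "${avail:-0}" -lt "$MIN_FREE_GB" ]; then
        echo "only ${avail:-0} GB free in $repo_dir, want $MIN_FREE_GB GB"
        status=1
    fi
    return $status
}
```

Run it before creating the catalog so that a missing package or a full disk is caught up front instead of surfacing as a failed Patch Catalog Job.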

How to set up and manage a patch catalog for UNIX



Step
1
  1. Log on as BLAdmin or preferably as PatchingUser.
    PatchingUser is the user account that was set up in Walkthrough: Restricting permissions for a patching administrator.
  2. Expand the Depot folder and navigate to a subfolder where you want to create a patch catalog.
  3. Right-click the subfolder and select New > Patch Catalog > Red Hat Linux Patch Catalog.
    The New Patch Catalog wizard opens. 
  4. For Name, enter a name for the patch catalog you are creating. For example, enter Red Hat 6 x86_64.
2
  1. Click Next.
    The Red Hat Linux Catalog page appears.
    On this page we specify the patch information to obtain for this patch catalog.
  2. Under Catalog Mode, make sure Source From Vendor (Online Mode) is selected. 
    Working in online mode obtains patch data directly from the Red Hat Network.
  3. Under Red Hat Network Credentials, enter a user name and password that has been granted access to the Red Hat Network.  
    These fields may be completed dynamically if your organization has globally configured patch access.
  4. For Repository Location (NSH Path), enter a location on a Linux platform where patch information can be stored. This location must have ample free space, typically many gigabytes. Enter the location using a Network Shell-style path.
  5. Make sure that Network URL Type for Payload Deployment is set to Copy To Agent At Staging.
    This setting means BSA copies patch payloads from the patch repository to a staging directory on the target server when you are deploying patches.
  6. Click Add Filter and make the following settings on the Edit Red Hat Filter dialog box. 
    1. Select Red Hat Network.
    2. For Channel, select a channel from the list provided.
    3. Select By Errata Type. Leave all the sub-options selected.
    4. Click OK.
3

Optionally, on this page you can set up a notification so the Patch Catalog Job sends an email if the job fails for some reason. Updating the patch catalog is an important task, so if there's a problem, someone will want to know about it.
For email notifications to be sent, a mail server must be configured for the Application Server. This step is only required if you want to receive a notification email when the job runs.

  1. Click Next.
    The Notifications page appears. 
  2. Select Send email to.
  3. Enter an email address of someone to be notified if this job fails.
  4. Check Failed.

4

Optionally, you can schedule a regular update to the Catalog Job, as described below. Scheduling is not essential because you can also trigger a Catalog Update Job manually. In production environments, however, BMC recommends that you schedule the job to ensure that a catalog always has the most recent patches. 

  1. Click Next.
    The Schedules page appears.
    On this page we set up the job to run immediately and also to run on the first Tuesday of every month afterwards.
  2. Select Execute job now to indicate the job should run as soon as you finish the wizard. 
  3. Click New Schedule and define a job schedule. In this example, we want to schedule it to update Tuesday mornings. You may want to use a different time, day, or even update less often.
    1. Click Monthly.
    2. Select First and Tuesday.
    3. Enter a time, such as 08:00.
    4. Click OK.
5

Click Finish.
The Patch Catalog Job starts running. You can watch its progress on the Tasks in Progress pane. 

6
  1. When the job completes, you can use the Depot folder and navigate to the location where you created the patch catalog. You selected this location in the first step.
  2. Right-click the catalog, and select Open.
    The pane at right shows the definition of the patch catalog job.
  3. Click the Results tab. 
    A green check indicates the job ran successfully. 
7

Create a patch smart group for security patches.

  1. Right-click the patch catalog you just created and select New > Patch Catalog Smart Group.
    A wizard for creating smart groups opens.
  2. For Name, enter a name for the patch catalog smart group, such as Production Patch Policy.
  3. In the list of conditions, take the following steps:
    1. In the first column, select Redhat Errata.
    2. In the second column, select ERRATA_TYPE.
    3. In the third column, select equals.
    4. In the fourth column, select Security Advisory.
      Taken together, the row should read "Any Redhat Errata where ERRATA_TYPE equals Security Advisory." 
    5. In the fifth column, select AND.
    6. Click Apply Changes.
  4. Click Add New Condition. Double-click the row representing the new condition and enter the following information:
    1. In the first column, select Redhat Errata.
    2. In the second column, select ERRATA_SEVERITY.
    3. In the third column, select equals.
    4. In the fourth column, select Critical.
      Taken together, the row should read "Any Redhat Errata where ERRATA_SEVERITY equals Critical." 
    5. Click Apply Changes.
  5. Click Finish.
    A new smart group collects all Red Hat patches that are critical security advisories. 

Wrapping it up

Congratulations. You have set up a job that creates a patch catalog for Red Hat Linux 6. The job will run monthly and obtain the latest patches from the Red Hat Network. If the job fails for any reason, an email notification is sent. You have also learned how to create a patch catalog smart group so you can easily group all patches that are critical security advisories.

Where to go from here

Now that you have a serviceable patch catalog, it is time to use it to test your Linux servers for patch compliance. See Walkthrough: Basic Red Hat Linux patch analysis.
