Walkthrough: Basic patch remediation

This topic walks you through the process of automating the deployment of patches and updates for Microsoft Windows operating systems, using BMC BladeLogic Server Automation (BSA).

This topic includes the following sections:

The video at right demonstrates the process of patch remediation.

https://youtu.be/SXAhfQ_mYtM

Introduction

This topic is intended for system administrators. The goal of this topic is to demonstrate how to perform basic patch remediation for Windows systems using BSA.

Patch analysis is the process of figuring out which systems need which patches, and is described in a different walkthrough.
Patch remediation is delivering those fixes to the operating system or application.

BSA supports analysis, download, and deployment of patches for all of the major operating systems. See "Patch management support" under Supported platforms for version 8.7.

What is patch remediation?

Patch remediation is the process of packaging and deploying the required patches to targets requiring remediation. BSA creates the necessary BLPackages and Deploy Jobs to remediate the targets identified in the patch analysis phase.

After reviewing the results of your Microsoft Windows Patching Job, the next step is to create and run Remediation Jobs. In a Remediation Job, you specify the servers that you want to update and the patches that you want to apply.
The Remediation Job downloads the patches if they are not already downloaded, creates packages, and creates the Deploy Jobs.

What does this walkthrough show?

This walkthrough continues the patching story developed in Walkthrough: Basic Microsoft Windows patch analysis, which identified missing critical patches on Windows 2008 servers. Using the results of that Patch Analysis Job, this walkthrough:

Demonstrates how you can set up a remediation job that patches all servers
Sets up notifications for the results of the job
Runs the remediation job immediately
Examines the results of the remediation job
Runs the original Patch Analysis Job again to show that all target servers are correctly patched

Although this walkthrough describes a Windows 2008 scenario, the same techniques can apply to patching other operating systems.

What do I need to do before I get started?

For this walkthrough, you need various authorizations. You can log in and perform these tasks as BLAdmin, the BSA superuser, but BMC recommends a more restrictive approach to granting authorizations. Ideally, you should set up a role that is granted only the authorizations needed for patch management. To learn how to restrict access, see Walkthrough: Restricting permissions for a patching administrator.
You must have also created a patch catalog (described in a separate walkthrough) and run the Patch Analysis Job (also described in a separate walkthrough).

How to deploy the required patches to targets

Step	Example screen
This process follows directly from the procedure described in Walkthrough: Basic Microsoft Windows patch analysis. In the BSA console, under Jobs, navigate to the folder for your Windows Patching Job. The examples in this procedure use the folder structure Jobs > Patch Analysis Jobs > Windows Patch Analysis. Right-click the Patching Job in the folder under the Jobs folder. Select Show Results.
In the Windows Patching Job results, click the Object View. The right pane shows a list of hotfixes and patches. (You can also deploy patches and hotfixes from the server view. See Choosing remediation targets and patches.) Select one or a set of patch names in the right pane.In our example, we identified during patch analysis a critical missing patch that fixes potential security vulnerability, which is missing on both servers. Right-click and select Deploy Selected Patches. The New Patch Remediation Job wizard opens. The New Patch Remediation Job wizard opens. The Remediation Job creates the following items: A Deploy Job for each server specified in the Remediation Job. A Deploy Job updates a server with the patch software. A Batch Job that you can use to run all of the Deploy Jobs. BLPackages, which are software packages containing the patches needed for the Deploy Jobs.
On the General panel: In the Name field, enter a suitable job name. This example uses the hotfix number. In the Save in field, enter or browse to a location in the Jobs folder where you want to save this Remediation Job. Click Next.
On the Remediation Options panel: In the Package name prefix field, type a suitable prefix for package names. The default is the Remediation Job name. In the Save package(s) in field, type or browse to the location in the Depot folder where you want to save the software packages (BLPackages) that this job creates. In the Save Batch/Deploy Job(s) in field, type or browse to the location where you want to save the Batch Job and the Deploy Jobs that this job creates. Usually, you can leave the ACL Policy for Package(s) Deploy Job(s) field blank. Click Deploy Job Options.
On the Deploy Job Options panel, on the Job Options tab: In the Logging Level field, select an option. This examples uses the default of Errors and warnings. The All Information option provides verbose deployment information. The details in the verbose information can help to troubleshoot issues. From the Reboot Options drop-down list, select an option. (See Assigning default values for Deploy Jobs for explanations of these options.) This example uses the Ignore item defined reboot setting and reboot at the end of job reboot option. Typically, this option is appropriate. Accept the defaults for other fields.
This example uses the default settings for the Deploy phases tab. For information about these options, see Deploy Job - Phase Options.
Select the Phases and Schedules Tab. We want the Remediation Job to execute immediately after the creation of the Remediation artifacts. Select Execute job now. Click OK to return to Deploy options. Click Next.
On the Job Run Notifications, click Next. Bypassing this panel will use the default notifications that were set up in the Patch Analysis Job in the previous walkthrough.
On the Schedule panel, select Execute job now. Click Finish to accept the default settings for the remaining two wizard panels, Properties and Permissions.
The executing job appears in the Tasks in Progress view on the console. After the Remediation Job executes, you can view its results under the original Patching Job with which it is associated. You will see multiple jobs being executed, as the Remediation Job spawns a Deploy Job and a Batch Job.
In the Object Explorer locate the folder in which the Remediation Job stores the Batch Job and the Deploy Jobs that it created, (This location was specified in step 4 above). Right-click the job and select View Results. Review the status of the patch deploy phases. As you can see, all three phases were successful.
To verify that the patch has been installed successfully, let's run the original Patch Analysis Job again. In the Object Explorer, navigate to the folder for the Patching Job. Right-click the job and select Execute.
Switch to the Patch Analysis Job Results tab in the Object View and wait for the job to finish. Refresh if needed.
Once the run has finished, view the results. Expand the Object View. Expand the Installed item. As you can see, the patch was successfully installed on both servers.

Wrapping it up

You have now seen how BSA manages the collection, analysis, and deployment of patches and hotfixes for the Microsoft Windows operating systems. The process for Linux is very similar.

Where to go from here

Walkthrough: Basic Red Hat Linux patch analysis

Page tree