Walkthrough: Setting up and managing an online patch catalog for Linux


This topic walks you through the process of setting up a patch catalog for Red Hat Linux. It also explains how to set up a smart group that automatically selects a subset of the patches in the patch catalog.


Introduction

This topic is intended for system administrators who are tasked with managing patches. The goal of this topic is to demonstrate how to organize patch information by setting up a central location for storing metadata about a type of patch. BladeLogic calls these locations patch catalogs. By creating patch catalogs customized to your needs, it becomes easier to select the patches you want to evaluate on servers throughout your data center.

What is a patch catalog?

A patch catalog provides a place to store metadata about patches and the patch payloads themselves. Patch catalogs can be designed for specific needs. For example, a patch catalog can be used for a particular operating system, such as Red Hat Linux 6.0. With well-designed patch catalogs, it is easier to select the patches that are used when evaluating the patch configuration of designated servers.

After you have created a patch catalog, you can create patch catalog smart groups, which can be dynamically populated with patches from the patch catalog that meet certain criteria. This smart group can be used as a filter during a Patching Job to determine whether patches in the group are missing on target servers.

What does this walkthrough show?

This walkthrough shows how to use the BSA Patch Catalog wizard to create a job that obtains patches from the Red Hat network.

The job sets up notifications for the administrator in charge of Linux patching if the Patch Catalog job should fail. The job is scheduled to run monthly to obtain the latest patches.

This walkthrough also shows how to set up a patch smart group that automatically selects patches from the patch group that are critical security advisories.

What do I need to do before I get started?

  • For this walkthrough, you need various authorizations. You can log in and perform these tasks as BLAdmin, the BSA superuser, but BMC recommends a more restrictive approach to granting authorizations. Ideally, you should set up a role that is granted only the authorizations needed for patch management. To learn how to restrict access, see Walkthrough-Restricting-permissions-for-a-patching-administrator.
  • You must have an account with the Red Hat Network from which you can obtain patch data.
  • You must know which server you want to use as a patch repository.

How to set up and manage a patch catalog for UNIX

 

Step

Example screen

1

  1. Log on as BLAdmin or preferably as PatchingUser.
    PatchingUser is the user account that was set up in Walkthrough-Restricting-permissions-for-a-patching-administrator.
  2. Expand the Depot folder and navigate to a subfolder where you want to create a patch catalog.
  3. Right-click the subfolder and select New > Patch Catalog > Red Hat Linux Patch Catalog.
    The New Patch Catalog wizard opens. 
  4. For Name, enter a name for the patch catalog you are creating. For example, enter Red Hat 6 x86_64.

RHCatalogGeneral.gif

2

  1. Click Next.
    The Red Hat Linux Catalog page appears.
    On this page we specify the patch information to obtain for this patch catalog.
  2. Under Catalog Mode, make sure Source From Vendor (Online Mode) is selected. 
    Working in online mode obtains patch data directly from the Red Hat Network.
  3. Under Red Hat Network Credentials, enter a user name and password that has been granted access to the Red Hat Network.  
    These fields may be completed dynamically if your organization has globally configured patch access.
  4. For Repository Location (NSH Path), enter a location on a Linux platform where patch information can be stored. This location must have ample free space–typically many gigabytes. Enter the location using a Network Shell-style path.
  5. Make sure that Network URL Type for Payload Deployment is set to Copy To Agent At Staging.
    This setting means BSA copies patch payloads from the patch repository to a staging directory on the target server when you are deploying patches.
  6. Click Add Filter and make the following settings on the Edit Red Hat Filter dialog box.
    1. Select Red Hat Network.
    2. For Channel, select a channel from the list provided.
    3. Select By Errata Type. Leave all the sub-options selected.
    4. Click OK.

RHCatalogRedHat.gif

3

Optionally, on this page you can set up a notification so the Patch Catalog Job sends an email if the job fails for some reason. Updating the patch catalog is an important task, so if there's a problem, someone will want to know about it.
For email notifications to be sent, a mail server must be configured for the Application Server. This step is only required if you want to receive a notification email when the job runs.

  1. Click Next.
    The Notifications page appears. 
  2. Select Send email to.
  3. Enter an email address of someone to be notified if this job fails.
  4. Check Failed.

RHCatalogNotifications.gif

4

Optionally, you can schedule a regular update to the Catalog Job, as described below. Scheduling is not essential because you can also trigger a Catalog Update Job manually. In production environments, however, BMC recommends that you schedule the job to ensure that a catalog always has the most recent patches. 

  1. Click Next.
    The Schedules page appears.
    On this page we set up the job to run immediately and also to run on the first Tuesday of every month afterwards.
  2. Select Execute job now to indicate the job should run as soon as you finish the wizard. 
  3. Click New Schedule and define a job schedule. In this example, we want to schedule it to update Tuesday mornings. You may want to use a different time, day, or even update less often.
    1. Click Monthly.
    2. Select First and Tuesday.
    3. Enter a time, such as 08:00.
    4. Click OK.

RHCatalogSchedules.gif

5

Click Finish.
The Patch Catalog Job starts running. You can watch its progress on the Tasks in Progress pane. 

PatchingTasksInProgress.gif

6

  1. When the job completes, you can use the Depot folder and navigate to the location where you created the patch catalog. You selected this location in the first step.
  2. Right-click the catalog, and select Open.
    The pane at right shows the definition of the patch catalog job.
  3. Click the Results tab. 
    A green check indicates the job ran successfully. 

PatchCatalogResults.gif

7

Create a patch smart group for security patches.

  1. Right-click the patch catalog you just created and select New > Patch Catalog Smart Group.
    A wizard for creating smart groups opens.
  2. For Name, enter a name for the patch catalog smart group, such as Production Patch Policy.
  3. In the list of conditions, take the following steps:
    1. In the first column, select Redhat Errata.
    2. In the second column, select ERRATA_TYPE.
    3. In the third column, select equals.
    4. In the fourth column, select Security Advisory.
      Taken together, the row should read "Any Redhat Errata where ERRATA_TYPE equals Security Advisory." 
    5. In the fifth column, select AND.
    6. Click Apply Changes.
  4. Click Add New Condition. Double-click the row representing the new condition and enter the following information:
    1. In the first column, select Redhat Errata.
    2. In the second column, select ERRATA_SEVERITY.
    3. In the third column, select equals.
    4. In the fourth column, select Critical.
      Taken together, the row should read "Any Redhat Errata where ERRATA_SEVERITY equals Critical." 
    5. Click Apply Changes.
  5. Click Finish.
    A new smart group collects all Red Hat patches that are critical security advisories. 

 

PatchSmartGroup.gif
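
To cross-check what the smart group from step 7 should contain, the following added example (not part of the BMC walkthrough or of BSA) applies the same two ANDed conditions to errata in the yum updateinfo.xml layout. The sample XML and advisory IDs are constructed, and the mapping from updateinfo type values to the labels shown in the wizard is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the yum updateinfo.xml layout; advisory IDs are placeholders.
# The last entry is deliberately odd (non-security but Critical) to exercise the AND.
SAMPLE_UPDATEINFO = """<updates>
<update type="security"><id>RHSA-0000:0001</id><severity>Critical</severity>
  <pkglist><collection><package name="examplelib" version="1.0" release="2.el6"
    arch="x86_64"/></collection></pkglist></update>
<update type="security"><id>RHSA-0000:0002</id><severity>Important</severity></update>
<update type="bugfix"><id>RHBA-0000:0003</id></update>
<update type="security"><id>RHSA-0000:0004</id><severity> critical </severity></update>
<update type="enhancement"><id>RHEA-0000:0005</id><severity>Critical</severity></update>
</updates>"""

# Assumed mapping from updateinfo "type" values to the wizard's errata type labels.
TYPE_LABELS = {"security": "Security Advisory", "bugfix": "Bug Fix Advisory",
               "enhancement": "Enhancement Advisory"}

# The two rows entered in the smart group wizard, joined by AND.
CRITICAL_SECURITY = [("ERRATA_TYPE", "Security Advisory"),
                     ("ERRATA_SEVERITY", "Critical")]

def parse_errata(xml_text):
    """Return one dict per <update> holding the fields the smart group tests."""
    errata = []
    for upd in ET.fromstring(xml_text).iter("update"):
        errata.append({
            "id": (upd.findtext("id") or "").strip(),
            "ERRATA_TYPE": TYPE_LABELS.get(upd.get("type", ""), "Unknown"),
            # Bug fix and enhancement errata usually carry no <severity> element.
            "ERRATA_SEVERITY": (upd.findtext("severity") or "None").strip(),
            "packages": ["{}-{}-{}.{}".format(p.get("name"), p.get("version"),
                         p.get("release"), p.get("arch")) for p in upd.iter("package")],
        })
    return errata

def smart_group(errata, conditions):
    """Keep errata that satisfy every (field, value) condition, ignoring case."""
    return [e for e in errata
            if all(e[field].lower() == value.lower() for field, value in conditions)]

def critical_security_ids(xml_text):
    """IDs the 'critical security advisories' smart group is expected to hold."""
    return [e["id"] for e in smart_group(parse_errata(xml_text), CRITICAL_SECURITY)]

if __name__ == "__main__":
    for advisory_id in critical_security_ids(SAMPLE_UPDATEINFO):
        print(advisory_id)
```

Dropping the ERRATA_TYPE row from the conditions also returns the constructed enhancement erratum, which is why the walkthrough joins the two rows with AND.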

 

Wrapping it up

Congratulations. You have set up a job that creates a patch catalog for Red Hat Linux 6. The job will run monthly and obtain the latest patches from the Red Hat Network. If the job fails for any reason, an email notification is sent. You have also learned how to create a patch catalog smart group so you can easily group all patches that are critical security advisories.

Where to go from here

Now that you have a serviceable patch catalog, it is time to use it to test your Linux servers for patch compliance. See Walkthrough-Basic-Red-Hat-Linux-patch-analysis.

 
