Walkthrough: Basic Red Hat Linux patch analysis
This topic walks you through the process of using TrueSight Server Automation to analyze the Red Hat Linux systems in your environment to see if there are systems that require patches and updates.
The video at right demonstrates the process of patch analysis for Linux Red Hat systems.
Introduction to patch management
This topic is intended for system administrators. The goal of this topic is to demonstrate how to perform basic patch analysis for Linux systems using TrueSight Server Automation. In the example shown here, we are analyzing for missing or outdated RPMs and Errata.
Patch management refers to the acquisition, testing, and installation of patches to ensure that servers are always in compliance with organizational policies.
Due to the number of servers being managed, multiplied by the vast number of patches released by the software and OS vendors, patch management has become one of the most time-consuming tasks for many IT organizations. TrueSight Server Automation automates the process of building and maintaining a patch repository, analyzing target servers, and, if necessary, packaging and deploying patches. At the end of the process, reports are available to show compliance.
Patch management in TrueSight Server Automation consists of two primary tasks:
- Patch analysis—The process of figuring out which systems need which patches.
- Patch remediation—Delivering the necessary fixes to those systems. Remediation is described in a separate walkthrough.
TrueSight Server Automation supports analysis, download, and deployment of patches for all of the major operating systems.
What does this walkthrough show?
This walkthrough shows how to use a Patch Analysis Job to identify missing critical patches on Red Hat Enterprise Linux 6 servers. The Patch Analysis Job created in the walkthrough:
- Is based on an existing patch catalog
- Uses Update mode (to identify missing or outdated patches)
- Uses a single include list based on the patch smart group set up in the walkthrough for creating a Red Hat patch catalog.
- Does not create "remediation artifacts," which are created in a later walkthrough
- Sets up notifications for the administrator in charge of Windows patching
- Runs on a recurring schedule to obtain the latest patches
The walkthrough also shows how to view Patch Analysis results for Red Hat Enterprise Linux 6 systems and to determine which critical patches need to be applied.
What do I need to do before I get started?
- For this walkthrough, you need various authorizations. You can log in and perform these tasks as BLAdmin, the TrueSight Server Automation superuser, but BMC recommends a more restrictive approach to granting authorizations. Ideally, you should set up a role that is granted only the authorizations needed for patch management. To learn how to restrict access, see Walkthrough: Restricting permissions for a patching administrator.
- You must have already created a patch catalog (described in Walkthrough: Setting up and managing an online patch catalog for Linux).
How to do patch analysis on Red Hat Linux systems
Create the Patching Job.
Define the general settings on the New Linux Patching Job General panel.
On the Analysis Options panel, specify whether the job should run in Install mode or Update mode. Install mode is used to install new RPMs on systems as well as any required dependencies. Update mode checks for outdated RPMs based on what is in the catalog. Use Update mode for Linux patching and Install mode when installing new RPMs.
On this panel you can also specify the include and exclude lists that form the basis of your patch analysis. Patch Analysis Jobs analyze patches by collecting an "include" list and then removing any patches from an "exclude" list. The contents of patch smart groups can change based on patch characteristics. It is possible for a patch to appear in both the include and the exclude list. If that occurs, the patch is not analyzed. Remember, the include list minus the exclude list yields the patches to be analyzed.
If you do not specify an include or exclude list, the analysis uses all RPMs in the catalog that are applicable to the target servers. In this walkthrough we use a patch smart group that includes a limited set of Errata.
TrueSight Server Automation can automatically select the appropriate rpm version or versions while including or excluding an rpm package in an RHEL patch analysis job. To enable this version optimization, select the By Package Name Only option while including or excluding patches. Whenever any rpm package is selected with the By Package Name Only option, TrueSight Server Automation automatically performs the following:
You can still individually specify rpm versions for include or exclude by selecting the By Complete Package Name option. When this option is selected, TrueSight Server Automation does not automatically include or exclude any rpm version that is not manually selected by the user from the catalog. Whenever any rpm package is selected with the By Complete Package Name option, TrueSight Server Automation automatically performs the following:
The exclude operation takes precedence over the include operation. Therefore, if a package is excluded with the By Package Name Only option, all versions of the package will be excluded from analysis, even if specific versions are manually included.
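The include/exclude rules above can be checked with a small model. This is an added example, not TrueSight Server Automation code: the Rpm and Selector types, the patches_to_analyze function and the sample catalog are constructed for illustration, and a name-only include is assumed to match every catalog version of the package (the product's version optimization is not modelled).

```python
from typing import List, NamedTuple, Optional


class Rpm(NamedTuple):
    name: str
    version: str  # version-release string


class Selector(NamedTuple):
    """One include/exclude entry (hypothetical type for this example)."""
    name: str
    version: Optional[str] = None  # None models "By Package Name Only"

    def matches(self, rpm: Rpm) -> bool:
        if rpm.name != self.name:
            return False
        # A name-only selector covers every version of the package.
        return self.version is None or self.version == rpm.version


def patches_to_analyze(catalog: List[Rpm], include: List[Selector],
                       exclude: List[Selector]) -> List[Rpm]:
    """Include list minus exclude list; exclude always wins."""
    if include:
        candidates = [r for r in catalog if any(s.matches(r) for s in include)]
    else:
        # No include list: all applicable catalog RPMs are candidates.
        # Assumption: an exclude list, if given, still applies to them.
        candidates = list(catalog)
    return [r for r in candidates if not any(s.matches(r) for s in exclude)]


# Constructed sample catalog (package versions are illustrative only).
CATALOG = [
    Rpm("openssl", "1.0.1e-48.el6"),
    Rpm("openssl", "1.0.1e-57.el6"),
    Rpm("bash", "4.1.2-48.el6"),
    Rpm("kernel", "2.6.32-696.el6"),
]


def demo() -> List[Rpm]:
    # One openssl version is included by complete package name, but the
    # name-only exclude removes all openssl versions from the analysis.
    include = [Selector("openssl", "1.0.1e-57.el6"), Selector("bash")]
    exclude = [Selector("openssl")]
    return patches_to_analyze(CATALOG, include, exclude)


if __name__ == "__main__":
    for rpm in demo():
        print(rpm.name, rpm.version)
```

A name-only exclude that stays in a recurring job keeps every version of that package out of the analysis, so the results for it show nothing missing; review exclude lists whenever the job's include list or smart group changes.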
On the Remediation Options panel, you define what to do when a target is not compliant with the patches you are analyzing. TrueSight Server Automation can automatically create the BLPackages and Deploy Job needed to correct any patching deficiencies that the job discovers.
On the Targets panel, select the servers that are the targets of this Linux Patching Job.
On the Default Notifications panel, configure the default notification settings. The defaults are used for all runs of this job unless you override them with notification settings for a scheduled job.
This example sends an email to the patch administrator for any targets that have failed analysis, and appends detailed patch analysis results to the email.
On the Schedules panel, you can set up an execution schedule for the job and you can choose to execute it immediately.
For this example we run the job immediately and also schedule it to run on the first Tuesday of every month afterwards.
Once the job starts to execute, the Tasks in Progress pane (typically at lower right) shows the tasks running at this moment. In a typical TrueSight Server Automation production environment you will see many jobs running at the same time performing many different tasks.
To show the Tasks in Progress pane in full screen mode, double-click the Tasks in Progress tab. This gives you more room to expand the columns in the pane. To return the view to its original size, double-click the tab again.
Wait for the job to finish and click Refresh if needed.
To view the results of the patching job:
Identify servers with missing patches.
The right panel shows a summary of the job results, including the numbers of missing RPMs and Errata for each server.
Identify the missing patches.
Optionally, you may want to examine the properties of an RPM or Errata before applying it to your servers.
Wrapping it up
We have seen how TrueSight Server Automation lets you analyze patches for the Linux operating system. The next step is to deliver the appropriate fixes to the operating systems.
Where to go from here
See Walkthrough: Basic patch remediation for a description of how to package and deploy patches to servers requiring remediation. The walkthrough describes a process for Windows, but the process is the same for Linux.