Walkthrough: Basic Red Hat Linux patch analysis

This topic walks you through the process of using BMC BladeLogic Server Automation (BSA) to analyze the Red Hat Linux systems in your environment to see if there are systems that require patches and updates.

This topic includes the following sections:

The video at right demonstrates the process of patch analysis for Linux Red Hat systems.

https://youtu.be/o794kmapurw

Introduction to patch management

This topic is intended for system administrators. The goal of this topic is to demonstrate how to perform basic patch analysis for Linux systems using BSA. In the example shown here, we are analyzing for missing or outdated RPMs and Errata.

Patch management refers to the acquisition, testing, and installation of patches to ensure that servers are always in compliance with organizational policies.

Due to the number of servers being managed, multiplied by the vast amount of patches released by the software and OS vendors, patch management has become one of the most time consuming tasks for many IT organizations. BSA automates the process of building and maintaining a patch repository, analyzing target servers, and, if necessary, packaging and deploying patches. At the end of the process, reports are available to show compliance.

Patch management in BSA consists of two primary tasks:

Patch analysis—The process of figuring out which systems need which patches.
Patch remediation—Delivering the necessary fixes to those systems. Remediation is described in a separate walkthrough.

BSA supports analysis, download, and deployment of patches for all of the major operating systems. See "Patch management support" under Supported-platforms-for-version-8-7.

What does this walkthrough show?

This walkthrough shows how to use a Patch Analysis Job to identify missing critical patches on Red Hat Enterprise Linux 6 servers. The Patch Analysis Job created in the walkthrough:

Is based on an existing patch catalog
Uses Update mode (to identify missing or outdated patches)
Uses a single include list based on the patch smart group set up in the walkthrough for creating a Red Hat patch catalog.
Does not create "remediation artifacts," which are created in a later walkthrough
Sets up notifications for the administrator in charge of Windows patching
Runs on a recurring schedule to obtain the latest patches

The walkthrough also shows how to view Patch Analysis results for Red Hat Enterprise Linux 6 systems and to determine which critical patches need to be applied.

What do I need to do before I get started?

For this walkthrough, you need various authorizations. You can log in and perform these tasks as BLAdmin, the BSA superuser, but BMC recommends a more restrictive approach to granting authorizations. Ideally, you should set up a role that is granted only the authorizations needed for patch management. To learn how to restrict access, see Walkthrough-Restricting-permissions-for-a-patching-administrator.
You must have already created a patch catalog (described in a Walkthrough: Setting up and managing a patch catalog for Linux).

How to do patch analysis on Red Hat Linux systems

	Step	Example screen
1	Create the Patching Job. In the BSA console, under Jobs, navigate to an existing folder or create a new folder for your Linux Patching Job. Right-click the folder and select New > Patching Jobs > Red Hat Linux Patching Job.
2	Define the general settings on the New Linux Patching Job General panel. In the Name field, provide a name for this job. Verify that the value in the Save in field is where you want to store this job. You can browse to another location if necessary. In the Specify a Catalog field, browse to a patch catalog in the Depot folder. An updated catalog must already exist. (See Walkthrough: Setting up and managing a patch catalog for Linux.) Click Next.
3	On the Analysis Options panel, specify whether the job should run in Install mode or Update mode. Install mode is used to install new RPMs on systems as well as any required dependencies. Update mode checks for outdated RPMs based on what is in the catalog. Use Update mode for Linux patching and Install made when installing new RPMs. On this panel you can also specify the include and exclude lists that form the basis of your patch analysis. Patch Analysis Jobs analyze patches by collecting an "include" list and then removing any patches from an "exclude" list. The contents of patch smart groups can change based on patch characteristics. It is possible for a patch to appear in both the include and the exclude list. If that occurs, the patch is not analyzed. Remember, the include list minus the exclude list yields the patches to be analyzed. If you do not specify an include or exclude list, the analysis uses all RPMs in the catalog that are applicable to the target severs. In this walk through we use a patch smart group that includes a limited set of Errata. Select Analyze only for updates available for installed RPMs on target server (Update Mode). Selecting this option analyzes for for missing or outdated patches. Install Mode is not used for patching and instead is used for installing new RPMs. Determine which patch catalog smart groups you want to include and exclude. Click Add New Include/Exclude. The Include/Exclude Selection dialog box opens. At the bottom of the dialog box, select Include or Exclude. In the list of smart groups at left, select a smart group and move it to the list at right. Note Do not include the default RPMs or Errata patch smart groups. Include or exclude additional smart groups. Click OK. Click Next.
4	On the Remediation Options panel, you define what to do when a target is not compliant with the patches you are analyzing. BSA can automatically create the BLPackages and Deploy Jobs needed to correct any patching deficiencies that the job discovers. Ensure that the Create remediation artifacts field is cleared. In this example, we are only analyzing patches. You can create remediation artifacts later. Click Next.
5	On the Targets panel, select the servers that are the targets of this Linux Patching Job. In the left panel, navigate to a server smart group or to an individual server. Click the > button to move the selection from the left panel to the right panel. Continue to select groups or servers until you have a complete list of servers for the analysis. Click Next.
6	On the Default Notifications panel, configure the default notification settings. The defaults are used for all runs of this job unless you override them with notification settings for a scheduled job. This example sends an email to the patch administrator for any targets that have failed analysis, and appends detailed patch analysis results with the e-mail. Select Send email to. Enter an email address of someone to be notified if this job fails. Check Failed. Select Append patch analysis results to email. Click Next.
7	On the Schedules panel, you can set up an execution schedule for the job and you can choose to execute it immediately. For this example we run the job immediately and also schedule it to run on the first Tuesday of every month afterwards. Select Execute job now to indicate the job should run as soon as you finish the wizard. Click New Schedule and define the a job schedule. Click Monthly. Select First and Tuesday. Enter a time, such as 011:00. Click OK. Click Finish to complete the patching wizard and create and execute your job.
8	Once the job starts to execute, the Tasks in Progress pane (typically at lower right) shows the tasks running at this moment. In a typical BSA production environment you will see many jobs running at the same time performing many different tasks. Tip To show the Tasks in Progress pane in full screen mode, double-click the Tasks in Progress tab. This gives you more room to expand the columns in the pane. To return the view to its original size, double-click the tab again. Wait for the job to finish and click Refresh if needed
	To view the results of the patching job: Right-click the Patching Job in the folder under the Jobs folder. Select Show Results. The job results appear in the pane at right.
9	Identify servers with missing patches. Expand the job run. Expand Server View. Click Successful Targets. The right panel shows a summary of the job results, including the numbers of missing RPMs and Errata for each server.
10	Identify the missing patches. Expand Successful Targets. Click a server. The right panel lists the specific missing RPMs and errata for that server.
11	Optionally, you may want to examine the properties of an RPM or Errata before applying it to your servers. Right-click one of the missing RPMs and select Open Patch to get all information that the OS vendor publishes about the patch. Information for an Errata includes a list of all associated RPMs. Information for an RPM includes its install and the uninstall commands. Select the Extended Properties tab. This tab provides additional information about this RPM. Click Close to close the window.

Wrapping it up

We have seen how BSA lets you analyze patches for the Linux operating system. The next step is to deliver the appropriate fixes to the operating systems.

Where to go from here

See Walkthrough-Basic-patch-remediation for a description of how to package and deploy patches to servers requiring remediation. The walkthrough describes a process for Windows, but the process is the for Linux.

Related BladeLogic ZipKit on BMC Communitites

The following BladeLogic ZipKit provides a pre-configured component template that performs a number of actions to determine patch readiness on Linux systems:

Blade ZipKit - Component Template - Patch Readiness for Linux