Walkthrough: Basic Red Hat Linux patch analysis


This topic walks you through the process of using TrueSight Server Automation to analyze the Red Hat Linux systems in your environment to see if there are systems that require patches and updates. 


Introduction to patch management

This topic is intended for system administrators. The goal of this topic is to demonstrate how to perform basic patch analysis for Linux systems using TrueSight Server Automation. In the example shown here, we are analyzing for missing or outdated RPMs and Errata.

Patch management refers to the acquisition, testing, and installation of patches to ensure that servers are always in compliance with organizational policies.

Due to the number of servers being managed, multiplied by the vast number of patches released by software and OS vendors, patch management has become one of the most time-consuming tasks for many IT organizations. TrueSight Server Automation automates the process of building and maintaining a patch repository, analyzing target servers, and, if necessary, packaging and deploying patches. At the end of the process, reports are available to show compliance.

Patch management in TrueSight Server Automation consists of two primary tasks:

  • Patch analysis—The process of determining which systems need which patches.
  • Patch remediation—Delivering the necessary fixes to those systems. Remediation is described in a separate walkthrough.

TrueSight Server Automation supports analysis, download, and deployment of patches for all of the major operating systems. 


What does this walkthrough show?

This walkthrough shows how to use a Patch Analysis Job to identify missing critical patches on Red Hat Enterprise Linux 6 servers. The Patch Analysis Job created in the walkthrough:

  • Is based on an existing patch catalog
  • Uses Update mode (to identify missing or outdated patches)
  • Uses a single include list based on the patch smart group set up in the walkthrough for creating a Red Hat patch catalog.
  • Does not create "remediation artifacts," which are created in a later walkthrough
  • Sets up notifications for the administrator in charge of Windows patching
  • Runs on a recurring schedule to obtain the latest patches

The walkthrough also shows how to view Patch Analysis results for Red Hat Enterprise Linux 6 systems and to determine which critical patches need to be applied.

What do I need to do before I get started?

How to do patch analysis on Red Hat Linux systems

Step 1

Create the Patching Job.

  1. In the console, under Jobs, navigate to an existing folder or create a new folder for your Linux Patching Job.
  2. Right-click the folder and select New > Patching Jobs > Red Hat Linux Patching Job.

Example screen: LinuxPatchNewJob.gif

Step 2

Define the general settings on the New Linux Patching Job General panel.

  1. In the Name field, provide a name for this job.
  2. Verify that the value in the Save in field is where you want to store this job. You can browse to another location if necessary.
  3. In the Specify a Catalog field, browse to a patch catalog in the Depot folder. An updated catalog must already exist. (See Walkthrough-Setting-up-and-managing-an-online-patch-catalog-for-Linux.)
  4. Click Next.

Example screen: LinuxPatchGeneral.gif

Step 3

On the Analysis Options panel, specify whether the job should run in Install mode or Update mode. Install mode installs new RPMs on systems, along with any required dependencies. Update mode checks for outdated RPMs based on what is in the catalog. Use Update mode for Linux patching and Install mode when installing new RPMs.

On this panel you can also specify the include and exclude lists that form the basis of your patch analysis. Patch Analysis Jobs select patches by collecting an "include" list and then removing any patches that appear on an "exclude" list. Because the contents of patch smart groups change as patch characteristics change, a patch can appear in both the include and the exclude list; if that occurs, the patch is not analyzed. In short, the include list minus the exclude list yields the patches to be analyzed.

If you do not specify an include or exclude list, the analysis uses all RPMs in the catalog that are applicable to the target servers. In this walkthrough we use a patch smart group that includes a limited set of Errata.

  1. Select Analyze only for updates available for installed RPMs on target server (Update Mode).
    Selecting this option analyzes for missing or outdated patches. Install Mode is not used for patching; it is used for installing new RPMs.
  2. Determine which patch catalog smart groups you want to include and exclude.
    1. Click Add New Include/Exclude.
      The Include/Exclude Selection dialog box opens.
    2. At the bottom of the dialog box, select Include or Exclude.
    3. In the list of smart groups at left, select a smart group and move it to the list at right.

      Note

      Do not include the default RPMs or Errata patch smart groups.

    4. Include or exclude additional smart groups.
    5. Click OK.
  3. Click Next.


TrueSight Server Automation can automatically select the appropriate rpm version or versions while including or excluding an rpm package in an RHEL patch analysis job. To enable this version optimization, select the By Package Name Only option while including or excluding patches. Whenever any rpm package is selected with the By Package Name Only option, TrueSight Server Automation automatically performs the following:

  • In case of an include patch operation—includes the latest rpm version of the package from the catalog, even if that version is not manually selected
  • In case of an exclude patch operation—excludes all rpm versions of the package from the catalog, even if all versions are not manually selected

You can still individually specify rpm versions for include or exclude by selecting the By Complete Package Name option. When this option is selected, TrueSight Server Automation does not automatically include or exclude any rpm version that is not manually selected by the user from the catalog. Whenever any rpm package is selected with the By Complete Package Name option, TrueSight Server Automation automatically performs the following:

  • In case of an include patch operation—includes the latest rpm version of the package, from the selected rpm packages
  • In case of an exclude patch operation—excludes all rpm versions of the package, from the selected rpm packages

Important

The exclude operation takes precedence over the include operation. Therefore, if a package is excluded with the By Package Name Only option, all versions of the package are excluded from analysis, even if specific versions are manually included.
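To make the include/exclude rules above concrete, here is a small model (added here, not TrueSight Server Automation code) that computes the analysis set from a constructed catalog; the mode strings, function names and the simplified version ordering are assumptions of the example.

```python
import re

# Constructed sample catalog of (package name, version) pairs standing in for
# the RPM entries of a Red Hat patch catalog; not real TrueSight data.
CATALOG = [
    ("openssl", "1.0.1e-57"),
    ("openssl", "1.0.1e-58"),
    ("kernel", "2.6.32-696"),
    ("kernel", "2.6.32-754"),
    ("bash", "4.1.2-48"),
    ("sudo", "1.8.6p3-29"),
]

def version_key(version):
    # Simplified ordering (assumption): numeric segments compare as integers,
    # anything else as text. Real rpmvercmp has more rules than this.
    return tuple((0, int(s)) if s.isdigit() else (1, s)
                 for s in re.split(r"[.-]", version))

def latest_version(name, entries):
    versions = [v for n, v in entries if n == name]
    return max(versions, key=version_key) if versions else None

def resolve(selection, mode, operation, catalog):
    """Expand one include/exclude selection into concrete catalog entries.
    mode "package_name_only" draws versions from the whole catalog,
    "complete_package_name" only from the selected entries. An include
    keeps the latest version per package; an exclude removes every version."""
    names = {n for n, _ in selection}
    pool = catalog if mode == "package_name_only" else list(selection)
    if operation == "include":
        return {(n, latest_version(n, pool)) for n in names}
    return {(n, v) for n, v in pool if n in names}

def patches_to_analyze(includes, excludes, catalog):
    """Include list minus exclude list. With no include list every catalog
    RPM is a candidate. Exclusion wins: a version that was included
    explicitly is still dropped when an exclude covers it."""
    included = set(catalog)
    if includes:
        included = set()
        for sel, mode in includes:
            included |= resolve(sel, mode, "include", catalog)
    excluded = set()
    for sel, mode in excludes:
        excluded |= resolve(sel, mode, "exclude", catalog)
    return included - excluded
```

Selecting openssl 1.0.1e-57 with By Package Name Only yields 1.0.1e-58 (the latest in the catalog), while By Complete Package Name yields exactly 1.0.1e-57; excluding openssl by package name removes both versions even if one was included explicitly.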



Example screen: NewRedHatPatchingJob.png

Step 4

On the Remediation Options panel, you define what to do when a target is not compliant with the patches you are analyzing. TrueSight Server Automation can automatically create the BLPackages and Deploy Job needed to correct any patching deficiencies that the job discovers.


  1. Ensure that the Create remediation artifacts field is cleared. In this example, we are only analyzing patches. You can create remediation artifacts later.
  2. Click Next.

Example screen: LinuxPatchRemediationOptions.gif

Step 5

On the Targets panel, select the servers that are the targets of this Linux Patching Job.

  1. In the left panel, navigate to a server smart group or to an individual server.
  2. Click the > button to move the selection from the left panel to the right panel.
  3. Continue to select groups or servers until you have a complete list of servers for the analysis.
  4. Click Next.

Example screen: LinuxPatchTargets.gif

Step 6

On the Default Notifications panel, configure the default notification settings. The defaults are used for all runs of this job unless you override them with notification settings for a scheduled job. 

This example sends an email to the patch administrator for any targets that have failed analysis, and appends the detailed patch analysis results to the email.

  1. Select Send email to.
  2. Enter an email address of someone to be notified if this job fails.
  3. Check Failed.
  4. Select Append patch analysis results to email.
  5. Click Next.

Example screen: LinuxPatchDefaultNotifications.gif

Step 7

On the Schedules panel, you can set up an execution schedule for the job and you can choose to execute it immediately.

For this example we run the job immediately and also schedule it to run on the first Tuesday of every month afterwards.

  1. Select Execute job now to indicate that the job should run as soon as you finish the wizard.
  2. Click New Schedule and define a job schedule.
    1. Click Monthly.
    2. Select First and Tuesday.
    3. Enter a time, such as 11:00.
    4. Click OK.
  3. Click Finish to complete the patching wizard and create and execute your job.

Example screen: LinuxPatchSchedule.gif

Step 8

Once the job starts to execute, the Tasks in Progress pane (typically at lower right) shows the tasks running at this moment. In a typical TrueSight Server Automation production environment you will see many jobs running at the same time performing many different tasks.

Tip

To show the Tasks in Progress pane in full screen mode, double-click the Tasks in Progress tab. This gives you more room to expand the columns in the pane. To return the view to its original size, double-click the tab again.

Wait for the job to finish and click Refresh if needed.

Example screen: LinuxPatchTasksInProgress.gif

To view the results of the patching job:

  1. Right-click the Patching Job in the folder under the Jobs folder.
  2. Select Show Results.
    The job results appear in the pane at right. 

Example screen: LinuxPatchShowResults.gif

Step 9

Identify servers with missing patches.

  1. Expand the job run.
  2. Expand Server View.
  3. Click Successful Targets.

The right panel shows a summary of the job results, including the numbers of missing RPMs and Errata for each server. 

Example screen: LinuxPatchMissingRPMs.gif

Step 10

Identify the missing patches.

  1. Expand Successful Targets.
  2. Click a server. The right panel lists the specific missing RPMs and errata for that server. 

Example screen: LinuxPatchMissingRPMsForOneServer.gif

Step 11

Optionally, you may want to examine the properties of an RPM or Errata before applying it to your servers.

  1. Right-click one of the missing RPMs and select Open Patch to see all the information that the OS vendor publishes about the patch. Information for an Errata includes a list of all associated RPMs. Information for an RPM includes its install and uninstall commands.
  2. Select the Extended Properties tab. This tab provides additional information about this RPM.
  3. Click Close to close the window.

Example screen: LinuxPatchRPMDetails.gif

Wrapping it up

We have seen how TrueSight Server Automation lets you analyze patches for the Linux operating system. The next step is to deliver the appropriate fixes to the operating systems.

Where to go from here

See Walkthrough-Basic-patch-remediation for a description of how to package and deploy patches to servers requiring remediation. The walkthrough describes a process for Windows, but the process is the same for Linux.
