This topic walks you through the process of creating a patch catalog for Microsoft Windows patches.
This topic includes the following sections:
Introduction
The goal of this topic and the corresponding walkthroughs is to demonstrate how system administrators can organize patch information in TrueSight Server Automation by setting up a central location for storing metadata about a type of patch. These locations are known as patch catalogs. By creating patch catalogs customized to your needs, you can more easily select the patches you want to evaluate on servers.
What is a patch catalog?
A patch catalog provides a place to store metadata about patches and the patch payloads themselves. Patch catalogs can be designed for specific needs. For example, a patch catalog can be used for a particular operating system, such as Microsoft Windows 2008 or 2012. With well-designed patch catalogs, it is easier to select the patches that should be used when evaluating the patch configuration of a particular server.
What does this walkthrough show?
This walkthrough shows how to use the TrueSight Server Automation Patch Catalog wizard to create a job that:
- Runs in "online mode" so it will obtain patch metadata from the Shavlik network
- Uses filters to limit the amount of information added to the catalog
- Sets up notifications for the administrator in charge of Windows patching
- Runs on a recurring schedule to obtain the latest patch information
After setting up the patch catalog job, the walkthrough demonstrates how to set up a patch smart group (Windows Bulletins newer than 10 days and Vendor Impact equals Critical). This smart group can be used as an include filter in a Patching Job so that the job checks only whether the patches in the group are missing from the target server(s).
What do I need to do before I get started?
For this walkthrough, you need various authorizations. You can log in and perform these tasks as BLAdmin, the TrueSight Server Automation superuser, but BMC recommends a more restrictive approach to granting authorizations. Ideally, you should set up a role that is granted only the authorizations needed for patch management. For example, the walkthrough instructs you to use PatchingUser, an example role for patch administration. To learn how to restrict access, see Walkthrough-Restricting-permissions-for-a-patching-administrator.
How to set and manage a patch catalog for Windows
- Log on as BLAdmin or preferably as PatchingUser.
  PatchingUser is the user account that was set up in Walkthrough-Restricting-permissions-for-a-patching-administrator.
- Expand the Depot folder and navigate to a subfolder where you want to create a patch catalog.
- Right-click the subfolder and select New > Patch Catalog > Windows Patch Catalog.
  The New Patch Catalog panel opens.
- For Name, enter a name for the patch catalog you are creating. For example, enter Microsoft Windows Server 2012.
- Under Catalog Mode, make sure Source From Vendor (Online Mode) is selected.
  These fields may be completed automatically if your organization has globally configured patch access.
- For Repository Location (NSH Path), enter a location on a Windows platform where patch information can be stored. This location must have ample free space, typically many gigabytes. Enter the location using a Network Shell-style path.
- Click Add Filter and make the following settings on the Add Windows Filter dialog box.
  - Select Product.
  - Click OK. The filter is then added to the new patch catalog.
Optionally, you can schedule a job to execute immediately, schedule a job at a specific time in the future, schedule a job on a recurring basis, and define notifications that are issued when a job runs. Scheduling is not essential because you can also trigger a Catalog Update Job manually. In production environments, however, BMC recommends that you schedule the job to ensure that a catalog always has the most recent patches. In this example, we set up the job to run immediately and also to run on the first Tuesday of every month afterwards.
- Click Job Options.
- Click Schedules.
- Select Execute job now to indicate that the job should run as soon as you save the window.
- Click New Schedule and define a job schedule. In this example, we want it to update on Tuesday mornings. You may want to use a different time or day, or even update less often.
  - Click Monthly.
  - Select First and Tuesday.
  - Enter a time, such as 08:00.
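To see what the schedule chosen above actually means for catalog freshness, here is a small model of a "Monthly, First, Tuesday, 08:00" schedule. This is an added example and not TrueSight Server Automation code; it assumes only that the schedule fires on the first Tuesday of each calendar month at the configured time. The function names, the ISO-string convenience wrappers and the sample timestamps are constructed for this example. The last function counts scheduled runs that have passed since the most recent successful update, which is the condition the notification steps further down exist to catch.

```python
"""Model of the walkthrough's 'Monthly, First, Tuesday, 08:00' schedule.

Added example, not TrueSight Server Automation code. Function names and the
sample timestamps are constructed; the only assumption is that the schedule
fires on the first Tuesday of every calendar month at hh:mm.
"""
from datetime import date, datetime, timedelta

TUESDAY = 1  # datetime.weekday(): Monday is 0, Tuesday is 1


def _as_dt(value) -> datetime:
    """Accept a datetime or an ISO-8601 string (constructed convenience)."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def first_weekday_of_month(year: int, month: int, weekday: int) -> date:
    """Date of the first given weekday (0=Mon .. 6=Sun) in a month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset)


def next_scheduled_run(after, hour: int = 8, minute: int = 0,
                       weekday: int = TUESDAY) -> datetime:
    """Next run of 'Monthly, First, <weekday>, hh:mm' strictly after `after`."""
    after = _as_dt(after)
    year, month = after.year, after.month
    for _ in range(14):  # the next match is never more than 13 months away
        day = first_weekday_of_month(year, month, weekday)
        run = datetime(day.year, day.month, day.day, hour, minute)
        if run > after:
            return run
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    raise AssertionError("unreachable: a match exists within 13 months")


def scheduled_runs_between(start, end) -> list:
    """All scheduled runs r with start < r <= end."""
    start, end = _as_dt(start), _as_dt(end)
    runs = []
    nxt = next_scheduled_run(start)
    while nxt <= end:
        runs.append(nxt)
        nxt = next_scheduled_run(nxt)
    return runs


def missed_runs(last_success, now) -> int:
    """Number of scheduled runs since the last successful catalog update.

    Anything above zero means the catalog is older than the schedule intends,
    which is exactly what the Failed notification in the walkthrough reports."""
    return len(scheduled_runs_between(last_success, now))


if __name__ == "__main__":
    # Constructed sample timestamps.
    last_ok = datetime(2024, 3, 5, 8, 0)
    now = datetime(2024, 6, 1, 9, 0)
    print("next run after last success:", next_scheduled_run(last_ok))
    print("scheduled runs missed since then:", missed_runs(last_ok, now))
```

Run it as a script to print the next due run and the number of missed runs for the constructed sample; feed `missed_runs` the timestamp of the last green Results entry and the current time to turn the same check into a freshness alert for your own catalog.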
Updating the patch catalog is an important task, so if there is a problem, someone will want to know about it. For email notifications to be sent, a mail server must be configured for the Application Server. This step is only required if you want to receive a notification email when this job runs.
- Click Scheduled Job Notifications.
- Select Send email to.
- Enter the email address of someone to be notified if this job fails. Separate multiple email addresses with semicolons, for example sysadmin@bmc.com;sysmgr@bmc.com.
- Check one or more statuses that will generate an email, for example, Failed.
- Select Send SNMP trap to. When a job completes, an SNMP trap is sent to the specified server, where it can be read by software that receives and interprets SNMP traps.
- Enter a server name or IP address.
- Check one or more statuses, for example, Failed.
- Click OK.
Optionally, you can define default notifications that are generated when a job completes. If you have set up notifications for a particular scheduled job, those notifications are generated instead of the default notifications.
- Click Job Run Notifications.
- Select Send email to.
- Enter the email address of someone to be notified if this job fails. Separate multiple email addresses with semicolons, for example sysadmin@bmc.com;sysmgr@bmc.com.
- Check one or more statuses that will generate an email, for example, Failed.
- Select Send SNMP trap to. When a job completes, an SNMP trap is sent to the specified server, where it can be read by software that receives and interprets SNMP traps.
- Enter a server name or IP address.
- Check one or more statuses, for example, Failed.
- Click Depot Object Options.
- Make sure that Network URL Type for Payload Deployment is set to Copy To Agent At Staging.
  This setting means TrueSight Server Automation copies patch payloads from the patch repository to a staging directory on the target server when you deploy patches.
- For Network URL for Payload Deployment, enter a location on a Linux platform where the payload deployment information can be stored. This location must have ample free space, typically many gigabytes. Enter the location using a Network Shell-style path.
- For RBAC Policy, browse to and select a predefined ACL Policy. Permissions defined by the ACL Policy are assigned to all Depot objects created in the catalog.
- For Max Depot Object Work Items to process in parallel, set the maximum number of work items that can be performed in parallel. The default is 15.
You can specify a list of properties that are automatically assigned to a job. In this list, you can modify the value of any property that is defined as editable.
- Click Job Properties.
- Select a property and click to edit its value.
You can add individual permissions to a job. You can also set permissions by adding ACL templates or ACL policies. ACLs control access to all objects, including the sharing of objects between roles.
- Click Permissions.
- Under Access Control List, add a new authorized role or delete a role as needed.
- Under ACL Policies, add a new group policy or replace the ACL with selected policies as needed.
- Click OK to save your changes and close the window.
Click Finish. The Patch Catalog Job starts running. You can watch its progress on the Tasks in Progress pane.
- When the job completes, expand the Depot folder and navigate to the location where you created the patch catalog. You selected this location in the first step.
- Right-click the catalog and select Open.
  The pane at right shows the definition of the patch catalog job.
- Click the Results tab.
  A green check indicates the job ran successfully.
Create a patch smart group for security patches.
- Right-click the patch catalog you just created and select New > Patch Catalog Smart Group.
  A wizard for creating smart groups opens.
- For Name, enter a name for the patch catalog smart group, such as Production Patch Policy.
- In the list of conditions, take the following steps:
  - In the first column, select Windows Bulletin.
  - In the second column, select Date Posted.
  - In the third column, select Newer than days.
  - In the fourth column, set the number of days to 10.
  Taken together, the row should read "Any Windows Bulletin where DATE_POSTED is newer than days 10."
  - In the fifth column, select AND.
- Click Apply Changes.
- Click Add New Condition. Double-click the row representing the new condition and enter the following information:
  - In the first column, select Windows Bulletin.
  - In the second column, select Vendor Impact.
  - In the third column, select equals.
  - In the fourth column, select Critical.
  Taken together, the row should read "Any Windows Bulletin where VENDOR_IMPACT equals Critical."
- Click Finish.
  A new smart group collects all patches that are newer than 10 days and critical.
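The two conditions above, applied outside the wizard so their combined effect and the boundary of the date filter can be checked against known data. This is an added example, not TrueSight Server Automation code: the WindowsBulletin record, the function names and every sample bulletin are constructed, and the reading of "newer than days 10" as "posted fewer than 10 whole days ago" is an assumption made here, not something the product documentation states. The `explain_exclusion` helper goes a little beyond the walkthrough by reporting which condition dropped a bulletin, which is the question an administrator usually gets when a patch is missing from the group.

```python
"""Apply the Production Patch Policy smart-group conditions to bulletin data.

Added example, not TrueSight Server Automation code. The record type,
function names and sample bulletins are constructed. Assumption: 'newer than
days N' means posted fewer than N whole days before the evaluation date.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class WindowsBulletin:
    bulletin_id: str     # constructed identifier, not a real Microsoft bulletin
    date_posted: date    # DATE_POSTED in the smart-group editor
    vendor_impact: str   # VENDOR_IMPACT, e.g. Critical, Important, Moderate, Low


def newer_than_days(posted: date, days: int, today: date) -> bool:
    """'DATE_POSTED newer than days N': posted fewer than N days before today.

    A bulletin posted exactly N days ago is not newer than N days (assumption)."""
    return (today - posted).days < days


def vendor_impact_equals(bulletin: WindowsBulletin, impact: str) -> bool:
    """'VENDOR_IMPACT equals <impact>'. The editor offers fixed values, so the
    case-insensitive compare only matters for data imported from elsewhere."""
    return bulletin.vendor_impact.casefold() == impact.casefold()


def matches_production_patch_policy(bulletin, today, max_age_days=10,
                                    impact="Critical") -> bool:
    """Both conditions joined with AND, as in the walkthrough."""
    return (newer_than_days(bulletin.date_posted, max_age_days, today)
            and vendor_impact_equals(bulletin, impact))


def select_policy_patches(bulletins, today, max_age_days=10,
                          impact="Critical") -> list:
    """Bulletin IDs the smart group would contain when evaluated on `today`."""
    return [b.bulletin_id for b in bulletins
            if matches_production_patch_policy(b, today, max_age_days, impact)]


def explain_exclusion(bulletin, today, max_age_days=10, impact="Critical") -> list:
    """Which condition(s) drop a bulletin; an empty list means it is included."""
    reasons = []
    age = (today - bulletin.date_posted).days
    if not newer_than_days(bulletin.date_posted, max_age_days, today):
        reasons.append(f"DATE_POSTED is {age} days old, not newer than {max_age_days} days")
    if not vendor_impact_equals(bulletin, impact):
        reasons.append(f"VENDOR_IMPACT is {bulletin.vendor_impact!r}, not {impact!r}")
    return reasons


# Constructed sample data: the evaluation date and a handful of bulletins.
SAMPLE_TODAY = date(2024, 3, 15)
SAMPLE_BULLETINS = [
    WindowsBulletin("EXAMPLE-001", date(2024, 3, 12), "Critical"),   # 3 days old, Critical
    WindowsBulletin("EXAMPLE-002", date(2024, 3, 12), "Important"),  # recent, wrong impact
    WindowsBulletin("EXAMPLE-003", date(2024, 2, 20), "Critical"),   # 24 days old
    WindowsBulletin("EXAMPLE-004", date(2024, 3, 5), "Critical"),    # exactly 10 days old
    WindowsBulletin("EXAMPLE-005", date(2024, 3, 6), "critical"),    # 9 days old, lower case
]


def sample_selection() -> list:
    """Run the policy over the constructed sample on the constructed date."""
    return select_policy_patches(SAMPLE_BULLETINS, SAMPLE_TODAY)


if __name__ == "__main__":
    print("in group:", sample_selection())
    for b in SAMPLE_BULLETINS:
        for reason in explain_exclusion(b, SAMPLE_TODAY):
            print(f"{b.bulletin_id}: {reason}")
```

Change `max_age_days` or `impact` to see how widening either condition grows the group; because the evaluation date is a parameter, the same code shows that a group built on a 10-day window empties out if the catalog update job stops running.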
Wrapping it up
Congratulations. You have set up a job that creates a patch catalog for Microsoft Windows 2008. The catalog is created in the Depot. The job will run weekly and obtain the latest patch information from Shavlik. You have also learned how to create a patch catalog smart group so you can easily group all patches that are less than 10 days old and have a vendor impact of critical.
Where to go from here
Now that you have a serviceable patch catalog, it is time to use it to measure your Windows servers for patch compliance. See Walkthrough-Basic-Microsoft-Windows-patch-analysis.