Patch management overview and workflow

This topic provides an overview of patch management in TrueSight Server Automation, and introduces the set of tasks required to prepare for, set up, and execute patch management jobs.

Patch management overview

Patch management refers to the acquisition, testing, and installation of patches.

The patch administrator analyzes individual servers to determine which patches must be acquired and installed to comply with organizational standards. TrueSight Server Automation automates the process of building and maintaining a patch repository, analyzing target servers, and, if necessary, packaging and deploying patches. At the end of the process, TrueSight Smart Reporting for Server Automation reports are available to show compliance.

Notes

BMC recommends that you set up a small test group of servers and run the patch process on the group. Then, expand the process to all servers in the organization.

Supported platforms for patch management

The patch management feature in TrueSight Server Automation supports the following operating systems:

For detailed information about supported operating systems and versions, see the BMC Product Compatibility Utility.

Note

Supported platforms for storing the patch repositories of patch catalogs

Patch catalog

Supported platforms for storing patch repositories

Windows

Windows or Unix

AIX

Any AIX server

Notes:

  • If you are downloading patches using the SUMA option, ensure that you have the SUMA utility installed on your repository server.
  • We recommend using the latest SUMA download option instead of the Fixget download option.
  • Before you use the SUMA download option, ensure that the repository server is running an AIX system.

Red Hat Enterprise Linux (RHEL) using the CDN interface

Red Hat Enterprise Linux 61, 7, 8 or 9

SuSE Linux 15

To patch SuSE 15 targets, you can use any of the following patch repositories:

  • SuSE 111 or 12 system configured with Subscription Management Tool (SMT).
  • SuSE 15 system configured with Repository Mirroring Tool (RMT).

SuSE Linux 12

SuSE Linux with SMT installed.

Note:To patch SuSE 12 targets, ensure that the SuSE patch repository server is configured with SMT.

The following table lists the versions that are installed with SMT out-of-the-box, as well as the versions on which SMT must be manually installed.

Repository server version

SMT installation

SuSE 11 SP31
SuSE 11 SP41

SuSE 12

Note: SuSE recommends upgrading SuSE 12 to SuSE 12 SP1 to avoid dependency issues.

Not configured with SMT out of the box. You must manually install and configure SMT (version 11 SP3) on the repository server before you create a SuSE patch catalog.

SuSE 12 SP1 or later service pack of SuSE 12 (recommended)

SMT is shipped out-of-the-box with the operating system.

Warning: BMC strongly recommends using Zypper when creating a patching job for a patch catalog that was created using the Subscription Management Tool (SMT). For more information, see Zypper patching tool.

SuSE Linux 111

SuSE Linux 12 and 15

SuSE Linux with createrepo and python-urlgrabber installed.

Oracle Enterprise Linux (Public repository)

Any supported RPM-based Linux with createrepo and python-urlgrabber installed

Oracle Enterprise Linux (OL ULN repository)

For Oracle Enterprise Linux 7.x, use a patch repository created on the system that runs Oracle Enterprise Linux 7.x. Similarly, for Oracle Enterprise Linux 8.x, use the patch repository created on the system that runs Oracle Enterprise Linux 8.x.

Solaris

Windows or Unix

Note: If you are using Solaris 11 patches, you can only use a Solaris 11 server for storing the patch repository.

Ubuntu

Windows or Unix

Debian

Windows or Unix

Amazon Linux

For Amazon Linux 2, use a patch repository created on the system that runs Amazon Linux 2.

Rocky Linux

For Rocky Linux, use a patch repository created on the system that runs Rocky Linux.

Cent OS

For CentOS 7, use a patch repository created on the system that runs CentOS 7. Similarly, for CentOS 8, use the patch repository created on the system that runs CentOS 8. Ensure that createrepo and python-urlgrabber are installed on the CentOS system.

Fujitsu Solaris

Windows or Linux

HP-UX

An HP-UX patch repository must reside either directly on the HP-UX (SWA) Server or in a directory that the SWA Server considers to be a local share.

Note that if you are using an offline downloader, you can run the offline downloader on any Windows or Linux machine, but the HP-UX patch repository must still reside on the HP-UX (SWA) Server.

1Support for this platform is deprecated. For the complete list of deprecated platforms, see Deprecated-and-discontinued-features.

Note

Repository servers for any operating system that are remote from the Application Server (for example, across a wan or slow network) are not supported.


Offline and online modes

TrueSight Server Automation includes two patch management modes:

  • Online mode — Patches are downloaded directly from the appropriate product site.
  • Offline mode — Patches are pre-downloaded to a local repository and patches are applied from the repository.

Use Offline mode if you work in an air-gapped environment, where the TrueSight Server Automation Application Server does not have external Internet access. In Offline mode, you use the BMC offline Patch Downloader utility to download metadata and payload information to a server with Internet access. After downloading, you can transfer the metadata and payload information (using removable storage) to the patch repository within the air-gapped environment.

The Patch Downloader utilities run scripts that use XML configuration files (samples are provided) containing required information such as the repository location, as well as filters used during downloading from the vendor website.

Patch management workflow

Patch management consists of the following tasks:

  1. Preparatory tasks
    1. Defining role-based permissions
    2. Configuring Global Configuration parameters

  2. (Offline mode only) Building an offline patch repository
    1. Downloading patch downloader utilities from BMC
    2. Preparing XML configuration files for downloading patch content
    3. Downloading patches to the offline patch repository
  3. Patching tasks
    1. Creating and updating a patch catalog
    2. Creating and running a Patching Job and a Remediation Job

These tasks are described in more detail in the following table:

Task

Description

Preparatory tasks


Defining role-based permissions

To create or update a catalog, you must be assigned a role that includes the necessary permissions. To facilitate division of responsibilities, you can assign permissions to one role or divide them between several roles.

For a list of the required permissions, see Minimum-permissions-for-patching.

For details about assigning roles and permissions, see Managing Authorizations.

For a list of the required permissions for creating Patching Jobs and for deploying patches, see Minimum-permissions-for-patching.

Configuring Global Configuration parameters

Global Configuration parameters provide basic information used during patch catalog creation and updating, as well as for Patch and Remediation Jobs. The following parameter groups are available:

  • All Operating Systems — Configuration parameter options for a proxy server.
  • Platform-specific groups for each platform (such as Windows and Solaris) — Parameters that apply only to that specific platform type
  • Shavlik URL Configuration — Configuration for connecting to Shavlik Technologies to download patch-related metadata for patching Windows software.

    For details about the global configuration parameters, see Global-Configuration-parameter-list.

Building an offline patch repository


(Offline mode only)


Obtaining the Patch Downloader utilities from BMC

From the BMC EPD site, download the appropriate utilities for building your offline repository. The utilities are platform-specific. You must know which platform you plan to use to download your patches.

For details, see Downloading-and-extracting-Offline-Patch-Downloader-utilities.

Preparing XML configuration files for downloading patch content

Use the utilities that you downloaded from the BMC EPD site to prepare the XML configuration files for downloading the patch content.

For details, in Setting-up-the-Offline-Patch-Downloader-utility.

Downloading patches to the offline patch repository

To download the patch content, use the utilities that you downloaded from the BMC EPD site and the XML configuration files that you prepared.

For details, see the appropriate section for the platform type that you want to patch in Setting-up-the-Offline-Patch-Downloader-utility.

Patching

Creating and updating a patch catalog

For both types of repositories, online and offline, you create a patch catalog using the TrueSight Server Automation Console. Patches are added to the catalog as depot objects according to filters that you define for the catalog.

To ensure that you are working with valid patch content, you must run a Catalog Update Job before you run a Patch Job.

For details, see Creating-a-patch-catalog.

Creating and running a Patching and Remediation Job

A Patching Job has two parts:

  • Analysis — Analyzes the configuration of target servers and determines the required patches.
  • Remediation —
    1. Downloads the payload from the vendor sites to the Patch Repository
    2. Packages the payload as a BLPackage
  • Creates a Deploy Job to apply the patches 

    You can choose to run only the Analysis part of a Patching Job, and then run Remediation later, or you can run Remediation immediately after the Analysis. 

    For details about Patching Jobs, see Creating-a-Patching-Job. For details about running Remediation Jobs separately, see Remediating-servers.

Additional Information on installed patches, configuration data, and more

The following methods can be used to obtain additional information:

  • Live browse — Use live browse to look at installed patches on the server, one server at a time. For more information about live browse, see Server-browse-options.

    Note

    Live browse on a server does not list non-security patches.

  • Snapshot Jobs — Snapshots can record the configuration of patches on a target server at a specific point in time. To take a snapshot, you must run a Snapshot Job. For more information, see Creating-and-modifying-Snapshot-Jobs.
  • Reports — For information about patch management reports, see the online technical documentation for TrueSight Smart Reporting for Server Automation.

Where to go from here

See Preparatory-tasks-for-patch-management to set up the patch management environment prior to building an offline patch repository (if you are using offline mode) or creating a patching catalog.

Related videos

The following video demonstrates how to perform Red Hat patching (starting with the creation of a patch catalog, and then execution of a Patching Job and a Remediation Job):

 https://www.youtube.com/watch?v=Q2etiiyJz2c&feature=youtu.be

The following video demonstrates how to perform Windows patching and includes a discussion of the business advantages of automating the patching process with TrueSight Server Automation.

 https://www.youtube.com/watch?v=TIkx2VcpVBw&feature=youtu.be 

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*