Symantec Patch Management Solution For Linux 8.5


Symantec Patch Management Solution for Linux 8.5 powered by Altiris technology User Guide

Documentation version: 8.5

Legal Notice

Copyright 2019 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, the Checkmark Logo and Altiris are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
https://www.symantec.com

Symantec Support

All support services will be delivered in accordance with your support agreement and the then-current Enterprise Technical Support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/business/support/

Contents

Symantec Support

Chapter 1 Introducing Patch Management Solution for Linux
  About Patch Management Solution for Linux
  Where to get more information

Chapter 2 Implementing Patch Management Solution for Linux
  Implementing Patch Management Solution for Linux
  Installing the software update plug-in
  Configuring Linux remediation settings
  Downloading the software updates catalog
  Distributing Software Updates
  Running Compliance and Vulnerability Reports
  About downloading and distributing software updates
  Downloading and distributing software updates
  Viewing the software update delivery report

Chapter 3 Performing Advanced Configuration
  Upgrading the software update plug-in
  Uninstalling the software update plug-in
  Configuring software updates download location
  Creating and assigning custom severity levels
  Configuring software updates installation settings
  Configuring the system assessment scan interval
  Relocating or checking the integrity of software update packages
  Staging software bulletins

Chapter 4 Replicating Patch Management Solution for Linux data in hierarchy
  About replicating Patch Management Solution for Linux data in hierarchy

Appendix A Technical reference
  About hierarchy and data replication direction
  About Patch Management Solution security roles

Index

Patch Management Solution Glossary

Chapter 1 Introducing Patch Management Solution for Linux

This chapter includes the following topics:
- About Patch Management Solution for Linux
- Where to get more information

About Patch Management Solution for Linux

Patch Management Solution for Linux ensures that your Red Hat Linux and SUSE Linux computers have the most up-to-date patches applied and are protected against security threats. Starting from 8.1 RU1, Patch Management Solution for Linux is also supported on CentOS computers.

The solution lets you inventory the managed Linux computers for security vulnerabilities and then reports on the findings. It provides you with the tools that let you download and distribute the needed software updates. Patch Management Solution for Linux lets you set up an automatic update schedule to ensure that managed computers are up-to-date and protected on an on-going basis.

Note: Starting from 8.1, Patch Management Solution for Linux requires Perl version 5.6 or later to be installed on your Red Hat Linux, SUSE Linux, and CentOS Linux computers. The PATH environment variable must have the correct reference to the Perl location.

See “Implementing Patch Management Solution for Linux” on page 10.
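The Perl prerequisite in the note above can be verified on a managed computer before the software update plug-in is rolled out. The following shell check is an added example, not part of the Symantec guide; the function names and the script name are hypothetical, and it assumes that it runs in the same environment (and with the same PATH) as the management agent.

```shell
#!/bin/sh
# Added example, not from the Symantec guide. Function names are hypothetical.
# Assumption: run in the same environment (same PATH) as the management agent.

# perl_numeric_ok VALUE
#   VALUE is Perl's numeric version variable $], for example 5.016003 for
#   Perl 5.16.3 or 5.00503 for the older 5.005_03.
#   Returns 0 if VALUE is 5.6 or later, 1 if older, 2 if unparseable.
perl_numeric_ok() {
    case "$1" in
        *.*) ;;
        *) return 2 ;;
    esac
    major=${1%%.*}
    frac=${1#*.}
    [ -n "$major" ] && [ -n "$frac" ] || return 2
    case "$major$frac" in
        *[!0-9]*) return 2 ;;
    esac
    # The first three fractional digits of $] hold the minor version.
    minor=$(printf '%.3s' "$frac")
    while [ "${#minor}" -lt 3 ]; do minor="${minor}0"; done
    while [ "${minor#0}" != "$minor" ]; do minor=${minor#0}; done
    minor=${minor:-0}
    [ "$major" -gt 5 ] && return 0
    [ "$major" -eq 5 ] && [ "$minor" -ge 6 ] && return 0
    return 1
}

# check_perl_prereq
#   Resolves perl through the current PATH and reports what was found.
#   Returns 0 if usable, 1 if too old, 2 if the version could not be
#   read, 3 if perl is not on PATH.
check_perl_prereq() {
    perl_bin=$(command -v perl) || {
        echo "FAIL: perl not found on PATH ($PATH)" >&2
        return 3
    }
    value=$("$perl_bin" -e 'print $]' 2>/dev/null) || return 2
    rc=0
    perl_numeric_ok "$value" || rc=$?
    case $rc in
        0) echo "OK: $perl_bin reports $value (5.6 or later)" ;;
        1) echo "FAIL: $perl_bin reports $value (older than 5.6)" >&2 ;;
        *) echo "FAIL: cannot parse version '$value' from $perl_bin" >&2 ;;
    esac
    return $rc
}

# Run the check only when asked, e.g.: sh check_perl.sh --check
if [ "${1:-}" = "--check" ]; then
    check_perl_prereq
fi
```

The printed path shows which Perl binary the PATH actually resolves to, which matters on computers that carry more than one Perl installation.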

Where to get more information

Use the following documentation resources to learn about and use this product.

Table 1-1 Documentation resources

Release Notes
  Description: Information about new features and important issues.
  Location: The Supported Products A-Z page, which is available at the following … Open your product's support page, and then under Common Topics, click Release Notes.

User Guide
  Description: Information about how to use this product, including detailed technical information and instructions for performing common tasks.
  Location:
  - The Documentation Library, which is available in the Symantec Management Console on the Help menu.
  - The Supported Products A-Z page, which is available at the following … Open your product's support page, and then under Common Topics, click Documentation.

Help
  Description: Information about how to use this product, including detailed technical information and instructions for performing common tasks. Help is available at the solution level and at the suite level. This information is available in HTML help format.
  Location: The Documentation Library, which is available in the Symantec Management Console on the Help menu. Context-sensitive help is available for most screens in the Symantec Management Console. You can open context-sensitive help in the following ways:
  - Click the page and then press the F1 key.
  - Use the Context command, which is available in the Symantec Management Console on the Help menu.

In addition to the product documentation, you can use the following resources to learn about Symantec products.

Table 1-2 Symantec product information resources

SymWISE Support Knowledgebase
  Description: Articles, incidents, and issues about Symantec products.
  Location: Knowledge Base

Cloud Unified Help System
  Description: All available IT Management Suite and solution guides are accessible from this Symantec Unified Help System that is launched on cloud.
  Location: Unified Help System

Symantec Connect
  Description: An online resource that contains forums, articles, blogs, downloads, events, videos, groups, and ideas for users of Symantec products.
  Location: The links to various groups on Connect are as follows:
  - Deployment and Imaging
  - Discovery and Inventory
  - ITMS Administrator
  - Mac Management
  - Monitor Solution and Server Health
  - Patch Management
  - Reporting
  - ServiceDesk and Workflow
  - Software Management
  - Server Management
  - Workspace Virtualization and Streaming

Chapter 2 Implementing Patch Management Solution for Linux

This chapter includes the following topics:
- Implementing Patch Management Solution for Linux
- Distributing Software Updates

Implementing Patch Management Solution for Linux

Patch Management Solution for Linux requires some components to be configured or enabled before others to function correctly. The recommended workflow is as follows:

See “About Patch Management Solution for Linux” on page 7.

Table 2-1 Process for implementing Patch Management Solution for Linux

Step 1
  Action: Install or upgrade the solution.
  Description: Use Symantec Installation Manager to install the solution.

Step 2
  Action: Install or upgrade the Symantec Management Agent.
  Description: Install or upgrade the Symantec Management Agent for UNIX, Linux, and Mac on every computer to which you want to send patches. For more information, see topics about installing or upgrading the Symantec Management Agent in the IT Management Suite Administration Guide.
  See “Where to get more information” on page 8.

Step 3
  Action: Install or upgrade the software update plug-in.
  Description: Install the plug-in that manages all of the Patch Management Solution for Linux functionality on a client computer.
  See “Installing the software update plug-in” on page 12.
  See “Upgrading the software update plug-in” on page 21.

Step 4
  Action: Configure the Patch Management Solution core settings. (Optional)
  Description: Configure the software update files storage location settings.
  See “Configuring software updates download location” on page 22.

Step 5
  Action: Type the credentials.
  Description: Type the SUSE organization credentials (Mirror Credentials) and Red Hat network account credentials. You do not need to type any credentials for CentOS.

Step 6
  Action: Configure the software updates installation settings.
  Description: Configure the time to perform software update installation.
  See “Configuring software updates installation settings” on page 24.

Step 7
  Action: Configure the system assessment scan interval.
  Description: Configure the time to run the system assessment scan, which inventories managed computers for the software updates that they require.
  See “Configuring the system assessment scan interval” on page 24.

Step 8
  Action: Download the Linux software updates metadata.
  Description: Download the software updates for SUSE, Red Hat, and CentOS. Configure the metadata update schedule.
  See “Downloading the software updates catalog” on page 13.

Table 2-2 Process for installing software updates

Step 1
  Action: Review and distribute available software updates.
  Description: Identify which software errata or announcements you need to install, then download updates and create software update policies.
  See “Staging software bulletins” on page 26.
  See “Downloading and distributing software updates” on page 17.

Step 2
  Action: View the results.
  Description: View the results in the Software Update Delivery Summary report and compliance reports.
  See “Viewing the software update delivery report” on page 20.

Installing the software update plug-in

See “Installing the software update plug-in” on page 12.

Note: If you have a large number of computers where you want to install the software update plug-in, consider deploying it during off-peak hours to minimize network traffic. Deploying the software update plug-in can take some time, depending on the number of managed computers and the Symantec Management Agent settings.

To install the software update plug-in

1. In the Symantec Management Console, on the Actions menu, click Agents/Plug-ins > Rollout Agents/Plug-ins.
2. In the left pane, expand Software > Patch Management > Software Update Plug-in Install.
3. (Optional) In the right pane, make any necessary changes.
   For help, press F1 or, on the Help menu, click Context.
4. In the upper right corner of the page, click the colored circle, and then click On.
5. Click Save changes.

The next step is to configure software update package distribution and program settings.

Configuring Linux remediation settings

You can configure the distribution settings for Linux software update, and package distribution and program settings.

See “Implementing Patch Management Solution for Linux” on page 10.

To configure remediation settings

1. In the Symantec Management Console, on the Settings menu, click All Settings.
2. In the left pane, click Software > Patch Management.
3. Do one of the following:
   - Click SUSE Settings > SUSE Patch Remediation Settings.
   - Click Red Hat Settings > Red Hat Patch Remediation Settings.
   - Click CentOS Settings > CentOS Patch Remediation Settings.
4. In the right pane, configure the settings.
5. Click Save changes.

Downloading the software updates catalog

You need to download the SUSE, Red Hat, and CentOS software updates catalog (patch management metadata, or patch management import files) before you can distribute updates.

See “Implementing Patch Management Solution for Linux” on page 10.

You can download the software updates catalog from the following URLs:
- Red Hat: https://cdn.redhat.com
- SUSE: https://scc.suse.com/
- CentOS: …s.org/pipermail/centos-announce/

Starting from 8.1 RU1, CentOS Base and Updates channels are supported.

Note: Only the errata and updates for the latest CentOS release are available for import. After each CentOS release, the Import Patch Data for CentOS task deletes from the patch management metadata all errata and updates for previous releases that are no longer accessible for download, regardless of the setting of the option Delete data for excluded software channels. The software update policies that contain the deleted errata and updates are also deleted.

You can disable the deletion of the errata and updates for previous releases from patch management metadata by creating the following non-default registry key value:
"DWORD: HKEY LOCAL ositoryCleanup" 0

Note: Ensure that the firewall settings and the proxy configuration of the network allow communication with the URLs.

You may want to create a schedule for this task as well. This procedure ensures that you have the latest, most accurate data, and your software update tasks are kept up-to-date. Symantec recommends that you configure the task to run weekly.

Note: If the Altiris Log Viewer is open, close it before you perform this task. By closing the viewer, you can improve the task’s performance by as much as 50 percent.

Before you perform this step, ensure that you have configured the system assessment scan interval.

See “Configuring the system assessment scan interval” on page 24.

To download the software updates catalog immediately

1. In the Symantec Management Console, on the Home menu, click Patch Management.
2. On the Patch Management home page, in the left pane, do one of the following:
   - Expand Red Hat Linux, and then, under Settings, click MetaData Import Task.
     This task downloads the Red Hat errata metadata.
   - Expand SUSE Linux, and then, under Settings, click MetaData Import Task.
     This task downloads the SUSE patches metadata.
   - Expand CentOS Linux, and then, under Settings, click MetaData Import Task.
     This task downloads the CentOS metadata.
3. In the right pane, under Select software channels for import, click Import channels.
4. When the software channels import is complete, check the channels for which you want to download the patch management metadata. Checking the base channels (operating system names) selects all of the child items in the tree for download.
   To import the update, you need to choose a channel according to the name of your OS. For example, to get the updates for Red Hat Enterprise Linux 6 Workstation, select the Red Hat Enterprise Linux 6 Workstation (RPMs) channel.
   For Red Hat, you can expand the tree and check any additional components, such as development tools.
   For SUSE, you can reduce the metadata download time by unchecking unnecessary subchannels. However, Symantec recommends that for each of the Update channels you also check the respective Pool channel. Doing so improves dependency resolving.
5. (Optional) Make any wanted changes.
6. Click Save changes.
7. Under Task Status, click New Schedule.
8. In the New Schedule dialog box, click Now, and then click Schedule.

To configure a schedule for downloading the software updates catalog

1. On the Import Patch Data for SUSE, Import Patch Data for Red Hat, or Import Patch Data for CentOS page, under Task Status, click New Schedule.
2. In the New Schedule dialog box, click Schedule, and then configure a schedule on which to run this task.
   Symantec recommends that you configure the task to run weekly.
3. Click Schedule.

Distributing Software Updates

Running Compliance and Vulnerability Reports

The following pages provide patch management summary information at a glance:
- Red Hat Software Update Compliance Portal page
- SUSE Software Update Compliance Portal page
- CentOS Software Update Compliance Portal page

The pages are comprised of a number of Web Parts displaying results from commonly used reports.

You cannot customize this portal page directly. If you want, you can add patch management Web Parts to other configurable portal pages. For example, the My Portal page.

You can access the portal page by clicking Home > Patch Management, and then, in the left pane, under SUSE,
