4.3 Managing Patches

In the Patches page you can view and take actions on patches that display as a result of the DAU fingerprints that come from devices in the zone. These are manual actions you can do directly from the Patches page, or you can create patch policies in the Patch Policies page that do the patch actions automatically based on the schedules you define in patch policies and patch configuration.

Manual actions in the Patches page include searching for patches, creating new patches from existing bundles, caching patches, and then deploying patches to managed devices. You can also do several house keeping functions to maintain the usefulness of the Patches page, including deleting, disabling, enabling, and even exporting patch entries.

4.3.1 Configure the Patch Display

This section explains features of the Patches page and how to use them.

To configure how many items show in the Patches panel, select a different item count in the drop-down menu at the bottom-right corner of the panel.

To sort patches alphanumerically, click on any column header in the table and it will sort based on that column. Clicking a header a second time reverses the order.

4.3.2 Interpret Page Content

The items in this section explain how to interpret what you see on the Patches page, to include:

  • Patch Name

  • Total Patches Available

  • Patch Impact

  • Patch Statistics

  • Patch Release Date

Patch Name

The Patch Name is the name that identifies a patch. This name typically includes the vendor or manufacturer of the patch, the specific application, and version information.

An example of a patch name is shown as follows. It indicates that Adobe is the vendor, Adobe Flash Player is the application, and 21.0.0.242 is the version information:

Microsoft Patches:

  • All Microsoft security patches are titled with their Microsoft Security Bulletin number in the format MS0x-yyy, where 0x indicates the year the patch was released and yyy indicates the sequential number of the released patch. These patches are critical and must be installed as soon as possible.

  • Names of all Microsoft non-security patches include the Knowledge Base (KB) article number. These patches can be installed at your discretion.

  • The names of Microsoft service packs and third-party patches do not usually contain a KB number and never a Microsoft Security Bulletin number. Test these service packs thoroughly to ensure that they have the expected results.

For more information on the naming conventions for patches, refer to Comprehensive Patches and Exposures (CVE), which is a list of standardized names for patches and other information exposures. Another useful resource is the National Patch Database, which is the U.S. government repository of standards-based patch management data.

Total Patches Available

The total number of patches that are available for deployment is displayed in the bottom-left corner of the Patches panel. In the following figure, the total number of available patches is 106:

Patch Impact

The Impact is the type of patch defined on the basis of the severity of the patch; the type can be Critical, Recommended, Informational, or Software Installers. Each impact is described as follows:

  • Critical: ZENworks has determined that this type of patch is critical, and should be installed as soon as possible. Most of the recent security updates fall in this category.

  • Recommended: ZENworks has determined that this patch, although not critical or security related, is useful and should be applied to maintain the health of your computers. You should install patches that fall into this category.

  • Informational: This type of patch detects a condition that ZENworks has determined is informational. Informational patches are used for information only. There is no actual patch to be installed.

  • Software Installers: These types of patches are software applications. Typically, this includes software installers. The patches show Not Patched if the application has not been installed on a machine.

Patch Management impact terminology for its patch subscription service closely follows the vendor impact terminology for patch criticality. Each operating system has a vendor-specific impact rating and that impact is mapped to a ZENworks rating as described in this section. Patch Management, following the recommendations of Lumension Security, increases or steps up the severity of the impact rating. For example, Microsoft classifications for Critical, Important, and Moderate patches are all classified as Critical by ZENworks.

The following table lists the mapping between ZENworks and Microsoft patch classification terminology:

Table 4-3 ZENworks and Microsoft Patch Impact Mapping

ZENworks Patch Impacts

Windows

Other

Critical

Critical Security

Important

Moderate

NA

Recommended

Recommended

Low

Example: Microsoft Outlook 2003 Junk E-mail Filter Update

NA

Informational

NA

NA

Software Installers

Software Distribution

Example: Microsoft Windows Malicious Software Removal Tool (Virus Removal)

Adobe 8.1 software installer

Source: Lumension Security

Patch Statistics

Patch statistics show the relationship between a specific patch and the total number of devices (or groups) within ZENworks Server that meet a specific status. The patch statistics appear in two columns on the far right side of the Patches page. Each column status is described as follows:

  • Patched: Displays a link indicating the total number of devices to which the corresponding patch has been applied.

    Click a link to display a page that lists the patched devices, in alphabetical order.

    The Patched page provides the following information about the devices to which a patch has been applied.

    Item

    Definition

    Device Name

    The name of the device registered with ZENworks Patch Management to which the patch is deployed.

    Last Contact

    The last time the device contacted the Patch Management Server.

    Device Type

    Server or Workstation.

    DNS

    The name of the DNS server.

    IP Address

    The IP address of the device.

    Action menu: The Action menu provides two options: Remove and Export.

    You can uninstall the patch by using the Remove option in the Action menu. If a patch does not support uninstallation, the Remove option in the Action menu is disabled.

    You can export the data on one or more selected patches to a .csv file by using the Export option.

  • Not Patched: Displays a link indicating the total number of devices to which the corresponding patch has not been applied.

    The Not Patched page provides the following information about the devices to which a patch has been applied.

    Item

    Definition

    Device Name

    The name of the device registered with ZENworks Patch Management to which the patch is to be deployed.

    Last Contact

    The last time the device contacted the Patch Management Server.

    Device Type

    Server or Workstation.

    DNS

    The name of the DNS server.

    IP Address

    The IP address of the device.

    You can deploy the patch to these devices by using the Deploy Remediation option in the Action menu.

  • Information: The Information page displays detailed information for a selected patch.

    You can view the following information for a patch:

    Property Name

    Definition

    Name

    The name of the patch.

    Impact

    The impact of the patch as determined by ZENworks. See Patch Impact.

    Status

    Status of the patch; can be Enabled, Disabled (Superseded) or Disabled (By User).

    Vendor

    The name of the vendor.

    Released on

    The date the patch was released by the vendor.

    Vendor Product ID

    The ID number given to the product by the vendor.

    Description

    The description of the patch; includes detailed information concerning the defect or issue resolved by this patch, deployment notes, and the prerequisites for deployment.

    Number of Devices Patched

    The number of devices to which the patch has been applied.

    Number of Devices Not Patched

    The number of devices to which the patch has not been applied.

    Number of Devices Not Applicable

    The number of devices to which the patch does not apply.

    CVE Code

    The Common Vulnerabilities and Exposures ID for the patch, if applicable.

    URL

    A URL that has more information about the patch.

    Size

    The size of the patch.

The patches shown in the Patches page have different icons indicating their current status. The following table describes the icons for each patch:

Patch Icon

Significance

Indicates the patches that are disabled.

Disabled patches are hidden by default. Use the Include Disabled filter in the Search panel to show these items.

Indicates that only the fingerprint information for the patch has been brought down from the ZENworks Patch Subscription Network. This icon represents the patches that are not cached.

Indicates that a download process for the bundles associated with the selected patch is pending.

Indicates that a download process for the bundles associated with the selected patch has started. This process caches those bundles on your ZENworks Server.

Indicates that the fingerprints and remediation patch bundles that are necessary to address the patch have been cached in the system. This icon represents the patches that are cached and ready for deployment.

Indicates that an error has occurred while trying to download the bundle associated with the selected patch.

Patch Release Date

The date the patch was released by the vendor is displayed in the right column under Released On. Click the Released On column to sort patches by their release date. All the patches released in the last 30 days are displayed in bold font.

4.3.3 Search for Patches

The Search panel on the Patches page offers extensive search and data filtering options that allow you to search for specific patches and filter result sets based on the status and impact of the patches. Searching and filtering can be performed independently of each other or can be combined to provide extensive drill-down capabilities.

To search for a patch:

  1. Type all or part of the patch name in the Patch Name text box.

  2. Select applicable filter options; the CVE identifier must be typed.

  3. Click Search.

To filter from all existing patches:

  1. Leave the Patch Name text box empty.

  2. Select applicable filter options.

  3. Click Search.

NOTE:Click Reset to return to the default settings.

The following table describes the result of selecting each filter option under Status:

Status Filter

Result

Patched

Search results include all the patches in the patch list that have been applied to one or more devices.

Not Patched

Search results include all the patches in the patch list that have not been applied to any device.

Not Applicable

Search results include all the patches in the patch list that do not apply to the device.

Include Disabled

Search results include all the patches in the patch list that have been disabled by the administrator.

The following table describes the result of selecting each filter option under Impact (Impact Filters in Search):

Impact Filter

Result

Critical

Search results include all the patches in the patch list that are classified as Critical by ZENworks.

Recommended

Search results include all the patches in the patch list that are classified as Recommended by ZENworks.

Informational

Search results include all the patches in the patch list that are classified as Informational by ZENworks.

Software Installers

Search results include all the patches in the patch list that are classified as Software Installers by ZENworks.

Table 4-4 Vendor Filters and Cache Status Filter in Search

Filter

Result

Platform

Search results include all the patches relevant to the operating system in the patch list.

Vendor

Search results include all the patches relevant to the vendor in the patch list.

Cache Status

Search results include all the patches relevant to their cache status on the local server.

CVE Identifier

Search results include all the patches that have the common vulnerabilities and exposures ID that you type.

4.3.4 Create a Custom Patch

The Patch Wizard assists in selecting existing patch bundles and modifying patch details to create a custom patch. If you are not using an existing bundle, you will need to create a bundle of the patch contents before creating a customized patch. For more information, see Creating Bundles in the ZENworks Software Distribution Reference.

When you select the New menu item on the Patches page or Recently Released Patches panel, the Patch Wizard appears as shown below:

To create a customized patch:

  1. Click the New menu item on the Patches page to open Step 1 of the Patch Wizard.

  2. Click the Browse icon and navigate to the desired bundle in the Browse for Folder dialog box.

  3. After selecting the desired bundle, click OK to confirm the bundle selection.

    NOTE:You can associate only one bundle with a patch.

  4. Click Next to advance the Wizard to Step 2 to where you can add or modify details about the patch. Any of the fields can be modified.

  5. Add new details and modify existing details about the patch if required, and click Next.

  6. Step 3 of the Patch Wizard displays the patch name and a summary about the patch. Click Finish if you are satisfied with the new patch.

NOTE:After creating a new patch, you cannot immediately deploy it to any devices. This is because the Patch Management Server does not recognize the patch yet. To enable deployment, perform a subscription update after the new patch is created.

4.3.5 Delete a Patch

The Patches section enables you to remove patches from the Patch Management System.

To delete a patch:

  1. Select the check boxes for the patches you want to delete, and click the Delete menu item.

    A message appears, asking you to confirm patch deletion.

  2. Click Yes to confirm the deletion. Click No to return to the Patches page.

    When you delete patches, all associated bundles that are not deployed are also removed. To add the deleted bundles back to the Patch Management System, perform a subscription update.

    IMPORTANT:If any of the patches you are deleting are deployed, those patches and their associated bundles are not deleted. In this case, when you click Yes to the Delete Patches message, another prompt will open, informing you of the dependencies to deployed bundles and their bundle identification numbers. These bundles can be from patch policies and/or patch remediations.

    Any indicated dependencies must be resolved before the patches associated to them can be deleted. The services-messages log shows the patches that cannot be automatically or manually deleted because of dependencies. The location of the log is provided below:

    • Linux: /var/opt/novell/log/zenworks/services-messages.log

    • Windows: %ZENWORKS_HOME%\logs\services-messages.log

4.3.6 Execute Action Menu Options

From the Action menu you can perform one of five actions to patches that are selected in the Patches page. Descriptions of these actions are provided below:

  • Deploy Remediation: To use this option, select the check boxes for the patches you want to deploy and select Deploy Remediation from the Action menu options to open the Deploy Remediation Wizard. For more information, see Deploying Patches Manually.

  • Enable: After selecting one or more disabled patches, click this option to enable them. Disabled patches will only display in the Patches page if the Include Disabled check box is selected when a search is executed.

  • Disable: After selecting one or more patches, click this option to disable them. The selected patch is removed from the list and will only be displayed when the Include Disabled check box is selected during a completed search.

    Disabling a patch also disables all the bundles associated with it.

  • Update Cache: Initiates the download process for the bundles associated with the selected patch and caches those bundles on your ZENworks Server.

    The remediation patch bundles must be cached before they are installed on the target device.

    To use this option:

    1. Select one or more patches in the patches list.

    2. In the Action menu, click Update Cache.

      The patch icon changes color to indicate process initiation. When the download is in progress, the icon changes to white . When caching is complete, the color of the patch icon changes to green. This indicates that the patch remediation is ready to be deployed.

  • Export: Details such as the status and impact of all patches can be exported into a comma-separated value (CSV) file. You can choose to save the file in a different file format after opening it from the download option.

    To use this option, select the patches you want to export and click Export in the Action drop-down menu.

    The result and follow-on steps after clicking Export will vary depending on your browser and browser settings. The file may download immediately to your local download folder, or the browser may present you with an option to open or to save the file.

NOTE:To know when a patch is downloaded, view the Message Log panel for that patch in the Bundles section.