Patch Management - UBC Information Technology


13 Dec 2013 (3 years and 6 months ago)

Patch Management

Administrator Guide














12/13/2013


1




Introduction

Allow outgoing communication on ports 80 and 443 on your network, as the patch management agent uses pull technology.

Edge Admins must have an EAD Admin account to access the patch management console.

Supported operating systems are all versions of Windows 2003, Windows 2008, Windows 7, Windows XP, RHEL 5 and RHEL 6.

The patch management agent needs to be installed on each server that is going to be managed.

To gain access to the patch management console, please request it through the UBC IT Systems webform at http://web.it.ubc.ca/forms/systems.

How to access the patch management console

The patch management console is available through a web browser at https://patch.it.ubc.ca. Log in with your EAD Admin account to gain access to the console. Once logged in, you will see the servers that have the patch management agent installed on them. Please note that if you specified no group (or an incorrect group) when installing the patch agent on your server, you may not see it listed. If this is the case, please submit a ticket to the UBC IT Systems group via http://web.it.ubc.ca/forms/systems.

Installing the Windows patch management agent

The Windows patch management agent can be installed from the console; however, this requires additional firewall ports to be opened (Windows File and Printer Sharing ports). Alternatively, download the patch management agent from the console and install it on the server to be managed as per the steps below.

1. Go to https://patch.it.ubc.ca and log in with your EAD Admin account.

2. Click on Tools -> Download Agent Installer.

3. Select the appropriate Windows operating system and click Download. Save the file to an easy location, as you will need to refer to it in the next step.

4. UBC IT has built a script to allow your server to be registered in the correct group, thus giving you immediate access to manage your server. Download the batch file from http://patch.it.ubc.ca/download/WindowsPatchAgent.zip. Note: due to browser security settings, the file has been named WindowsPatchAgent.zip; please rename it to WindowsPatchAgent.bat after downloading it.

5. Modify the WindowsPatchAgent.bat file by entering your department group name in the GROUPLIST field, e.g.

   msiexec /i "c:\LMAgent.msi" /qn SERVERIPADDRESS="patch.it.ubc.ca" GROUPLIST="ENRL - Enrolment Services"

6. Modify the batch file to reflect the correct location of the LMAgent.msi (32-bit) or LMAgentx64.msi (64-bit) file you downloaded earlier.

7. Double click on the install batch file and accept the defaults.






8. Now go back to the Patch Management console and select the Manage -> Groups menu.

9. Select the group you specified in the previous step when installing the agent to view the servers within that group.

10. Once the agent is installed it will check in with the patch management server. Ensure that the “LPR Installed” column lists “Yes” for the server. If the column lists “No”, enable LPR via the following steps:

   a. Select the endpoint, and click on “Manage Modules”.

   b. Select Patch next to the appropriate endpoint and click OK. After a few minutes you will see the LPR status change to YES.


Installing the Linux patch management agent

The Linux patch management agent can be installed on Red Hat Enterprise Linux 5 and 6 (32-bit or 64-bit).

1. Log into the server that is to be patched with root privileges.

2. Download the patch management script to install the required agent:

   # wget http://patch.it.ubc.ca/download/UnixPatchAgent.pl

3. Install the agent:

   # perl UnixPatchAgent.pl

   When prompted, enter the endpoint group this server should belong to. If the group is not provided (or is incorrect) the server will not be visible in the console. Please contact UBC IT Systems via http://web.it.ubc.ca/forms/systems to remedy the issue.

   Alternatively, you can provide the group as the first argument to the script:

   # perl UnixPatchAgent.pl "TST - Test Provisioning"

4. The server will now be visible in the appropriate group. Ensure that the LPR Installed column is set to “Yes”.




Creating Subgroups

You can create a subgroup by right clicking on a group and selecting Create Group.

To add or move an endpoint to a group, follow the steps below.

1. Click on Manage -> Groups.

2. Right click on the group that you want to add an endpoint to and select “Endpoint Membership”.

3. Click “Manage”.

4. Select the appropriate endpoint and click “Assign”. The endpoint will show in the window above; click OK.






How to schedule patching

Patching can be scheduled by group or by individual endpoints. In this example we will show how to schedule patching by group, which works as long as all endpoints in the group have the same OS version.

NOTE: Please note that at this time only OS patches should be deployed using the patch management service. While application patches are available, they are not supported by UBC IT.

1. Click Manage, Groups. You should see the groups you have access to.

2. Right click on the appropriate group, and select Vulnerabilities.

3. Patches can be selected by Content type, Applicability, State or Detection Status. It is recommended that you select the following options: Applicable for Applicability, Enabled for State, and Not Patched for Detection Status. For Content type it depends on how you want to patch your endpoint; it is recommended that you select “Critical and Not Superseded”.

4. Click on the check box next to Name and all patches will be selected; click Deploy.

   a. Click Next in the Welcome to the Deployment Wizard window.

   b. Click Next in the next window (Available Endpoints), which shows the endpoints that will be patched.

   c. Click Next in the next window, which shows the available patches.

   d. Select the radio button “I ACCEPT the terms and conditions of this end user license agreement” and click Next.

   e. Give appropriate names to your Job and Task. Naming the task the same as the endpoint or group being patched is recommended. Click on the “Change” button to set a schedule.

   f. In the next window select the options to schedule your patching and click Next. See the example in the screenshot.

   g. In the next window confirm the schedule you set and click Next.

   h. In the next window you will see the packages scheduled for deployment and options such as “chaining” to reduce reboots, which packages require a reboot, and quiet mode (no user intervention required). You can hover your mouse over the symbols to see what each symbol means. Click Next.

   i. In the next window, select whether you want to receive a notification, and click Next.

   j. In the next window you will see the Deployment Confirmation; click Finish.

   k. If the packages are not cached, wait until they have been cached. You will see the status as “Requesting”; this could take several minutes depending on how many packages are being cached. You may deploy without caching by clicking on the “Deploy Unordered” button.

   l.

   m. Click Close to complete the scheduling.

5. Click on Manage, Deployment and Tasks to see your newly created patching schedule.

6. In the Deployment and Tasks window you can select different Views, i.e. Scheduled, Recurring, Completed or All.



How to uninstall the Linux agent

1. Log in as root. Change the directory to /usr/local/patchagent.

2. Execute the command

   # sh uninstall

   When prompted, reply y. This will unregister the server from the patch management service.

3. You can now delete the patch agent directory:

   # rm -rf /usr/local/patchagent
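The Linux agent install steps (Installing the Linux patch management agent) and the uninstall steps above, wrapped in one POSIX shell script as an added example. This is not UBC IT's UnixPatchAgent.pl or any script from this guide; only the download URL, the server name, the group-as-first-argument form and the /usr/local/patchagent directory come from the guide. The function names, the outbound 80/443 connectivity check, the temporary directory handling and the non-interactive "y" answer to the uninstaller are this example's own assumptions. It refuses to install without a group name, because the guide notes that a server registered with no group (or a wrong one) will not be visible in the console, and it checks that outbound 80 and 443 are open before downloading, which is the network requirement stated in the Introduction.

```shell
#!/bin/sh
# Added example, not UBC IT's own script: wraps the Linux agent install and
# uninstall steps from this guide. Only the URL, the server name, the group
# argument form and /usr/local/patchagent come from the guide; the rest
# (function names, checks, temp handling) is this example's assumption.

PATCH_SERVER="patch.it.ubc.ca"
AGENT_SCRIPT_URL="http://patch.it.ubc.ca/download/UnixPatchAgent.pl"
AGENT_DIR="/usr/local/patchagent"

# The console only lists a server whose agent registered with a group, so an
# empty or whitespace-only group name is rejected before anything is run.
validate_group() {
    _g=$(printf '%s' "$1" | tr -d '[:space:]')
    [ -n "$_g" ]
}

# The guide performs both the install and the uninstall as root.
require_root() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
}

# The agent pulls from the patch server, so outbound 80 and 443 must be open.
# Any HTTP reply counts as reachable; curl only fails if no connection is made.
check_outbound() {
    _scheme=http
    [ "$1" -eq 443 ] && _scheme=https
    curl -sS -o /dev/null --connect-timeout 5 "$_scheme://$PATCH_SERVER:$1/" \
        || { echo "outbound port $1 to $PATCH_SERVER is blocked" >&2; return 1; }
}

install_agent() {
    require_root || return 1
    validate_group "$1" || { echo "a non-empty endpoint group name is required" >&2; return 1; }
    check_outbound 80 && check_outbound 443 || return 1
    _tmp=$(mktemp -d) || return 1
    wget -q -O "$_tmp/UnixPatchAgent.pl" "$AGENT_SCRIPT_URL" \
        || { echo "download of UnixPatchAgent.pl failed" >&2; rm -rf "$_tmp"; return 1; }
    # Passing the group as the first argument avoids the interactive prompt.
    perl "$_tmp/UnixPatchAgent.pl" "$1" || { rm -rf "$_tmp"; return 1; }
    rm -rf "$_tmp"
    # The uninstall section of the guide shows where the agent lives.
    [ -d "$AGENT_DIR" ] || { echo "$AGENT_DIR missing after install" >&2; return 1; }
    echo "agent installed; confirm 'LPR Installed' shows Yes for this server in the console"
}

uninstall_agent() {
    require_root || return 1
    [ -d "$AGENT_DIR" ] || { echo "nothing to uninstall: $AGENT_DIR not found" >&2; return 1; }
    # 'sh uninstall' asks for confirmation; the guide answers y.
    ( cd "$AGENT_DIR" && printf 'y\n' | sh uninstall ) || return 1
    rm -rf "$AGENT_DIR"
}

# Usage: ./patchagent.sh install "TST - Test Provisioning"   or   ./patchagent.sh uninstall
# Run with no arguments (or sourced) it only defines the functions.
case "${1:-}" in
    install)   install_agent "${2:-}" ;;
    uninstall) uninstall_agent ;;
    "")        ;;
    *)         echo "usage: $0 install '<GROUP>' | uninstall" >&2; exit 2 ;;
esac
```

Run it as root with `install "<your group>"` after requesting console access; if the install completes but the server still does not appear under its group, the group name passed here did not match one the console knows, which is the case the guide says to raise with UBC IT Systems.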