Radia - General Discussions
Ishant Walia

patch deployment and patch connect best practise

Hi Experts,

Kindly help me with the concern below.

How do I get the information on patches pending/deployed (patch inventory) on fresh agent devices?

I got to know that I need to run Patch Connect without any bulletin and it will get the patch inventory information. Is that the process? Because it's not happening in my case.

Can I automate the download of the latest patch?

How do I remove old patches from Radia?

Please help me understand this.

Thanks, 

Arne Halsteinslid

Hi Ishant!

By running a patch discovery job on your clients you will get a report on which patches are already installed and which patches are missing. But, beware, the base for this report is the content of your Radia patch database, in other words, ONLY the patches that you have acquired.
For instance, if you have not acquired patch MS-KB4088776 then the report will not mention that patch at all (neither which devices have it installed nor which devices are missing it). Also note that you may opt to acquire just the metadata for patches, leaving out the patch data. By acquiring only the metadata you can still run a patch discovery analysis, and subsequently acquire the full patch content for the patches that are missing.
The command for running a patch discovery analysis, which will NOT install any patches (no matter what policies are set), is:
radskman dname=PATCH,sname=DISCOVER_PATCH

As mentioned in a previous mail, yes, you can automate the download of the latest Microsoft patches due to the fact that the patch bulletin names follow the 'MS-KB*' naming convention. But, as also mentioned earlier, you must first configure your patch manager acquisition job and select the products that are relevant, and coding 'MS-KB*' for the BULLETINS keyword will bring down ALL patches conforming to 'MS-KB*', not just the most recent ones. The way you can get around acquiring a bunch of old, superseded patches could be to first acquire just the metadata for 'MS-KB*', as mentioned above, and then acquire with BULLETINS MS-KB* after this initial acquisition.

Old/superseded patches can be removed by:
- Deleting all policies for the patches to be removed
- Configuring and running a 'Retire' job to delete them from the CSDB and SQL
Example: If you set the BULLETINS keyword to 'NONE' and the RETIRE keyword to 'MS-KB4088776' then MS-KB4088776 will be removed both from the CSDB and SQL

Finally, patch deployment consists of at minimum the following tasks:
1) Acquiring the patches that you need, typically based on info from the Microsoft Security Guide (https://portal.msrc.microsoft.com/en-us/security-guidance), MBSA analysis on your clients, or Radia patch discovery job Reporting info
2) Setting policies for the patches you wish to deploy (just as for application deployment)
3) Running a patch job on your clients: radskman dname=PATCH

Best regards,
Arne Halsteinslid
Solution Architect
Commercial Data Servers AS
www.cds.no

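The metadata-first workflow described in the comment above (acquire metadata only, run the discovery job, then acquire full content just for the bulletins that are actually missing somewhere) as an added example; this is not code from the thread or from Radia. The report layout, the bulletin names other than MS-KB4088776, and the comma-joined BULLETINS value are constructed assumptions.

```python
# Added example (not from the thread or Radia): after a metadata-only
# acquisition and a discovery run, work out which bulletins actually
# need their full patch content pulled.
from collections import defaultdict

# Constructed sample report: "device,bulletin,status" per line.  This is a
# hypothetical export layout, not Radia's real discovery report format.
DISCOVERY_REPORT = """\
WS001,MS-KB4088776,MISSING
WS001,MS-KB9990001,INSTALLED
WS002,MS-KB4088776,INSTALLED
WS002,MS-KB9990001,MISSING
WS003,MS-KB4088776,MISSING
WS003,MS-KB9990002,INSTALLED
"""

# Bulletins whose metadata was acquired (Mode MODEL); constructed list.
ACQUIRED_METADATA = ["MS-KB4088776", "MS-KB9990001",
                     "MS-KB9990002", "MS-KB9990003"]

def parse_report(text):
    """Return {bulletin: {device: status}} from the constructed lines."""
    result = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        device, bulletin, status = (f.strip() for f in line.split(","))
        result[bulletin][device] = status.upper()
    return result

def plan_acquisition(report, acquired):
    """Split the metadata-only bulletins into three sorted lists:
    needs_content - missing on at least one device: acquire full content
    installed     - reported and installed everywhere: no content needed
    unreported    - metadata acquired but absent from the report (the
                    report only covers acquired patches, so these were
                    not matched to any device)"""
    needs_content, installed, unreported = [], [], []
    for bulletin in sorted(acquired):
        statuses = report.get(bulletin, {})
        if not statuses:
            unreported.append(bulletin)
        elif "MISSING" in statuses.values():
            needs_content.append(bulletin)
        else:
            installed.append(bulletin)
    return needs_content, installed, unreported

def bulletins_keyword(needs_content):
    """Assumed comma-joined value for the job's BULLETINS keyword."""
    return ",".join(needs_content) if needs_content else "NONE"
```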
Woody Allen

Arne,


This is very interesting. How would I configure the acquisition job on the Core to only pull metadata. Would that be by command line, or is there a way to specify in the console?

Nigel Ryan

Woody,

When you create an acquisition job using the Console you can specify MODEL for the Mode. This will only acquire the metadata and not the patches, which enables you to scan your estate for vulnerabilities via the Discover as Arne says. The other Mode option, BOTH, acquires the metadata and the patches themselves; this generally should not be done into production. Note: If you have an acquisition job already and you change the Mode, you then also have to specify YES for the Force value or it will ignore the change.


Nigel

Nigel Ryan

Ishant, 

The Radia product manuals can be found at http://<radiacore>:3466/docs

You should read through the User Guide and the Administrator User Guide.

The Patch Management Reference Guide is also comprehensive.


Nigel

Ishant Walia

Hi All,

I need to acquire metadata. So, I created a job for MS-KB*, set it to Model only and started it.

But I'm not able to see anything in the acquisition history.

Is the job started? Is there anything I'm missing?


Please help
