Welcome to VCM Patching for UNIX and Linux. When licensed, you can use VCM Patching for UNIX and Linux to determine the patch status of UNIX and Linux machines and deploy patches to those machines.
NOTE Assessments of UNIX and Linux-based machines operate differently from Windows assessments. UNIX and Linux assessments require new data to be collected, while Windows assessments are performed against previously collected data.
UNIX and Linux patching change actions are saved in the VCM change log in Console > Change Management > VCM or Non VCM Initiated Change > By Data Type > Patch Assessment. These change actions are available to Compliance and Reports.
Prerequisites
- Collect patch assessment data from machines.
- Verify that VCM Patching for UNIX is licensed on the UNIX or Linux machine.
- Verify that your UNIX and Linux machines and operating systems are supported for patch deployment. See the VCM Hardware and Software Requirements Guide.
Procedure
Step 1: Check for updates to bulletins.
Step 2: Collect assessment data.
Step 3: Explore the results, and acquire and store the patches.
Step 4: Install the patches.
Check for Updates to Bulletins
Before you assess the patching state of UNIX and Linux machines, you must check for updates to VCM Patching bulletins.
Prerequisite
To load the bulletin updates from a local file, place the patch bulletin files on the local machine.
Procedure
1. Select Patching > UNIX/Linux Platform > Bulletins > By Bulletin.
2. Select Check for Update.
You can check for updates on the Internet or load the updates from patch bulletin files on the local machine.
3. Select Check for Updates via the Internet and click Next.
If updates are found, they are downloaded to the local machine.
Collect Assessment Data from UNIX/Linux Machines
You can collect UNIX/Linux assessment data using bulletins, an assessment template, or the Collect wizard.
- Bulletins: Collect using the Patch Assessment collection filter. Because UNIX/Linux assessments are VCM collections, you can schedule these assessments.
- Assessment template: Collect using a template that filters the patch assessment results.
- Collect wizard: Collect using the Patch Assessment Data Class filter.
NOTE Assessments of UNIX and Linux-based machines operate differently from Windows assessments. UNIX and Linux assessments require new data to be collected, while Windows assessments are performed against previously collected data.
Assessments of UNIX/Linux machines are run against the patches known by VMware at the time the assessment is performed.
Patch assessments of UNIX/Linux machines are based on the OS version and machine architecture. When you collect assessment data using templates, you must match the bulletins, either 32-bit or 64-bit, to the machine architecture.
For a patch assessment that did not return any results, see the troubleshooting section.
If machine data has not been collected, the assessment results might not appear and the machine will not be available for deployment. If this situation occurs, a patch-machine mismatch status will result. You can display or hide the patch-machine mismatch status in Patching > VCM Patching Administration > UNIX > Settings > Bulletin and Update.
Prerequisites
- Assessments must have finished successfully.
- The patch signature files (.pls files) must reside on the Collector.
The .pls files determine whether required patches are installed on the machine. By default, VCM Patching downloads the .pls files automatically every 4 hours.
Patch files appear in Console > UNIX > Security > Patches > Assessment or Console > Change Management > Non VCM Initiated > By Machine. During an assessment of the machines using the Patch Assessment Data Class, the .pls files are pushed from the Collector to the machine. A delay might
- If you choose Filters in the following procedure, you must already have pre-configured Filters.
The following procedure runs the assessment using patch bulletins.
Procedure
1. Select the All UNIX Machines machine group.
2. Select Patching > UNIX/Linux Platform > Bulletins > By Bulletin.
3. Select Assess.
4. In the UNIX Patch Assessment wizard, select Default Filter or Filters.
If you selected Filters, select a specific filter.
5. Click Next and Finish to begin the assessment on all machines in the selected machine group.
6. Click the Jobs button on the toolbar and view the progress of the collection.
The assessment on UNIX and Linux machines uses the Patch Assessment collection filter to perform a collection of all machines in the current machine group. The results are reported in the Assessment Results node.
7. Select UNIX/Linux Platform > Assessment Results > All Bulletins and view the results.
Create UNIX/Linux Patch Assessment Filters
Patch assessment filters identify patch bulletins that meet user-defined filtering criteria. These filters limit the bulletins to use in the assessments, which improves the efficiency of the assessment.
Procedure
1. Select Administration > Collection Filters > Filters.
2. In the Collection Filters data grid, select Add Filter.
3. On the Name and Description page, name the filter and click Next.
4. On the Data Type page, select UNIX/Linux.
5. Select Patch Assessment and click Next.
6. On the UNIX Patch Assessment Filters page, to create a subset of the available bulletins, select Include Bulletin(s) that match this criteria.
7. Define the filter criteria using the available settings.
For example, you can create a filter where Platform = Red Hat and Severity = Critical.
8. Click Next and Finish to create the filter.
9. In the Collection Filters data grid, scroll or page to Patch Assessment in the Data Type column, and locate the new filter in the Name column.
Use the new filter when you run an assessment.
Explore Assessment Results and Acquire the Patches
The Assessment Results data grid displays the UNIX/Linux machines that were assessed, the patch status for each machine, and details about the patches.
Procedure
1. Select Patching > UNIX/Linux Platform > Assessment Results > All Bulletins to display the patch status of all of the machines that were assessed.
2. To display the assessment results for a single bulletin, select By Specific Bulletin and select a bulletin in the center pane.
3. Review the patch status for each machine.
- Patched: The patch has been applied to the machine.
- Patch-Machine Mismatch: The patch OS version or hardware architecture does not match the machine.
- Patch Not Needed: The machine is up-to-date or the intended software product is not installed on the machine.
- Not Patched: The patch was not applied to the machine.
- Error Occurred: An unexpected condition occurred during the assessment of the machine. For more information about the root cause of the exception, run the Debug Event Viewer at C:\Program Files (x86)\VMware\VCM\Tools\ecmDebugEventViewer.exe.
- Signature Not Found: The .pls patch file does not exist on the machine, and therefore the patch status cannot be determined.
- Incorrect MD5: The MD5 hash generated from the patch signature (.pls) file, which contains the content and signature, does not match the expected value on the UNIX/Linux Agent. Be aware that MD5 is NOT validated against the vendor MD5 hash data.
- Patch Status Unknown: The patch status of the machine cannot be determined.
If machine data has not been collected, the assessment results might not appear and the machine will not be available for deployment. If this situation occurs, a patch-machine mismatch status will result. You can display or hide the patch-machine mismatch status in Patching > VCM Patching Administration > UNIX > Settings > Bulletin and Update.