Overview of Linux Patch Management

Only those Linux machines that meet the minimum requirements are eligible to be scanned and patched by an agent. See the System Requirements for complete information.

Linux machines are scanned and patched using agents. The process depends on whether you are using the new contentless Linux patching method or the old content-based method. See Linux Contentless Patching for information about this change.


  1. Identify your Linux machines.
    • If you know the identities or whereabouts of all your Linux machines, you can create a Linux machine group.
    • If you are unsure about the identities and locations of all your Linux machines, perform a power status scan on the My Domain or Entire Network group. The scan will identify the OS type of each machine in the group and your Linux machines will be displayed on the Linux patch tab in Machine View.
  2. Create one or more Linux patch groups and configurations.
    • Create a Linux patch group: This is optional but can give you greater control over your scans and deployments, enabling you to scan for (content-based only) or deploy a particular set of patches. You create separate patch groups for contentless Linux patching and for content-based Linux patching.
    • Create a Linux patch scan configuration (content-based only): You use this configuration to specify exactly how your Linux machines will be scanned. Contentless patching always performs a patch scan for all missing patches before any deployment method so does not require a patch scan configuration.
    • Create a Linux patch deployment configuration: You use this configuration to specify exactly how patches will be deployed to your Linux machines. You create separate patch deployment configurations for contentless Linux patching and for content-based Linux patching.
  3. Create one or more agent policies.

    An agent policy defines exactly what an agent can or cannot do. You will create one or more Linux patch tasks in the agent policy. In each task, you specify when the task will run on an agent machine and which configurations should be used during the scan and deployment processes.

    It is perfectly fine to mix Windows tasks and Linux tasks in the same agent policy. Windows tasks will be ignored by your Linux machines, and vice versa.

  4. Install the agent policy.

    Each Linux target machine must be properly configured before you can perform a push install of an agent. See System Requirements for more details.

    One option is to perform a "push install" of the agent from the Security Controls console. You can do this a couple of different ways:

    • Within your Linux machine group, select the machines in the bottom pane and then click Install / Reinstall agent.
    • In Machine View, right-click the Linux machines and install the desired agent policy.
    • If you performed a power status scan on your Linux machines, you can also perform this step from the Results list in the navigation pane.

    Another option is to manually install an agent on each of your Linux machines. For details, see Manually Installing Agents.

  5. Use the agent.

    The agent will automatically perform its tasks and report the results to the console. You can use Machine View or Scan View to manage the machines that are running an agent policy. If you want to manually control the agent, you do so using a command line utility. For details, see Using an Agent on a Target Machine.

    When a Linux agent needs to deploy a patch, it does so using Yellowdog Updater, Modified (YUM). YUM is a command-line utility that is used for retrieving, installing and managing RPM packages, and it downloads those packages from the repositories configured on the machine. If you have Linux client machines that reside in a disconnected network, YUM will not be able to reach the vendor repositories, so the agent cannot deploy anything until you set up one or more local repositories that those machines can reach.
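    The following is an added example of the local-repository setup the previous paragraph calls for; it is not part of the Security Controls product or this documentation. It assumes the packages for the disconnected hosts have been copied to /srv/repos/rhel8-local and the vendor's RPM signing key to /etc/pki/rpm-gpg/RPM-GPG-KEY-vendor (both hypothetical paths). The point it makes that the paragraph does not is that a local mirror should keep gpgcheck=1: the mirror is reachable, but the signature check is what stops a tampered or substituted package from being installed by the agent.

```shell
#!/bin/sh
# Added example, not Ivanti Security Controls code. Hypothetical paths:
#   /srv/repos/rhel8-local               mirror directory with the RPMs
#   /etc/pki/rpm-gpg/RPM-GPG-KEY-vendor  vendor's RPM signing public key

# Step 1, run once on the mirror host (needs the createrepo package):
#   createrepo_c /srv/repos/rhel8-local     # writes repodata/ metadata
# Re-run it whenever packages are added so YUM sees the new versions.

# write_local_repo NAME BASEURL GPGKEY OUTFILE
# Writes a .repo stanza that keeps RPM signature verification enabled.
write_local_repo() {
  name="$1"; baseurl="$2"; gpgkey="$3"; out="$4"
  cat > "$out" <<EOF
[$name]
name=Local mirror ($name)
baseurl=$baseurl
enabled=1
gpgcheck=1
gpgkey=file://$gpgkey
EOF
}

# check_repo_file FILE
# Returns 0 when the stanza keeps gpgcheck=1, names a local key file and
# has a file:// or http(s):// baseurl; returns 1 otherwise. Run it before
# copying a file into /etc/yum.repos.d/ so a weakened stanza is caught.
check_repo_file() {
  f="$1"
  grep -q '^gpgcheck=1$' "$f" || return 1
  grep -Eq '^baseurl=(file|https?)://' "$f" || return 1
  grep -q '^gpgkey=file://' "$f" || return 1
  return 0
}

# Step 2, on each agent machine: generate, validate, then install the file.
main() {
  tmp=$(mktemp)
  write_local_repo rhel8-local file:///srv/repos/rhel8-local \
    /etc/pki/rpm-gpg/RPM-GPG-KEY-vendor "$tmp"
  if check_repo_file "$tmp"; then
    echo "repo file OK:"; cat "$tmp"
    # cp "$tmp" /etc/yum.repos.d/rhel8-local.repo
    # rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-vendor
    # yum clean all && yum repolist   # confirm the mirror is listed before the agent runs
  else
    echo "repo file failed validation" >&2
  fi
  rm -f "$tmp"
}

main
```

    The commented-out commands in main are the ones you would run with root privileges on the target; they are left as comments so the script can be run as a dry run first. The same .repo format is read by dnf on newer distributions, so the file does not need to change if the agent's underlying tool does.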