Creating and Editing a Linux Patch Deployment Configuration

The name that you wish to assign to this configuration.

This box is used to specify the folder path that this configuration will reside in within the Linux Patch Deployment Configurations list in navigation pane. If you do not specify a path, the configuration will reside at the root level of the My Linux Patch Deployment Configurations list. For more details, see Organizing Linux Patch Groups and Configurations.

A description of the configuration.

If enabled, all patches that were identified as missing by the scan that is run as part of the deployment will be deployed.

If enabled, only those patches that were identified as missing by the scan that is run as part of the deployment and that match the configured criteria will be deployed.

• Deploy by Severity: If enabled, allows you to specify the types of patches and the severity levels that you want to include in a deployment. Icons show which Linux distributions support each level.
  • Security: Security bulletin-related patches. You can choose to deploy one or more specific severity levels.
    • Security critical: Vulnerabilities that can be exploited by an unauthenticated remote attacker or vulnerabilities that break guest/host operating system isolation. The exploitation results in the compromise of confidentiality, integrity, availability user data, or processing resources without user interaction. Exploitation could be leveraged to propagate an Internet worm or execute arbitrary code between virtual machines and the host.
    • Security important: Vulnerabilities whose exploitation results in the compromise of confidentiality, integrity, or availability of user data and processing resources. Such flaws could allow local users to gain privileges, allow authenticated remote users to execute arbitrary code, or allow local or remote users to easily cause a denial of service.
    • Security moderate: Flaws where the ability to exploit is mitigated to a significant degree by configuration or difficulty of exploitation, but in certain deployment scenarios could still lead to some compromise of the confidentiality, integrity, or availability of user data and processing resources. These are the types of vulnerabilities that could have had a critical impact or important impact but are less easily exploited based on a technical evaluation of the flaw, or affect unlikely configurations.
    • Security low: All other issues that have a security impact. Vulnerabilities where exploitation is believed to be extremely difficult, or where successful exploitation would have minimal impact.
  • Bug fix: Vendor patches that fix bugs.
  • Enhancement: Vendor patches that provide feature enhancements.

  Enhancement is not available for Oracle v7 and Red Hat v7.

• Deploy by Patch Group: If enabled, allows you to specify one or more patch groups that contain the patches that you want to include in a deployment. This is a good way to make sure that only approved patches are deployed. Missing patches not contained in selected patch groups will not be deployed unless they meet the requirement specified in the Deploy by Severity option.

Security Controls follows the convention in patching Linux devices by always updating to the latest package available in the repository, even if an earlier version is selected. Note that for some distributions this is actually the only option available, as earlier versions of a package are not available from the repository.

Enables you to specify whether or not to allow post-deployment reboots.

You specify settings for reboot countdowns and so on in the Server/Linux patch section of the Agent Reboot Options tab on the Agent Policy Editor dialog (see Agent Reboot Options).

If you select Deploy selected patches, packages that are dependencies for the specified advisories are installed in addition to the packages associated with the advisories in the patch groups. If you then set Post-deployment reboot options to Reboot when needed, these dependencies may additionally cause a reboot.

Remember that some updates require a reboot and that in these instances a machine is vulnerable until it reboots, so we recommend Never reboot only for servers with scheduled maintenance windows.

The name that you wish to assign to this configuration.

This box is used to specify the folder path that this configuration will reside in within the Linux Patch Deployment Configurations list in navigation pane. If you do not specify a path, the configuration will reside at the root level of the My Linux Patch Deployment Configurations list. For more details, see Organizing Linux Patch Groups and Configurations.

A description of the configuration.

If enabled, specifies that Security Controls will review the patches being deployed and determine whether or not a reboot is required.

If you do not enable this option, a reboot will not be performed after deployment.

You specify settings for reboot countdowns and so on in the Server/Linux patch section of the Agent Reboot Options tab on the Agent Policy Editor dialog (see Agent Reboot Options).

If enabled, all patches that were identified as missing by a patch scan will be deployed.

If enabled, only those patches that were identified as missing by a patch scan and that are contained within the specified Linux patch groups will be deployed.

If enabled, only the explicit version of the patch that was detected as missing will be deployed. If a newer version of the patch is available it will not be deployed.