Patch Management Overview

Provides information about patch management.

Leave Feedback

Introduction

A security flaw in your organization can cause huge financial loss, credibility and litigation issues. Enabling patch management in your organization can help you fix and avoid the chance of any vulnerabilities in the future. The OpsRamp Patch Management can provide a 24x7 availability of your infrastructure. OpsRamp supports Patch Management for two types of environments: Windows and Linux.

OpsRamp is a SaaS platform that discovers and monitors your resources. The Alerts browser displays all the alerts raised after monitoring. The Patch Management feature helps you keep your Windows and Linux devices updated with the latest patches available in the Windows and Linux sources.

After performing the Patch Management, you can:

  • View the missing patches available for Windows and Linux devices.
  • Apply the patches and validate them.
  • Setup user notification of patch management. 

Advantages

  • Visibility: OpsRamp provides Partner and Customer level visibility across the customer Infrastructure making it easy and simple to supervise all patch management activities. Patch scan, Patch configuration, the configuration of whitelisted patches for partner’s infrastructure along with scheduling enables global and site level visibility.
  • Manageability: OpsRamp empowers you to manage the infrastructure from a single central location providing easy enablement, approval for patching, monitoring, access, and so on. Custom Jobs can be scheduled for running various automation scripts for 3rd party patches along with standard patches running for Windows and Linux proactively.
  • Customization: OpsRamp provides you the ability to create custom configurations minimizing manual intervention. You can run customized scripts using Run Book Automation (RBA) feature for Windows and Linux and make RBA scripts available at Global or Customer level providing optimization and control.
  • Reports: OpsRamp provides detailed reports outlining the patch metrics along with the ability to schedule the report in the preferred format for the recurring/specific time period

Best practices

Assign devices using assign Job policies in the Device Management policy, while creating a patch scan or installing the patch configuration.

Limitations

  • You can perform patching only using agents.
  • No support for patching when using any third-Party applications.
  • No support for patching from any third-party integration.

Patch process flow

Patch management allows you to scan, approve, configure, and sign-off each software patch before deployment.

Patch management is a five-step process that includes:

  1. Patch scan
  2. Patch approval
  3. Patch configuration
  4. Patch on-demand
  5. Patch notifications
Patch Management Architecture

Patch Management Architecture

Patch scan

Scanning for missing patches can help you get the latest updates for the different versions of Windows and Linux packages. You can create jobs in OpsRamp to scan and view the missing patches
for a version. An internal job starts automatically after you install the agent in the devices and provides you a list of missing patches for that device. You can look into the steps from 1 to 3 in the preceding diagram, to understand the Patch Scan process.

Patch approval

After you get the missing patches, you can approve the relevant ones for installation. All security and critical whitelisted patches are approved automatically after you enable Auto-Approve. You can manually approve a patch or rate patches With a whitelist, you can approve patches globally by selecting several devices at a time. OpsRamp captures all patch approvals for audit trails. OpsRamp also sends notifications after approving the patches. You can look into step 4 in the preceding diagram, to understand the Patch Approval process. The approved ID list is sent to the agent for installation. The patch install schedule can help configure the installation time and the source for the patches to be installed. 

Patch configuration

OpsRamp lets you configure patches in your devices depending on the Approval Type, Reboot Options, and Patching Schedule. Once configured, you can click the Run Now option to install the patches.

Patch on-demand

You can click the Run Now option in the Patch Configuration to install the patching.

Patch notifications

You can notify your users in the event of any Patch configuration or Patch Approval. OpsRamp also lets you select users to receive notifications after performing an action in Patch Management.

Patch features

Patch feed

A patch feed is a source of published information. Patch feed refers to a source of patch information with all the available attributes of the patch. You can obtain a patch feed from an OS vendor, a software package provider or from a partner who provides additional qualifications or insights into the published packages and manages it.

A typical patch feed provides the following information:

  • The patch details such as patch name, patch ID, severity, OS Version, and release date
  • Patch rating, if the feed provider rates the patch.
  • CVE ID, if the feed provider enters the ID.

Patch baseline

A Patch Baseline can help you elucidate the approved patches for your resources.

Patch compliance

You can configure patch compliance check jobs to track the compliance of selected devices or device groups against the configured baselines. Patch compliance check job is automatically computed after every run of the patch scan on the device.

Patch rating

Patch ratings can help you prioritize the patch update process.

Patch management widgets

OpsRamp offers the following widgets in the Dashboard that can provide you a snapshot of the current status of the patches in your Windows and Linux devices.

  • Patch Compliance – Lets you view the compliance status of a set of devices for a specific baseline.
  • Patch Pending Approvals – Lets you view the number of patches that are pending for approval from your end.
  • Patch Status – Devices count categorized by patch installed, pending for installation of approved critical and security patches. The widget displays data as per the most recent patch scan conducted within the last 30 days.

Scenarios

Installing the latest critical patches

After you identify the latest patches, you can whitelist the patches either using the UI or the OpsRamp Patch Feed API. Once the Patch Configuration execution starts, OpsRamp installs the whitelisted patches.

Addressing a specific vulnerability

Administrators are facing specific vulnerability issues such as Wanna Cry (wcry) ransomware. You can run a patch scan to check the need for any additional patches.

What to do next