Novell® ZENworks® Patch Management Best Practices
Allen McCurdy, Technology Specialist, Novell, Inc. / [email protected]
Scott Guscar, Technology Sales Specialist, Novell, Inc. / [email protected]
© Novell, Inc. All rights reserved.
Agenda
Configuring Patch Management Services
Patch Deployment
Patch Baseline
Reporting
Demo
Important Initial Configuration Issues:
• Patch Management OFF by default
– Select your ZENworks® Configuration Manager server
– Start the service!
• Ensure the server has
– 4GB RAM w/ 40GB Free Disk
– 2GHz Dual Core Processor, or better…
• Choose your Replication Time
– Midnight by default
• Select Language(s) for Patch Subscription
– US English by default
Steps Needed to get Patch Services Operational
1. Activate Product
2. Configure Subscription Download
3. Configure Http Proxy
4. Configure Mandatory Baseline Settings
5. Configure Subscription Service Information
Patch Serial Number
• NO SERIAL NUMBER REQUIRED
– For first 60 days of Novell® ZENworks® Configuration Management evaluation!!!
• When required… enter a valid Novell® s/n
– Only enforces expiration
– Requires SSL outbound (443)
– Node count displayed for information only!
• Does it work with ZENworks® Patch Management serial number? - Yes
Tip: When you buy ZENworks Configuration Management, the trial period ends!
Configure Subscription Download
Other languages supported: Italian, Simplified Chinese, Finnish, Russian, German, Hong Kong Chinese and Czech
Configure Http Proxy
**If your proxy caches content, patch services may not work properly.
Configure Subscription Service Information
Tip: Please note that if the “Reset Patch Management Settings” button is selected, all patch content will be lost.
“ZENworks® Patch Management” Sub-folder
• Auto-created by Novell® ZENworks® Patch Management
– Content is refreshed daily from http://novell.patchlink.com
• Three types of Bundle
– Remediation Bundle (Single Bundle, no reboot)
– Discover Applicable Updates (Single Bundle)
– ZENworks Patch Management Assignment (Directive Bundle = collection of bundles)
> Name includes date and time of assignment
> Reboot handling options
• Useful for Tech Support
– What was assigned where and when…
Tip: Don't mess with ZENworks Patch Management System folder!
Subscription Replication
• Definitely NOT a spectator sport!
– Files download to /zenworks/zpm/dist
– Download takes 20 mins or more
– Bundling can take 30 - 40 mins (high CPU)
– DAU creation takes 5 mins
– Assignment Updates 1+ mins
• Let it run overnight
– Or prepare ahead of time!
Discovering Vulnerabilities
• Single File Bundle
• One DAU task per:
– Platform
– Architecture
– Language
– Service Pack
Runs: ANALYZE.EXE
Patch Status
Patch is Cached
Patch needs to be Cached (downloaded)
Patch is in download process
Patch is Disabled
Patch is a part of a Baseline
Patch could not be Cached (error)
Deploying Patches
1. Select Patch / Patches to be deployed
2. Accept any license agreements
3. Specify when the patch is to be deployed (Run Now, Scheduled or Event)
4. Adjust or accept the deployment order (multiple patches)
5. Select reboot options
6. Deployment Summary (accept or adjust)
ZENworks® Patch Management Assignment Bundle
• Directive Bundle = “Bundle of Bundles”
• Ordered list of Remediation Bundles
– Ordered as the administrator wanted to install them
+ Reboot Action
– User prompt message
– User can cancel
+ Re-Scan Action
– Runs a DAU at the end of patch install
Runs: REMEDIATE.EXE
Mandatory Baselines
Mandatory baseline is a user-defined compliance level for a group of devices.
• Can be applied to Groups or Dynamic Groups
• Every few hours, depending on the results of the DAU task, the ZENworks® Server determines the devices that are applicable and out of compliance (based upon the patches added to the baseline).
• Necessary bundles, as defined in the baseline, are then deployed as soon as possible for each device.
• After patches have been deployed, it might be necessary to reboot those devices for them to be detected as patched.
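The baseline evaluation described above, modelled as an added example (not ZENworks code or data). The status strings, device names, patch names, the reboot_pending flag and the "unscanned" state are assumptions made for illustration; the point is that a device without DAU results is never counted as compliant, and a device awaiting a reboot is rescanned rather than redeployed.

```python
# Added example: simplified model of mandatory-baseline evaluation (assumed names).
from dataclasses import dataclass, field

PATCHED, NOT_PATCHED, NOT_APPLICABLE = "patched", "not_patched", "not_applicable"

@dataclass
class Device:
    name: str
    dau: dict = field(default_factory=dict)  # patch name -> status from last DAU scan
    reboot_pending: bool = False             # patches deployed, reboot still outstanding

def evaluate_baseline(baseline, devices):
    """Classify each device against an ordered list of baseline patches."""
    report = {}
    for dev in devices:
        if not dev.dau:
            # No scan results: unknown, never counted as compliant.
            report[dev.name] = {"state": "unscanned", "to_deploy": []}
            continue
        applicable = [p for p in baseline
                      if dev.dau.get(p, NOT_APPLICABLE) != NOT_APPLICABLE]
        missing = [p for p in applicable if dev.dau[p] == NOT_PATCHED]
        if not missing:
            state = "compliant"
        elif dev.reboot_pending:
            # Deployed patches may only be detected as patched after a reboot.
            state, missing = "reboot_then_rescan", []
        else:
            state = "deploy"  # baseline order is preserved in `missing`
        report[dev.name] = {"state": state, "to_deploy": missing}
    return report

def compliance_rate(report):
    """Share of devices confirmed compliant; unscanned devices count against it."""
    if not report:
        return 0.0
    ok = sum(1 for r in report.values() if r["state"] == "compliant")
    return ok / len(report)

# Constructed sample data for one device group.
BASELINE = ["PATCH-A", "PATCH-B", "PATCH-C"]
GROUP = [
    Device("ws-01", {"PATCH-A": PATCHED, "PATCH-B": PATCHED, "PATCH-C": NOT_APPLICABLE}),
    Device("ws-02", {"PATCH-A": NOT_PATCHED, "PATCH-B": PATCHED, "PATCH-C": NOT_PATCHED}),
    Device("ws-03", {"PATCH-A": NOT_PATCHED, "PATCH-B": PATCHED}, reboot_pending=True),
    Device("ws-04"),
]

if __name__ == "__main__":
    print(evaluate_baseline(BASELINE, GROUP))
```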
Creating or Modifying Baselines
• From a group object, select the patches tab
• Select patches needed for the baseline
• Click on action / assign to baseline
Reporting
• Requires ZENworks® Reporting Services
• Customizable
• Canned Reports
Reporting Universe
• Novell® ZENworks® Patch Management tables integrated into Universe
• Patch Management Service reports
– Vulnerability Summary
– Vulnerability Detail
– Baseline Compliance
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.