Patch compliance

A Solaris Patch compliance scan compares the Solaris patches that are installed on a managed server with the patches listed in the Solaris patch policies that are attached to the server and reports the results. If the actual server configuration does not match the Solaris patch policies attached to the server, then the server is out of compliance with the Solaris patch policies.

Patches that are not applicable to a particular Solaris server will not impact the compliance status of the server. For example:

  • If a policy contains a patch for the package “SUNWpkga”, but “SUNWpkga” is not installed on a particular server, the patch is not applicable to that server and that patch will not impact the results of the compliance scan for that server. The Compliance Summary does not include non-applicable patches. For example, if a policy contained 5 patches but only 3 were applicable to a given server and those 3 were installed on that server, the Compliance Summary would report “3 of 3 Rules In Compliance”, ignoring the 2 non-applicable patches.
  • If a particular patch in the patch policy has been superseded by a newer patch and the newer patch is installed on a server, that server will be marked as compliant. (In essence, the patch policy is out of date. You can update the policy as described in Resolve patch dependencies.)
  • Manual patches are always shown as out of compliance because SA cannot determine if manual patches are installed on Solaris servers. For more information, see Install manual patches—patchadd.

In the SA Client, when you perform a patch compliance scan, the results indicate the server’s overall compliance with all the Solaris patch policies attached to the server. Even if only one Solaris patch policy attached to the server is not compliant, the server is considered non-compliant. You can then view the non-compliant server and remediate the server against the applicable patch policy.
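The rules above can be expressed as a small model. This is an added example, not SA code: the data model, function names and patch IDs are hypothetical and constructed. It assumes a patch is applicable when its package is installed, and that a manual patch is counted as an applicable rule that is never in compliance.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicyPatch:
    patch_id: str
    package: str               # package the patch applies to
    manual: bool = False       # installation state cannot be determined
    superseded_by: tuple = ()  # newer patch IDs that replace this one

def evaluate_policy(installed_pkgs, installed_patches, policy):
    """Return (rules in compliance, applicable rules) for one policy."""
    applicable = compliant = 0
    for p in policy:
        if p.package not in installed_pkgs:
            continue           # non-applicable: left out of the summary
        applicable += 1
        if p.manual:
            continue           # manual patches always show as out of compliance
        # Compliant if the patch itself or any superseding patch is installed.
        if installed_patches & {p.patch_id, *p.superseded_by}:
            compliant += 1
    return compliant, applicable

def summary(result):
    return "%d of %d Rules In Compliance" % result

def server_status(installed_pkgs, installed_patches, policies):
    """One non-compliant policy makes the whole server non-compliant."""
    results = {name: evaluate_policy(installed_pkgs, installed_patches, pol)
               for name, pol in policies.items()}
    ok = all(c == a for c, a in results.values())
    return ("Compliant" if ok else "Non-compliant"), results

# Constructed sample data: SUNWpkga is NOT installed on this server.
PKGS = {"SUNWpkgb", "SUNWpkgc"}
PATCHES = {"900001-01", "900002-01", "900003-02"}
POLICY_A = [
    PolicyPatch("900001-01", "SUNWpkgb"),
    PolicyPatch("900002-01", "SUNWpkgb"),
    PolicyPatch("900003-01", "SUNWpkgc", superseded_by=("900003-02",)),
    PolicyPatch("900004-01", "SUNWpkga"),   # not applicable
    PolicyPatch("900005-01", "SUNWpkga"),   # not applicable
]
POLICY_B = [PolicyPatch("900006-01", "SUNWpkgc", manual=True)]

if __name__ == "__main__":
    status, results = server_status(PKGS, PATCHES, {"A": POLICY_A, "B": POLICY_B})
    for name, res in results.items():
        print(name, summary(res))
    print(status)
```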

The following figure shows the compliance view for a Solaris server. Notice that the server is out of compliance because some patches are not installed on the server:

  • Patch policy “Test for 121430-37” contains 4 applicable patches, but only 2 are installed on the server.
  • Patch policy “mwps_policy1” contains 384 applicable patches and all are installed on the server.

Compliance results for a Solaris server

The values for the Status column are described in the table below.

Compliance status for a managed server

  • Compliant: All the patch policies attached to a server are compliant. That is, all the patches specified in all the patch policies are installed on the server.
  • Non-compliant: At least one of the patch policies attached to the server is not compliant, which means at least one patch in the policy is not installed on the server.
  • Scan Started: The patch compliance information is currently being gathered.
  • Scan Failed: The patch compliance scan was unable to run.
  • Scan Needed: The patch compliance information needs to be gathered or the compliance information may be inaccurate.
  • Not Applicable: The patch compliance information does not apply.

In the SA Client, you can check for patch compliance on an individual server or view overall compliance levels for all servers and groups of servers in your facility.

See the SA 10.51 Use section for information about compliance scans for all the servers in your data center.