Policy management

In Ubuntu patch management, patch policies and patch policy exceptions enable you to customize patch distribution in your environment. Policies and exceptions define the Ubuntu packages that should be installed or not installed on your managed servers.

You can choose to have patching in your server environment comply to the model that these policies and exceptions define, or you can choose to deviate from this model. If you choose to deviate from the patch policies and exceptions and perform ad hoc patch installs, then you need to remediate. The remediation process ensures that the applicable packages get installed on servers.

Patch policy

A patch policy is a group of packages that you want to install on SA managed servers. All packages in a patch policy must apply to the same Ubuntu operating system.

A patch policy provides broad flexibility for distributing packages. For example, you can create a patch policy that contains security packages that you want to distribute only to servers used by your sales force. You can also create a patch policy that contains security packages that are applicable to specific software that is already installed on a server, such as Exchange Server, Internet Information Services (IIS), SQL Server, and so on. Or, you can create a patch policy that includes all packages ranked as critical by Ubuntu and then installs them on all servers that are used by everyone in your organization.

If you do not want to create a patch policy, you can use the vendor-recommended set of packages (by operating system) as a default patch policy.

You can attach as many patch policies as you want to servers or groups of servers. If several policies are attached to one server, the installation logic is cumulative—all packages listed in all attached policies will be installed on the server. The Remediate window allows you to select an individual patch policy to remediate. You do not have to remediate all policies attached to a server. You cannot nest patch policies.

If a description of the patch policy is defined, it is recorded in the server’s patched state in the Model Repository. This information enables Patch Management to report on patch policies for patch compliance purposes. The patch compliance process compares patch policies with corresponding patch policy exceptions.

Ubuntu Patch Management supports the following types of patch policies:

  • User-defined patch policy: This type of patch policy allows you to specify the packages you want in the policy. A user-defined patch policy can be edited or deleted by a user who has the required permissions.

    This type of patch policy allows a policy setter to opt out of packages. The policy setter can create a user-defined patch policy that is a subset of all available packages that are in a vendor-recommended patch policy. This enables the policy setter to apply only those patches that their environment needs.

  • Dynamic patch policy: Membership of packages is defined by Individual Ubuntu Managed Server Scan Results, based on Ubuntu package metadata. Dynamic Patch Policies are system defined and cannot be edited or deleted by a user.

You can only export user-defined patch policies. You cannot export vendor-recommended patch policies.

Patch policies have the following characteristics:

  • A patch policy has a name and can (optionally) include a description that explains its purpose.
  • A patch policy can be either user-defined or vendor-defined.
  • A patch policy does not have sub-policies. There is no inheritance.
  • A patch policy is Customer Independent, which means that patches in the policy can be installed on any managed server, no matter what customer is associated with it. See the SA 10.51 Use section.
  • A patch policy is always public.
  • A patch policy can be attached to zero or more servers or public device groups.
  • More than one patch policy can be attached to a server or public device group.
  • Only user-defined patch policies can be created, edited, and deleted by a user who has permissions.

Precedence rules for applying policies

By creating multiple patch policies and patch policy exceptions that are either directly attached to a server or attached to a group of servers, you control the patches that should be installed or not installed on a server. A precedence hierarchy in Patch Management delineates how a patch policy or a patch policy exception is applied to a patch installation. This hierarchy is based on whether the patch policy or patch policy exception is attached at the server or device group level.

The following precedence rules apply to policies and exceptions:

  • Patch policy exceptions that are directly attached to a server always take precedence over patch policies that are directly attached to a server.
  • Patch policies that are directly attached to a server take precedence over patch policies and patch policy exceptions that are attached to a public device group.
  • Patch policy exceptions that are attached to a public device group take precedence over patch policies that are attached to a public device group.
  • If a server is in multiple public device groups, a Never Installed patch policy exception type always take precedence over an Always Installed patch policy exception type for the same patch.

Remediation process

See "Remediating and Installing Software" in the SA 10.51 Use section for information about the fundamentals of SA remediation.

To ensure patch compliance, Ubuntu Patch Management identifies vulnerable managed servers and simultaneously deploys packages to many servers when a remediation process is performed. The remediation process examines and applies an entire patch policy, including multiple policies, to the managed servers to which it is attached. A policy must be attached to a server or a group of servers before you can remediate the policy with that server or group.

Best Practice: Each time you review the latest Ubuntu package releases and subsequently update a patch policy by adding new packages to a policy, you should perform remediation. In these situations, a remediation process provides demand forecasting information. This allows you to determine how patch policy changes will impact servers to which this policy is attached.

If the remediation process discovers any applicable missing packages, these packages will be installed on the servers.

To help you manage remediation conditions, SA allows you to specify remediate options and pre and post actions, and set up ticket IDs and email notifications that alert you about the status of the remediate process. The Remediate wizard guides you through setting up these conditions.

Remediate Wizard