Introduction

A security flaw in your organization can cause significant financial loss, damage to credibility, and litigation. Patch management in your organization helps you fix known vulnerabilities and reduces the chance of new ones. OpsRamp patch management helps keep your infrastructure available 24x7. OpsRamp supports patch management for two types of environments: Windows and Linux.

OpsRamp is a SaaS platform that discovers and monitors your resources. The alerts browser displays all the alerts raised during monitoring. The patch management feature helps you keep your Windows and Linux devices updated with the latest patches available from the Windows and Linux patch sources.

After performing the patch management, you can:

  • View the missing patches available for Windows and Linux devices.
  • Apply the patches and validate them.
  • Set up user notifications for patch management.

Advantages

  • Visibility: OpsRamp provides Partner-level and Customer-level visibility across the customer infrastructure, making it simple to supervise all patch management activities. Patch scans, patch configuration, whitelisted-patch configuration for the partner's infrastructure, and scheduling all provide global and site-level visibility.
  • Manageability: OpsRamp lets you manage the infrastructure from a single central location, providing easy enablement, approval for patching, monitoring, access, and more. Custom jobs can be scheduled to run automation scripts for third-party patches alongside the standard Windows and Linux patches.
  • Customization: OpsRamp lets you create custom configurations that minimize manual intervention. You can run customized scripts using the Run Book Automation (RBA) feature for Windows and Linux, and make RBA scripts available at the Global or Customer level for optimization and control.
  • Reports: OpsRamp provides detailed reports outlining the patch metrics, and lets you schedule the report in the preferred format for a recurring or specific time period.

Best practices

Assign devices using the Assign Job policies in the Device Management policy when you create a patch scan or a patch install configuration.

Limitations

  • You can do patching only using agents.
  • No support for patching when using any third-party applications.
  • No support for patching from any third-party integration.

Patch process flow

Patch management allows you to scan, approve, configure, and sign-off each software patch before deployment.

Patch management is a five-step process that includes:

  1. Patch scan
  2. Patch approval
  3. Patch configuration
  4. Patch on-demand
  5. Patch notifications

Figure: Patch Management Architecture

Patch scan

Scanning for missing patches helps you get the latest updates for the different versions of Windows and Linux packages. You can create jobs in OpsRamp to scan for and view the missing patches for a version. An internal job starts automatically after you install the agent on a device and provides a list of missing patches for that device. Steps 1 to 3 in the preceding diagram show the patch scan process.

Patch approval

After the missing patches are identified, you can approve the relevant ones for installation. All whitelisted security and critical patches are approved automatically after you enable Auto-Approve. You can also approve patches manually or rate them. With a whitelist, you can approve patches globally by selecting several devices at a time. OpsRamp captures all patch approvals for audit trails and sends notifications after patches are approved. Step 4 in the preceding diagram shows the patch approval process. The list of approved patch IDs is sent to the agent for installation. The patch install schedule configures the installation time and the source of the patches to be installed.

Patch configuration

OpsRamp lets you configure patching for your devices based on the Approval Type, Reboot Options, and Patching Schedule. Once configured, click Run Now to install the patches.

Patch on-demand

You can click Run Now in the Patch Configuration to start patching immediately.

Patch notifications

You can notify users in the event of Patch configurations or Patch Approvals. OpsRamp also lets you select users to receive notifications after performing an action in Patch Management.

Patch features

Patch feed

A patch feed is a source of published patch information that carries all the available attributes of each patch. You can obtain a patch feed from an OS vendor, a software package provider, or a partner who manages the feed and adds qualifications or insights about the published packages.

A typical patch feed provides the following information:

  • Patch details such as patch name, patch ID, severity, OS version, and release date.
  • Patch rating, if the feed provider rates the patch.
  • CVE ID, if the feed provider enters the ID.
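The approval and feed sections above describe how feed attributes are read and how whitelisted security and critical patches are auto-approved with an audit trail. The following is an added example, not OpsRamp code or the OpsRamp Patch Feed API: it parses a constructed JSON feed whose field names (patch_id, name, severity, os_version, release_date, rating, cve_ids) are assumptions modelled on the attributes listed above, applies the auto-approve rule, and orders patches by rating for prioritization. The feed content, patch IDs and CVE IDs are constructed placeholders.

```python
"""Illustrative patch-feed parsing, auto-approval and prioritization.

Added example; not OpsRamp code. The JSON layout and field names are
assumptions modelled on the attributes a patch feed typically carries.
"""
import json
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class PatchEntry:
    patch_id: str
    name: str
    severity: str                 # normalised to lower case
    os_version: str
    release_date: date
    rating: Optional[int] = None  # present only if the feed provider rates patches
    cve_ids: Tuple[str, ...] = ()  # present only if the feed provider enters them


REQUIRED = ("patch_id", "name", "severity", "os_version", "release_date")

# Severities the auto-approve rule covers (whitelisted security and critical patches).
AUTO_APPROVE_SEVERITIES = {"critical", "security"}

# Constructed sample feed; IDs and CVE numbers are placeholders, not real records.
SAMPLE_FEED = json.dumps([
    {"patch_id": "KB-EXAMPLE-001", "name": "Security Update for Example Service",
     "severity": "Critical", "os_version": "Windows Server 2019",
     "release_date": "2023-05-09", "rating": 5, "cve_ids": ["CVE-0000-0001"]},
    {"patch_id": "KB-EXAMPLE-002", "name": "Cumulative Update",
     "severity": "Important", "os_version": "Windows Server 2019",
     "release_date": "2023-05-09"},
    {"patch_id": "pkg-example-003", "name": "openssl", "severity": "Security",
     "os_version": "Ubuntu 22.04", "release_date": "2023-05-10",
     "cve_ids": ["CVE-0000-0002"]},
    {"patch_id": "pkg-example-004", "name": "vim", "severity": "Low",
     "os_version": "Ubuntu 22.04", "release_date": "2023-05-10"},
])


def parse_feed(text: str) -> List[PatchEntry]:
    """Parse a JSON array of patch records, rejecting records that lack required attributes."""
    raw = json.loads(text)
    if not isinstance(raw, list):
        raise ValueError("feed must be a JSON array of patch records")
    entries: List[PatchEntry] = []
    for i, rec in enumerate(raw):
        missing = [k for k in REQUIRED if k not in rec]
        if missing:
            raise ValueError(f"record {i} is missing required attributes: {missing}")
        entries.append(PatchEntry(
            patch_id=str(rec["patch_id"]),
            name=str(rec["name"]),
            severity=str(rec["severity"]).strip().lower(),
            os_version=str(rec["os_version"]),
            release_date=datetime.strptime(rec["release_date"], "%Y-%m-%d").date(),
            rating=int(rec["rating"]) if "rating" in rec else None,
            cve_ids=tuple(str(c) for c in rec.get("cve_ids", ())),
        ))
    return entries


def auto_approve(entries: List[PatchEntry], whitelist: Set[str],
                 auto_approve_enabled: bool) -> Tuple[List[str], List[Dict[str, str]]]:
    """Return (approved patch IDs, audit trail).

    A patch is auto-approved only when Auto-Approve is enabled, the patch is
    whitelisted, and its severity is critical or security; everything else
    stays pending for manual approval. Every decision is recorded for audit.
    """
    approved: List[str] = []
    audit: List[Dict[str, str]] = []
    for e in entries:
        eligible = e.patch_id in whitelist and e.severity in AUTO_APPROVE_SEVERITIES
        if auto_approve_enabled and eligible:
            approved.append(e.patch_id)
            audit.append({"patch_id": e.patch_id, "action": "auto-approved",
                          "reason": f"whitelisted, severity={e.severity}"})
        else:
            why = "auto-approve disabled" if not auto_approve_enabled else (
                "not whitelisted" if e.patch_id not in whitelist else f"severity={e.severity}")
            audit.append({"patch_id": e.patch_id, "action": "pending", "reason": why})
    return approved, audit


SEVERITY_RANK = {"critical": 0, "security": 1, "important": 2}


def prioritize(entries: List[PatchEntry]) -> List[PatchEntry]:
    """Order patches for rollout: highest feed rating first, then severity, then newest release."""
    return sorted(entries, key=lambda e: (-(e.rating or 0),
                                          SEVERITY_RANK.get(e.severity, 99),
                                          -e.release_date.toordinal()))
```

With the constructed feed and a whitelist containing the first three IDs, only the critical and security entries are auto-approved; the "Important" entry stays pending even though it is whitelisted, and the audit trail records the reason for each decision.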

Patch baseline

A patch baseline defines the set of approved patches for your resources.

Patch compliance

You can configure patch compliance check jobs to track the compliance of selected devices or device groups against the configured baselines. The patch compliance check is recomputed automatically after every patch scan run on the device.

Patch rating

Patch ratings can help you prioritize the patch update process.

Patch management widgets

OpsRamp offers the following Dashboard widgets, which provide a snapshot of the current patch status of your Windows and Linux devices.

  • Patch Compliance – Lets you view the compliance status of a set of devices for a specific baseline.
  • Patch Pending Approvals – Lets you view the number of patches that are pending for approval from your end.
  • Patch Status – Device counts categorized as patched or as pending installation of approved critical and security patches. The widget uses each device's most recent patch scan from the last 30 days.
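The compliance section and the widget list above describe two computations over scan results: compliance of each device against a baseline, and a patch-status count that uses only each device's most recent scan within the last 30 days. The following is an added example, not OpsRamp code or the OpsRamp API, showing how those computations work over constructed scan results. The ScanResult layout, the baseline, the approved-patch set and the device names are assumptions constructed for the example.

```python
"""Illustrative patch compliance and patch-status computation.

Added example; not OpsRamp code. Scan records, baseline and approved
patch IDs are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class ScanResult:
    device: str
    scanned_at: datetime
    missing: FrozenSet[str]   # patch IDs the scan reported as missing on the device


# Constructed sample data (not from a real tenant).
NOW = datetime(2023, 6, 1, 12, 0)
BASELINE = frozenset({"KB-EXAMPLE-001", "KB-EXAMPLE-002", "pkg-example-003"})
APPROVED_CRIT_SEC = frozenset({"KB-EXAMPLE-001", "pkg-example-003"})

SCANS: List[ScanResult] = [
    ScanResult("win-01", NOW - timedelta(days=1), frozenset()),
    ScanResult("win-01", NOW - timedelta(days=10), frozenset({"KB-EXAMPLE-001"})),  # superseded by newer scan
    ScanResult("win-02", NOW - timedelta(days=2), frozenset({"KB-EXAMPLE-002"})),
    ScanResult("lnx-01", NOW - timedelta(days=3), frozenset({"pkg-example-003", "pkg-example-004"})),
    ScanResult("lnx-02", NOW - timedelta(days=45), frozenset()),  # stale: outside the 30-day window
]


def latest_scans(scans: Iterable[ScanResult], now: datetime,
                 window_days: int = 30) -> Dict[str, ScanResult]:
    """Most recent scan per device, ignoring scans older than window_days or dated in the future."""
    cutoff = now - timedelta(days=window_days)
    latest: Dict[str, ScanResult] = {}
    for s in scans:
        if s.scanned_at < cutoff or s.scanned_at > now:
            continue
        current = latest.get(s.device)
        if current is None or s.scanned_at > current.scanned_at:
            latest[s.device] = s
    return latest


def device_compliance(scan: ScanResult, baseline: FrozenSet[str]) -> Tuple[bool, FrozenSet[str]]:
    """A device is compliant when none of the baseline patches is missing; also return the gaps."""
    gaps = frozenset(baseline & scan.missing)
    return (not gaps, gaps)


def group_compliance(scans: Iterable[ScanResult], baseline: FrozenSet[str], now: datetime) -> Dict[str, object]:
    """Compliance summary for a device group, recomputed from each device's latest scan."""
    latest = latest_scans(scans, now)
    results = {d: device_compliance(s, baseline) for d, s in latest.items()}
    compliant = sorted(d for d, (ok, _) in results.items() if ok)
    non_compliant = {d: sorted(gaps) for d, (ok, gaps) in results.items() if not ok}
    percent = round(100 * len(compliant) / len(results), 1) if results else 0.0
    return {"compliant": compliant, "non_compliant": non_compliant, "percent_compliant": percent}


def patch_status(scans: Iterable[ScanResult], approved_crit_sec: FrozenSet[str], now: datetime) -> Dict[str, int]:
    """Patch Status widget: count devices as installed or pending for approved critical/security patches.

    Only the most recent scan within the last 30 days counts; devices without a recent scan are omitted.
    """
    counts = {"installed": 0, "pending": 0}
    for s in latest_scans(scans, now).values():
        counts["pending" if s.missing & approved_crit_sec else "installed"] += 1
    return counts
```

In the constructed data, win-02 is non-compliant with the baseline (a missing approved patch) yet still counts as "installed" in the Patch Status widget, because the patch it lacks is neither critical nor security; the two views answer different questions and should be read together. lnx-02 appears in neither result because its only scan is older than 30 days.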

Scenarios

Installing the latest critical patches

After you identify the latest patches, you can whitelist the patches either using the UI or the OpsRamp Patch Feed API. Once the Patch Configuration execution starts, OpsRamp installs the whitelisted patches.

Addressing a specific vulnerability

Administrators may face specific vulnerabilities such as the WannaCry (wcry) ransomware. You can run a patch scan to check whether any additional patches are needed.