Deploying patches and fixes, Important information about patches and fixes – HP Insight Vulnerability and Patch Manager Software User Manual
Deploying patches and fixes
This section provides an overview of using Vulnerability and Patch Management Pack to deploy
patches and configuration fixes.
Patches and configuration fixes can be deployed immediately or scheduled for deployment at a later
time. Patches and fixes can be selected individually from the database for deployment to all systems
or any combination of specified systems without performing a scan. Patches and fixes can also be
deployed for all vulnerabilities identified in a particular scan.
Patches come from the software vendor and can be updates to existing software, registry, or
configuration settings or files. Configuration fixes resolve incorrect system settings that can leave the
system open to security threats, such as open ports or services running that are not required.
NOTE: Not all vulnerability issues found can be programmatically fixed or patched. Scan results
often provide a suggested fix that must be manually performed.
Important information about patches and fixes
• Target systems are rebooted if required by the installed or removed patch, based on the reboot
  information obtained from the original patch source. Reboot information might occasionally
  inaccurately indicate whether a patch installation requires a reboot.
• If multiple patches requiring reboots are applied, target systems are only rebooted once after all
  patches are applied. Required reboots can be deferred and performed later. HP recommends
  performing required reboots as soon as possible because the status of patched systems might be
  unstable when a required reboot is deferred.
• To determine patch applicability, Vulnerability and Patch Management Pack might enhance
  patch detection criteria to be more precise than vendor information. These patches appear with
  an asterisk in the Patch Source column. HP does not modify the patch itself.
• Risk and Vulnerability ID information might not appear because this information was not
  available at the time the patch was acquired. The information appears when the vulnerability
  database is updated to include this information.
• By default, patches are sorted by the latest release date. Select a column heading to
  re-sort patches.
• Target systems that are down at the time of a scheduled patch application are patched when the
  system is brought online.
Deploying patches and fixes based on a vulnerability scan
After a vulnerability scan has been performed and it is determined that security vulnerabilities or
configuration errors exist, perform the steps in the following sections to deploy patches, configuration
fixes, or both.
Vulnerabilities that require manual fixes or vulnerabilities for which the patch has not been acquired
are listed but not available for selection.