Managing Patch Jobs for Linux Assets

Patch Management allows you to deploy patch jobs on Linux assets. You can use a single job to deploy a single patch on multiple assets, multiple patches on a single asset, and multiple patches on multiple assets. You cannot target Windows and Linux assets in a single job. For security purposes, the Linux patches are downloaded manually and stored in a shared folder that must be accessible through a mounted directory on each server. This shared directory helps reduce the traffic, ensure that the file integrity and is only exposed to selective servers. The patches are transferred to the repository only after successful assessment on the staging server. We recommend fetching the patch installation files directly from the vendor to assure authenticity and integrity.

Note: For Linux jobs, Patch Management does not fetch patches at run time. You must make the patches available in a Yum repository before triggering a patch job. We recommend creating a shared directory to hold all approved patch files that you must mount on all Yum-based Linux assets. This enables you to scale without caching, proxying and is a more secure approach. It works without exposing your server assets beyond firewalls or tunnels, and it also ensures approved patch rollouts only when you put the patch files in the repository.

Supported Versions

- RHEL 6, 7, and 8

- CentOS 6 and 7

- Oracle Linux 6, 7, and 8

- Amazon Linux and Amazon Linux 2

Consider this!

 - Four out-of-the-box widgets are available exclusively for Linux patches. You can customize and add widgets based on your preferences.  

 - On the Assets tab for Linux, you cannot view the agent scan status based on the vulnerability scan. Agent scan date would be the date of latest vulnerability scan on an asset.

 - Superseded patches are not applicable for Linux.

 - You cannot enable the opportunistic patch download to allow the Cloud Agent for Linux to download the required patches before a scheduled job run begins. The patches must be stored in a repository at a predefined location which is accessible to each asset.

 - You can only create deployment jobs for Linux assets. Rollback jobs are not applicable for Linux assets.

 - While creating a Linux deployment job, if you select an asset tag that includes Windows and Linux assets, only Linux assets will be added for the job.

 - Job title for each job must be unique. You cannot have the same job title as a Windows job. For example, if a Windows job titled Security Patches is created, you cannot have a Linux job titled as Security Patches.

 - If a deployment job contains multiple OS patches, then only the job assets with specific OS will have applicable patches installed. For example,

- A job that has a mixed set of patches i.e. both RHEL 6 and RHEL 7, but only RHEL6 assets, in this case, the status for RHEL 7 patches will be displayed as Skipped.

- A job that has RHEL 6 patches and also has RHEL 7 assets, in this case, no manifest will be sent and status for asset will be shown as Not Applicable.


- You must install the Cloud Agent for Linux on each of your Linux assets before you can deploy patch jobs.

- Ensure that the patches that you want to install are available in the agent-side repository for respective OS on the asset during the job execution. This configuration must be setup at the OS specific setting and not specific for Patch Management.

Creating Patch Job for Linux Assets

1. Navigate to Jobs  > Linux and then click  Create Jobs.

2. On the Basic Information page, enter a job title and description and then click Next.

Basic Information

3. (Optional) Select Add Exclusion Assets check box to exclude specific assets from the deployment job.
Note: You can include and exclude maximum 50 assets from a job.

Add exclusion assets for linux

Note: Based on the selected options, the final list of assets is calculated taking into consideration included and excluded assets tags and included and excluded assets.

4. Select assets or asset tags on which you want to apply patches and click Next.
Note: You can include and exclude maximum 50 asset tags from a job.

Select Assets

5. (Optional) If you want to exclude the assets with All and Any tags from the deployment job, select the Add Exclusion Asset Tags check box and then select one of the following options and click Next.

- Any – to include assets that have any of the selected tags
- All – to include only those assets that have all the selected tags 
The patches are deployed on the selected tags only for assets that are contained in the user's scope.

Note: To understand how final assets are determined for a job, see Which Assets are Included for a Job.

6. On the Select Patches page, click Take me to patch selector.

7. Select one or more patches, click Add to Job and then click Close.
Note: You can only add 2000 patches to a single job.

8. On the Select Patches page, click Next.
Note: Ensure that the selected patches are available in the agent-side repository during the job schedule.

Select Patches

9. On the Schedule Deployment page, select one of the following options and click Next:

 - On Demand – to install the patches immediately once the job is created and enabled.
- Schedule – to install the patches at a specified time, set the start date and start time. You can schedule a job to recur daily, weekly, or monthly. For more information, see Scheduling Jobs.

Monthly jobs which are scheduled to run on the 31st of the month will be scheduled every two months (where 31st date is available). You can schedule the job to run on the last day of the month which ensures that the job runs on the last day irrespective of whether the month has 28, 30, or 31 days.

Schedule Deployment

10. Set your Reboot Communication options and click Next.

The Continue patching even after a package fails to install for a patch option ensures that if one of the packages for the patch fails to install, an attempt to install other packages is made.

Reboot Options

11. On the Job Access page add the co-author who can edit the job and click Next.

Job Access

12. On the Confirmation page, review the settings and click Save to create the job or click Save and Enable to deploy the job immediately.

Confirmation Screen

Scheduling Jobs

Enabling or Disabling Jobs