
Red Hat Linux Patch Management

Overview of Red Hat Patching

Patch Management for Red Hat Enterprise Linux lets administrators manage the security and non-security errata that Red Hat publishes as advisories (RHSA for security fixes, RHBA for bug fixes, RHEA for enhancements). It keeps Linux endpoints at a consistent security level by identifying, installing, and auditing Red Hat package updates on subscribed workstations and servers.

Pre-Requisites

Note: It is recommended that all managed endpoints have Standard subscriptions for Red Hat Enterprise Linux.

Agent

  1. If you are new to Red Hat Enterprise Linux patching, start by purchasing a Red Hat subscription.

    A Red Hat subscription gives you access to enterprise-ready software, updates, and the information and support services that span your application infrastructure, life cycle, and architecture.

  2. Updates from the Red Hat portal require an active subscription. Make sure the Red Hat account you provide has a subscription that is currently active.
  3. Check whether the purchased subscription has recently expired. If it has, renew it. Refer here for the renewal steps.
  4. Check the subscription status of the system by running "sudo subscription-manager status" in a terminal on the endpoint.
    • If the status is 'Unknown', the machine may have been registered while it was offline. If so, refer to the steps here.
    • If the status is 'Insufficient', the system may be a virtual machine that was migrated after it was subscribed. In that case, refer to the steps here.
    • If the problem persists, or the status is neither of the above, detach (remove) the subscription from the system and attach it again. Refer to the steps here.
  5. Ensure that a valid redhat.repo file is present on at least one of the managed systems.
  6. For systems registered with Red Hat Update Infrastructure (RHUI) in the cloud, an active connection to the RHUI mirrors is required.
  7. For systems registered with a Red Hat Satellite Server, the agent must also be installed on the system that hosts the Satellite server.
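The following script is an added pre-flight check for the agent prerequisites above; it is not part of the Endpoint Central documentation or product. It classifies the output of `subscription-manager status` into the three cases the list describes and prints the matching remediation, and it tells you whether the endpoint takes content from cdn.redhat.com (a redhat.repo file) or from a cloud RHUI mirror, which is the distinction the RHUI Subscribed Systems section later relies on. The RHUI detection rule (any *rhui*.repo file in the yum repo directory) and the sample status output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the documentation): endpoint-side prerequisite check.

# Pull the "Overall Status:" value out of `subscription-manager status` output (stdin).
sm_overall_status() {
    sed -n 's/^Overall Status:[[:space:]]*//p' | head -n 1
}

# Map the status to the action the prerequisites list calls for.
sm_remediation() {
    case "$1" in
        Current)
            echo "ok: subscription active" ;;
        Unknown)
            echo "re-register: system was probably registered while offline" ;;
        Insufficient)
            echo "re-attach: system is probably a migrated VM" ;;
        Disabled)
            # Shown when Simple Content Access is on; entitlement status is not enforced.
            echo "ok: simple content access mode, status not enforced" ;;
        *)
            echo "detach and re-attach: subscription-manager remove --all && subscription-manager attach --auto" ;;
    esac
}

# Classify where the endpoint gets packages from, by inspecting the repo directory.
# Prints one of: rhui | cdn | none. (Assumption: RHUI client packages drop a
# *rhui*.repo file; a CDN-registered system has redhat.repo.)
content_source() {
    dir="${1:-/etc/yum.repos.d}"
    for f in "$dir"/*rhui*.repo; do
        [ -f "$f" ] && { echo rhui; return 0; }
    done
    if [ -f "$dir/redhat.repo" ]; then
        echo cdn
        return 0
    fi
    echo none
    return 0
}

# Live check for a real RHEL host (run as root). Not executed automatically below.
preflight() {
    st=$(subscription-manager status 2>&1 | sm_overall_status)
    echo "subscription: ${st:-unparsed} -> $(sm_remediation "$st")"
    echo "content source: $(content_source)"
}

# Constructed sample, shaped like `subscription-manager status` output on RHEL 8.
SAMPLE='+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Insufficient

System Purpose Status: Not Specified'

st=$(printf '%s\n' "$SAMPLE" | sm_overall_status)
echo "sample status: $st -> $(sm_remediation "$st")"
```

On a real endpoint, call `preflight` as root instead of feeding the constructed sample; a result of `none` from `content_source` means prerequisite 5 (a valid redhat.repo) is not met on that machine.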

Server

Ensure that cdn.redhat.com is reachable from the central server.

The following domain must be allowed through your firewall or proxy so that Red Hat packages can be downloaded:

  1. https://cdn.redhat.com

Configuring Red Hat Linux Settings For Patching

Automatic Upload of Red Hat Entitlement Certificate to Server

When an agent is installed on a system that meets the prerequisites, the agent automatically uploads the Red Hat entitlement certificate from that system to the server. For servers upgraded from a build earlier than 11.3.2440.1, the previously configured nominated system is used by default. If the certificate has not been uploaded after a few refresh cycles, any other agent with a valid subscription uploads it instead.

Manual Upload of Red Hat Entitlement Certificate to Server

Instead of automatic upload, you can manually select the system to upload the certificate.

Steps to Configure:

  • Navigate to Patch Management -> Redhat Linux Settings Page -> Choose Alternate System
  • Select the system to upload the certificate.

Note: Once a system has been chosen manually, an expired entitlement certificate on the server does not cause the agent to fetch a fresh certificate from other available systems; the certificate is re-uploaded only from the manually configured system. Therefore always keep an active subscription on that system.

Disable Edition

If you do not wish to manage a particular edition, you can disable it from the Red Hat Linux settings page. Disabling an edition stops patching operations such as scans and deployments for systems running that edition.

Steps to Configure:

  • Navigate to Patch Management -> Redhat Linux Settings Page -> Disable Edition.

Note: While an edition is disabled, patch scans and deployments cannot be performed on systems running that edition.

RHUI Subscribed Systems

  1. All systems are registered with Red Hat Update Infrastructure (RHUI) in the cloud, and none are registered directly with Red Hat (cdn.redhat.com).
    • The agent downloads the required metadata files and patches directly from the configured RHUI repositories.
  2. A hybrid environment, where some systems are subscribed through RHUI in the cloud while others are registered directly with Red Hat.
    • For systems registered directly with Red Hat, the agent downloads the necessary metadata files and patches from the Endpoint Central Server.
    • For systems registered with RHUI in the cloud, the agent retrieves the necessary metadata files and patches directly from the configured RHUI repositories.
    • If you want RHUI systems to download metadata files and patches from the Endpoint Central Server instead, an internal setting on the server has to be enabled.

RedHat Entitlement Certificates

Red Hat entitlement certificates are essential for managing and verifying a RHEL system's subscription. These certificates ensure secure and authenticated access to Red Hat repositories, allowing the system to receive updates and patches according to its subscribed entitlements.

  • Entitlement Certificates (*.pem): These certificates represent the entitlements granted to the system based on the attached subscriptions. Each entitlement certificate is named with a unique identifier (its serial number) and has a .pem extension. It contains details of the products and services the system is entitled to, including the start and end dates of the subscription.
  • Entitlement Key Files (*-key.pem): For each entitlement certificate there is a corresponding private key file with a *-key.pem extension. The key is used together with the entitlement certificate for TLS client authentication (mutual TLS) when accessing the Red Hat content delivery network (CDN) or repositories.
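Because the server (or the nominated agent) can only reach cdn.redhat.com with a certificate/key pair that is still valid, the check below is worth running before relying on an upload. It is an added example, not part of the product or the documentation: it inventories the *.pem / *-key.pem pairs described above, flags certificates that are expired or about to expire, and probes the CDN using the pair as a TLS client certificate, which is also the reachability check the Server prerequisites ask for. Paths follow RHEL defaults (/etc/pki/entitlement and the Red Hat CA bundle /etc/rhsm/ca/redhat-uep.pem); the repomd.xml content URL in cdn_probe is an assumption and may need adjusting for your release and architecture, and the demo files at the end are constructed.

```shell
#!/bin/sh
# Added example (not from the documentation): entitlement certificate audit.

# Print "<cert> <key>" for every entitlement cert that has its matching -key.pem.
# Certificates without a key are reported on stderr and skipped.
ent_pairs() {
    dir="${1:-/etc/pki/entitlement}"
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        case "$cert" in *-key.pem) continue ;; esac
        key="${cert%.pem}-key.pem"
        if [ -f "$key" ]; then
            echo "$cert $key"
        else
            echo "no key for $cert" >&2
        fi
    done
}

# Number of usable pairs; the server needs at least one to reach the CDN.
ent_pair_count() {
    ent_pairs "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Exit 0 if the certificate stays valid for at least $2 seconds (default: one day).
ent_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-86400}" >/dev/null 2>&1
}

# Fetch a repodata index from the CDN with the pair as client certificate and print
# the HTTP status: 200 means the pair is accepted for that content path, 403 means
# it does not entitle that path, anything else usually means a network/proxy issue.
# (Assumption: RHEL 8 BaseOS path; change it to match a path in your redhat.repo.)
cdn_probe() {
    cert="$1"
    key="$2"
    url="${3:-https://cdn.redhat.com/content/dist/rhel8/8/x86_64/baseos/os/repodata/repomd.xml}"
    curl -sS -o /dev/null -w '%{http_code}\n' \
        --cert "$cert" --key "$key" --cacert /etc/rhsm/ca/redhat-uep.pem "$url"
}

# Live audit for a RHEL host (run as root). Not executed automatically below.
audit_entitlements() {
    ent_pairs | while read -r cert key; do
        if ent_valid_for "$cert"; then
            echo "$cert: valid, CDN returned $(cdn_probe "$cert" "$key")"
        else
            echo "$cert: expired or expiring within a day; renew or re-attach before relying on it"
        fi
    done
}

# Constructed demo: an empty pem pair plus one orphan cert in a temp directory.
demo=$(mktemp -d)
: > "$demo/1234567890.pem"
: > "$demo/1234567890-key.pem"
: > "$demo/9876543210.pem"
echo "usable pairs in demo dir: $(ent_pair_count "$demo")"
ent_pairs "$demo"
rm -rf "$demo"
```

Run `audit_entitlements` on the system you intend to nominate for the certificate upload; if it reports no valid pair, or the CDN returns 403 for every pair, the server will not be able to download metadata no matter which system is selected in the Red Hat Linux settings page.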

Purpose of Certificates

The Endpoint Central server will use these certificates to securely download metadata files and patches from cdn.redhat.com.

Note: Once the certificate is successfully uploaded to the server, it will initiate the offline metadata download. Allow for a minimum of one refresh cycle for the server to download all required offline meta files before initiating the patch scan or deployment process.