"Excluding a Patch"

(imported topic written by rmarrero1fl)

An inquiry was made of me to see if a patch could be “excluded” from being applied to a server. Basically they want to somehow identify the patch as not being able to be installed on a particular server because it will “break” an application. Does TEM provide a feature where a fixlet can be turned off or disabled for a given server while still enabled and applicable to others?

(imported comment written by cstoneba)

The quick answer is no (at least not that I know of). I’ve been wanting a way to exclude fixlets for years. While IEM runs well as an enterprise solution for applying patches, there is a big gap missing with excluding patches.

The challenge is that you can’t go and modify the relevance of the fixlet you want to exclude because then the fixlet is not applicable, and that is not true. What needs to happen is this: if you try to push that fixlet, a new line within all IBM-provided fixlets would cause the action script to stop running, not be considered a failure, but instead return an exit code of “excluded” or something. There would be a wizard in place where you could enter the fixlet name/ID and which servers should get the exclusion rule, and then the wizard would apply a client setting that contains the fixlet name on the target servers. That would give the ability to exclude patches and report on the fixlets that are excluded.

(imported comment written by dhtorsdc)

A more general way to address the issue would be to implement the idea of “policy/entitlement” in addition to and separate from “relevance” (applicability). One of the (several) issues with the solution you suggest is that by excluding a machine using relevance, you’re basically causing the system to report that the vulnerability isn’t there and the patch isn’t needed - when it is. You’ve just chosen to manipulate the applicability so that it appears that the patch isn’t needed, thus preserving the vulnerability on that endpoint for all time. With a separate “entitlement”, you keep separate the technical applicability of a patch from a decision to not apply it.

(imported comment written by cstoneba)

hi dhtorsdc, as I stated above, “The challenge is that you can’t go and modify the relevance of the fixlet you want to exclude because then the fixlet is not applicable, and that is not true”. We both agree that modifying the source relevance is the wrong way to go. What there needs to be is some external way to blacklist fixlets at a per-server level.

Did you get a solution for this request?

Yeah, if you want to modify a Fixlet, duplicate it into a custom site.


We are a large MSP and have many customers with each of them having unique needs. We patch with baselines, not individual patches. We build relevance into the baselines to exclude systems that the patch or patches should not be deployed to.

This is controlled by a custom property. If that custom property “contains” a certain value, it will not be applicable to the baseline.

This also means we have a dozen EP (Exception patch) baselines that contain the patch that is being excluded from certain machines.

It is a slightly complicated process but it works extremely well. We also built in a failsafe: if someone uses the removal tool to uninstall BigFix, when it is reinstalled, it will no longer have that property set. So we set a backup key with the same value. If the agent is reinstalled, it will not match the value of the backup key, so the system is automatically placed in a computer group and locked. This keeps it from deploying the exception patch if someone uses the removal tool and then reinstalls the agent.

I have a PowerPoint presentation on this process. Unfortunately, I can’t share it because it contains proprietary information. If you want more information, let me know and I will see if I can put something together to explain it better.

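Two relevance clauses that sketch the baseline-exclusion and reinstall-failsafe approach described in the post above; they are an added illustration, not the poster's or the vendor's code. Assumed placeholder names: client setting `PatchExclusions` (a comma-separated list of patch IDs), a backup registry value `PatchExclusions` under `HKLM\SOFTWARE\ExampleMSP`, and patch ID `KB0000000`. The first clause is appended to the baseline component's relevance (the source Fixlet is untouched, so the endpoint still reports the patch as missing, which is the applicability-versus-entitlement separation dhtorsdc describes); the second is the relevance of the automatic group that locks endpoints whose backup value no longer agrees with the client setting.

```relevance
not exists (value of setting "PatchExclusions" of client) whose (it contains "KB0000000")

(exists value "PatchExclusions" of key "HKEY_LOCAL_MACHINE\SOFTWARE\ExampleMSP" of native registry)
and not exists (value of setting "PatchExclusions" of client) whose (
    it = ((value "PatchExclusions" of key "HKEY_LOCAL_MACHINE\SOFTWARE\ExampleMSP" of native registry) as string)
)
```

An endpoint that carries neither the client setting nor the backup value keeps the component applicable and stays out of the lock group; one where the backup value survives an agent reinstall but the setting is gone or differs lands in the group.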