I have asked Tech Support this question and will let everyone know what they say once I get a response. BUT I wanted to find out if others have run into this issue and how they got around it "an easy way" instead of having to review every fixlet pertaining to RHEL.
We run RHEL v8 and v9. RHEL v9 is locked down to minor release 9.6 at the OS level by running the command subscription-manager release --set=9.6. When we patch the server manually we only get 9.6 patches, including the kernel. The reason we need to lock it down is that we use Carbon Black App Control, and they currently only support v9.6 of the RHEL kernel.
BigFix pays no attention to this locked-down version, as we can update the kernel to v9.7, for instance. So in order to stop that I have to globally hide kernel 9.7 in the console so it is not accidentally pushed and so the Patch Policies do not push it either.
Now my question is probably not going to have a simple answer. In BigFix it will display updates for a server that is locked down to version 9.6, but it also displays application updates that are actually intended for 9.7, for instance "RHSA-2025:21110 - Bind Security Update - Red Hat Enterprise Linux 9 (x86_64)". I can review what files this patch includes by looking at the "Description" tab. The following is displayed:
- bind-9.16.23-34.el9_7.1.x86_64.rpm
- bind-chroot-9.16.23-34.el9_7.1.x86_64.rpm
- bind-dnssec-doc-9.16.23-34.el9_7.1.noarch.rpm
- bind-dnssec-utils-9.16.23-34.el9_7.1.x86_64.rpm
- bind-libs-9.16.23-34.el9_7.1.x86_64.rpm
- bind-license-9.16.23-34.el9_7.1.noarch.rpm
- bind-utils-9.16.23-34.el9_7.1.x86_64.rpm
- python3-bind-9.16.23-34.el9_7.1.noarch.rpm
My question is: is there a way that I can exclude all of these 9.7 releases from being seen in the console so they do not get pushed, either manually or with the patch policy?
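The manual check described in the post (reading the RPM list on a fixlet's Description tab and spotting the el9_7 dist tag) can be automated. The script below is an added example, not BigFix code or anything from the original post: it parses RPM filenames, pulls the dist tag out of the release field, compares it with the minor release the host is locked to, and reports which packages target a different minor release. The RPM list is the one quoted above plus a few constructed entries (marked in the code, with made-up package names) to exercise the other cases; the "Release: 9.6" line is the assumed shape of subscription-manager release --show output, and the function and variable names are this example's own.

```python
"""Flag RPMs from a BigFix fixlet that target a RHEL minor release other than
the one the host is locked to via `subscription-manager release --set`.

Added example (not BigFix's or Red Hat's code). Sample data is constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Assumed shape of `subscription-manager release --show` output (constructed).
SAMPLE_RELEASE_SHOW = "Release: 9.6\n"

SAMPLE_RPMS = [
    # The eight RPMs listed on the fixlet's Description tab in the post.
    "bind-9.16.23-34.el9_7.1.x86_64.rpm",
    "bind-chroot-9.16.23-34.el9_7.1.x86_64.rpm",
    "bind-dnssec-doc-9.16.23-34.el9_7.1.noarch.rpm",
    "bind-dnssec-utils-9.16.23-34.el9_7.1.x86_64.rpm",
    "bind-libs-9.16.23-34.el9_7.1.x86_64.rpm",
    "bind-license-9.16.23-34.el9_7.1.noarch.rpm",
    "bind-utils-9.16.23-34.el9_7.1.x86_64.rpm",
    "python3-bind-9.16.23-34.el9_7.1.noarch.rpm",
    # Constructed entries with made-up package names (not from the post):
    "examplepkg-1.0-1.el9_6.x86_64.rpm",      # tagged for the locked minor: ok
    "examplepkg-1.0-1.el9.noarch.rpm",        # base-release build, no minor tag: ok
    "examplepkg-1.0-1.el8_10.2.x86_64.rpm",   # wrong major release: flagged
]

# Dist tag inside the release field, e.g. "34.el9_7.1" -> el9_7, "1.el9" -> el9.
DISTTAG_RE = re.compile(r"(?:^|\.)el(?P<major>\d+)(?:_(?P<minor>\d+))?(?=\.|$)")


def split_nvra(filename: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release.arch.rpm' into its four fields.
    Names may contain '-', version and release may not, so split from the right."""
    if not filename.endswith(".rpm"):
        raise ValueError(f"not an RPM filename: {filename}")
    nvr, arch = filename[:-4].rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def disttag(release: str) -> Optional[Tuple[int, Optional[int]]]:
    """Return (major, minor) from the dist tag; minor is None for a plain elN tag."""
    m = DISTTAG_RE.search(release)
    if not m:
        return None
    minor = int(m.group("minor")) if m.group("minor") else None
    return int(m.group("major")), minor


def parse_locked_release(show_output: str) -> Optional[Tuple[int, int]]:
    """Parse 'Release: X.Y' from `subscription-manager release --show`;
    None when the host has no release lock ('Release not set')."""
    m = re.search(r"Release:\s*(\d+)\.(\d+)", show_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def targets_other_release(filename: str, locked: Tuple[int, int]) -> bool:
    """True when the RPM's dist tag names a different major, or a different
    minor, than the locked release. Packages without a dist tag, or with a
    bare elN tag, are not flagged: the tag alone cannot prove them wrong."""
    _, _, release, _ = split_nvra(filename)
    tag = disttag(release)
    if tag is None:
        return False
    major, minor = tag
    if major != locked[0]:
        return True
    return minor is not None and minor != locked[1]


def classify(filenames: List[str], locked: Tuple[int, int]) -> Dict[str, List[str]]:
    """Partition a fixlet's RPM list into 'flagged' and 'ok'."""
    out: Dict[str, List[str]] = {"flagged": [], "ok": []}
    for f in filenames:
        out["flagged" if targets_other_release(f, locked) else "ok"].append(f)
    return out


def fixlet_minor_releases(filenames: List[str]) -> Set[str]:
    """The set of release strings ('9.7', or '9' for untagged minors) a fixlet targets,
    a one-line answer to 'which minor release is this fixlet really for?'."""
    found: Set[str] = set()
    for f in filenames:
        tag = disttag(split_nvra(f)[2])
        if tag:
            found.add(f"{tag[0]}.{tag[1]}" if tag[1] is not None else str(tag[0]))
    return found


if __name__ == "__main__":
    locked = parse_locked_release(SAMPLE_RELEASE_SHOW)
    if locked is None:
        raise SystemExit("host has no release lock; nothing to compare against")
    result = classify(SAMPLE_RPMS, locked)
    print(f"locked to {locked[0]}.{locked[1]}; fixlet targets {sorted(fixlet_minor_releases(SAMPLE_RPMS))}")
    for f in result["flagged"]:
        print("FLAG", f)
```

Feeding a fixlet's RPM list through classify() tells you up front that RHSA-2025:21110 is an el9_7 build and should be hidden, without reading each entry by hand. The absence of a flag is not proof that a package is installable on the locked host: a base-release build with a bare el9 tag can still be newer than what the 9.6 repositories carry, so the authoritative check remains whether dnf on the locked host actually offers that version.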