Title of invention: Patch management automation tool for UNIX, APARXML
Abstract: The present invention provides a common framework to determine if machines are patched and automatically applies patches as required. It provides an automated tool to assess patch levels and apply patches on several different UNIX machine types. Further, it provides a centralized, consistent method of providing patches to multiple roles within an organization while automatically managing large quantities of machines. It can manage multiple security standards, machine classifications, and patch security levels and be customized to interface with existing asset management tools. It evaluates the most suitable patch to satisfy the minimal patch requirements and is an early warning system that will tell a user when the user's machine will go out of compliance. The tool is composed of two parts: a server component and a client component. The server collects data reported by client machines and stores it in a database; collects patch, machine and owner data from other databases, including internal databases and vendor web sites; downloads vendor patches to a depot area; and evaluates compliance and generates a list of patches that are missing, applied late, and patches that are satisfied. An overall compliance verdict is calculated for each machine. The server sends the client a list of patches to be installed as needed. The server receives installation status from the client, reports it onto the web, and sends the user email. The client gathers machine data and sends it to the server; queries the server to see if patches are needed, and receives a patch list. The client downloads patches from the APAR depot; and installs patches and reports status back to the server.
Publication number: US9563417(B2) Publication date: 2017.02.07
Application number: US200611618712 Filing date: 2006.12.29
Applicant: International Business Machines Corporation Inventors: Jha Sanjeev; Jarvis Matthew P.; Rota Donny R.
Classification: G06F9/44; G06F9/445 Main classification: G06F9/44
Agency: Hoffman Warnick LLC Agent: Lewis Ryan; Hoffman Warnick LLC
Main claim: 1. A tool for use in a system having at least one processor, at least one server, at least one client, and databases including internal databases and vendor web sites, the databases having vendor patches, the tool for monitoring and managing patches on clients to determine if clients are patched and automatically applying patches in response to determining the patches are required, the tool comprising:
  a server component located on the server; and
  a client component located on the client and separated from the server,
  the server component performing actions including:
    collecting data reported by clients;
    collecting patch data from the databases, the patch data in the form of an XML data file;
    downloading vendor patches in response to determining that the vendor patches are not present at the server;
    evaluating compliance from the client;
    sending each client a list of patches to be automatically installed in response to receiving a query from each client for any automatically installed patches on a daily basis; and
    updating at least one of the vendor websites to indicate the list of patches not yet installed on the client;
    wherein the evaluating of the compliance from the client includes comparing the patch data in the XML data file with machine data from the client;
  the client component performing actions including:
    gathering the machine data and sending the machine data to the server component;
    receiving from the server component the list of patches to be automatically installed;
    downloading and installing the patches listed in the list of patches; and
    sending an installation status to the server,
  wherein the server component, in response to the client component sending the installation status, performs actions including:
    receiving the installation status from the client component;
    reporting the installation status onto at least one of the vendor websites; and
    sending the client an email including the installation status,
  wherein the server component further includes:
    an evaluating component for, upon receiving a required patch from a vendor for the client, evaluating a most suitable patch to satisfy minimal patch requirements of the vendor, the evaluating component including:
      a component for gathering a list of all patches that have been released by the vendor that supersede the required patch and in what order they were released;
      a component for determining whether the required patch is active or obsolete;
      a component for, if the required patch is obsolete, examining a next patch in the list of all patches; and
      a component for examining a chain of patches from the required patch to a best patch by following information on the website from one patch to the next patch in the chain of patches.
Address: Armonk NY US
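The supersession walk that claim 1 describes for the evaluating component, as an added Python example (not code from the patent or from the tool it describes). The catalog layout, the patch IDs, the choice of the earliest active patch as "most suitable", and the rule that any installed patch in the chain satisfies the requirement are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Patch:
    patch_id: str
    active: bool                  # False means the vendor marked it obsolete
    superseded_by: Optional[str]  # next patch in the chain, None at the end

def supersession_chain(required_id: str, catalog: Dict[str, Patch]) -> List[Patch]:
    """Required patch followed by every patch that supersedes it, in release order."""
    chain: List[Patch] = []
    seen: Set[str] = set()
    current: Optional[str] = required_id
    while current is not None:
        if current in seen:           # corrupt vendor data: A -> B -> A
            raise ValueError(f"supersession loop at {current}")
        if current not in catalog:    # chain points at a patch we never collected
            raise KeyError(f"no catalog record for {current}")
        seen.add(current)
        chain.append(catalog[current])
        current = catalog[current].superseded_by
    return chain

def patch_to_install(required_id: str, catalog: Dict[str, Patch],
                     installed: Set[str]) -> Optional[str]:
    """None if the requirement is already met, else the earliest active patch."""
    chain = supersession_chain(required_id, catalog)
    # Assumption: any patch in the chain satisfies the requirement once installed.
    if any(p.patch_id in installed for p in chain):
        return None
    for patch in chain:               # skip obsolete entries, take first active one
        if patch.active:
            return patch.patch_id
    raise LookupError(f"every patch in the chain from {required_id} is obsolete")

# Constructed sample catalog; the patch IDs are made up.
CATALOG = {
    "P-100": Patch("P-100", active=False, superseded_by="P-140"),
    "P-140": Patch("P-140", active=False, superseded_by="P-171"),
    "P-171": Patch("P-171", active=True, superseded_by="P-205"),
    "P-205": Patch("P-205", active=True, superseded_by=None),
    "P-300": Patch("P-300", active=False, superseded_by="P-301"),
    "P-301": Patch("P-301", active=False, superseded_by="P-300"),  # bad data: loop
}

if __name__ == "__main__":
    print(patch_to_install("P-100", CATALOG, installed=set()))
    print(patch_to_install("P-100", CATALOG, installed={"P-205"}))
```

Failing closed on a loop or a missing record keeps a corrupt catalog from silently producing a "compliant" verdict.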