BigAdmin System Administration Portal
Feature Article

How to Use Sun Connection and Baselines to Patch the Solaris OS

April, 2007

This article describes how to use Sun Connection and baselines to update your Solaris hosts with patches. Go here for more information about using Sun Connection.


What's a Baseline?

A baseline is a dated collection of patches, patch metadata, and tools. Sun releases baselines for the Solaris OS on a monthly basis. When you install the patches of a baseline on a host, that host is considered to be compliant with that baseline.

Note - Baselines are only available for the Solaris OS.

Using baselines enables you to easily know the patch level of your hosts. For example, you install some test hosts with a particular baseline. Then, you test these hosts for a period of time to see whether the patches in this baseline are stable enough to be used on your production hosts. When the testing reveals that this baseline is stable, you can install the same baseline you tested on your production hosts.

You can modify a baseline to create a custom patch set by the use of black lists and white lists. A black list is a list of patch IDs that you never want to be applied to a host. A white list is a list of patch IDs that you always want to be applied to a host.

Solaris baselines appear as a category in the Components list. The Solaris Baselines category contains a list of dated baselines. Each dated baseline contains these three patch sets:

  • Full - Includes Recommended patches for the specific Solaris OS version and selected patches for other unbundled Sun products. Other products might include the Java 2 Platform, Standard Edition (J2SE platform), Sun Cluster software, and Solaris Volume Manager software.

  • Recommended - Includes the Solaris OS recommended patches for the specific OS version.

  • Security - Includes all security patches, including the OS-specific patches and patches for other Sun products, such as J2SE platform and Sun Cluster software. The Security baseline is not a subset of the Recommended baseline.

Note - The Full baseline often contains Solaris OS patches that are not included in the Recommended baseline. The Full baseline includes additional patches based on feedback from various customer support groups within Sun. These patches are not always included in the Recommended baseline. All baselines include patches for a specific time frame.

To install the Recommended and Security baselines, you either need to deploy two jobs, or have a job that includes multiple tasks. This might result in multiple reboots, for example, if both tasks (baselines) include patches that have Single User mode requirements.

Selecting a baseline patch set and choosing Details from the Components menu shows you the list of the patches in the baseline.

An installed baseline appears in the Components list marked as (Installed). If you install the baseline and use a policy as a black list, the baseline is not marked as (Installed) even though it has been installed.

For information about working with Solaris baselines, see the following:

To Create a Solaris Baseline White List

You can use the profile mechanism to create a white list that contains a baseline. You can also include a white list with a list of patches to install.

  1. From the Hosts list, select the host or group for which you want to create a baseline white list.
  2. Select the baseline you want to install.
    1. From the Components list, expand the Solaris Baselines category.
    2. Find and expand the dated baseline you want to install.
    3. Select one of the following patch sets:
      • Full

      • Recommended

      • Security

    4. (Optional) To see the contents of the baseline, choose Details from the Components menu.
    5. Add the baseline to the Action list by choosing Required from the Components menu.

      Note - You can select only one baseline for installation on a host, hosts, group or groups. If you select another baseline for the same host, hosts, group, or groups and choose Required from the Components menu, an error message appears.

      • To replace the current baseline with the one you just selected, click OK.
      • To use the original baseline, click Cancel.
  3. (Optional) Add one or more patches to the white list.
    1. From the Components list, expand the Patches category.
    2. Find and expand the patch ID range for the patch or patches you want.
    3. (Optional) To see a description of the patch, choose Details from the Components menu.

      The Component Information window opens. This window includes the following tabbed pages:

      • General tab - Shows the patch ID, the size of the patch, and the platform for which the patch was created.

      • Incident tab - Shows the patch ID, the patch type, and a URL to the patch README file.

      • Dependencies tab - Shows any patches that depend on the one you selected.

      • Installed tab - Shows you the list of hosts on which the patch has been installed.

    4. Select a patch ID, and then choose Required from the Components menu.

      The patches you mark as required are added to the Action list.

    5. Repeat Substeps 2 through 4 for each patch you want to add to the white list.
  4. Choose Save As Profile from the Action menu.
  5. Review the list of patches in the Action list.
  6. Name the profile. Using identifiable names is helpful if you want to use this profile again for other jobs.
  7. Click OK. The profile is saved and appears in the Profiles window.
  8. Click Close to dismiss the Profiles window.

To Create a Solaris Baseline Black List

You can use the policy mechanism to create a black list of updates that are never to be installed.

  1. From the Hosts list, select the host, hosts, group, or groups for which you want to create a black list.
  2. Open the Policies window by choosing Policies from the Tools menu.
  3. Click the New button to open the Policy Editor window.
  4. Give the policy a name that you can easily remember. Using identifiable names is helpful if you want to use this policy again for other jobs.
  5. Expand the Patches category.
  6. Find and expand the patch ID range that contains the patch or patches you want to add to the black list.
  7. Select a patch ID, and add the patch to the black list by choosing No from the Apply Fix drop-down menu.
  8. Repeat Steps 6 and 7 for each patch you want to add to the black list.
  9. Click OK to save the policy on the Policies window.

To Perform a Solaris Baseline Compliance Analysis

A Solaris baseline compliance analysis creates a list of the number of patches to be installed to bring the host into compliance with the baseline, the white list, and the black list you specify.

Note - You must have a Solaris baseline white list and an optional black list to complete a Solaris baseline analysis.

  1. Open the New Job window by choosing New from the Jobs menu.
  2. Select Simulate to run the job in simulation mode.
  3. Open the Task Editor window by clicking the Add (New) Task button.
    1. Choose your white list from the Profiles drop-down menu.
    2. (Optional) Choose your black list from the Policy drop-down menu.
    3. Open the Select Hosts window by clicking the Host Select button.
    4. Select the host or group, click the Add button (right-facing arrow) to add it to the list, and then click OK.
    5. Click OK to save the task.
  4. Repeat Step 3 for each baseline compliance analysis task you want to run as part of this job.
  5. (Optional) Click the Options tab to specify the task execution parameters.

    If you plan to have more than one task in this job to run analyses against more than one baseline, you can select Parallel to run the tasks simultaneously. By default, tasks are run sequentially.

  6. Click OK to submit the job.
  7. (Optional) View the progress of the job running on the host by choosing Host Progress from the Host list.
  8. View the job summary when the job completes. For more information, see To View a Summary of a Baseline Installation Job.

To Install a Solaris Baseline

When you have defined a Solaris baseline white list and black list (the black list is optional), you can deploy a Solaris baseline to selected Solaris hosts.

  1. Open the New Job window by choosing New from the Jobs menu.
  2. Select Deploy to deploy the baseline to the selected hosts.
  3. Open the Task Editor window by clicking the Add Task button.
    1. Choose your white list from the Profiles drop-down menu.
    2. (Optional) Choose your black list from the Policy drop-down menu.
    3. Open the Select Hosts window by clicking the Host Select button.
    4. Select the host or group, click the Add button (right-facing arrow) to add it to the list, and then click OK.
    5. Click OK to save the task.
  4. Repeat Step 3 for each baseline deployment task you want to run as part of this job.
  5. Click OK to submit the job.
  6. (Optional) View the progress of the job running on the host by choosing Host Progress from the Host list.
  7. View the job summary when the job completes. For more information, see To View a Summary of a Baseline Installation Job.
  8. (Optional) Perform a profile compliance check of the selected hosts.

    Note - Perform this check only if you used a profile to install the baseline and white list. If you also used a policy to specify a black list, this check will show the host to be non-compliant.
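
The compliance analysis and the profile compliance check caveat in the note above can be modeled offline. This is an added example, not Sun Connection code: the patch IDs and the `showrev -p` style sample are constructed, and it assumes that an installed patch of the same or a later revision satisfies a baseline entry and that a black-list entry overrides the baseline and the white list.

```python
import re

# Constructed sample in the style of Solaris `showrev -p` output (not real host data).
SHOWREV_SAMPLE = """\
Patch: 100001-03 Obsoletes: 100000-01 Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 100002-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 100004-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWjvm
"""
BASELINE = ["100001-03", "100002-02", "100003-01"]   # constructed baseline patch set
WHITE_LIST = ["100004-04"]                           # constructed extra required patch
BLACK_LIST = ["100003-01"]                           # constructed "never apply" policy

def parse_id(patch_id):
    """Split 'NNNNNN-RR' into (base, revision); reject anything malformed."""
    m = re.fullmatch(r"(\d{6})-(\d{2})", patch_id.strip())
    if not m:
        raise ValueError(f"malformed patch ID: {patch_id!r}")
    return m.group(1), int(m.group(2))

def installed_patches(showrev_text):
    """Map patch base number -> highest installed revision."""
    installed = {}
    for line in showrev_text.splitlines():
        m = re.match(r"Patch:\s+(\S+)", line)
        if m:
            base, rev = parse_id(m.group(1))
            installed[base] = max(rev, installed.get(base, -1))
    return installed

def analyze(baseline, white_list, black_list, installed):
    """Return (patches still to install, black-listed patches skipped)."""
    blocked = {"%s-%02d" % parse_id(p) for p in black_list}
    to_install, skipped = [], []
    for pid in sorted(set(baseline) | set(white_list)):
        base, rev = parse_id(pid)
        if installed.get(base, -1) >= rev:
            continue  # assumption: same or later revision counts as installed
        (skipped if pid in blocked else to_install).append(pid)
    return to_install, skipped

def profile_compliant(baseline, white_list, installed):
    """Profile-only check: ignores the policy, so skipped patches count as missing."""
    return analyze(baseline, white_list, [], installed)[0] == []

if __name__ == "__main__":
    have = installed_patches(SHOWREV_SAMPLE)
    print(analyze(BASELINE, WHITE_LIST, BLACK_LIST, have))
    print(profile_compliant(BASELINE, WHITE_LIST, have))
```

Once the one outstanding patch is installed, `analyze` returns nothing left to install while `profile_compliant` still returns False, because the black-listed patch is missing from the host by design.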

To View a Summary of a Baseline Installation Job

You must have run a Solaris baseline deployment job or a Solaris baseline compliance analysis job that has successfully completed.

  1. Select the job for which you want to view a summary from the Jobs list.
  2. Open the Job Summary window by choosing Summary from the Jobs menu.
  3. View the following summary information for each task:
    • Host - Shows the host name on which you ran the task.

    • Distribution - Shows the operating system and platform architecture of the host.

    • Task - Shows the task type.

    • Number of Changes - Shows the number of changes made or to be made to the host.

  4. (Optional) View details about a task.
    1. Select a task from the table, and click the View Changes button.

      The Host Changes Report window opens.

    2. Select a patch ID from the table, and click the Component Info button.

      The Incident Information window opens.

    3. View information about the patch by clicking one of the following tabs:
      • READ ME - Shows the URL to the patch README file.

      • General - Shows the patch ID, patch category, and release date.

      • CVE ID - Shows the CVE ID of the patch.

      • Package - Shows the packages modified by the patch.

      • Obsolete - Shows the patches that this patch renders obsolete.

    4. Click Close to dismiss the Incident Information window.
    5. Click Close to dismiss the Host Changes Report window.
  5. Repeat Step 4 for each task for which you want to view details.
  6. Click Close to dismiss the Job Summary window.

More Information

For more information about using Sun Connection, go to the Sun Connection information hub.


Unless otherwise licensed, code in all technical manuals herein (including articles, FAQs, samples) is provided under this License.

