4.8 Cleaning up Patch Content

Using the CVE and Patch Cleanup page, you can delete disabled patch content and data, as well as delay the disabling of superseded patches and patches that are no longer required by ZENworks.

To configure patch cleanup settings, click Configuration in the ZENworks navigation menu, and go to Configuration > Security > CVE and Patch Cleanup.

Refer to the descriptions below to understand and configure the cleanup settings according to your organization’s needs:

CVE Cleanup

The CVE Cleanup setting applies to both the CVE data and the CVE trend data. Using this setting you can specify the number of years after which the CVE data (unmodified CVEs) and the historical trend data stored for the CVEs are deleted from ZENworks.

By default, the value is configured as 5 years. Therefore, CVEs that have not been modified for 5 years, along with historical CVE trend data older than 5 years, are deleted from ZENworks. The CVE Cleanup is performed during the next subscription run.

To delete the CVE data and the CVE trend data sooner or later than the default 5 years, you can specify the required value in the Delete CVEs after x years field.

NOTE: The CVE trend data is stored for a maximum of 10 years and it is calculated from the time when Vertica was configured in the zone. Therefore, if you specify the CVE Cleanup as a value above 10, for example, 14 years, the unmodified CVEs will be deleted after 14 years, but the historical trend data will be deleted after 10 years.

Disabled Patch Cleanup

Specify the time period after which to delete data for a disabled patch. This setting deletes the patch listing for a patch that meets the following conditions:

  • The patch is disabled.

  • The patch has been disabled longer than the time duration selected from the drop-down.

Delete disabled patch data after: Specify when the disabled patch data should be deleted from ZENworks. The default value is 5 years.

Superseded Patches Disablement

By default, when a patch is superseded by a newer patch, it is disabled and can no longer be applied to devices. In general, this is the desired behavior because best practice dictates that you keep devices updated with the most recent patches in order to minimize security risks. However, you might have situations where you need a superseded patch to remain enabled. The following settings let you change when superseded patches become disabled:

  • Delay disabling of superseded patches xx days: Use this setting to keep superseded patches enabled in your system for up to 90 days. This allows you to continue to deploy the patches to devices either through patch remediations or policies.

    NOTE:

• You can configure a value other than 30, 60 or 90 days by configuring the PATCH_DELAY_SUPERSEDED_DISABLE system variable. For more information about this system variable, see PATCH_DELAY_SUPERSEDED_DISABLE.

  • Do not disable superseded patches that are included in a policy: By default, a superseded patch is not removed from a policy and replaced by the superseding patch until the policy is rebuilt and republished. This behavior can result in a period of time where the policy does not apply the superseded patch (because it is disabled) or the new superseding patch (because it is not in the policy).

    You can use this setting to ensure that patches that are included in a policy are never disabled as long as they are in the policy. Patches that are included in the policy via a rule remain enabled until they are removed when the policy is rebuilt. Patches that are included via the Members list remain enabled until they are manually removed from the list and the policy is rebuilt.

    Also, if a user enables a superseded patch that is within a policy, but there are no applicable devices, then, on the next service update, the patch will get disabled, even though this option is selected.

NOTE:

  • Both settings apply only to patches that are superseded after the setting is enabled.

  • In the Advanced Patch Feed, the above settings cause superseded patches to remain enabled in the ZCC UI; this allows you to see the Patched/Not Patched status of devices. However, the superseded patches will not be installed on devices. For example, if you have enabled the Do not disable superseded patches that are included in a policy option and a patch in the policy is superseded, it will remain enabled in the ZCC UI, but it will not be installed (if needed) on a device. Or, if you enable the Delay disabling of superseded patches option and then try to install a superseded patch via a Remediation Deployment, it will not install.
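The interaction of the two Superseded Patches Disablement settings and the notes above (the delay window, policy membership, the no-applicable-devices exception, the "superseded after the setting is enabled" rule, and the Advanced Patch Feed behaviour) can be hard to reason about from prose alone. The following is an added illustrative model written for this page, not ZENworks code; the class names, fields and the `advanced_patch_feed` flag are assumptions chosen to express the rules as described here.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class SupersededPatch:
    """Constructed model of a superseded patch (not a ZENworks data structure)."""
    name: str
    superseded_on: date
    in_policy: bool = False        # included in a patch policy (rule or Members list)
    applicable_devices: int = 0    # devices that still need this patch


@dataclass
class DisablementSettings:
    """Constructed model of the two Superseded Patches Disablement settings."""
    enabled_on: date               # day the settings were turned on in the zone
    delay_days: int = 0            # "Delay disabling ... xx days"; 0 = disable at once
    keep_policy_patches: bool = False  # "Do not disable superseded patches ... in a policy"

    def __post_init__(self):
        # ZCC offers 30/60/90 days; other values require PATCH_DELAY_SUPERSEDED_DISABLE.
        if not 0 <= self.delay_days <= 90:
            raise ValueError("delay must be 0..90 days")


def patch_remains_enabled(patch, settings, today):
    """True if the superseded patch is still enabled in ZCC on `today`."""
    # Both settings apply only to patches superseded after the settings were enabled.
    if patch.superseded_on < settings.enabled_on:
        return False
    if settings.keep_policy_patches and patch.in_policy:
        # Stays enabled while in the policy, unless no device needs it; then the
        # next service update disables it despite the option.
        return patch.applicable_devices > 0
    # Otherwise it stays enabled only inside the delay window.
    return today < patch.superseded_on + timedelta(days=settings.delay_days)


def patch_will_install(patch, settings, today, advanced_patch_feed):
    """True only if the patch is enabled AND the feed still deploys superseded patches."""
    # With the Advanced Patch Feed a superseded patch stays visible for Patched /
    # Not Patched status but is never installed.
    return patch_remains_enabled(patch, settings, today) and not advanced_patch_feed
```

Running the model with a patch superseded before the settings were enabled, one inside and one outside the delay window, and a policy patch with and without applicable devices reproduces each case the notes describe.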

Patches Disablement

These settings disable patch data in the system based on the criteria you select. Both options are selected by default.

  • Detect only the current supported Service Packs

    This setting enhances the timeliness of deploying the latest service pack patches to managed devices, as opposed to scanning for non-applicable patches.

  • Disable older patches by age

    This setting enables you to delete patches based on when they were released by the OS Vendor or a Third-party Vendor.