Using the CVE and Patch Cleanup page, you can delete disabled patch content and data, as well as delay the disabling of superseded patches and patches that are no longer required by ZENworks.
To configure patch cleanup settings, click Configuration in the ZENworks navigation menu, and go to Configuration > Security > CVE and Patch Cleanup.
Refer to the descriptions below to understand and configure the cleanup settings according to your organization’s needs:
Item |
Description |
---|---|
CVE Cleanup |
The CVE Cleanup setting is applicable to both, the CVE data and the CVE trend data. Using this setting you can specify the number of years after which the CVE data (unmodified CVEs) and the historical trend data stored for the CVEs are deleted from ZENworks. By default, the value is configured as 5 years. Therefore, CVEs that have not been modified for 5 years, along with the historical CVE trend data of 5 years are deleted from ZENworks. The CVE Cleanup will be performed during the next subscription run. To delete the CVE data and the CVE trend data sooner or later than the default 5 years, you can specify the required value in the Delete CVEs after x years field. NOTE:The CVE trend data is stored for a maximum of 10 years and it is calculated from the time when Vertica was configured in the zone. Therefore, if you specify the CVE Cleanup as a value above 10, for example, 14 years, the unmodified CVEs will be deleted after 14 years, but the historical trend data will be deleted after 10 years. |
Disabled Patch Cleanup |
Specify the time period after which to delete data for a disabled patch. This setting deletes the patch listing for a patch that meets the following conditions:
Delete disabled patch data after: Specify when the disabled patch data should be deleted from ZENworks. The default value is 5 years. |
Superseded Patches Disablement |
By default, when a patch is superseded by a newer patch, it is disabled and can no longer be applied to devices. In general, this is the desired behavior because best practice dictates that you keep devices updated with the most recent patches in order to minimize security risks. However, you might have situations where you need a superseded patch to remain enabled. The following settings let you change when superseded patches become disabled:
|
Superseded Patches Disablement (Cont.) |
NOTE:
|
Patches Disablement |
These settings disable patch data in the system based on the criteria you select. Both options are selected by default.
|