Advanced Patching Options

• 1 min to read •

In this section, you can find a list of your custom patches, all the patches for Windows, Linux, and macOS, as well as a list of available third-party patches grouped by Vendors (Syxsense has an industry-leading library of third-party patches).

Unix Patch Content

In addition to patching windows devices, Syxsense can also patch content for MacOS and Linux. The type of content which Syxsense can manage for both MacOS, and Linux is distinctly different from each other, and different from windows. Furthermore, the method of collecting and maintaining patch content for both operating systems is distinct.

MacOS Patch Content

Currently, MacOS patch content is limited to just content provided within the Apple Update service. This includes most patches for software provided by Apple on the computer, as well as Operating System patches. These patches are not stored with Syxsense but are instead found by running a Patch Scan on a MacOS system. When a patch scan is ran in MacOS, it checks the Apple Update Service to see if any new patches are available. If there are new patches found, the Syxsense patch scan will upload the metadata from the found patches to the Syxsense database. The metadata will then be reviewed to see if it matches an already known data set. If it does, the already created patch identity will be added to your Syxsense console as a new patch for MacOS. Later, when you push out a patch deploy task to MacOS, it will deploy a task through Apple Update Service to install the patches found previously by the patch scanning process.

Currently, this update process only works for patches provided by the Apple Update Service. We are not able to deploy patches to software outside this context.

Linux Patch Content

Patching Linux using Syxsense is like MacOS in that we don’t store the content on our servers. Instead, we evaluate the content found in the active repositories enabled on the device. Running a patch scan on a Linux endpoint triggers the package management tool for the distribution to evaluate any new patches within the enabled repositories. Any newly available patches are then communicated back to the Syxsense content database, wherein we review the patch content to see if it matches an already known patch. If it does, we will automatically sync the patch content metadata down to your Syxsense console. If the patch does not already exist in our library, we will use a scripted process to collect vendor information on the patch, and then sync the content to your console.

Then, when you deploy a patch to a Linux endpoint, it will simply deploy the patches listed in the Syxsense console (or a subset of your choosing), along with any patch dependances tied to the selected patches. This model of tying into but not replacing any existing repositories allows you to be extremely flexible with the way you deploy content for Linux, without needing to build any additional on-premise repository mirrors (unless you want to).

Prerequisites 

An account with the 'Patch Manager' permissions

Discovery: OS Patching Options OverviewDiscovery: OS Patching Options Overview

Patches that are ready for installation

Patches that should never be scanned and deployed. This will blacklist the patch and remove it from your organizations patch inventory.

 If you need to conditionally blacklist content from a set of assets but wish to continue reviewing the item on other assets, we recommend filtering out the content by using a content query or group based task deployment. See Patch Queries and Default Queries for more information.

 To locate previously blacklisted content, navigate to the Advanced section within the Vulnerabilities sidebar > Select the operating system dropdown for the content type you need to whitelist > Select the Never Check or Install dropdown item to open the list of blacklisted patch and configuration contents.

To schedule a scan task either now or later. If you need to reinstate a previously blacklisted patch, highlight the blacklisted patch, and then select this button.
The list of newly released patches

Patches that aren't needed to be installed on any device of the

network

Discovery: Third-Party Patches Options OverviewDiscovery: Third-Party Patches Options Overview

 

To view patches' details

 

To scan a patch

 

To deploy a patch

 

To schedule a scan task either now or later. 

 

Never check or install selected patches. This option will blacklist the patch and remove it from your organizations patch inventory. If you would like to remove the ability for a patch or configuration item to be scanned within the Syxsense console, select the row of data corresponding to the item you wish to remove, and then select this button from the top toolbar.

This will check the Syxsense Database, which exists external to your Syxsense console for any changes since the previous automatic sync, which happens daily by default.  

To check if the patch has any new elements (like a change to its CVSS score, or a new CVE or more complete description), simply select an individual patch (or group of patches) from the rows of available data and select this button from the top toolbar.

Create a static group of third-party patches

Export the patch list to the XML file. Export individual patches, or a subset of the patches displayed by control clicking or shift clicking rows of data within the console, and then selecting the Export button located.

Last Update: July, 2024

Copyright ©2024 by Syxsense, Inc. All Rights Reserved