Updated on 2025-09-11 GMT+08:00

What Are the Differences Between the Installation Rule Baselines and Custom Baselines?

Installation rule baselines and custom baselines are two core types of patch baselines in the enterprise patch management system. They differ in patch filtering logic and in the target version that a repair installs, and they serve different patch management requirements. The main differences are as follows:

Core Positioning and Design Objectives

  • Installation rule baselines are positioned as standard, automatic, general-purpose patch management solutions. They are designed to help users quickly filter patches that meet general security or function requirements. Users do not need to enter patch names and version details. Installation rule baselines are mainly used for efficient and unified patch upgrade scenarios.
  • Custom baselines are positioned as refined, dedicated, and scenario-specific patch management solutions. They are designed to help users precisely manage specific patch versions. Users can customize the patch scope and target versions. Custom baselines are mainly used for scenarios where version compatibility is strictly controlled.

Patch Filtering Capabilities

  • Installation rule baselines help users filter patches in batches based on basic patch information. Users do not need to specify patches manually. Instead, they specify the patch scope based on preset rules. Users can filter patches in batches by the patch type (such as security, function, and bug fixing patches), patch level (such as high, medium, and low risks), release time (such as patches released in the last 30 days), and applicable OS version (such as CentOS 7 and Ubuntu 20.04). For example, users can filter high-risk Linux security patches released in the last 15 days. The system automatically matches all patches that meet the rule.
  • Custom baselines help users filter specific patches based on patch names and versions. Users need to specify patch IDs and versions. Users can filter specific patches by entering the patch package names (such as kernel-devel and openssl) and versions (such as kernel-devel-3.10.0-1160.el7.x86_64 and openssl-1.0.2k-25.el7_9.x86_64). For example, users can filter only the openssl patch with version 1.0.2k-25.el7_9.

Patch Repair Logic

  • Installation rule baselines prioritize the latest version when repairing, aiming to update the system patches to the latest available compliant versions. When a non-compliant patch is detected on a host (that is, a patch that meets the filtering rule is not installed, or the installed patch version is earlier than the latest version), the system automatically obtains the latest patch version from the patch library and upgrades the non-compliant patch to the latest version. For example, if the rule is to filter high-risk security patches, the current version of openssl on a host is 1.0.2k-20.el7, and the latest high-risk patch version is 1.0.2k-25.el7_9, the system automatically upgrades the patch to 1.0.2k-25.el7_9.
  • Custom baselines prioritize the specified version when repairing and change patches to the user-defined version. When a non-compliant patch is detected on a host (that is, the patch of the specified version is not installed, or the installed version is different from the specified version), the system does not automatically select the latest version. Instead, the system exactly matches the target version specified in the custom baseline and upgrades or downgrades the non-compliant patch to the specified version. For example, if a user sets the version of openssl to 1.0.2k-20.el7 in the custom baseline, the system repairs the openssl patch on the host only to 1.0.2k-20.el7, even if a later version, 1.0.2k-25.el7_9, exists in the patch library. This ensures that user requirements are met.
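
The two repair decisions described above, modeled in Python as an added example (this is not Cloud Operations Center code). The function names and the simplified RPM-style version comparison are assumptions made for illustration; the version strings are the openssl values used on this page.

```python
import re
from functools import cmp_to_key
from itertools import zip_longest

def _segments(part):
    # Numeric and alphabetic runs; separators such as '.' and '_' only delimit.
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", part)]

def _cmp_part(a, b):
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x is None:
            return -1                      # a ran out first, so b is newer
        if y is None:
            return 1
        if type(x) is not type(y):
            return 1 if isinstance(x, int) else -1   # numeric run outranks alphabetic
        if x != y:
            return 1 if x > y else -1
    return 0

def vercmp(a, b):
    """Simplified RPM-style compare of 'version-release' (no epoch, no '~' or '^')."""
    (va, _, ra), (vb, _, rb) = a.rpartition("-"), b.rpartition("-")
    return _cmp_part(va, vb) or _cmp_part(ra, rb)

def rule_baseline_action(installed, matched_versions):
    """Installation rule baseline: target is the latest version that matched the rule."""
    target = max(matched_versions, key=cmp_to_key(vercmp))
    if installed is None:
        return ("install", target)
    return ("upgrade", target) if vercmp(installed, target) < 0 else ("compliant", installed)

def custom_baseline_action(installed, pinned):
    """Custom baseline: target is exactly the pinned version, newer or older."""
    if installed is None:
        return ("install", pinned)
    order = vercmp(installed, pinned)
    if order == 0:
        return ("compliant", installed)
    return ("upgrade" if order < 0 else "downgrade", pinned)

if __name__ == "__main__":
    library = ["1.0.2k-20.el7", "1.0.2k-25.el7_9"]   # constructed from the page's openssl example
    print(rule_baseline_action("1.0.2k-20.el7", library))
    print(custom_baseline_action("1.0.2k-25.el7_9", "1.0.2k-20.el7"))
```

A host pinned by a custom baseline reports compliant at the pinned version even when the patch library holds a later one, so pinned versions need their own review when new security patches are released.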