Focus on Linux
Vulnerability and Patch-Management in Linux (and other Unix) Jun 19 2008 12:58PM
Rainer Duffner (rainer ultra-secure de) (6 replies)
Re: Vulnerability and Patch-Management in Linux (and other Unix) Jun 20 2008 02:26PM
Sylvain Robitaille (syl alcor concordia ca) (1 replies)

On Thu, 19 Jun 2008, Rainer Duffner wrote:

> ..., patch-management seems to be a weak spot in most cases.
> RedHat offers "RedHat Network", but it costs a lot of money (and they
> charge more if you want to put your servers in groups in the RHN -
> WTF?)
> FreeBSD offers the portaudit database - we should be able to hack
> together something with that.
> But what about CentOS? If you have an array of CentOS servers - how do
> you track which vulnerabilities each one has? Running yum update
> every night is no option.

One might argue that the process of selecting the OS distribution should
certainly involve consideration of patch management, release schedules,
and cost of subscription services from the vendor.

> Does CentOS also maintain a vulnerability database along the lines of
> FreeBSD?
> How about Solaris?
> Ubuntu?

Again, I think these are considerations that should be examined prior
to selecting the OS distribution.

It seems to me at the moment as though the model that is most suitable
to your situation is likely FreeBSD's, so you might want to be looking
at phasing out systems with other OS distributions. In the (hopefully
small) number of cases where you must use a particular (non-FreeBSD)
OS distribution because of application software support requirements
(for example), you'll likely need to simply adapt the mechanisms that
you find work best. These would be your "oddball" systems, but your
general environment should ultimately be easier to manage.

> How do you track vulnerabilities across your datacenter?

(for software installed as part of the OS distribution)
Primarily: http://www.therockgarden.ca/software/slackware/UPGRADE.sh
run daily from cron as an unprivileged user, and manually as root when
appropriate (see the script for details of how its behaviour differs
based on privilege).

In truth, the above script runs (unprivileged) on one system (my
workstation), and update packages are copied to each production system,
where the script is manually run as root, only when there's a package
that requires upgrading. Ideally, I could simply NFS-export (read-only)
the directory where the script stores downloaded update packages, but
I haven't (yet?) done anything like that. The process could certainly
be improved upon.

We have some oddball (mostly RHEL now, having phased out others) systems
that are handled by their own mechanisms.

I know this doesn't give you much help with your specific systems, but
I hope that it at least gives you food for thought, both during your
next phase of OS distribution selection, and to help resolve the problem
at hand.

--
----------------------------------------------------------------------
Sylvain Robitaille syl (at) alcor.concordia (dot) ca [email concealed]

Systems and Network analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------

[ reply ]
Re: Vulnerability and Patch-Management in Linux (and other Unix) Jun 20 2008 06:45PM
Lee Fisher (blibbet gmail com)
Re: Vulnerability and Patch-Management in Linux (and other Unix) Jun 20 2008 11:14AM
Josep L. Guallar-Esteve (guallar easternrad com)
Re: Vulnerability and Patch-Management in Linux (and other Unix) Jun 20 2008 10:35AM
Eygene Ryabinkin (rea-sec codelabs ru)
Re: Vulnerability and Patch-Management in Linux (and other Unix) Jun 20 2008 09:02AM
Hari Sekhon (hpsekhon googlemail com)
Re: Vulnerability and Patch-Management in Linux (and other Unix) Jun 19 2008 08:08PM
druid stonedcoder org (1 replies)
RE: Vulnerability and Patch-Management in Linux (and other Unix) Jun 19 2008 08:53PM
jacob aers ca (2 replies)
Re: Vulnerability and Patch-Management in Linux (and other Unix) Jun 20 2008 04:43PM
John Kunkel (jkunkel verite com) (1 replies)
Re: Vulnerability and Patch-Management in Linux (and other Unix) Jun 23 2008 07:50PM
Jason Spears (shadestalker gmail com)
Re: Vulnerability and Patch-Management in Linux (and other Unix) Jun 20 2008 04:09PM
Ram Prasad (unixengineer gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus