On Thu, 19 Jun 2008, Rainer Duffner wrote:
> ..., patch-management seems to be a weak spot in most cases.
> RedHat offers "RedHat Network", but it costs a lot of money (and they
> charge more if you want to put your servers in groups in the RHN -
> WTF?)
> FreeBSD offers the portaudit database - we should be able to hack
> together something with that.
> But what about CentOS? If you have an array of CentOS servers - how do
> you track which vulnerabilities each one has? Running yum update
> every night is not an option.
One might argue that the process of selecting the OS distribution should
certainly involve consideration of patch management, release schedules,
and cost of subscription services from the vendor.
> Does CentOS also maintain a vulnerability database along the lines of
> FreeBSD?
> How about Solaris?
> Ubuntu?
Again, I think these are considerations that should be examined prior
to selecting the OS distribution.
It seems to me at the moment as though the model that is most suitable
to your situation is likely FreeBSD's, so you might want to be looking
at phasing out systems with other OS distributions. In the (hopefully
small) number of cases where you must use a particular (non-FreeBSD)
OS distribution because of application software support requirements
(for example), you'll likely need to simply adapt the mechanisms that
you find work best. These would be your "oddball" systems, but your
general environment should ultimately be easier to manage.
> How do you track vulnerabilities across your datacenter?
(for software installed as part of the OS distribution)
Primarily: http://www.therockgarden.ca/software/slackware/UPGRADE.sh
run daily from cron as an unprivileged user, and manually as root when
appropriate (see the script for details of how its behaviour differs
based on privilege).
In truth, the above script runs (unprivileged) on one system (my
workstation), and update packages are copied to each production system,
where the script is manually run as root, only when there's a package
that requires upgrading. Ideally, I could simply NFS-export (read-only)
the directory where the script stores downloaded update packages, but
I haven't (yet?) done anything like that. The process could certainly
be improved upon.
We have some oddball (mostly RHEL now, having phased out others) systems
that are handled by their own mechanisms.
I know this doesn't give you much help with your specific systems, but
I hope that it at least gives you food for thought, both during your
next phase of OS distribution selection, and to help resolve the problem
at hand.
--
----------------------------------------------------------------------
Sylvain Robitaille syl (at) alcor.concordia (dot) ca
Systems and Network analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------
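The question in the thread is how to know which updates each CentOS host is missing without blindly running "yum update" everywhere. The script below is an added example written for this page; it is not the UPGRADE.sh script referenced above and not the original poster's code. It follows the same split the mail describes: an unprivileged daily check that only reports, with the actual upgrade left as a separate step done as root. It relies on yum's documented check-update exit status (100 when updates are pending, 0 when none, 1 on error), which ssh passes through unchanged. The host names web1/db1/broken, the key-based ssh access as an unprivileged user, and the sample check-update output are assumptions made up for the example so that it runs offline.

```shell
#!/bin/sh
# Added example, not the UPGRADE.sh script from the mail: inventory the
# updates each host is missing without applying any of them.
# Runs unprivileged (yum check-update only reads repository metadata);
# applying updates stays a separate, deliberate step done as root.
#
# yum's documented exit codes for check-update: 100 = updates pending,
# 0 = nothing pending, 1 = error. ssh passes the remote status through.

# Real collector: one host name per call, ssh as an unprivileged user.
# BatchMode makes a missing key fail instead of hanging on a prompt.
ssh_yum_check() {
    ssh -o BatchMode=yes -o ConnectTimeout=10 "$1" 'yum -q check-update'
}

# Constructed sample output (assumption: invented hosts and versions) so
# the parser and the report can be exercised offline, with the same exit
# codes a real yum would return.
SAMPLE_WEB1='openssl.i386                 0.9.8b-10.el5          updates
kernel.i686                  2.6.18-92.1.6.el5      updates
Obsoleting Packages
foo.noarch                   1.0-1                  updates
    bar.noarch               0.9-1                  installed'

demo_yum_check() {
    case $1 in
        web1) printf '%s\n' "$SAMPLE_WEB1"; return 100 ;;
        db1)  return 0 ;;
        *)    echo "ssh: connect to host $1: No route to host" >&2; return 1 ;;
    esac
}

# Select the collector; set YUM_CHECK=demo_yum_check for an offline dry run.
YUM_CHECK=${YUM_CHECK:-ssh_yum_check}

# Reduce check-update output to "name.arch version-release", one per line.
# Stops at the trailing "Obsoleting Packages" section, which lists
# replacements rather than pending updates. Caveat: yum wraps very long
# package names onto two lines; those would need rejoining first.
parse_updates() {
    awk '
        /^Obsoleting Packages/ { exit }
        NF == 3 && $1 ~ /\./  { print $1, $2 }
    '
}

# Print one report block for a host. Returns 1 when the check itself
# failed (unreachable host, broken repository), so a cron wrapper can alert.
report_host() {
    host=$1
    rc=0
    out=$("$YUM_CHECK" "$host") || rc=$?
    case $rc in
        0)
            printf '%s: up to date\n' "$host" ;;
        100)
            n=$(printf '%s\n' "$out" | parse_updates | wc -l | tr -d ' ')
            printf '%s: %s update(s) pending\n' "$host" "$n"
            printf '%s\n' "$out" | parse_updates | sed 's/^/    /' ;;
        *)
            printf '%s: check failed (exit %s)\n' "$host" "$rc"
            return 1 ;;
    esac
}

# Usage (from cron, as an unprivileged user):
#   YUM_CHECK=demo_yum_check sh track-updates.sh web1 db1   # offline dry run
#   sh track-updates.sh web1 web2 db1                      # real hosts over ssh
if [ $# -gt 0 ]; then
    status=0
    for h in "$@"; do
        report_host "$h" || status=1
    done
    exit "$status"
fi
```

Run daily from cron, the output is a per-host list of pending package versions that can be mailed or diffed against yesterday's run; a non-zero exit means at least one host could not be checked, which is itself worth an alert, since an unreachable host is also an unpatched one. Nothing here needs root, and nothing here changes a system.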