One word of caution with apt: if you use "stable", it will get major
version updates when they move to a new stable project. With later
installs of etch they have changed the default sources.list to use "etch"
instead of "stable". This prevents any issues when project moves happen.
I am sure Ubuntu will have something similar.
Hope that is helpful.
John Kunkel
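A small check for the point made above, added here as an example and not part of the thread: a POSIX shell script that flags apt source entries tracking the rolling "stable"/"testing"/"unstable" aliases (which silently jump to the next release) and rewrites "stable" to a fixed codename. The sample sources.list content and the temporary directory are constructed for the demo; "etch" is the codename the thread names, and the repository URLs are ordinary Debian mirror addresses used only as illustrative input.

```shell
#!/bin/sh
# Added example (not from the thread): audit apt source entries that track the
# rolling "stable" alias and rewrite them to a fixed release codename.
# The sample file below is constructed for the demo; nothing here touches the
# real /etc/apt/sources.list.

# Print every active deb/deb-src line whose suite field is a rolling alias
# ("stable", "testing", "unstable"). Returns 1 if any were found, 0 if clean.
# Commented-out lines are ignored because the pattern is anchored on "deb".
check_apt_suites() {
  if grep -E '^[[:space:]]*deb(-src)?[[:space:]]+[^[:space:]]+[[:space:]]+(stable|testing|unstable)(/|[[:space:]])' "$1"; then
    return 1
  fi
  return 0
}

# Read a sources.list on stdin and replace the suite "stable" with the given
# codename (e.g. etch), leaving URL, components and comment lines untouched.
# "#" is used as the sed delimiter because the URL field contains slashes.
pin_suite_to_codename() {
  codename=$1
  sed -E "s#^([[:space:]]*deb(-src)?[[:space:]]+[^[:space:]]+[[:space:]]+)stable(/|[[:space:]])#\\1${codename}\\3#"
}

# Demo on a constructed file in a temporary directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sources.list" <<'EOF'
deb http://ftp.debian.org/debian stable main
deb-src http://ftp.debian.org/debian stable main
deb http://security.debian.org/ stable/updates main
# deb http://ftp.debian.org/debian stable contrib
deb http://ftp.debian.org/debian etch main
EOF

echo "== entries that will follow the next stable release =="
check_apt_suites "$demo_dir/sources.list" || echo "(rolling suites found above)"

echo "== same file pinned to etch =="
pin_suite_to_codename etch < "$demo_dir/sources.list"

rm -rf "$demo_dir"
```

The check only looks at the suite field, so a mirror whose hostname happens to contain "stable" is not a false positive, and the rewrite leaves the commented-out line alone. Run it against a copy of a real file first and diff the output before replacing anything under /etc/apt.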
On Jun 19, 2008, at 2:53 PM, <jacob (at) aers (dot) ca [email concealed]> wrote:
> Security plugin for YUM (which might also handle Red Hat)
>
> http://wiki.linux.duke.edu/YumUtils/Plugins/Security?highlight=(CategoryYum)
>
> I haven't tried it but we are just in the process of evaluating/moving
> to CentOS and it's on the to-do list.
>
> With Debian I usually just used the "stable" tree for apt, which only
> updates packages for security. It was never supposed to update the major
> version number of a package (i.e. php-4 to php-5). There should be a way
> to make Ubuntu do the same thing but I haven't used Ubuntu as a server
> platform yet.
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> On Behalf Of druid (at) stonedcoder (dot) org [email concealed]
> Sent: Thursday, June 19, 2008 1:09 PM
> To: Rainer Duffner
> Cc: focus-linux (at) securityfocus (dot) com [email concealed];
> focus-linux-return-3196 (at) securityfocus (dot) com [email concealed]
> Subject: Re: Vulnerability and Patch-Management in Linux (and other Unix)
>
> So, if you have the money you can use Opsware Server Automation System
> (SAS), which will patch and manage all of those OSes and more. Opsware was
> bought by HP, so the product is now called HP Server Automation (HPSA).
>
> To be honest, this is a GREAT solution, but costs a lot. For medium to
> large enterprises it is totally worth it and actually kind of necessary; for
> small business, welcome to the wonderful world of scripting :P.
>
> http://en.wikipedia.org/wiki/Opsware
> https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-271-273^14711_4000_100__
>
> I know this will probably be out of your price range, but it is sometimes
> enlightening to see how large corporations handle this sort of thing.
>
> On Thu, 19 Jun 2008, Rainer Duffner wrote:
>
>> Hi,
>>
>> we've amassed a veritable "zoo" of Unix-versions: RHEL4+5, CentOS5, FreeBSD,
>> Ubuntu and lately Solaris.
>> We use these for a variety of reasons and each system does its job quite
>> well.
>>
>> However, patch-management seems to be a weak spot in most cases.
>> RedHat offers "RedHat Network", but it costs a lot of money (and they charge
>> more if you want to put your servers in groups in the RHN - WTF?)
>> FreeBSD offers the portaudit database - we should be able to hack together
>> something with that.
>> But what about CentOS? If you have an array of CentOS servers - how do you
>> track which vulnerabilities each one has?
>> Running yum update every night is no option.
>>
>> Does CentOS also maintain a vulnerability database along the lines of
>> FreeBSD?
>> How about Solaris?
>> Ubuntu?
>>
>> How do you track vulnerabilities across your datacenter?
>>
>> Regards,
>>
>> Rainer