By Mike Mullins
The number of Linux versions is overwhelming. Currently, Linux.org lists more than 200 different Linux versions, and those are just the maintained ones. Most of these versions are free or low-cost, and you can download them directly from the Internet.
To add to the confusion, each Linux version uses diverse installation and administration tools. This leads to the bigger problem of how companies can effectively maintain an implementation and keep it from becoming a security risk.
Free Linux versions are still widely supported by a strong customer base that's very aggressive when it comes to security updates. However, there's a general lack of enterprise update management solutions when it comes to free implementations. That's why they're free.
Let's look at several Linux versions and discuss how you can best practice effective patch management.
The Fedora Project
The Fedora Project is an open source distribution sponsored by Red Hat. To maintain this Linux version, start by adding the Fedora Updates Web site to your favorites list and check it on a regular basis.
In addition, you can use the Red Hat Update Agent (up2date), which you must configure with the Red Hat Update Agent Configuration Tool. From the GNOME desktop, go to Main Menu | Programs | RHN Configuration (for older configurations, Update Agent Configuration). This allows you to set the Web proxy if necessary and specify retrieval and installation options and package exceptions.
Yum (which stands for Yellow dog Updater, Modified) checks the RPM header on the update server it points toward. It compares those headers with the local RPM headers to determine what to install or update.
Keep in mind that there's no guaranteed update support for this product. It's also possible that Red Hat could terminate or commercialize support for The Fedora Project.
Red Hat's Workstation, Enterprise Server, and Advanced Server products are paid distributions that use the Red Hat Network Update Module Service to download and install updates. Updates are free for the first year.
These updates are a manual process. After registering the product, the organization will receive e-mails about updates.
The update process requires root privileges. If you want to automate or schedule your updates across several Red Hat machines, you must purchase the Red Hat Network Management Module Service from Red Hat.
Note: Support for the open source Red Hat Linux ends this month, and Red Hat encourages users to upgrade installations to a paid supported version.
SUSE has been developing and expanding YaST (which stands for Yet Another Setup Tool). The graphical system assistant YaST2 has become the most powerful installation and system management tool in the Linux world.
YaST2 connects to the YaST Online Update server and compares RPM headers and tags files for updating. YaST2 is configurable to run as a cron job without user interaction.
Access to the update service for the professional versions requires registration and an annual support contract.
Mandrake Linux Update is accessible using the Mandrake Control Center. From the control center, you can configure the Software Source Manager and other update options. Full update service is inclusive with installation, and support for each version is included for 18 to 24 months at no additional cost.
You can automate the update service. However, there isn't a centralized update management solution for enterprise implementations.
Software and security updates are no longer optional in today's environment. If your organization wants a more robust corporate software update management process, it needs to purchase a commercial solution.
For a company platform, I don't recommend using a free implementation. Instead, I suggest a professional Red Hat implementation. I've had nothing but success using its Network Management service to manage several enterprise servers and workstations.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.