There are many areas of system
administration which pose a much bigger challenge to Linux sys admins
than to our Windows counterparts. One of the biggest areas of
difficulty I have personally come across is that of patch management.
Every day new vulnerabilities
are reported in all kinds of software. Be it for Windows, Linux, BSD,
or proprietary systems, all software suffers from one bug or another
in its lifecycle, which can prove to be an Achilles' heel, opening
up the opportunity for exploitation. To you and me that spells
trouble; the last thing we want is a breach of our networks due
to an old, known, and perfectly preventable security hole!
The first question is how to
keep up with the latest news and alerts regarding newly discovered vulnerabilities,
bugs, and potential issues? There are many sources of information
on vulnerabilities that we can use to keep on top of these things, but
no single source is definitive, so we need to use them together in order
RSS feeds are also available from some sources: sans.org offer their @RISK feed which seems
to be updated weekly, SecurityFocus provide
an RSS feed, as
do SecuriTeam. Providers of your distribution
(Debian, Red Hat, SUSE, etc.) may offer advisory services. Red Hat offers this via mailing lists and
RSS feeds; SUSE/Novell e-mails its registered enterprise customers each
time a critical patch is released; and Debian offers advisories on its website,
as does OpenBSD.
You will of course need an
RSS client to take advantage of the RSS/live feed services. I
personally use Mozilla Thunderbird as my e-mail client; this has built-in
RSS support, which is great as it means I don't need to have yet
another program running and slowing down my PC. If you don't
use Thunderbird then you may want to try a desktop
ticker like RDFTicker.
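Because no single source is definitive, the feeds can also be combined by a script instead of being read one by one in a client. The following Python code is an added example, not part of the original article: it merges RSS 2.0 feeds, de-duplicates advisories by CVE id and flags those that name an installed package. The feed contents, source names, CVE ids and package list are constructed for illustration, and nothing is fetched from the network.

```python
import re
import xml.etree.ElementTree as ET

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample feeds (not real advisories); source names are placeholders.
FEEDS = {
    "vendor-feed": """<rss version="2.0"><channel>
      <item><title>openssl: buffer overflow (CVE-2099-0001)</title>
            <link>https://vendor.example/adv/1</link></item>
      <item><title>cups: denial of service (CVE-2099-0002)</title>
            <link>https://vendor.example/adv/2</link></item>
    </channel></rss>""",
    "weekly-digest": """<rss version="2.0"><channel>
      <item><title>Weekly roundup, part 1</title>
            <description>OpenSSL overflow, see CVE-2099-0001</description>
            <link>https://digest.example/w/7a</link></item>
      <item><title>Weekly roundup, part 2</title>
            <description>Apache httpd flaw, see CVE-2099-0003</description>
            <link>https://digest.example/w/7b</link></item>
    </channel></rss>""",
}

def parse_items(xml_text):
    """Yield (text, link) per RSS 2.0 <item>; refuse feeds that carry a DTD."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("feed contains a DTD; refusing to parse")
    for item in ET.fromstring(xml_text).iter("item"):
        text = " ".join(item.findtext(t, "") for t in ("title", "description"))
        yield text, item.findtext("link", "")

def merge_feeds(feeds, installed):
    """Return {cve: {"sources", "links", "packages"}}, de-duplicated by CVE id."""
    merged = {}
    for source, xml_text in feeds.items():
        for text, link in parse_items(xml_text):
            hits = {p for p in installed
                    if re.search(r"\b%s\b" % re.escape(p), text, re.I)}
            for cve in CVE_RE.findall(text):
                entry = merged.setdefault(
                    cve, {"sources": set(), "links": set(), "packages": set()})
                entry["sources"].add(source)
                entry["links"].add(link)
                entry["packages"] |= hits
    return merged

def actionable(merged):
    """CVE ids whose advisory text names at least one installed package."""
    return sorted(cve for cve, e in merged.items() if e["packages"])
```

Package matching here is a plain whole-word search of the advisory text, so an item that mentions several packages attributes all of them to every CVE in that item.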
Moving away from the issue
of vulnerabilities to the wider area of patches and non-critical software
updates, what are our options? So many programs, libraries and
packages which go towards making up our Linux system are scattered all
over the internet in many different projects; these are developed,
improved and fixed by various different development groups and are usually
updated as and when rather than on a predefined roadmap/schedule.
It would be impossible for an administrator to track each individual
package, take note of every update made to each of those packages and
then download/compile the update on each system. Luckily, pretty
much all major distributions provide a way of keeping systems up to
date with minimal effort (bar OpenBSD, which only updates a package
when a security flaw appears or as part of a new release); next week
we'll take a look and see what solutions the major players have on offer.