Linux Patch Management

There are many areas of system administration which pose a much bigger challenge to Linux sys admins than to our Windows counterparts. One of the biggest areas of difficulty I have personally come across is that of patch management.

Every day new vulnerabilities are reported in all kinds of software—be it for Windows, Linux, BSD, or proprietary systems; all software suffers from one bug or another in its lifecycle, which can prove to be an Achilles’ heel, opening up the opportunity for exploitation. To you and me that spells ‘trouble’; the last thing we want is a breach of our networks due to an ‘old’, known, and perfectly preventable security hole!

The first question is: how do we keep up with the latest news and alerts regarding newly discovered vulnerabilities, bugs, and potential issues? There are many sources of information on vulnerabilities that we can use to keep on top of these things, but no single source is definitive, so we need to use them together in order to keep up. Examples are the infamous SecurityFocus website (and BugTraq), SecurityTracker, CVE and ca (a bit slow compared to the aforementioned). RSS feeds are also available from some sources: offer their @RISK feed which seems to be updated weekly, SecurityFocus provide an RSS feed, as do SecuriTeam. Providers of your distribution (Debian, RedHat, Suse, etc.) may offer advisory services. RedHat offers this via mailing lists and RSS feeds; Suse/Novell e-mails its registered enterprise customers each time a critical patch is released; and Debian offers advisories on their website, as does OpenBSD.

You will of course need an RSS client to take advantage of the RSS/live feed services. I personally use Mozilla Thunderbird as my e-mail client—this has built-in RSS support, which is great as it means I don’t need to have yet another program running and slowing down my PC. If you don’t use Thunderbird then you may want to try a desktop ticker like RDFTicker.
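Reading a feed by eye is fine for one box; for a fleet it helps to match advisories against what is actually installed. The following is an added example, not from the original article: it parses a constructed advisory feed (the "id: package - fixed in version" title layout and the host inventory are assumptions of the example) and reports the advisories that still apply to this host.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample feed in the style of a distribution advisory RSS; it is
# not a real vendor feed, and the "<id>: <package> - fixed in <version>" title
# layout is an assumption of this example.
SAMPLE_FEED = """<rss version="2.0"><channel>
<title>Example advisories (constructed)</title>
<item><title>EXA-0001: openssl - fixed in 0.9.8-3</title>
<link>https://advisories.example/EXA-0001</link>
<description>Memory handling bug in openssl; update to 0.9.8-3.</description></item>
<item><title>EXA-0002: cups - fixed in 1.2.4-2</title>
<link>https://advisories.example/EXA-0002</link>
<description>Privilege issue in cups; update to 1.2.4-2.</description></item>
<item><title>EXA-0003: bind9 - fixed in 9.3.2-4</title>
<link>https://advisories.example/EXA-0003</link>
<description>Cache handling bug in bind9.</description></item>
</channel></rss>"""

# Constructed inventory: package name -> version installed on this host.
INSTALLED = {"openssl": "0.9.8-1", "cups": "1.2.4-2", "apache2": "2.2.3-1"}

TITLE_RE = re.compile(r"^(?P<id>\S+):\s+(?P<pkg>\S+)\s+-\s+fixed in\s+(?P<ver>\S+)$")


def parse_feed(xml_text):
    """Return one dict per advisory item: id, pkg, ver (fixed version), link."""
    advisories = []
    for item in ET.fromstring(xml_text).iter("item"):
        match = TITLE_RE.match(item.findtext("title", "").strip())
        if match is None:
            continue  # title does not follow the assumed layout; skip it
        advisories.append({**match.groupdict(), "link": item.findtext("link", "")})
    return advisories


def version_key(version):
    """Crude key: compare numeric components left to right. Real package
    managers (dpkg, rpm) have richer rules; use their comparison in production."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def outstanding(advisories, installed):
    """Advisories whose package is installed here below the fixed version."""
    pending = []
    for adv in advisories:
        have = installed.get(adv["pkg"])
        if have is not None and version_key(have) < version_key(adv["ver"]):
            pending.append((adv["id"], adv["pkg"], have, adv["ver"], adv["link"]))
    return pending
```

Calling `outstanding(parse_feed(SAMPLE_FEED), INSTALLED)` flags only the openssl advisory: cups is already at the fixed version and bind9 is not installed.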

Moving away from the issue of vulnerabilities to the wider area of patches and non-critical software updates, what are our options? The many programs, libraries and packages which go towards making up our Linux system are scattered all over the internet in many different projects—these are developed, improved and fixed by various development groups and are usually updated ‘as and when’ rather than on a predefined roadmap/schedule. It would be impossible for an administrator to track each individual package, take note of every update made to each of those packages and then download/compile the update on each system. Luckily, pretty much all major distributions provide a way of keeping systems up to date with minimal effort (bar OpenBSD, which only updates a package when a security flaw appears or as part of a new release); next week we’ll take a look and see what solutions the major players have on