Re: Vulnerability and Patch-Management in Linux (and other Unix)
So, if you have the money you can use Opsware Server Automation System (SAS) which will patch and manage all of those OSes and more. Opsware was bought by HP so the product is now called HP Server Automation (HPSA).

To be honest, this is a GREAT solution, but costs a lot. For medium to large enterprises it is totally worth it and actually kind of necessary; for small business, welcome to the wonderful world of scripting :P.

http://en.wikipedia.org/wiki/Opsware
https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-271-273^14711_4000_100__

I know this will probably be out of your price range, but it is sometimes enlightening to see how large corporations handle this sort of thing.

On Thu, 19 Jun 2008, Rainer Duffner wrote:

Hi,

we've amassed a veritable "zoo" of Unix-versions: RHEL4+5, CentOS5, FreeBSD, Ubuntu and lately Solaris.
We use these for a variety of reasons and each system does its job quite well.

However, patch-management seems to be a weak spot in most cases.
RedHat offers "RedHat Network", but it costs a lot of money (and they charge more if you want to put your servers in groups in the RHN - WTF?)
FreeBSD offers the portaudit database - we should be able to hack together something with that.
But what about CentOS? If you have an array of CentOS servers - how do you track which vulnerabilities each one has?
Running yum update every night is no option.

Does CentOS also maintain a vulnerability database along the lines of FreeBSD?
How about Solaris?
Ubuntu?

How do you track vulnerabilities across your datacenter?
Regards,

Rainer