Re: Vulnerability and Patch-Management in Linux (and other Unix)
Rainer Duffner wrote:
Hi,

we've amassed a veritable "zoo" of Unix versions: RHEL4+5, CentOS5, FreeBSD, Ubuntu and lately Solaris.
We use these for a variety of reasons and each system does its job quite well.

However, patch-management seems to be a weak spot in most cases.
Red Hat offers "Red Hat Network", but it costs a lot of money (and they charge more if you want to put your servers in groups in the RHN - WTF?)
FreeBSD offers the portaudit database - we should be able to hack together something with that.
But what about CentOS? If you have an array of CentOS servers - how do you track which vulnerabilities each one has?
Running yum update every night is not an option.

Does CentOS also maintain a vulnerability database along the lines of FreeBSD?
How about Solaris?
Ubuntu?

How do you track vulnerabilities across your datacenter?


Regards,

Rainer

For CentOS: Nagios + check_yum (a plugin I wrote for Nagios to test for updates on Red Hat/CentOS servers). You will find it here:

http://www.nagiosexchange.org/cgi-bin/page.cgi?g=Detailed%2F2577.html;d=1

You may need to copy and paste that link as the funny links used on nagiosexchange don't always come out well in mail clients.


For Ubuntu: Nagios + check_apt (from the standard Nagios plugins).

I have checks running every hour to watch for patches on my servers on these distros.


If you ever rise to Gentoo, I wrote one for that too, you can find that here in case you need it:

http://www.nagiosexchange.org/cgi-bin/page.cgi?g=Detailed%2F1539.html;d=1


So much for expensive proprietary solutions. Nagios is truly excellent open source.

-h

--
Hari Sekhon
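
The approach described in the reply above (a Nagios check that flags hosts with pending updates instead of blindly running yum update every night) can be sketched in a few lines of shell. The script below is an added illustration written for this page; it is not Hari Sekhon's check_yum plugin and is not code from the thread. It assumes the documented yum behaviour (check-update exits 100 when updates are pending, 0 when none, 1 on error), that `yum --security check-update` is available via the yum-security plugin on RHEL/CentOS 5 (where it is missing the script degrades to WARNING rather than reporting a false OK), and the standard Nagios exit-code convention (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). The file name and all function names are hypothetical, and the sample yum output is constructed, not captured from a real host.

```shell
#!/bin/sh
# check_yum_pending.sh: a minimal Nagios-style plugin that reports pending yum updates.
# Illustrative example written for this page, not Hari Sekhon's check_yum.
# Assumptions: `yum check-update` exits 100 when updates are pending, 0 when none, 1 on error;
# `yum --security check-update` needs the yum-security plugin (RHEL/CentOS 5) and lists only
# packages with a security erratum. Nagios reads the one-line status from stdout and takes the
# service state from the exit code: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.

NAGIOS_OK=0
NAGIOS_WARNING=1
NAGIOS_CRITICAL=2
NAGIOS_UNKNOWN=3

# count_packages: read `yum check-update` output on stdin, print the number of package lines.
# A package line is "name.arch  version-release  repo" (three fields, a dot in the first);
# plugin banners and blank lines are skipped and the trailing "Obsoleting Packages" section
# is ignored. Caveat: yum wraps very long package names onto two lines; those are not counted.
count_packages() {
    awk '/^Obsoleting Packages/ { exit }
         NF == 3 && $1 ~ /\./ { n++ }
         END { print n + 0 }'
}

# classify_updates TOTAL SECURITY YUM_EXIT: print the Nagios status line and return the state.
# Any pending security update is CRITICAL, other pending updates are WARNING, and a yum failure
# (mirror unreachable, broken metadata) is UNKNOWN rather than a misleading OK.
classify_updates() {
    total=$1
    security=$2
    yum_rc=$3
    case "$yum_rc" in
        0)
            echo "OK - no updates pending"
            return $NAGIOS_OK ;;
        100)
            if [ "$security" -gt 0 ]; then
                echo "CRITICAL - $security security update(s) pending, $total total"
                return $NAGIOS_CRITICAL
            fi
            echo "WARNING - $total update(s) pending, none flagged as security"
            return $NAGIOS_WARNING ;;
        *)
            echo "UNKNOWN - yum check-update exited $yum_rc"
            return $NAGIOS_UNKNOWN ;;
    esac
}

# run_check: live check against the local yum; written so it also behaves under `set -e`.
run_check() {
    yum_rc=0
    all_out=$(yum -q check-update 2>/dev/null) || yum_rc=$?
    total=$(printf '%s\n' "$all_out" | count_packages)
    security=0
    if [ "$yum_rc" -eq 100 ]; then
        # Without the yum-security plugin this command fails, sec_out stays empty and the
        # result is WARNING (updates pending, security status unknown), never OK.
        sec_out=$(yum -q --security check-update 2>/dev/null) || :
        security=$(printf '%s\n' "$sec_out" | count_packages)
    fi
    classify_updates "$total" "$security" "$yum_rc"
}

# Constructed sample output (not captured from a real host) to exercise the parser offline.
SAMPLE_ALL='Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile

bash.i386                 3.2-32.el5                  updates
openssl.i686              0.9.8e-12.el5_4.6           updates
kernel.i686               2.6.18-164.15.1.el5         updates

Obsoleting Packages
foo-new.noarch            1.0-1.el5                   updates
    replacing  foo-old.noarch 0.9-1.el5
'
SAMPLE_SECURITY='openssl.i686              0.9.8e-12.el5_4.6           updates
'

# Nagios (via NRPE or check_by_ssh) invokes the script with --run; without the flag the file
# only defines functions, so the parser and classifier can be sourced and tested offline.
if [ "${1:-}" = "--run" ]; then
    run_check
    exit $?
fi
```

Scheduling this every hour per host, as the reply describes, turns "which servers still need patches" into a Nagios service state per machine; the UNKNOWN branch matters in practice, because a host that cannot reach its mirror would otherwise sit quietly at OK while falling behind.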
