[Dshield] Heterogenous patch management

Kenneth Porter shiva at sewingwitch.com
Thu Sep 25 18:32:29 GMT 2003


--On Thursday, September 25, 2003 10:00 AM -0600 Kenton Smith
<ksmith at chartwelltechnology.com> wrote:

> If a vulnerability is released for IIS, I used to run
> my patch management software and get them all patched. This was one easy
> step and I could schedule it for any time of the day or night. I still
> do for IIS, but what do I do now that I have the same web server
> (Apache) running on 3 different platforms? How quick am I going to be to
> patch these systems when a new Apache vulnerability comes out? There
> isn't patch management software that'll do this, as far as I know. So I
> have to visit the distribution's site, and download the patch then
> upload it to each box and run whatever is necessary on each box. Plus I
> have to do it manually and therefore need the time to not only get the
> patch, but also apply it to each machine.

At least for Red Hat, there's Red Hat Network. You subscribe, get email
notifications of patched packages, and run the update agent to apply it. How
is this different from what you'd do with MS stuff? (There's also Ximian Red
Carpet, similar to RH's up2date and able to run an update daemon on the box to
be patched and a graphical management client somewhere else.)

Do Solaris or BSD offer similar automatic update systems?

Admittedly this adds cost, but so does any security measure. For instance, I
have a Red Hat box with sendmail in front of my Exchange box to provide
defense in depth for corporate email.




More information about the list mailing list