[Dshield] Heterogenous patch management

Kenton Smith ksmith at chartwelltechnology.com
Thu Sep 25 18:56:05 GMT 2003


I realize that there are ways to patch without having to compile source
code. However, I can't use RHN on BSD, if there's one for Solaris it
won't patch my Red Hat systems. This is where the added complexity
arises. If I only had Red Hat systems, I could use RHN, but then I'd end
up with a homogenous system again, which according to the paper, is a
security risk.

Kenton

On Thu, 2003-09-25 at 12:32, Kenneth Porter wrote:

> --On Thursday, September 25, 2003 10:00 AM -0600 Kenton Smith
> <ksmith at chartwelltechnology.com> wrote:
> 
> > If a vulnerability is released for IIS, I used to run
> > my patch management software and get them all patched. This was one easy
> > step and I could schedule it for any time of the day or night. I still
> > do for IIS, but what do I do now that I have the same web server
> > (Apache) running on 3 different platforms? How quick am I going to be to
> > patch these systems when a new Apache vulnerability comes out? There
> > isn't patch management software that'll do this, as far as I know. So I
> > have to visit the distribution's site, and download the patch then
> > upload it to each box and run whatever is necessary on each box. Plus I
> > have to do it manually and therefore need the time to not only get the
> > patch, but also apply it to each machine.
> 
> At least for Red Hat, there's Red Hat Network. You subscribe, get email
> notifications of patched packages, and run the update agent to apply it. How
> is this different from what you'd do with MS stuff? (There's also Ximian Red
> Carpet, similar to RH's up2date and able to run an update daemon on the box to
> be patched and a graphical management client somewhere else.)
> 
> Do Solaris or BSD offer similar automatic update systems?
> 
> Admittedly this adds cost, but so does any security measure. For instance, I
> have a Red Hat box with sendmail in front of my Exchange box to provide
> defense in depth for corporate email.
> 

Kenton Smith, GSEC
Systems Administrator
Chartwell Technology Inc.
700, 407 2 St. S.W. 
Calgary, AB T2P 2Y3 
CANADA 
P 403 261-6619 
F 403 237-5816 
E ksmith at chartwelltechnology.com
W www.chartwelltechnology.com


