A Database of Patched Software?
Midnight Warrior asks: "I am one system administrator for what is an organization of dozens of LANs. Together, we all must keep our machines patched. Now we can all watch CVE, frequent securityfocus.com, or let LWN [Updated vulnerabilities section] bring things together. LWN does a fabulous job, but I'm looking for something bigger and more personalized that doesn't require the system be on the internet.
Freshmeat, SourceForge, and Google are all NULL on this question: is there a database, and scraping agents, in existence that will let one person oversee dozens of OS installations, a mish-mash of software packages, and an even worse level of up-to-date patching, so that when a new vulnerability against, say, OpenSSH comes out, I can look up which systems need to be tested and patched? My work should be limited to maintaining OS (not just Linux distros), software versions, and current patch lists. This is a classic database problem, but has someone already solved it?"
Get to work (Score:2)
Re:You are a newbie (Score:1)
Huh? (Score:3, Informative)
Re:Huh? (Score:1)
Re:Huh? (Score:1)
Re:Huh? (Score:2)
After all, the few gems that lie here are worth more than the pride of putting an ASK SLASHDOT here.
Re:Huh? (Score:2)
First, you have to have a person find and catalog a location of a patch, possibly a random FTP site.
It sounds like there are several people at various locations doing this with him. The idea here appears to be to share, and to provide a catalog of sites for easy access should the need arise. Then, even if it requires some manual work, at least
Commercial Solution? (Score:3, Interesting)
Re:To be or not to be? There is no question! (Score:2)
Alright, that does it!!! I can't stand it any more. The phrase above should be correctly written: which machines need to be updated. People are getting more and more lazy with their speech and are destroying the English language.
Have you ever thought about the fact that he might have just meant "which machines need updates"?
Re:To be or not to be? There is no question! (Score:2)
Re:To be or not to be? There is no question! (Score:1)
Novell's Zenworks (Score:2, Informative)
Novell has made a huge push into this space with their Zenworks package. It has all sorts of database and report writing functionality, and they've added Linux support in addition to the traditional Windows support.
Re:Novell's Zenworks (Score:2)
Hmmm. Very interesting. I will have to check this out further. Thanks for the reply.
I think one.. (Score:3, Interesting)
First run "emerge sync" and then "emerge -vp world" to see what kind of updates would be needed on the system.
And if you have one system that includes the feature "buildpkg", the rest of your systems could take the pre-compiled packages from the first system and just install them.
(Run "emerge --usepkg -vp world")
Re:I think one.. (Score:2)
Please read the question again. Heterogeneous, loosely connected machines. Add in a "not connected to the internet" catch and the mix falls apart.
Re:I think one.. (Score:1)
You just need to configure this in your
Another question is, if you can't get the update from somewhere, how do you know which upgrade to apply?
In Gentoo you can supply all the upgrades on a cdrom to all of your servers, if you like.
CVS (Score:1)
Or am I missing something obvious here (related to the discussion at hand, of course)?
It's a hard problem.... (Score:4, Insightful)
For Linux you can mostly rely on either RPM or apt to know what you have installed, assuming you stay with the vendor-released binaries.
However, for Windows, how do you get a list of installed software? Got me, I have no idea. How do you get a list of features you have enabled, or installed?
Just getting a reliable list of installed software is tricky. Now you have to do it while running remotely. Even more fun. If you're terribly clever you'd do this with SNMP somehow to query the hardware/software for its current configuration, for inventory of both hardware and software, to ensure compliance with all your licenses, and to ensure no one has swiped any hardware from you.
Now once you get that done, you have to feed it a list of known buggy software. This is also trickier than it seems. For Windows, as far as I know, the patches don't have versions, they aren't software. They are Windows updates. With, say, RedHat software, OpenSSH 2.5 has some security flaw, but the RedHat-patched OpenSSH 2.5-p5 won't. So you have to be pretty darn specific.
It'd probably be easier to have each tool set up to query the security tool of choice and send out an SNMP alert saying that something is out of date. How exactly to do that on Windows I don't know. How to do it on RedHat is easy. Use rhn-applet-tui, it will tell you. You send out an SNMP alert to your SNMP monitor, which converts that into an e-mail.
Then each machine monitors itself. You also set up the monitoring to send out a positive alert that everything is up to date once in a while (1 per day, 1 per week or 1 per month, depending on how many machines you have).
Use RedHat? (Score:2, Informative)
Cassandra (Score:3, Informative)
https://cassandra.cerias.purdue.edu [purdue.edu]
You can create any number of profiles, and you get emails daily about new CVE entries in ICAT (icat.nist.gov) or Secunia advisories (Secunia [secunia.com]) that relate to the software or keywords you select.
You can use the freeware KeyAudit to scan your systems:
Windows KeyAudit: http://www.sassafras.com/restricted/keyaudit/keya
Mac KeyAudit: http://www.sassafras.com/restricted/keyaudit/keya
Sassafras just stopped maintaining KeyAudit, so I'm looking for an alternative application scanner to replace KeyAudit, as well as a Linux/UNIX equivalent (I'm the author of Cassandra).
I'm aware that it's not perfect, and the html and presentations are rather basic. However, it's free, it has been working for a few years now, and I'm listening for suggestions and open to criticism. I'll try to improve it as time allows.
Cheers
Pascal Meunier
Re:Cassandra (Score:2)
Excellent. Thank you. This is very much in line with what I am thinking. Half the replies seem to think I had a system that is connected to the internet. The other half believe that everything is Linux. Even though I have had Linux running since Slackware was hot stuff, my customers are not prepared to take the Linux leap and thus have many Unix-type OSes as well as various Microsoft flavors.
The best way to protect a computer is to not connect it to anything, or at least not the network it sits on. G
Configuration management (Score:3, Informative)
Papers [uchicago.edu] have been written about automating patch management using cfengine [cfengine.org] and a database.
RedCarpet || RHN (Score:2)
There are heaps of products out there for this kind of updating. No matter what, there will always be an admin involvement in them however. You'll still need to keep an eye on things regardless of how you automate it. You'll still need to update the hosts and you'll still want to keep yo
Re:RedCarpet || RHN (Score:1)
Zenworks (for Windows)
RedCarpet (for Linux)
Just went to a seminar on 'why Novell is into Linux,' actually, here in the Twin Cities. They gave the TCLUG (www.mn-linux.org) 15 seats. Nice presentation. They have or will have most of their Netware services (iFolder, etc.) running under Linux.
aborted project (Score:2)
Re:aborted project (Score:2)
I think I can see what you were trying to do. If automatic building of router ACLs or filter rules was your target, then you were on a reasonable path. My company also firmly believes in the human-only principle to firewall modifications, and each mod needs a 2-person check, so paranoia is sometimes warranted.
The target I am trying to hit is a database disconnected from the production-level machines so that I can figure out which patches need to be cut to CD and moved onto the isolated networks. I have
May help some (Score:2)
It works only for Windows, though. But it reports patches, missing or not, for Windows, Office, and some other products. Probably some option to export current state, or make a report.
Lets you push patches too, forcing installation.
Here's a quick idea if you need a scheme, NOW.... (Score:1)
On each host in each LAN, make a list of programs you want to keep patched and store their names, MD5 hashes, revision numbers (or patch numbers), and revision dates in a file, say "patched.db". Ideally, you'll want to patch everything, but if your topology includes well-configured network firewalls in front of each LAN, then you can minimize and pinpoint an attack
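The "patched.db" idea above, the "be pretty darn specific about versions" point from the earlier comment, and the asker's need to work out which patches to cut to CD for each isolated LAN, as an added example that is not code from any poster. It assumes a constructed CSV inventory (made-up hosts, OSes and MD5 placeholders) and a constructed advisory listing exact affected revisions; a vendor backport like 2.5-p5 is deliberately treated as a distinct revision.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory, one row per (host, package), following the
# patched.db idea: name, MD5 of the installed binary, revision/patch number,
# revision date. Hosts, OS names and MD5 values are made-up placeholders.
PATCHED_DB = """host,lan,os,package,md5,revision,date
web1,lan1,redhat-7.3,openssh,0123456789abcdef0123456789abcdef,2.5,2002-03-01
db1,lan1,redhat-7.3,openssh,fedcba9876543210fedcba9876543210,2.5-p5,2002-09-10
fw1,lan2,openbsd-3.2,openssh,00112233445566778899aabbccddeeff,3.4,2002-11-05
win1,lan2,windows-2000,openssh,ffeeddccbbaa99887766554433221100,2.5,2002-03-01
"""

# Constructed advisory. Matching is on the exact revision string on purpose:
# "2.5-p5" (a vendor backport) must not match an advisory for upstream "2.5".
ADVISORY = {"package": "openssh", "affected": {"2.5", "3.3", "3.4"}}


def load_inventory(text):
    """Parse the patched.db CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def hosts_needing_patch(inventory, advisory):
    """Return {host: revision} for hosts running an affected revision."""
    return {
        row["host"]: row["revision"]
        for row in inventory
        if row["package"] == advisory["package"]
        and row["revision"] in advisory["affected"]
    }


def patches_to_cut(inventory, advisory):
    """Group affected hosts by (lan, os): one vendor patch per OS, one CD per LAN."""
    hits = hosts_needing_patch(inventory, advisory)
    groups = defaultdict(list)
    for row in inventory:
        if row["host"] in hits:
            groups[(row["lan"], row["os"])].append(row["host"])
    return dict(groups)


def drifted_hosts(inventory, observed_md5):
    """Hosts whose rescanned binary MD5 no longer matches the recorded one.

    observed_md5 maps host -> MD5 from a fresh scan; a mismatch means the
    binary changed outside the patch process (or a patch only half-applied)."""
    recorded = {row["host"]: row["md5"] for row in inventory}
    return sorted(h for h, m in observed_md5.items() if recorded.get(h) != m)
```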
Try SuSE's Auto-Updater (YaST2) (Score:2)
For the end-user, SuSE's scheme is too easy and also -flexible- enough to enable Users to accept or reject offered updates to SuSE and non-SuSE software.
Why not use a similar scheme for Sys Admin?
BTW, one of the happy surprises that we've seen auto-installed by YaST2 (with User consent) is a mechanism that hides most of the boot-time console messages from the eyes of the User who doesn't care to view it - in a way that also enables another User to show those messages (by pressing F2, I
An experience report (Score:2)
In 1999--2000, we tried doing what you describe (at the company I work for). We have a large WAN with a couple of hundred sites scattered around the world. We used a commercial product called Asset Insight [tangram.com] to do the scanning on UNIX, and we used MS SMS [microsoft.com] on the PCs. Note, we have a very small number of Macs and it wasn't cost effective to address them in the project scope.
Asset Insight and SMS allowed us to tier the data collectors: large sites consolidated their scans and then forwarded the consolidated