Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Operating Systems Software

A Database of Patched Software? 37

Posted by Cliff from the bringing-it-all-together dept.
Midnight Warrior asks: "I am one system administrator for what is an organization of dozens of LANs. Together, we all must keep our machines patched. Now we can all watch CVE, frequent securityfocus.com, or let LWN [Updated vulnerabilities section] bring things together. LWN does a fabulous job, but I'm looking for something bigger and more personalized that doesn't require the system be on the internet. Freshmeat, SourceForge, and Google are all NULL on this question: is there a database, and scraping agents in existence that will let one person oversee dozens of OS installations, a mish-mash of software packages, and an even worse level of up-to-date patching exist so that when a new vulnerability against, say, OpenSSH comes out, I can look up which systems need to be tested and patched? My work should be limited to maintaining OS (not just Linux distros), software versions, and current patch lists. This is a classic database problem, but has someone already solved it?"
This discussion has been archived. No new comments can be posted.

A Database of Patched Software? More

A Database of Patched Software?

Comments Filter:
  • Sounds like you've found yourself a new job. I'll leave $1 in the tips jar.

  • Huh? (Score:3, Informative)

    by ichimunki ( 194887 ) on Monday October 06, 2003 @04:42PM (#7147086)
    Why would you be hand-maintaining most of this software in the first place? Why not standardize on a distro or two that have auto-update functionality and use this to update via cron job against a local repository?
    • We don't know what kind of LANs are being maintained, and it was mentioned Internet-connectivity is not always there. This has nothing to do with software selection. For all we know, he is managing Secret or Top Secret NSA or CIA LANs. Hopefully however, it this is true, he isn't asking Slashdot.
      • Yeah, he also said not all Linux, so he might have some proprietary Unix systems or whatever going on-- my comment wasn't entirely fair. And really he's looking for a couple things: a central data feed of security/update info, a local database of which machines use what, and a way to relate the two. The first item in the list is the hard part, really, since software isn't all that intelligent yet and sifting through various mailing lists and security web sites to cull both unique items and relevant items is
      • Are you soo sure of this? If I was high ranking in the government, I'd love free help and suggestions to further my plan.

        After all, the few gems that lie here are worth more than the pride of putting an ASK SLASHDOT here.
    • Yes, but not even Microsoft has ALL the patches posted for automatic update. Even with MS you have to do a fair amount of legwork for the non-common programs.

      First, you have to have a person find and catalog a location of a patch..possibly a random FTP site.
      I sounds like there are several people at various locations doing this with him. The idea here appears to be to share, and to provide a catalog of sites for easy access should the need arise. Then, even if it requires some manual work, at least

  • Commercial Solution? (Score:3, Interesting)

    by illectro ( 697914 ) on Monday October 06, 2003 @04:42PM (#7147088)
    One possible solution is a commercial Vulnerbility assessment solution such at Qualysguard - it'll scan your network and tell you which machines need updated. You can also go open source with Nessus, but it's UI is a lot weaker and it doesn't feature the task management tools that Qualys has (and you seem to be interested in this). Of course this will only tell you about software which can be remotely exploited, local updates are somewhat hard ;-)

  • Novell's Zenworks (Score:2, Informative)

    by Anonymous Coward

    Novell has made a huge push into this space with their Zenworks package. It has all sorts of database and report writing functionality, and they've added Linux support in addition to the traditional Windows support.

  • I think one.. (Score:3, Interesting)

    by fredan ( 54788 ) on Monday October 06, 2003 @04:57PM (#7147246) Homepage Journal
    ...way to solve your problem is to use Gentoo.

    First run "emerge sync" and the "emerge -vp world" to see what kind of updates that would be needed on the system.

    And if you have one system that include the feature "buildpkg", the rest of your system could take the pre-compiled packages from the first system and just install it.
    (Run "emerge --usepkg -vp world")

    • Please read the question again. Heterogeneous, loosely connected machines. Add in a "not connected to the internet" catch and the mix falls apart.

      • no it doesn't. If you have one server internally in your network that grabs everything from the internet (every now and then) you can still continue the operation of your server(s), if the internet goes down.
        You just need to configure this in your /etc/make.conf file for this.

        Another question is, if you don't can get the update from somewhere, how do you know which upgrade to apply?
        In Gentoo you can supply all the upgrades on a cdrom to all of your servers, if you like.
  • Couldn't you just set up a CVS type system, with different branches based on architectures you are supporting? Then you would only need one machine with outside access.

    Or am I missing something obvious here (related to the discussion at hand, of course)?

  • It's a hard problem.... (Score:4, Insightful)

    by ComputerSlicer23 ( 516509 ) on Monday October 06, 2003 @05:09PM (#7147370)
    Well there are a lot of problems with this. First and foremost is having the machine maintain a list of known installed software. That means no custom installs for anything. So if you built sendmail and installed it in /usr/local, you have problems building an off the shelf solution. For a variety of reasons.

    For linux you can mostly rely on either RPM or apt to know what you have installed assuming you stay with the vendor released binaries.

    However, for windows, how do you get a list of installed software? Got me, I have no idea. How do you get a list of features you have enabled, or installed?

    Just getting a reliable list of installed software is tricky. Now you have to do it while running remotely. Even more fun. If your terribly clever you'd do this with SNMP somehow to query the hardware/software for it's current configuration for inventory of both hardware and software to ensure compliance with all your license, and to ensure no one has swiped any hardware from you.

    Now once you get that done, you have to feed it a list of known buggy software. This is also trickier then it seems. For Windows, as far as I know, the patches don't have versions, they aren't software. They are windows updates. With say RedHat software, OpenSSH 2.5 has some security flaw, but the redhat patched OpenSSH 2.5-p5 won't. So you have to be pretty darn specific.

    It'd probably be easier to have each tool setup to query the security tool of choice and send out an SNMP alert saying that something is out of date. How exactly to do that on Windows I don't know. How to do it on redhat is easy. Use rhn-applet-tui, it will tell you. You send out an SNMP alert to you SNMP monitor, which converts that into an e-mail.

    Then each machine monitors itself. You also setup the monitoring to send out a positive alert that everything is up to date once in a while (1 per day, 1 per week or 1 per month, depending on how many machines you have).

  • Use RedHat? (Score:2, Informative)

    by Koldark ( 267388 )
    I know RedHat has a nice looking system for keeping you notifed of server versions. As far as Windows? I don't know.

  • Cassandra (Score:3, Informative)

    by pmeunier ( 713890 ) on Monday October 06, 2003 @05:26PM (#7147519)
    Please have a look at the free Cassandra system:
    https://cassandra.cerias.purdue.edu [purdue.edu]
    You can create any number of profiles, and you get emails daily about new CVE entries in ICAT (icat.nist.gov) or Secunia advisories (Secunia [secunia.com]) that relate to the software or keywords you select.
    You can use the freeware KeyAudit to scan your systems:
    Windows KeyAudit: http://www.sassafras.com/restricted/keyaudit/keyau dit.exe
    Mac KeyAudit: http://www.sassafras.com/restricted/keyaudit/keyau dit.sit

    Sassafras just stopped maintaining KeyAudit, so I'm looking for an alternative application scanner to replace KeyAudit, as well as a Linux/UNIX equivalent (I'm the author of Cassandra).

    I'm aware that it's not perfect, and the html and presentations are rather basic. However, it's free, it has been working for a few years now, and I'm listening for suggestions and open to criticism. I'll try to improve it as time allows.
    Cheers
    Pascal Meunier

    • Excellent. Thank you. This is very much in line with what I am thinking. Half the replies seem to think I had a system that is connected to the internet. The other half believe that everything is Linux. Even though I have had Linux running since Slackware was hot stuff, my customers are not prepared to take the Linux leap and thus have many Unix-type OSes as well as various Microsoft flavors.

      The best way to protect a computer is to not connect it to anything, or at least not the network it sits on. G

  • Configuration management (Score:3, Informative)

    by heydrick ( 91504 ) on Monday October 06, 2003 @06:33PM (#7148169)
    Use configuration management so you can control and know exactly what is running on your systems.

    Papers [uchicago.edu] have been written about automating patch management using cfengine [cfengine.org] and a database.
  • Get in touch with Novell or Redhat and find out what platforms they can support using their products. Novell's (well, Ximians really) RedCarpet would probably be more likely to allow you to run it across multiple platforms.

    There are heaps of products out there for this kind of updating. No matter what, there will always be an admin involvement in them however. You'll still need to keep an eye on things regardless of how you automate it. You'll still need to update the hosts and you'll still want to keep yo
    • Novell's got two products:

      Zenworks (for Windows)
      RedCarpet (for Linux)

      just went to a seminar on 'why Novell is into Linux,' actually, here in the Twin Cities. They gave the TCLUG (www.mn-linux.org) 15 seats. Nice presentation. They have or will have most of their Netware services (iFolder, etc) running under Linux.
  • I started working on this problem for the NI team where I work. They went another direction, so I shelved my work for the time being. I didn't come up with much more than a prototype, but I had planned to produce the tool you're looking for. We'd also planned on integrating it with Nessus, so the tool could display warnings detected. I wanted (though NI was a little scared of the idea) to build router ACLs from the data in the table. That way, only traffic to registered applications/hosts would be perm

    • I think I can see what you were trying to do. If automatic building of router ACLs or filter rules was your target, then you were on a reasonable path. My company also firmly believes in the human-only principle to firewall modifications, and each mod needs a 2-person check, so paranoia is sometimes warranted.

      The target I am trying to hit is a database disconnected from the production-level machines so that I can figure out which patches need to be cut to CD and moved onto the isolated networks. I have

  • Have a look at that: http://www.shavlik.com/ [shavlik.com]
    It works only for Windows, though. But reports patches, missing or not, for Windows, Office, and some other products. Probably some option to export current state, or make a report.
    Lets you push patches too, forcing installation.
  • This really depends on how well managed your LANs are but can work smoothly if the architectures and OS's are homogenous (per LAN). try this:

    On each host in each LAN, make a list of programs you want to keep patched and store their names, MD5 hashes, revision numbers (or patch numbers), and revision dates in a file, say "patched.db". Ideally, you'll want to patch everything, but if your topology includes well-configured network firewalls in front of each LAN, then you can minimize and pinpoint an attack

  • For the end-user, SuSE's scheme is too easy
    and also -flexible- enought to enable Users
    to accept or reject offered updates to SuSE
    ans non-SuSE software.

    Why not use a similar scheme for Sys Admin?

    BTW, one of the happy surprises, that we've
    seen auto-installed by YaST2 (with User con-
    cent) is a mechanism that hides most of the
    boot-time console messages from the eyes of
    the User who doesn't care to view it - in a
    way, that also enables another User to show
    those messages (by pressing F2, I

  • In 1999--2000, we tried doing what you describe (at the company I work for). We have a large WAN with a couple of hundred sites scattered around the world. We used a commercial product called Asset Insight [tangram.com] to do the scanning on UNIX, and we used MS SMS [microsoft.com] on the PCs. Note, we have a very small number of Macs and it wasn't cost effective to address them in the project scope.

    Asset Insight and SMS allowed us to tier the data collectors: large sites consolidated their scans and then forwarded the consolidated

Slashdot Top Deals

To do nothing is to be nothing.

Close