
Re: Mass update deployment strategy

On Mon, Nov 27, 2006 at 08:37:42PM +0100, mario wrote:
> Do you have a strategy or anything to automate this task a little more?
> The server farm is growing and i might have to look after 20 or 30
> installations soon. I can already see myself updating ubuntu/debian
> installations all day long :(.

Let me throw some ideas around...

If your installation were slightly bigger (maybe 100 systems) I would
suggest you invest your time working with OVAL [1] and CVE [2]:

a) deploy an OVAL agent at the nodes with apt-capabilities

b) have a central OVAL server send new signatures to nodes so they can tell
  you whether they are vulnerable or not (and need to have a DSA applied or

c) prioritise work based on the severity of the vulnerability (you can use both
  NIST's CVE DB [3] and the priorities set by the Debian Testing Security
  team in their tracker for this)

d) request systems to update with a patch (remote ssh connection will do for

Unfortunately, a) is not yet possible. I have working OVAL agents for Debian
(i.e. they compile) but have not had the time yet to write an adapter for
Apt (shouldn't be too difficult). I'm trying to finish the DSA to OVAL xml
signature converter so that generating xml signatures from the DSAs published
at the website will be a breeze, but I have not yet finished with that. Any
help with that would be appreciated.

The only thing I can find close to that is to use Nessus with "Local Security
Checks" and use the feed which provides tests for Debian vulnerabilities
(I believe this is possible with the free feed, but maybe they have changed
it). This is hardly optimal as it requires the systems to be live in the
network when you are 'scanning it'.

You can also do it by hand, if you are so inclined:

a) have the systems send you their status files when they are online to a
  central system
b) have a central system pick up those files and compare that information with
  a database of known vulnerabilities in Debian
c) prioritise the systems and vulnerabilities based on the above criteria
d) have the central system ask the other systems to install the patch from
  security.debian.org (or your local repository) based on c)

The first two parts of that (by-hand) solution are already written in the
scripts provided by Tiger (check the package source:
systems/Linux/deb_checkadvisories and systems/Linux/2/update_advisories)

Unfortunately, nobody has written a free "enterprise patch management" tool
for Debian. There are non-free commercial alternatives you can easily find,
but I'm not going to publicise them in this mailing list (contact me in
private if you are desperately looking for one).



[1] http://oval.mitre.org
[2] http://cve.mitre.org
[3] Formerly ICAT, now the National Vulnerability Database: http://nvd.nist.gov
