Thanks very much for this. It's exactly the kind of info I was looking for.
-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Friday, June 11, 2010 5:26 PM
To: NT System Admin Issues
Subject: Re: Patch Management - again

On Fri, Jun 11, 2010 at 5:37 PM, Crawford, Scott <crawfo...@evangel.edu> wrote:
>> Our only non-Windows computers are running Linux, and Linux makes
>> patch management ridiculously easy.
>
> I'm sure there's countless places I could find this information, but
> could you elaborate on that statement a bit?

Well, this is really off-topic for this list, but then, so is the World Cup. I'll mention a few things. More in-depth discussion belongs elsewhere, like the patch-management list.

We use CentOS, so the examples I give are for that distribution. Most other distros have similar methods.

Most Linux distributions use a tool called a "package manager" to install and update software. Every software component is part of a package. Every program file installed on the system is owned by a package. The same tools are used to install, uninstall, and update every software package on the system.

To install the Wireshark packet sniffer:

    yum install wireshark

To update it:

    yum update wireshark

So if you don't care about bandwidth, you can just do:

    yum update

and all the software gets updated.

Now, if you have a fleet of machines and don't want to suck up your Internet bandwidth downloading updates, you'll need some kind of local repository of updates. Your "patch server", so to speak. But unlike Microsoft, all the updates are posted to public FTP/HTTP servers, in a plain directory structure. So to maintain a mirror, all you need to do is use a standard download tool. Thus:

    cd /pub/mirror/centos
    wget --mirror --no-host-dir --cut-dirs=1 http://mirror.centos.org/centos/5/updates/i386/RPMS/

Now you've got a local repository with all the updates. You can share that out using NFS or SMB or whatever you use to share files.
To tell a computer to update against that:

    rpm --freshen /pub/mirror/centos/5/updates/i386/RPMS/*

The "freshen" command tells the package manager to install newer packages, but only for packages which are already installed.

I've been using this technique in various environments off-and-on since roughly 1996 or so. It still works, so I haven't had need to research other methods. However, if you want, the tools to build the index yum needs from a repository of files are included in the distribution. I'm told it would be as easy as:

    yum-arch /pub/mirror/centos/5/updates/i386/RPMS/

and then editing /etc/yum.conf to look at your own server rather than the default mirror network.

If you want to test the integrity of the software on the system, you can do:

    rpm --verify --all

That will check every file of every installed package. It will report differences in date, time, permissions, checksum, etc. It will also report broken dependencies. Like most *nix commands, it's normally silent, so silence is golden.

Any of these commands can be put in a scheduled job to run every night.

No special background services or poorly-documented software is required to maintain the repository. It's all standard commands you use anyway. The repository is just a directory with a bunch of package files in it. There's no need to run a special web server, or to have a database backend; there's no special download protocol. The update packages are just like regular packages; there's no cryptic format or special installers.

There's a package called "yum-cron"; if you install it, it will email you a report every night if there are pending updates to install. I use a mail filter to route those messages to a mail folder. If it's empty, all is well. Things needing attention show up as new mail. That's all I've ever needed or wanted for reporting. I've had people ask about things like pie charts.
I honestly don't see how pie charts help patch management, but if you want that sort of thing, Red Hat sells a fancy GUI thing called "Red Hat Network". You get a year if you buy their commercial packaged distro.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
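Added example (editor's, not part of Ben's message or the list): a POSIX shell triage of the "rpm --verify --all" output he describes, so a nightly job mails only the findings that matter (content, permission or ownership changes to non-config files, missing files, unreadable files, broken dependencies) and drops pure mtime noise. The sample output, package name and paths are constructed for the demonstration.

```shell
#!/bin/sh
# Triage "rpm --verify --all" output for a nightly report.
# Attribute field per rpm(8): S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime, P capabilities; "." = unchanged, "?" = unreadable.
# The optional second column is the file type marker ("c" = config file).

# Constructed sample of rpm -V output (not from a real system; paths made up).
SAMPLE_VERIFY_OUTPUT='S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/foo/README
S.5....T.    /usr/bin/ssh
missing      /usr/lib64/libz.so.1
..?......    /usr/sbin/sshd
.M.......    /var/log/messages
Unsatisfied dependencies for example-1.0-1.x86_64: libfoo.so.2 is needed'

# triage_rpm_verify VERIFY_OUTPUT
# Prints one "<REASON> <path>" line per finding; mtime-only changes are dropped.
# Paths containing spaces are not handled (rpm prints them unquoted).
triage_rpm_verify() {
  printf '%s\n' "$1" | awk '
    /^Unsatisfied dependencies/ { print "BROKEN_DEP " $0; next }
    /^missing[ \t]/             { print "MISSING " $NF; next }
    NF < 2 { next }
    {
      attrs = $1; path = $NF
      is_config = (NF == 3 && $2 == "c")
      if (index(attrs, "?") > 0)
        reason = "UNREADABLE"
      else if (substr(attrs, 3, 1) == "5" || substr(attrs, 1, 1) == "S")
        reason = (is_config ? "CONFIG_CHANGED" : "CONTENT_CHANGED")
      else if (substr(attrs, 2, 1) == "M" || substr(attrs, 6, 1) == "U" || substr(attrs, 7, 1) == "G")
        reason = "PERMS_CHANGED"
      else
        next   # only mtime/device/link differences: not worth a mail
      print reason " " path
    }'
}

# On a real host: rpm --verify --all 2>&1 | triage ... ; here, the sample.
triage_rpm_verify "$SAMPLE_VERIFY_OUTPUT"
```

A changed digest on a non-config binary (CONTENT_CHANGED) is the line worth investigating first; an edited config file shows up separately so it does not drown out the rest.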