Ways to catch up with cumulative OS security patches for newly provisioned VMs / servers

Posted on 2015-01-20
Last Modified: 2015-01-27
Almost daily we have new VMs being provisioned, and as we know MS, Red Hat & Oracle release patches. It is not feasible for us to keep updating the template with these patches (that may go back up to 3 years, i.e. from the time MS, Red Hat & Oracle first released patches for a specific platform, say Win2008 R2; it could be as long as four years back).

Q1:
Are the monthly MS security patches cumulative? I think they're not. So how do we 'catch up' with all these patches? Also, RHEL OpenSSL & OpenSSH updates, just to name a few. What are the best ways out there that people catch up with such patches & updates?

Q2:
Is there any way we can continually update our VM templates? (We have 3 sets of RHEL 5/6 templates, 3 Solaris x86 templates, 3 SuSE Linux templates & 3 Win 2008 R2: 3 because we have 3 different sets of vCenters in separate networks.)

Q3:
Do tools like Secunia help to keep such patches/updates up to date? We don't have WSUS, but I guess all the cumulative patches stored in WSUS can be pushed down to new VMs to keep them up to date, is this right? What about Solaris & Linux?
Question by: sunhux

4 Comments
Assisted Solution by David Johnson, CD, MVP (ID: 40561329)

"Not feasible for us to keep updating the template with these patches (that may be up to 3 years ago ie from the time MS, Redhat & oracle first release patches for specific platform"

Why is that? On the Microsoft front, SCVMM can update templates and VMs; you just need 2 instances, of which 1 is an update server. This saves time and also avoids having machines that are vulnerable.
Performing Update Remediation in VMM
http://blogs.technet.com/b/scvmm/archive/2011/11/01/automating-update-server-synchronization-in-vmm-2012-part-2-of-5.aspx

Create Update Baselines and check for conformance
https://technet.microsoft.com/en-ca/library/gg675110.aspx

Accepted Solution by btan (ID: 40561353)

This is why a scanning regime and health checks with patch mgmt and vulnerability mgmt systems are in place to ensure this. WSUS is supposed to help roll out the patches, but most of the time domain enterprise servers/clients are not connected directly to the internet, hence it is an offline push down via SCCM or SCOM. For VM images, they need to also take up the same update regime (not focusing only on the host). There are MS cumulative patches per se, but not necessarily applicable for all OS.

Virtual images are tricky, as they can be offline even if you want to push patches. For the VMware case, there is vSphere Update Manager: http://www.vmware.com/products/vsphere/features/update-manager

You may want to check out WSUS Offline Update to build up cumulative patches manually and roll them out: http://www.wsusoffline.net/docs/

For assessment, fundamental tools like MBSA, MS Security Compliance and Secunia checker are applicable, but to scale enterprise-wide, patch mgmt and vuln mgmt systems are an area to explore further to keep patches up to date at the earliest time.

Assisted Solution by gheist (ID: 40561398)

A1:
MS patches mention if they replace a previous patch. WSUS is the easiest way to manage them.
RHEL: yum-cron can be made to download security patches and send out an e-mail when they are downloaded.
I doubt it is easily "provisioned", as you need to register every system.

A2:
Yes, you convert them to a VM, update, and convert back. I actually keep templates as powered-off VMs; you get more or less the same settings asked when cloning a VM.

A3:
You need WSUS for Windows.
Linux: learn anaconda scripting. You have the chance to run "yum upgrade" on first start or at the end of install.
Solaris: depends on version, but again, if you build sufficient netboot infrastructure you can push patches down its throat.

What I want to emphasize: it is quite impractical to provision Linux or Solaris, as they have their own very mature provisioning infrastructures. It stands true even if you have a desktop admin in house to help you dig through syspreps.
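A first-boot catch-up hook along the lines of gheist's A1 and A3, as an added example that is not code from the thread. It assumes a yum with the security plugin (`yum --security`, yum-plugin-security on RHEL 6) and the RHEL 7 `/etc/yum/yum-cron.conf` layout; the hostname, mail address and stamp-file path are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): first-boot catch-up for a cloned RHEL
# template. Assumptions: yum with the security plugin ("yum --security",
# yum-plugin-security on RHEL 6) and the RHEL 7 /etc/yum/yum-cron.conf format.
# Intended to be installed from a kickstart %post section or an rc.local hook.

# Write a yum-cron config that downloads security errata daily and e-mails a
# report, but leaves applying them to the normal change window.
write_yum_cron_conf() {
    conf="$1"; mailto="$2"; host="$3"
    cat > "$conf" <<EOF
[commands]
update_cmd = security
update_messages = yes
download_updates = yes
apply_updates = no
random_sleep = 360

[emitters]
emit_via = email

[email]
email_from = yum-cron@${host}
email_to = ${mailto}
email_host = localhost
EOF
}

# Count outstanding security errata from "yum updateinfo list security" output
# read on stdin (lines look like "RHSA-2015:0066 Important/Sec. openssl-...").
count_security_errata() {
    grep -c -E '^RH(SA|BA|EA)-[0-9]{4}:[0-9]+ ' || true
}

# Run once on the clone's first boot: log how far behind the repo the template
# was, bring it to the current errata level, and stamp so it never re-runs.
first_boot_catchup() {
    stamp=/var/lib/template-catchup.done   # placeholder path
    [ -e "$stamp" ] && return 0
    missing=$(yum -q updateinfo list security 2>/dev/null | count_security_errata)
    logger -t template-catchup "clone is $missing security errata behind the repo"
    yum -y --security update && date > "$stamp"
}
```

The errata count written to syslog gives the vulnerability-management side a per-clone record of how stale the template had become, which is a useful trigger for rebuilding the gold image.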
 
LVL 61

Assisted Solution

by:btan
btan earned 225 total points
ID: 40561748
Just to clarify also: patch catch-up is part and parcel of patch mgmt.

Timely patching is viable if the systems are connected to the internet, but as shared, that is mostly not possible for an enterprise. Patch mgmt is the means to the end, as eventually patches need to be verified that the rollout is done and the systems are indeed updated; hence vulnerability mgmt kicks in to do the checker role.

For virtual images running a guest OS, they should be treated no differently from host OS or physical machine OS patching and vulnerability mgmt. The key oversight is to constantly review the virtual machine templates and review the
- Antivirus software, and keep it up to date
- Latest operating system patches, and stay current with the latest releases
- Version tracking and related notes pertaining to the template
- Segregated LAN for updating the template (treat it like a mgmt and admin task instead of a production data segment)
- Safeguards to protect the template from being tampered with, and naming accordingly for the "Gold image" on various production versions, esp. different OS types etc.

More info on Update Mgr:
To deploy groups of patches you will create Baselines, which allow you to bundle patches together for installation. Hosts will then be scanned against a baseline and can install those updates which they require. Baselines can be of two types: either Fixed or Dynamic. Use Fixed Baselines when you wish to manually specify a patch or list of patches to be scanned against; this will not change when new patches are downloaded to the repository, unless the administrator amends the Baseline. Dynamic Baselines are based on specific criteria, such as containing particular text or falling within a date range; these will be dynamically updated if newly downloaded patches meet the criteria.
- https://www.simple-talk.com/sysadmin/virtualization/using-vmware-vcenter-update-manager-to-keep-your-vsphere-hosts-up-to-date-with-patching/

Separately, instead of reviewing tools for the latest updates as shared... risk assessment is lacking, and I thought this link would help you chart your strategy in the patch and vulnerability mgmt aspects:
http://www.isaca.org/Journal/Past-Issues/2011/Volume-1/Pages/Auditing-Security-Risks-in-Virtual-IT-Systems.aspx