Ways to catch up with cumulative OS security patches for newly provisioned VMs / servers

Posted on 2015-01-20
Medium Priority
Last Modified: 2015-01-27
Almost daily we have new VMs being provisioned and, as we know, MS, Red Hat
and Oracle release patches. It is not feasible for us to keep updating the template
with these patches (which may go back up to 3 years, i.e. from the time MS, Red Hat
and Oracle first released patches for a specific platform, say Win2008 R2; it could be
as long as four years back).

Are the monthly MS security patches cumulative? I think they are not.
So how do we 'catch up' with all these patches?
Also RHEL OpenSSL and OpenSSH updates, just to name a few.
What are the best ways out there that people use to catch up with such
patches and updates?

Is there any way we can continually update our VM templates?
(We have 3 sets of RHEL 5/6 templates, 3 Solaris x86 templates,
3 SuSE Linux templates and 3 Win 2008 R2 templates: 3 because we have 3
different sets of vCenters in separate networks.)

Do tools like Secunia help to keep such patches/updates
up to date? We don't have WSUS, but I guess all the cumulative
patches stored in WSUS can be pushed down to new VMs to
keep them up to date; is this right?
What about Solaris and Linux?
Question by: sunhux
LVL 85

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 540 total points
ID: 40561329
"Not feasible for us to keep updating the template with these patches (that may be up to 3 years ago ie from the time MS, Red Hat & Oracle first release patches for specific platform"

Why is that? On the Microsoft front SCVMM can update templates and VMs; you just need 2 instances, of which 1 is an update server. This saves time and also saves having machines that are vulnerable.
Performing Update Remediation in VMM

Create Update Baselines and check for conformance
LVL 66

Accepted Solution

btan earned 900 total points
ID: 40561353
This is why a scanning regime and health checks with patch mgmt and vulnerability mgmt systems are in place to ensure this. WSUS is supposed to help roll out the patches, but most of the time domain enterprise servers/clients are not connected directly to the internet, hence it is an offline push-down via SCCM or SCOM. VM images also need to follow the same update regime (not focusing only on the host). There are MS cumulative patches per se, but they are not necessarily applicable to all OSes.

Virtual images are tricky, as they can be offline even when you want to push a patch. For the VMware case there is vSphere Update Manager: http://www.vmware.com/products/vsphere/features/update-manager

You may want to check out WSUS Offline Update to build up the cumulative patches manually and roll them out: http://www.wsusoffline.net/docs/

For assessment, the fundamental tools like MBSA, MS Security Compliance and the Secunia checker are applicable, but to scale enterprise-wide, patch mgmt and vulnerability mgmt systems are the area to explore further to keep patches up to date at the earliest time.
LVL 62

Assisted Solution

gheist earned 560 total points
ID: 40561398
MS patches mention if they replace a previous patch. WSUS is the easiest way to manage them.
RHEL: yum-cron can be made to download security patches and send out an e-mail when they are downloaded.
I doubt it is easily "provisioned", as you need to register every system.

Yes, you convert them to a VM, update, and convert back. I actually keep templates as powered-off VMs. You get more or less the same settings asked when cloning a VM.

You need WSUS for Windows.
Linux: learn anaconda scripting. You have the chance to run "yum upgrade" on first start or at the end of the install.
Solaris: depends on the version, but again, if you build sufficient netboot infrastructure you can push patches down its throat.

What I want to emphasize: it is quite impractical to provision Linux or Solaris, as they have their own very mature provisioning infrastructures. That stands true even if you have a desktop admin in house to help you dig through syspreps.
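The "run yum upgrade on first start" idea above, worked through as an added example (this is not code from the thread or from any of the answerers). It is a first-boot catch-up script for a RHEL 6/7 clone taken from a stale template, dropped in by an anaconda %post section. Assumptions the thread does not state: the %post section has already registered the system (subscription-manager or rhnreg_ks) so a repository is reachable, and yum security support is present (yum-plugin-security on RHEL 5/6, built into yum on RHEL 7). The sample `yum updateinfo` lines in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): first-boot security "catch-up" for a
# RHEL 6/7 VM cloned from a stale template, installed by an anaconda %post
# section and run once at first boot. Assumed (not stated in the thread):
# the VM was registered in %post so a repo is reachable, and yum security
# support exists (yum-plugin-security on RHEL 5/6, built in on RHEL 7).

# Summarise `yum updateinfo list security` output read from stdin: count RHSA
# errata by severity. RHEL 7 / yum 3.4 lines look like:
#   RHSA-2015:0066 Important/Sec. openssl-1.0.1e-34.el7_0.7.x86_64
# Older yum prints "security" instead of "Important/Sec."; those still count
# towards total but land in no severity bucket. RHBA/RHEA lines are ignored.
summarize_security() {
    awk '/^RHSA-[0-9]+:[0-9]+[ \t]/ {
             split($2, s, "/"); sev[s[1]]++; n++
         }
         END {
             printf "total=%d critical=%d important=%d moderate=%d low=%d\n",
                    n, sev["Critical"], sev["Important"], sev["Moderate"], sev["Low"]
         }'
}

# True when the newest installed kernel is not the running one: a kernel
# erratum was applied but the VM has not been rebooted yet.
#   $1 running: `uname -r`
#   $2 newest:  rpm -q --last kernel | awk 'NR==1 {sub(/^kernel-/, "", $1); print $1}'
kernel_reboot_needed() {
    [ "$1" != "$2" ]
}

# Apply pending security errata. `yum --security check-update` exits 100 when
# security updates are pending and 0 when there are none; any other code is an
# error (repo unreachable, not registered) and must not be read as "clean".
apply_security_updates() {
    yum -q --security check-update >/dev/null 2>&1
    rc=$?
    case $rc in
        0)   echo "no pending security updates"; return 0 ;;
        100) yum -y -q --security update ;;
        *)   echo "yum check-update failed (rc=$rc); VM is NOT patched" >&2; return "$rc" ;;
    esac
}

firstboot_main() {
    log=/var/log/firstboot-patch.log
    {
        echo "firstboot patch run: $(date)"
        apply_security_updates || exit 1
        echo "remaining after run: $(yum -q updateinfo list security 2>/dev/null | summarize_security)"
        running=$(uname -r)
        newest=$(rpm -q --last kernel | awk 'NR==1 {sub(/^kernel-/, "", $1); print $1}')
        if kernel_reboot_needed "$running" "$newest"; then
            echo "kernel $newest installed, $running running: rebooting"
            shutdown -r now
        fi
    } >>"$log" 2>&1
}

# Kickstart fragment that installs this file and hooks it into the first boot
# (RHEL 6 style via rc.local; on RHEL 7 a oneshot systemd unit with
# ConditionPathExists= is the cleaner equivalent):
#   %post --log=/root/ks-post.log
#   cat > /usr/local/sbin/firstboot-patch.sh <<'EOF'
#   ...this file...
#   EOF
#   chmod 0700 /usr/local/sbin/firstboot-patch.sh
#   echo '/usr/local/sbin/firstboot-patch.sh --run; sed -i "/firstboot-patch/d" /etc/rc.d/rc.local' >> /etc/rc.d/rc.local
#   %end

case "${1:-}" in
    --run) firstboot_main ;;
esac
```

The point of the three-way exit-code check is that a clone which cannot reach its repository (the "you need to register every system" problem) fails loudly in the log rather than silently passing as patched; the log line with the `summarize_security` counts is what a later vulnerability-management scan should agree with. For example, feeding the constructed lines `RHSA-2015:0066 Important/Sec. openssl-...` and `RHSA-2015:0046 Moderate/Sec. kernel-...` to `summarize_security` gives `total=2 critical=0 important=1 moderate=1 low=0`.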
LVL 66

Assisted Solution

btan earned 900 total points
ID: 40561748
Just to clarify, the patch catch-up is also part and parcel of patch mgmt.

Timely patching is viable if the systems are connected to the internet, but as shared, that is mostly not possible for an enterprise. Patch mgmt is the means to the end, as eventually the patches need to be verified, i.e. that the rollout is done and the systems are indeed updated; hence vulnerability mgmt kicks in to do the checker role.

Virtual images running a guest OS should be treated no differently from host OS or physical machine OS patching and vulnerability mgmt. The key oversight is to constantly review the virtual machine templates and review the:
- Antivirus software, and keep it up to date
- Latest operating system patches, and stay current with the latest releases
- Version tracking and related notes pertaining to the template
- Segregated LAN for updating the template (treat it like a mgmt and admin task instead of a production data segment)
- Safeguards that protect the template from being tampered with, named accordingly as the "Gold image" for the various production versions, esp. different OS types etc.

More info on Update Mgr
To deploy groups of patches you will create Baselines, which allow you to bundle patches together for installation. Hosts will then be scanned against a baseline and can install those updates which they require. Baselines can be of two types, either Fixed or Dynamic. Use Fixed Baselines when you wish to manually specify a patch or list of patches to be scanned against; this will not change when new patches are downloaded to the repository, unless the administrator amends the Baseline. Dynamic Baselines are based on specific criteria such as containing particular text or falling within a date range; these will be dynamically updated if newly downloaded patches meet the criteria.
- https://www.simple-talk.com/sysadmin/virtualization/using-vmware-vcenter-update-manager-to-keep-your-vsphere-hosts-up-to-date-with-patching/

Separately, instead of reviewing tools on the latest updates as shared ... risk assessment is lacking, and I thought this link would help you chart your strategy in the patch and vulnerability mgmt aspects..
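The "version tracking" and "protect the template from being tampered with" items in the list above, as an added example (not code from the thread or from any answerer): at template build time the RPM manifest of the gold image is recorded and sealed with a checksum kept outside the template (the vCenter template notes, a CMDB record); after cloning, the clone is diffed against that manifest so drift (template packages removed, downgraded or never patched) is visible before the VM is handed over, which is the "checker role" the answer assigns to vulnerability mgmt. The file paths, function names and the package lines in the usage note are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): version tracking for a "gold" template.
# Record the RPM manifest at template build time, seal it with a checksum kept
# outside the template, and diff clones against it. Paths and names assumed.

# Manifest: one "name version-release.arch" per line, sorted in the C locale
# so that join(1) below sees the ordering it expects.
record_manifest() {
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}.%{ARCH}\n' | LC_ALL=C sort -u
}

# Print one line per package that differs between BASELINE ($1) and CURRENT
# ($2), both in record_manifest format:
#   MISSING name baseline_ver               in the template, gone from the clone
#   CHANGED name baseline_ver current_ver   version differs (downgrade or patch)
#   ADDED   name current_ver                on the clone, not in the template
# join -a 1 -a 2 keeps unpaired lines from both sides; -e - fills the absent
# side's version with "-" (a real version is never just "-"), which the awk
# stage turns into the MISSING/ADDED labels.
manifest_drift() {
    LC_ALL=C join -a 1 -a 2 -e - -o 0,1.2,2.2 "$1" "$2" |
    awk '$2 == "-" { printf "ADDED %s %s\n", $1, $3; next }
         $3 == "-" { printf "MISSING %s %s\n", $1, $2; next }
         $2 != $3  { printf "CHANGED %s %s %s\n", $1, $2, $3 }' |
    LC_ALL=C sort
}

# True when CURRENT matches the BASELINE manifest exactly.
template_conformant() {
    [ -z "$(manifest_drift "$1" "$2")" ]
}

# Seal / verify the manifest. The checksum must be stored outside the template
# (template notes, CMDB), otherwise a tampered template can simply carry a
# matching manifest and checksum of its own.
seal_manifest()   { sha256sum "$1" | awk '{ print $1 }'; }
verify_manifest() { [ "$(seal_manifest "$1")" = "$2" ]; }

# Typical use (assumed paths):
#   on the template, before converting it back:
#     record_manifest > /var/lib/gold/manifest; seal_manifest /var/lib/gold/manifest  # store the hash in the template notes
#   on a fresh clone, after the first-boot patch run:
#     verify_manifest /var/lib/gold/manifest "$HASH_FROM_NOTES" || echo "manifest tampered" >&2
#     record_manifest > /tmp/current; manifest_drift /var/lib/gold/manifest /tmp/current
```

With a constructed baseline containing `openssh 5.3p1-104.el6.x86_64` and `openssl 1.0.1e-30.el6.x86_64`, and a clone where openssh has been removed, openssl is at `1.0.1e-30.el6_6.5.x86_64` and `vim-enhanced` has been added, `manifest_drift` prints an ADDED line for vim-enhanced, a CHANGED line for openssl and a MISSING line for openssh. A CHANGED line where the clone is newer than the template is the expected result of the first-boot patch run; a CHANGED line where it is older, or a MISSING line, is the drift this check is there to catch.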
