Ways to catch up with cumulative OS security patches for newly provisioned VMs / servers

Almost daily we have new VMs being provisioned, and as we know MS, Red Hat
& Oracle release patches. It is not feasible for us to keep updating the template
with these patches (that may go back up to 3 years, i.e. from the time MS, Red Hat
& Oracle first released patches for a specific platform, say Win2008 R2; it could be
as long as four years back).

Are the monthly MS security patches cumulative? I think they're not.
So how do we 'catch up' with all these patches?
Also, RHEL OpenSSL & OpenSSH updates, just to name a few.
What are the best ways out there that people catch up with such
patches & updates?

Is there any way we can continually update our VM templates?
(We have 3 sets of RHEL 5/6 templates, 3 Solaris x86 templates,
3 SUSE Linux templates & 3 Win 2008 R2 templates: 3 because we have 3
different sets of vCenters in separate networks.)

Do tools like Secunia help to keep such patches/updates
up to date? We don't have WSUS, but I guess all the cumulative
patches stored in WSUS can be pushed down to new VMs to
keep them up to date, is this right?
What about Solaris & Linux?
btan (Exec Consultant) commented:
This is why a scanning regime and health checks with patch management and vulnerability management systems are in place to ensure this. WSUS is supposed to help roll out the patches, but most of the time domain enterprise servers/clients are not connected directly to the internet, hence it is an offline push-down via SCCM or SCOM. VM images also need to take up the same update regime (not focusing only on the host). There are MS cumulative patches per se, but not necessarily applicable for all OS.

For virtual images it is tricky, as they can be offline even if you want to push a patch. For the VMware case there is vSphere Update Manager: http://www.vmware.com/products/vsphere/features/update-manager

You may want to check out WSUS Offline Update to build up cumulative patches manually and roll them out: http://www.wsusoffline.net/docs/

For assessment, the fundamental tools like MBSA, MS Security Compliance and the Secunia checker are applicable, but to scale enterprise-wide, patch management and vulnerability management systems are an area to explore further to keep patches up to date at the earliest time.
David Johnson, CD, MVP (Owner) commented:
"Not feasible for us to keep updating the template with these patches (that may be up to 3 years ago ie from the time MS, Redhat & oracle first release patches for specific platform"

Why is that? On the Microsoft front, SCVMM can update templates and VMs; you just need 2 instances, of which 1 is an update server. This saves time and also saves having machines that are vulnerable.
Performing Update Remediation in VMM

Create Update Baselines and check for conformance
gheist commented:
MS patches mention if they replace a previous patch. WSUS is the easiest way to manage them.
RHEL: yum-cron can be made to download security patches and send out an e-mail when they are downloaded.
I doubt it is easily "provisioned", as you need to register every system.

Yes, you convert them to a VM, update, and convert back. I actually keep templates as powered-off VMs. You get more or less the same settings asked when cloning a VM.

You need WSUS for Windows.
Linux: learn Anaconda scripting. You have the chance to run "yum upgrade" on first start or at the end of the install.
Solaris: depends on the version, but again, if you build sufficient netboot infrastructure you can push patches down its throat.

What I want to emphasize: it is quite impractical to provision Linux or Solaris, as they have their own very mature provisioning infrastructures. That holds true even if you have a desktop admin in house to help you dig through syspreps.
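A first-boot catch-up hook for a RHEL 5/6 template clone, in the spirit of gheist's "yum upgrade on first start" suggestion. This is an added example, not code from the thread: the log and marker paths, the FIRSTBOOT_RUN and PATCH_MODE variables, and the assumptions that the clone can reach a yum repository (or satellite mirror), that yum-plugin-security is installed for the --security option, and that sort supports -V (GNU coreutils 7+) are mine.

```shell
#!/bin/sh
# First-boot patch catch-up for a freshly cloned RHEL VM (added example, not from the thread).
# Intended to be dropped into the template by a kickstart %post and called once from rc.local:
#   FIRSTBOOT_RUN=1 PATCH_MODE=security /usr/local/sbin/firstboot-patch.sh
LOG=/var/log/firstboot-patch.log          # assumed log path
MARKER=/var/lib/firstboot-patch.done      # assumed marker so the catch-up runs only once

# Map a patch mode to yum arguments. "security" relies on yum-plugin-security
# (RHEL 5/6); "all" brings the clone fully up to the repository's current state.
yum_args() {
    case "$1" in
        security) echo "-y --security update" ;;
        all)      echo "-y update" ;;
        *)        return 1 ;;
    esac
}

# Report whether a reboot is pending: the running kernel is not the newest
# installed kernel package. Arguments: running version, then "rpm -q kernel"
# output, so the check can be exercised without touching the live system.
needs_reboot() {
    running="$1"; shift
    newest=$(printf '%s\n' "$@" | sed 's/^kernel-//' | sort -V | tail -n 1)
    [ "$newest" != "$running" ]
}

# Entry point: only acts when explicitly armed and not already completed,
# so sourcing or testing the script never runs yum.
if [ "${FIRSTBOOT_RUN:-0}" = "1" ] && [ ! -f "$MARKER" ]; then
    args=$(yum_args "${PATCH_MODE:-all}") || { echo "bad PATCH_MODE" >>"$LOG"; exit 2; }
    echo "$(date) first-boot catch-up started (mode ${PATCH_MODE:-all})" >>"$LOG"
    # shellcheck disable=SC2086  # word splitting of $args is intended
    if yum $args >>"$LOG" 2>&1; then
        touch "$MARKER"
        echo "$(date) catch-up finished" >>"$LOG"
    else
        echo "$(date) yum failed; catch-up will retry on next boot" >>"$LOG"
        exit 1
    fi
    # shellcheck disable=SC2046
    if needs_reboot "$(uname -r)" $(rpm -q kernel); then
        echo "$(date) new kernel installed, rebooting" >>"$LOG"
        /sbin/shutdown -r now
    fi
fi
```

Run once per clone; the marker file prevents a second pass, and a failed yum run leaves it unset so the next boot retries.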
btan (Exec Consultant) commented:
Just to clarify, the patch catch-up is also part and parcel of patch management.

Timely patching is viable if the systems are connected to the internet, but as shared, that is mostly not possible for enterprises. Patch management is the means to the end, as eventually the patches need to be verified that the rollout is done and indeed updated; hence vulnerability management kicks in to do the checker role.

For virtual images running a guest OS, they should be treated no differently from host OS or physical-machine OS patching and vulnerability management. The key oversight is to constantly review the virtual machine templates and review the:
- Antivirus software, and keep it up to date
- Latest operating system patches, and stay current with the latest releases
- Version tracking and related notes pertaining to the template
- Segregated LAN for updating the template (treat it like a management and admin task instead of a production data segment)
- Safeguards to protect the template from being tampered with, and name it accordingly as the "Gold image" for the various production versions, esp. different OS types etc.

More info on Update Manager:
"To deploy groups of patches you will create Baselines which allow you to bundle patches together for installation. Hosts will then be scanned against a baseline and can install those updates which they require. Baselines can be of two types; either Fixed or Dynamic. Use Fixed Baselines when you wish to manually specify a patch or list of patches to be scanned against; this will not change when new patches are downloaded to the repository, unless the administrator amends the Baseline. Dynamic Baselines are based on specific criteria such as containing particular text or falling within a date range; these will be dynamically updated if newly downloaded patches meet the criteria."
- https://www.simple-talk.com/sysadmin/virtualization/using-vmware-vcenter-update-manager-to-keep-your-vsphere-hosts-up-to-date-with-patching/

Separately, instead of reviewing tools on the latest updates as shared ... risk assessment is lacking, and I thought this link would help you chart your strategy in the patch and vulnerability management aspects..