Equivalent of WSUS for Solaris, AIX and Cisco devices

sunhux
There have been patches that were missed & lapses in timely patching for non-Windows platforms. I noticed Wintel was quite up to the mark on patching & I reckon this is due to patch management automation using WSUS: patches (for both functional fixes as well as security patches) are downloaded early.

Q1:
I heard Red Hat Satellite (for patching automation like WSUS) can be used on Solaris besides Linux. Are there any equivalent products for AIX & Cisco devices (routers, switches)?

Q2:
Does WSUS assess whether a particular MS patch is relevant or applicable to each server/endpoint prior to deployment? I mean, if a piece of software, e.g. MS Access, is running on that server/endpoint, then only patches for MS Access will be deployed to that server, & it checks that the version of MS Access is applicable for the patches that are released?
Distinguished Expert 2018
Commented:
Q1) IBM BigFix Patch (costly option) comes to mind for AIX and Solaris systems, granted you could use it for Windows as well if you wanted. As far as Cisco goes, I think that Cisco Prime might be as close as you'll get. As far as free options for Solaris go, you *could* look at Patch Check Advanced, which obviously Oracle does not support in any way. Satellite is more Linux-focused in nature (Red Hat products and RPM packages).
Q2) WSUS itself simply looks for patches for the products you allow it to. However, each system when it grabs allowed updates from the WSUS server assesses whether it needs a given set of patches or not (i.e. if a Windows PC knows it doesn't have MS Office on it, then it would not install the patch). You can group computers together so that you can approve updates for one set of machines, but not another.

Author

Commented:
"IBM BigFix Patch" sounds good for our hundreds of AIX+Solaris environment (while we have less than 10 Linux only):
what is the cost like? By number of endpoints, or just one cost for the whole site regardless of the number of endpoints it's managing?

Author

Commented:
To use PCA, I'll need to permit firewall rules from each of our Solaris servers out to the Internet on TCP 80 (or which other ports)? I have a security concern, especially for our servers that are not in the DMZ.

Does PCA check against the Oracle site (to check if our patches are outdated) & get the patches from Oracle or some other non-Oracle site?

Author

Commented:
I guess PCA is like Linux yum but not a central tool like WSUS, is this right?
Distinguished Expert 2018
Commented:
I would assume that the number of workstations and servers comes into play for BigFix. IBM isn't necessarily known for simple (or inexpensive) pricing, so I would check with them or a consulting firm that deals with IBM products to get an answer on that one. But if you decide to get BigFix for your AIX systems, you might as well leverage it for Solaris and Windows as well (unless you have a business reason not to). The fewer tools that are able to cover more of your business needs, the better, right?

As far as PCA, it apparently does a check against a file from Oracle. Now whether that file is still out there for it to work still might be a different story. Plus PCA was last updated in 2015 (doesn't mean it no longer works though). But I'd still go with BigFix over this. However, I wanted to see if there would at least be a tool out there that was free.

Question: How are you handling Windows patches now? WSUS, or are you using something more like SCCM?

Author

Commented:
We use WSUS for Windows servers & SCCM for PCs/laptops.

Author

Commented:
If IBM BigFix Patch is charged by endpoints, I would start gradually with a few AIX & Solaris first as a pilot to see how well it goes, as our biggest audit gap now is with these platforms, not Wintel (I presume the Wintel guys cope well with WSUS, SCCM & MS Desktop Central).

Author

Commented:
Besides the UNIX OS/kernel, even utilities like ssh client+server, sudo, Heartbleed & any CVEs related to UNIX & its tools need to be patched, so I am hoping PCA can give us a 'healthcheck' report for a start, or can it?
Distinguished Expert 2018

Commented:
As far as Windows, I would leave that alone. Even though I do find it interesting that there is both SCCM and WSUS. As long as things are being handled well no need to rush to fix it.

I don't think that PCA is going to be the ideal tool for you to be honest. You would be better off with a properly supported product.

Author

Commented:
I just wanted to get PCA to see if it will give us a 'health-check' report or a listing of the patches that were missed.

Is the properly supported tool you have in mind BigFix?
Distinguished Expert 2018

Commented:
Based on what's out there, I'd probably say it's your best bet. Especially with such a large number of systems (both AIX and Solaris), you appear to have the challenge of both knowing the health of the systems AND actually patching them (granted if you don't know the health, how do you know what to patch). At least BigFix should allow for both.
