고정 헤더 영역
상세 컨텐츠
본문
In this article, we will examine Red Hat Linux Patch Management, how you can check available vulnerabilities list, security updates lists via yum and external sources, in LIVE production environment, and where you should get patches for RHEL Linux distributions. Patch management and steps to apply patch methods vary by distribution. If you’re paying for support from Red Hat or SUSE, you’re paying in part for support through their patch management systems to apply patch.What Is Security Patch?A security patch is an update to fix certain vulnerability.
It incorporates changes in source code. Security Patches are normally applied to specific software components, such as the kernel, or a service, such as vsFTP. Security patches may fix bugs, address vulnerability issues etcIdentifying security vulnerabilities listFrom time to time multiple security related vulnerabilities list are reported on Linux platform. If you’ve paid for a subscription to a Red Hat or a SUSE distribution, you can get email warnings about these vulnerabilities list and security updates lists.You can use below pages to get the globally identified vulnerabilities list and CVE (Common Vulnerabilities and Exposures) list.Now there are 1000s of security vulnerabilities list identified on a daily basis so it is not possible for anyone to check these vulnerabilities list individually and then map them to your environment. Below table shows the vulnerable kernel rpm and the one from security updates list which we should install to mitigate all the reported vulnerabilities list.Security Patch SourcesThere are several sources for security patches and upgrades. The best source is generally the upgrade repository pre configured for your distribution. However, there is often a delay when distribution developers process updates from other sources, such as the kernel, or services, such as the Apache Web server.Depending upon your support contract you can request the developers to prioritise the patch delivery timelines.
If you’re in a hurry, you can download packages from the Web site directly associated with your service. While not built for your distribution, it can help you get new features into service as quickly as possible.Now depending upon your environment you can choose for online patch source or an offline patch source. We will discuss both these topics in depth later in this article.Perform Patch Management in RHEL 6/7/8 LinuxIdeally Linux patch management refers when you have been reported with a mission critical vulnerability (since this article is all about security fixes we will consider vulnerability as our primary root cause) and customer is requesting for an immediate fix to apply patch.In such case you may deliver a small hotfix which will apply patch on all the nodes as per security updates list in customer environment.
Now this security hotfix can apply patch and security updates online as well as offline.Apply Patch OnlineTo use online linux patch management your RHEL Linux mapped with proper subscription channel to get the required security updates. If you have a substantial number of Linux computers, it may be cost effective to buy, configure, and dedicate one or more computers to the patch management task. For example, assume that you have a network of 100 computers, and linux patch management requires that each of these computers downloads 20MB per day. Downloading an additional 2GB per day, every day, can be expensive on business-level Internet connections.In RHEL 7 and 8 this can be achieved using yum-security plugin, for RHEL 6 you must install yum-plugin-security rpm manuallyOn RHEL 6. List Available Security ErratasTo list all available security erratas without installing them, run: # yum updateinfo list availableRHSA-2014:1031 Important/Sec.
389-ds-base-1.3.1.6-26.el70.x8664RHSA-2015:0416 Important/Sec. 389-ds-base-1.3.3.1-13.el7.x8664RHBA-2015:0626 bugfix 389-ds-base-1.3.3.1-15.el71.x8664RHSA-2015:0895 Important/Sec. 389-ds-base-1.3.3.1-16.el71.x8664RHBA-2015:1554 bugfix 389-ds-base-1.3.3.1-20.el71.x8664RHBA-2015:1960 bugfix 389-ds-base-1.3.3.1-23.el71.x8664RHBA-2015:2351 bugfix 389-ds-base-1.3.4.0-19.el7.x8664Security Updates ListTo list all available rpms from security updates list without installing them, run: # yum updateinfo list security allRHSA-2018:3056 Moderate/Sec. Samba-client-4.8.3-4.el7.x8664RHSA-2019:2099 Moderate/Sec.
Samba-client-4.9.1-6.el7.x8664i RHSA-2016:0006 Moderate/Sec. Samba-client-libs-4.2.3-11.el72.x8664i RHSA-2016:0448 Moderate/Sec. Samba-client-libs-4.2.3-12.el72.x8664i RHSA-2016:0612 Critical/Sec. Samba-client-libs-4.2.10-6.el72.x8664 # yum updateinfo list seci RHSA-2014:0678 Important/Sec. Kernel-3.10.0-123.1.2.el7.x8664i RHSA-2014:0786 Important/Sec. Kernel-3.10.0-123.4.2.el7.x8664i RHSA-2014:0923 Important/Sec.
Kernel-3.10.0-123.4.4.el7.x8664i RHSA-2014:1023 Important/Sec. Kernel-3.10.0-123.6.3.el7.x8664i RHSA-2014:1281 Moderate/Sec. Kernel-3.10.0-123.8.1.el7.x8664To get a list of rpms from the currently installed security updates list this command can be used: # yum updateinfo list security installedRHSA-2014:0678 Important/Sec. Kernel-3.10.0-123.1.2.el7.x8664RHSA-2014:0786 Important/Sec.
Kernel-3.10.0-123.4.2.el7.x8664RHSA-2014:0923 Important/Sec. Kernel-3.10.0-123.4.4.el7.x8664RHSA-2014:1023 Important/Sec. Such configuration requires you to have fast physical servers with good CPU, memory speed and most importantly large storage device to store all these security updates.
How To Check Current Patch Level In Solaris 10
Create a security hotfix with all the packages. This hotfix will contain scripts to and update the packages locally on individual nodes. With this you do not need access to external network in your production environment and is the most secure method to perform patch management and apply security hotfix.Steps to create offline security hotfixBased on Nessus scan report you will get the list of CVE or vulnerabilities list which are impacting your Linux node. So you can which fixes the respective CVE as explained underPlace all the rpms from security updates list under one location on any Linux node, for example in our case we will keep all the rpms under /tmp/rhelsecurityupdates # mkdir /tmp/rhelsecurityupdatesNext once you have the list of rpms which you need to download, you can then and keep it under the same path to apply patch.Next execute createrepo as shown below # cd /tmp/rhelsecurityupdates# createrepo.This will create the necessary repodata files required toNow our repo directory is ready to apply patch offline (security hotfix). You can create a script which can now do the below list of tasks.
Create repo file required to create a repo on individual node. A sample content is placed belowrhel74updatesname=rhel74updatesbaseurl=file:///tmp/rhelsecurityupdatesgpgcheck=1enabled=1gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release. Update all the rpms using ( yum update -y). Verify if the update was successfulPerform Rollback or Fallback after applying security hotfixNow it is very important that in production environment you have an option available to rollback or fallback. So after you apply patch, to fallback or rollback to the older working state of your RHEL Linux host you must know the last state.Here I mean that assuming the existing (before you apply patch or security hotfix) your RHEL system had 500 rpms then after fallback it is expected that you return the system to same set with 500 rpms. Now before applying security hotfix I had below list of kernel rpms so after fallback also I should have same set of rpms # rpm -qa grep kernelkernel-tools-libs-3.10.0-957.21.3.el7.x8664kernel-3.10.0-957.21.3.el7.x8664kernel-tools-3.10.0-957.21.3.el7.x8664This is really tricky to handle because with every security update you install on your RHEL Linux host, there are a number of dependencies and additional rpms which gets installed.Now for example I wish to update samba-common rpm due to some vulnerability. Currently my RHEL system has samba-common-4.8.3-4.el7.noarch # rpm -qa grep sambasamba-common-libs-4.8.3-4.el7.x8664samba-common-4.8.3-4.el7.noarchsamba-client-libs-4.8.3-4.el7.x8664While there is a security update available with samba-common-4.9.1-6.el7.noarch # yum updateinfo list sec grep sambaRHSA-2019:2099 Moderate/Sec.
Samba-client-libs-4.9.1-6.el7.x8664RHSA-2019:2099 Moderate/Sec. Samba-common-4.9.1-6.el7.noarchRHSA-2019:2099 Moderate/Sec.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features.
Registration is quick, simple and absolutely free. Today!Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.Are you new to LinuxQuestions.org? Visit the following links: If you have any problems with the registration process or your account login, please. If you need to reset your password,.Having a problem logging in?
Please visit to clear all LQ-related cookies. Introduction to Linux - A Hands on GuideThis guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration.
This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.to receive this Complete Guide absolutely free.
