HPE Community
Operating System - Linux
1751934 Members
5002 Online
108783 Solutions
New Discussion юеВ

Re: Understanding Security Patching

 
SOLVED
Go to solution
ClaudioD'Anduono
Occasional Advisor

тАО03-31-2009 02:19 AM

тАО03-31-2009 02:19 AM

Understanding Security Patching

Hi,
I would like to verify if I understood redhat securiry patching procedure.

1) Is it true that only way to apply security patches on redhat is installing new kernel ?

2) I have to manage about 30 redhat enterprise systems of various releases (4.4, 4.6, 4.7) and I have to align all systems to last securiry patch without changing kernel release; all I have to do is to take last build of a kernel ? For example, a system has a rhel 4.6 (kernel 2.6.9-67), so I have to install last build for that kernel (2.6.9-67.0.22) that includes all security patches released till now. Is it right ?

Thank you

Claudio
0 Kudos
Reply
8 REPLIES 8
Ivan Krastev
Honored Contributor

тАО03-31-2009 02:57 AM

тАО03-31-2009 02:57 AM

Re: Understanding Security Patching

Hi Claudio,

1. You may have security pathes for sshd daemon for example, not kernel related.
2. Config up2date to install all needed patches, but exclude kernel. This will move your systems to the same patch level.

regards,
ivan
Reply
ClaudioD'Anduono
Occasional Advisor

тАО03-31-2009 04:14 AM

тАО03-31-2009 04:14 AM

Re: Understanding Security Patching

Hi Ivan,
thank you very much for your answer
When Redhat releases a new build for a kernel (for example 2.6.9-67.0.1 for kernel 2.6.9-67) it's because there is an update (example: a security update) for this kernel, not an upgrade. So, if it's critical, I have to install new kernel. Right ?

What about security patches ?
Where can I find rpms to update system packages (only for security purposes) without "jump" to another redhat release (from 4.6 to 4.7) ?

Thank you very much again
0 Kudos
Reply
ClaudioD'Anduono
Occasional Advisor

тАО03-31-2009 04:59 AM

тАО03-31-2009 04:59 AM

Re: Understanding Security Patching

Ok, I found answer to my question; all errata are available on RHN; now my problem is that systems can't connect to internet and I can't setup a RHN Proxy, so I have to group errata for OS release (4.4, 4.5, 4.6) as I can deploy them on my systems.
How can I do that ?
0 Kudos
Reply
dirk dierickx
Honored Contributor

тАО04-01-2009 12:19 AM

тАО04-01-2009 12:19 AM

Solution

Re: Understanding Security Patching

if you update you 4.4 with the latest security patches etc, it won't be 4.4 anymore.

anyway, if there is no way to connect your systems to the net (why not? as long as you block incomming you should be fine), you should put the rpm's on a internal server and point your servers to that repository to get their updates from.
Reply
Steven E. Protter
Exalted Contributor

тАО04-01-2009 01:50 AM

тАО04-01-2009 01:50 AM

Re: Understanding Security Patching

Shalom Claudio,

Sorry for the late response but I'm on the go and am sitting in a mall between appointments.

1) No. Red Hat provides security patches for critical components of the OS in rpm form, which replaces the old binaries. Many of these patches do not require a Kernel upgrade.

Take note that security fix to RHCS, Red Hat Cluster Suite that updates its kernel components often does require a kernel upgrade. Also note that many security issues are with the kernel and DO require a kernel upgrade. If you use GFS or RHCS, take care that any kernel upgrades work with those two packages in the lab.

2) Best thing to do is update them all to 4.7 stable kernel release. There may be application reasons not to do this, but its the way to go most of the time.

You can use yum and set up your own little rpm patch repository to have a central patch server and lower the amount of traffic on the Internet to and from Red Hats servers.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
ClaudioD'Anduono
Occasional Advisor

тАО04-02-2009 12:34 AM

тАО04-02-2009 12:34 AM

Re: Understanding Security Patching

Dirk, Steven,
thank you very much.
Now it's almost clear.
I can't connect systems to internet because customer has a very strict firewall policy.
I have only one other question. If I upgrade 2 systems in cluster 4.4 to 4.7, can I do a rolling upgrade ? Or have I to schedule a stop for both systems ?

Thank you very much again
0 Kudos
Reply
ClaudioD'Anduono
Occasional Advisor

тАО04-03-2009 01:52 AM

тАО04-03-2009 01:52 AM

Re: Understanding Security Patching

I have another question too.
I'm tryng to update to 4.7 copying all rpms to a local repository (/var/spool/up2date) and I would like to run up2date reading rpms from that directory, but it fails because it tries to connect to RHN and my system is not connected to internet. How can I disable RHN registration ? I tried to read up2date config file but I found nothing.

Thank you
0 Kudos
Reply
smatador
Honored Contributor

тАО04-03-2009 07:28 AM

тАО04-03-2009 07:28 AM

Re: Understanding Security Patching

Hi,
For the last questions, perhaps, you could test first with this theads, the up2date to a local directory
http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1115567
or automated system updates with /usr/bin/up2date-config for example
http://www.yolinux.com/TUTORIALS/LinuxTutorialSysAdmin.html#UP2DATE
Regards
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.