Re: Understanding Security Patching
03-31-2009 02:19 AM
I would like to verify if I understood the Red Hat security patching procedure.
1) Is it true that the only way to apply security patches on Red Hat is installing a new kernel?
2) I have to manage about 30 Red Hat Enterprise systems of various releases (4.4, 4.6, 4.7) and I have to align all systems to the last security patch without changing the kernel release; is all I have to do to take the last build of a kernel? For example, a system has RHEL 4.6 (kernel 2.6.9-67), so I have to install the last build for that kernel (2.6.9-67.0.22), which includes all security patches released till now. Is that right?
Thank you
Claudio
03-31-2009 02:57 AM
Re: Understanding Security Patching
1. You may have security patches for the sshd daemon, for example, not kernel related.
2. Configure up2date to install all needed patches, but exclude the kernel. This will move your systems to the same patch level.
regards,
ivan
03-31-2009 04:14 AM
Re: Understanding Security Patching
Thank you very much for your answer.
When Red Hat releases a new build for a kernel (for example 2.6.9-67.0.1 for kernel 2.6.9-67), it's because there is an update (example: a security update) for this kernel, not an upgrade. So, if it's critical, I have to install the new kernel. Right?
What about security patches?
Where can I find RPMs to update system packages (only for security purposes) without "jumping" to another Red Hat release (from 4.6 to 4.7)?
Thank you very much again
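
One way to check a fleet against the rule discussed above: stay on the installed kernel's base build (such as 2.6.9-67) and move to its latest errata build (such as 2.6.9-67.0.22). This is an added example, not part of any post in the thread; the host names, the repository contents, the other build numbers and the `kernel-<version>-<release>.EL` package naming are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Hosts and most build numbers are constructed; only
# 2.6.9-67, 2.6.9-67.0.1 and 2.6.9-67.0.22 come from the thread.
# "host package" pairs as collected with `rpm -q kernel` (constructed).
INVENTORY='db01 kernel-2.6.9-67.EL
db02 kernel-2.6.9-67.0.1.EL
app01 kernel-2.6.9-67.0.22.EL
app02 kernel-2.6.9-42.0.3.EL'

# Kernel builds available in the internal repository (constructed).
REPO='kernel-2.6.9-42.0.3.EL
kernel-2.6.9-42.0.10.EL
kernel-2.6.9-67.0.1.EL
kernel-2.6.9-67.0.22.EL'

# Print "host package status" for every inventory line.
audit_kernels() {   # $1 = repository list, $2 = inventory
    { printf '%s\n' "$1" | sed 's/^/R /'
      printf '%s\n' "$2" | sed 's/^/H /'; } | awk '
    # Split kernel-2.6.9-67.0.22.EL into BASE=2.6.9-67 and ERR=0.22.
    function parse(pkg,   v, rel, dot) {
        v = pkg; sub(/^kernel-/, "", v); sub(/\.EL$/, "", v)
        rel = v; sub(/^[^-]*-/, "", rel)
        dot = index(rel, "."); ERR = ""
        if (dot) { ERR = substr(rel, dot + 1); rel = substr(rel, 1, dot - 1) }
        BASE = substr(v, 1, index(v, "-")) rel
    }
    # 1 if errata suffix a is newer than b; fields compare as numbers,
    # so 0.10 is newer than 0.3 (a plain string sort gets this wrong).
    function newer(a, b,   x, y, na, nb, i) {
        na = split(a, x, "."); nb = split(b, y, ".")
        for (i = 1; i <= na || i <= nb; i++)
            if (x[i] + 0 != y[i] + 0) return (x[i] + 0 > y[i] + 0)
        return 0
    }
    $1 == "R" {   # repository line: remember the newest build per base
        parse($2)
        if (!(BASE in best) || newer(ERR, err[BASE])) { best[BASE] = $2; err[BASE] = ERR }
        next
    }
    {             # host line: compare its build with the newest for its base
        parse($3)
        if (!(BASE in best))            s = "NO-BUILD-IN-REPO"
        else if (newer(err[BASE], ERR)) s = "BEHIND -> " best[BASE]
        else                            s = "CURRENT"
        print $2, $3, s
    }'
}
audit_kernels "$REPO" "$INVENTORY"
```

A host reported as BEHIND is still missing kernel security errata for its own base build, which is exactly what excluding the kernel from automatic updates leaves unpatched.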
03-31-2009 04:59 AM
Re: Understanding Security Patching
How can I do that?
04-01-2009 12:19 AM
Solution
Anyway, if there is no way to connect your systems to the net (why not? as long as you block incoming you should be fine), you should put the RPMs on an internal server and point your servers to that repository to get their updates from.
04-01-2009 01:50 AM
Re: Understanding Security Patching
Sorry for the late response but I'm on the go and am sitting in a mall between appointments.
1) No. Red Hat provides security patches for critical components of the OS in rpm form, which replace the old binaries. Many of these patches do not require a kernel upgrade.
Take note that a security fix to RHCS (Red Hat Cluster Suite) that updates its kernel components often does require a kernel upgrade. Also note that many security issues are with the kernel and DO require a kernel upgrade. If you use GFS or RHCS, take care that any kernel upgrades work with those two packages in the lab.
2) Best thing to do is update them all to the 4.7 stable kernel release. There may be application reasons not to do this, but it's the way to go most of the time.
You can use yum and set up your own little rpm patch repository to have a central patch server and lower the amount of traffic on the Internet to and from Red Hat's servers.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
04-02-2009 12:34 AM
Re: Understanding Security Patching
Thank you very much.
Now it's almost clear.
I can't connect the systems to the internet because the customer has a very strict firewall policy.
I have only one other question. If I upgrade 2 systems in a cluster from 4.4 to 4.7, can I do a rolling upgrade? Or do I have to schedule a stop for both systems?
Thank you very much again
04-03-2009 01:52 AM
Re: Understanding Security Patching
I'm trying to update to 4.7 by copying all RPMs to a local repository (/var/spool/up2date) and I would like to run up2date reading RPMs from that directory, but it fails because it tries to connect to RHN and my system is not connected to the internet. How can I disable RHN registration? I tried to read the up2date config file but I found nothing.
Thank you
04-03-2009 07:28 AM
Re: Understanding Security Patching
For the last questions, perhaps you could test first with this thread, the up2date to a local directory
http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1115567
or automated system updates with /usr/bin/up2date-config for example
http://www.yolinux.com/TUTORIALS/LinuxTutorialSysAdmin.html#UP2DATE
Regards