Understanding Security Patching

 
Occasional Advisor


Hi,
I would like to verify that I understood the Red Hat security patching procedure.

1) Is it true that the only way to apply security patches on Red Hat is installing a new kernel?

2) I have to manage about 30 Red Hat Enterprise systems of various releases (4.4, 4.6, 4.7) and I have to align all systems to the last security patch without changing the kernel release; all I have to do is take the last build of a kernel? For example, a system has RHEL 4.6 (kernel 2.6.9-67), so I have to install the last build for that kernel (2.6.9-67.0.22) that includes all security patches released till now. Is it right?

Thank you

Claudio
Honored Contributor

Re: Understanding Security Patching

Hi Claudio,

1. You may have security patches for the sshd daemon, for example, that are not kernel related.
2. Configure up2date to install all needed patches, but exclude the kernel. This will move your systems to the same patch level.

regards,
ivan
Occasional Advisor

Re: Understanding Security Patching

Hi Ivan,
thank you very much for your answer.
When Red Hat releases a new build for a kernel (for example 2.6.9-67.0.1 for kernel 2.6.9-67) it's because there is an update (for example a security update) for this kernel, not an upgrade. So, if it's critical, I have to install the new kernel. Right?

What about security patches?
Where can I find RPMs to update system packages (only for security purposes) without "jumping" to another Red Hat release (from 4.6 to 4.7)?

Thank you very much again
Occasional Advisor

Re: Understanding Security Patching

Ok, I found the answer to my question; all errata are available on RHN. Now my problem is that the systems can't connect to the internet and I can't set up an RHN Proxy, so I have to group errata by OS release (4.4, 4.5, 4.6) so I can deploy them on my systems.
How can I do that?
Honored Contributor
Solution

Re: Understanding Security Patching

If you update your 4.4 with the latest security patches etc., it won't be 4.4 anymore.

Anyway, if there is no way to connect your systems to the net (why not? as long as you block incoming you should be fine), you should put the RPMs on an internal server and point your servers to that repository to get their updates from.
Exalted Contributor

Re: Understanding Security Patching

Shalom Claudio,

Sorry for the late response but I'm on the go and am sitting in a mall between appointments.

1) No. Red Hat provides security patches for critical components of the OS in RPM form, which replace the old binaries. Many of these patches do not require a kernel upgrade.

Take note that a security fix to RHCS, Red Hat Cluster Suite, that updates its kernel components often does require a kernel upgrade. Also note that many security issues are with the kernel and DO require a kernel upgrade. If you use GFS or RHCS, take care that any kernel upgrades work with those two packages in the lab.

2) The best thing to do is update them all to the 4.7 stable kernel release. There may be application reasons not to do this, but it's the way to go most of the time.

You can use yum and set up your own little RPM patch repository to have a central patch server and lower the amount of traffic on the Internet to and from Red Hat's servers.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
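Dirk's suggestion (stage the RPMs on an internal server and point the clients at it) and Steven's (a central yum patch repository), combined with Ivan's advice to keep the kernel out of routine update runs, as an added example script that is not part of this thread and not a Red Hat tool. It assumes a staging directory /srv/errata/<release> on the internal server, the hostname patches.example.internal, one repo name per release, the GPG key path /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release, and that createrepo is installed on the server. The point from a defender's side is that mirroring internally must not turn off signature verification: the generated repo definition keeps gpgcheck=1 so each client still checks Red Hat's signature on every package, and the server refuses to publish a directory if rpm -K cannot verify any RPM in it.

```sh
#!/bin/sh
# Added example (not from the thread): stage Red Hat errata RPMs on an internal
# server and generate the yum repo definition that clients use to pull them.
# Assumed values: /srv/errata/<release>, patches.example.internal and the
# GPG key path below; adjust them to the real environment.

STAGE_ROOT=/srv/errata
MIRROR_URL=http://patches.example.internal/errata
GPG_KEY=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

# Drop kernel packages from a list of RPM file names read on stdin, so that a
# routine "update everything" run never swaps the kernel; kernel errata are
# then applied as a separate, scheduled step (same effect as yum's exclude=kernel*).
filter_kernel() {
    awk '!/^kernel/'
}

# Refuse to publish a directory if any RPM in it fails signature verification.
# rpm -K exits non-zero for a package whose signature cannot be verified
# (bad signature, or the signing key was never imported into the rpm database).
verify_rpms() {
    dir="$1"
    status=0
    for f in "$dir"/*.rpm; do
        [ -e "$f" ] || continue
        if ! rpm -K "$f" >/dev/null 2>&1; then
            echo "signature check failed: $f" >&2
            status=1
        fi
    done
    return $status
}

# Build the yum metadata for one release directory (run on the server).
build_repo() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    verify_rpms "$dir" || return 1
    createrepo "$dir"
}

# Print a yum repo definition for one release. gpgcheck=1 keeps signature
# verification on even though the packages come from our own server;
# exclude=kernel* (third argument "yes") keeps kernel updates out of routine runs.
repo_conf() {
    name="$1"; baseurl="$2"; exclude_kernel="$3"
    printf '[%s]\n' "$name"
    printf 'name=Internal errata mirror (%s)\n' "$name"
    printf 'baseurl=%s\n' "$baseurl"
    printf 'enabled=1\n'
    printf 'gpgcheck=1\n'
    printf 'gpgkey=%s\n' "$GPG_KEY"
    if [ "$exclude_kernel" = yes ]; then
        printf 'exclude=kernel*\n'
    fi
}

# Usage on the server:  ./stage-errata.sh publish 4.6
# Usage on a client:    ./stage-errata.sh client 4.6 > /etc/yum.repos.d/errata.repo
case "${1:-}" in
    publish) build_repo "$STAGE_ROOT/$2" ;;
    client)  repo_conf "rhel$2-errata" "$MIRROR_URL/$2" yes ;;
esac
```

One directory per release (4.4, 4.6, 4.7) keeps each group of errata separate, which is what the earlier question about grouping by OS release asked for; a client only ever sees the tree for its own release. Kernel errata still have to be applied, just on a planned schedule (and, for the RHCS/GFS systems Steven mentions, after testing in the lab), which is why the exclusion is a per-repo switch rather than permanent.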
Occasional Advisor

Re: Understanding Security Patching

Dirk, Steven,
thank you very much.
Now it's almost clear.
I can't connect systems to internet because customer has a very strict firewall policy.
I have only one other question. If I upgrade 2 systems in a 4.4 cluster to 4.7, can I do a rolling upgrade? Or do I have to schedule a stop for both systems?

Thank you very much again
Occasional Advisor

Re: Understanding Security Patching

I have another question too.
I'm trying to update to 4.7 by copying all RPMs to a local repository (/var/spool/up2date) and I would like to run up2date reading RPMs from that directory, but it fails because it tries to connect to RHN and my system is not connected to the internet. How can I disable RHN registration? I tried to read the up2date config file but I found nothing.

Thank you
Honored Contributor

Re: Understanding Security Patching

Hi,
For the last questions, perhaps you could test first with these threads, the up2date to a local directory
http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1115567
or automated system updates with /usr/bin/up2date-config, for example
http://www.yolinux.com/TUTORIALS/LinuxTutorialSysAdmin.html#UP2DATE
Regards