The Linux patch management challenge

Summary: Vulnerability management is a service, not software, and one well worth paying for.

TOPICS: Open Source

My post yesterday (and your kind Talkbacks to it) points out a basic issue: the challenge of managing patches on Linux systems.

There are several good software systems out there, for both Linux and heterogeneous networks. But a sound process has three steps, and good software only solves the last one, implementing patches.

You also have to find the vulnerabilities and, before anything gets rolled out, fix and test them.

"Commercial" Linux vendors like Red Hat (discussed yesterday) and Novell earn their money by offering a complete service -- find it, fix it, help you patch it.

GPL folks are often on their own. But there is no need for this. Vulnerability management is a service, not software, and one well worth paying for.

Tenable, which manages the Nessus security scanner project, offers a GPL feed of plugins, the checks the scanner runs to find vulnerabilities. A scanner covers the first step only: it finds the holes, it does not patch them. So if you have an installation of any scale, patch management built around Nessus is going to be a full-time job, and as you scale further, you may find yourself building an expensive department.
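The last step, rolling patches out, is the one that can actually be scripted, and even there the script has to respect the middle step. As an added illustration (example code, not from the original post or from any vendor), here is a small triage of what `apt-get -s dist-upgrade` would do on a Debian host: security fixes are separated from routine upgrades, and packages a local application is known to depend on are held until regression testing clears them. The simulated apt output and the hold list are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: triage what `apt-get -s dist-upgrade`
# would do on a Debian host into security fixes, routine upgrades, and packages
# held back pending regression testing. Runs offline against a constructed sample.

# Constructed sample of `apt-get -s dist-upgrade` output (Debian 3.1 "sarge").
# On a real host replace it with:  SAMPLE=$(apt-get -s dist-upgrade)
SAMPLE='Reading Package Lists...
Building Dependency Tree...
Inst libssl0.9.7 [0.9.7e-3] (0.9.7e-3sarge1 Debian-Security:3.1/stable)
Inst openssh-server [1:3.8.1p1-8.sarge.4] (1:3.8.1p1-8.sarge.6 Debian-Security:3.1/stable)
Inst apache2-common [2.0.54-5] (2.0.54-5sarge1 Debian-Security:3.1/stable)
Inst tzdata [2005m-1] (2005n-1 Debian:3.1/stable)
Conf libssl0.9.7 (0.9.7e-3sarge1 Debian-Security:3.1/stable)
Conf openssh-server (1:3.8.1p1-8.sarge.6 Debian-Security:3.1/stable)
Conf apache2-common (2.0.54-5sarge1 Debian-Security:3.1/stable)
Conf tzdata (2005n-1 Debian:3.1/stable)'

# Hypothetical hold list: packages a local application (say, the timecard
# system) has only been qualified against. They are reported, not upgraded,
# until the regression run passes.
HOLD='apache2-common'

# triage SAMPLE HOLD
# Prints one line per pending upgrade: <class> <package> <old> <new>
# where class is "security" (origin Debian-Security), "routine", or "HELD".
triage() {
    printf '%s\n' "$1" | awk -v hold="$2" '
    BEGIN { n = split(hold, h, " "); for (i = 1; i <= n; i++) held[h[i]] = 1 }
    $1 == "Inst" {
        pkg = $2
        old = $3; sub(/^\[/, "", old); sub(/\]$/, "", old)
        new = $4; sub(/^\(/, "", new)
        class = ($0 ~ /Debian-Security/) ? "security" : "routine"
        if (pkg in held) class = "HELD"
        print class, pkg, old, new
    }'
}

# apply_list SAMPLE HOLD
# Package names that are safe to push now: security fixes that are not on hold.
# Feeding these to `apt-get install` (which upgrades an already installed
# package) instead of a blanket dist-upgrade keeps routine and held changes
# waiting for the test cycle.
apply_list() {
    triage "$1" "$2" | awk '$1 == "security" { print $2 }'
}

# Stand-alone run: show the triage and the install command that would follow.
triage "$SAMPLE" "$HOLD"
pkgs=$(apply_list "$SAMPLE" "$HOLD" | tr '\n' ' ')
echo "would run: apt-get install $pkgs"
```

Against the constructed sample this reports two security fixes ready to go, one routine upgrade, and apache2-common held back even though it is a security update; that last line is the point of the middle step, a security fix that still needs a regression run before it touches the box the timecard application lives on.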

Is this a problem?

Yes. But I think it's also an opportunity. Someone who automates the whole vulnerability management process, and who supports GPL software, is going to make a lot of money.

Or is someone already doing so?

  • challenge?

    How hard is it to occasionally run a system update (apt-get, yum, or whatever you prefer) and subscribe to the announcement lists of any software you use that didn't come from a repository?
    • Very easy

      and it's splendid until the day that an update breaks your employee timewriting application.

      Yes, it happens. Usually just before the deadline for timecards to make the next payroll.
      Yagotta B. Kidding
    • Very easy...

      ...for a small number of systems. But when you get into hundreds/thousands of machines, all with different apps/OS versions, it becomes not so easy.
  • Watch that middle step

    The ugliest part of *any* patch management process is the qualification (regression testing) stage.

    It really doesn't matter whether you run Linux, Solaris, or MS-Windows. It doesn't matter whether you subscribe to some support service or not, either. Whatever the exact odds, the prospect exists that some patch will take down a critical business process and then you are royally *hosed.*

    Running a platform that is supported by (for instance) Red Hat does make things simpler. It means that the patches won't take down the core system, and that may be enough for some of your users. Running hosted apps helps, too, since you can isolate the service or rewind it from a single point. However, just about every enterprise is up against *some* third-party application that isn't covered by Red Hat's regression testing and at that point you're on your own.

    Speaking from personal experience, regression testing sucks. Frequent regression testing sucks bricks. Frequent regression testing of *combinations* of applications sucks moldy bricks from 17th-century sewers.

    Now, if someone wants to qualify for short-term IT sainthood ....
    Yagotta B. Kidding
  • The Linux patch management challenge

    When the whole operating system is made up of nothing but patches you'd think they would have patch management perfected. That couldn't be farther from the truth.
    Loverock Davidson
  • Patching is a nightmare!

    Patching is a nightmare on both Linux and Unix. Unless they redesign the whole system, it will take away lots of human maintenance time. This cost me far, far, far more than Windows systems. So I no longer upgrade old Linux systems. It's simply not worth it. I think many of those are just busy spinning anti-other s/w, but fail to see the better side of them and improve theirs.

    By the way, who can expect such effort from part-time developers?

    • Depends on your regression testing

      apt-get update; apt-get dist-upgrade, not exactly a difficult mechanism to patch with, right on par with Windows patching.

      The problem is testing to make sure your custom stuff isn't broken, and that's independent of OS, it's a generic change control problem.
    • They aren't even comparable!

      Windows is WAY harder to upgrade/patch than many of the current Linux distros. You need to keep track of, hunt down, download, and reinstall most of the apps you installed on your system. In sharp contrast, most distros do all these tasks for you. In fact it is so hard on Windows, people usually don't do that. Instead they just reinstall the whole thing when something goes wrong.

      Of course no system is perfect, and it isn't at all surprising that people run into compile and dependency problems when you are dealing with over a hundred small programs. As for me, most of the time, it (Gentoo) just works.
      • I assume you don't use Windows XP often

        On Windows XP, everything is automatic for you. You don't even bother to do anything. It checks for new updates and updates according to your settings. With Linux, you have to download patches and check dependencies (which is a nightmare) and recompile, blah, blah, blah..... That goes on. The cheaper alternative is to reinstall with new CDs. This cost me far, far more than I paid for the Windows OEM license!
        • Umm... Not what he said.

          What he was saying was, Microsoft Autoupdate only updates Microsoft products, whereas YaST, urpmi, Portage, yum, apt and the other Linux package managers update every piece of software on the system. You have to hunt down updates to non-Microsoft software on Windows, but all updates are in the same place on Linux.

          Makes some things easier, some things harder...
        • Safe to assume you don't use a modern Linux Distro

          In Gentoo (the distro he specified), dependencies are automatically checked and installed/updated via Portage. 'emerge --sync ; emerge --update --deep world' is all you need to do to update your system. If you're running bleeding-edge apps (those still masked), you may have to do more, but that's the risk you take.

          The larger point is that MS Update (even the new one that does Office too) can only do MS stuff. If you run, for instance, FF or OOo, you're on your own on an XP box.
          Real World
  • I don't know,

    It's really not a problem to patch and update Linux. I used to have to recompile the Kernel back in the day. Now it's just yum update. I do have a nice gui for yum too!

    I have never had to bring a system down. I would however like to see things become a little easier for the newbies. But it's really a piece of cake anymore. My systems are automated too. I get updated while I'm working in other applications.

    In fact, I think a lot of people are going to be surprised at how much easier Linux will be to use, update, and manage. Get ready! :)
  • It's already been done, and they make a ton of money too

    If you still haven't figured out the answer, it's Microsoft.
  • Linux patch management for the mentally challenged

    "Vulnerability management is a service, not software, and one well worth paying for. "
    If you are charging for a service, then what's the difference between proprietary software and open source?
    If one has to pay for open source, it's not worth paying more than $5.
    Maybe you ought to see the security updates on Firefox before you brag about open source.
    • Check out all

      The "unpatched" updates for IE. Firefox has its issues also but does not represent "all" open source. Did you not bother to look at everything?

      It's not a question of "why should software be free". It is. The service provides patches and updates on demand as needed. The software (yum and YaST, for example) is used to install them. Services like the Red Hat Network "alert" you of patches and updates.

      Just like Windows.

      I got my Kerberos patch and I didn't have to wait for it. I didn't have to wait for a "Patch Tuesday" I was patched and updated on the fly.

      You need to sing your Sunday song to those who will listen to your garble.

      That's an XP SP2 DoS bug.
    • The difference is...

      The difference between Open Source and Propriety has always been about *freedom*, not *free of cost*. Charging for managed updates does not limit your freedom, and does not make it no longer Open Source.
      • Even with proprietary software you have freedom

        You have paid for the licence and so you are free to do with the software on that one PC for which you have licence.
        If you want to pay for 1 licence and want to distribute to more than one PC, then you are a cheapskate. If you like to be paid for your work then someone else wants to be paid for his work (and his work was developing software).
        And thirdly I used to believe in the hype of Linux. I learnt to program and frankly Linux is a poor platform. Unix too is not that great. The only reason Unix and Linux exist is because they are free. Only a person who is penny wise and pound foolish would want to use Linux (and larger the number of linux/unix computers more the reason to stay away).
        Fourthly, I'd like to know how many of the Linux & Open Source supporters know how to program. If they do know, please post. I bet the number will be less than the fingers on my one hand. So what this would mean is that most people are talking about stuff they don't know much about.
        • Um... other than BSDs and Sol-10, Unix *isn't* free...

          To clarify the situation, Linux *is* free, other than the BSDs and Solaris 10 (did I miss anybody?), Unix is *not.*

          So your argument about Unix and Linux only being used because they are free breaks down rather rapidly.

          Besides, just what *freedom* does proprietary software give you? Not much that I can see.
        • Free to do what?

          You said "You have paid for the licence and so you are free to do with the software on that one PC for which you have licence."

          Well, I'm free to use it for specific purposes, but am I free to reverse engineer it? See the source? Modify it to suit my needs?

          I never said open source is better. Goodness sakes, if a commercial app suits your purposes, use it! (I use Opera often)

          You simply asked "whats the difference between proprietary software and open source" if the open source charges for managed updates. I told you.

          Oh, and you must love Windows, because it's the only non-Unix OS still used. Unix is hardly free, too. Don't know where you got that one from...

          Are you just trying to provoke a reaction? Well, you did :)
  • Dana - question to you

    Why should software be free?
    And service be worth paying money for?