What Is Patch Management In Linux A Deep Dive
In this article i am going to explain you What is Patch Management in Linux. to Understand Patch Management you have to understand Software development cycle, releases, version and Updates. Why all this you have to know because that’s where actual patching staff will start.
What is Software..?
Software is an group of programs written to accomplish particular job. When this particular software is under development stage they call is it as version 1.0. After development completes they ask Testing team to test functionality as per given description. Again Quality team will verify software integrity, code quality and its performance. UAT (User acceptance Test) then release to production.
Let’s take one simple example to explain how RPM (Red Hat Package Manager) name is defined
bash = Package Name (Label)
3 = Major Number
1 = Minor Number
16 = Path Number
1386 = Architecture the software designed
.rpm = Package Extension (Red Hat Package Manager)
Major Number will change only when version release (which means there is an new feature Or enhancement)
Minor Number will change when testing is identified there is an BUG Or functionality not working as expected
Path Number change when there is any missing program parameters Or identified security related loops. Software Developer should release immediate hot-fix to fix the vulnerability.
What is Patch Management in Linux
Here actual security program / vulnerability management program starts. Most of the corporate companies will have separate security team. Network Security/Information Security team will scan all the server machines including Windows/Linux and MAC. They Use SIEM Tools and Penetration testing tools.
All software’s and Operating system’s related loop wholes will be explioted and recorded. Now action begins Security Team will ask Windows Adminstrators/Linux Adminstrators/Technical team to update installed programs. When they ask to update you can’t simply update them, to update verify below things first.
1. Verify compatibility issues based on your Operating System version
2. Check any depent applications
3. What are the enhancements will come if you update
4. Is there any impact to current running apps in prod
5. If new feature additions think about end user training’s on it
There are much more you have to check/verify.
Do i need to remediate all vulnerabilities.?
As per my experience No, You must remediate a few. Based on Common Vulnerability Scoring System (CVSS) you have to take call. CVSS score is measured based on so many paramenters.
- Attack Vector
- Attack Complexity
- Privileges Required
- User Interface
- Exploit Code Maturity
The CVSS provides an Open framework for communicating the characteristics and impacts of IT vulnerabilities. It’s quantitative model ensures repeatable accurate measurement while enabling users to see underlying vulnerability characteristics that were used to generate the scores. Based on CVSS characteristics vulnerabilities are labeled “Low” (Score from 0.0 -3.9), “Medium” (4.0 – 6.9), “High” (7.0 – 8.9) and “CRITICAL” (9.0 – 10.0).
Consider marked as High and Critical must be patched.
How do you do Patch Linux Servers
You no need to do manual installation to each and every single server. Then how.? In opensource market lot of tools available for that
1. Red Hat Satellite Server
6. YUM Repository
What is the Patching procedure
Before proceeding to execute an action from any tool, take simple testing environment which should contain all of your production environment applications and version’s should be same.
Example : In Production if you have Oracle 11g, OS is RHEL 5.9 and 1289 Packages installed in it.
Setup simulated environment for testing and deploy patches ask end users to test applications. If applications working as expected. If yes, then proceed to deploy in production environment. If applications are not working as expected then you have to think other way work around.
Note: Always be ready with revert back plan if anything goes wrong with patch deployment – patch management in Linux.
Always be sure to verify software version’s and there features, improvements, enhancements before your going to patch Linux Servers. Compatibility of new software should be validated before pushing to production.
Thanks. That’s it about ” What is Patch Management in Linux “