Let's talk about patching for our good friend Tux the Linux Penguin (if you don't know about Tux, click here.). How many of us out there work in a Linux heavy environment? In the past it might have been a much smaller number, however with the emergence of virtualization and the ability to run Linux and Windows VMs on the same hardware, it's become a common occurrence to support both OS platforms. Today I thought we'd talk about patching techniques and methods specifically related to Linux systems. Below I've compiled a list of the 3 most common methods I've used for patching for Linux systems. After reading the list you may have a dozen more way successful and easy to use methods that the ones that I've listed here, I encourage you to share your list with the forum in order to gain the best coverage of methods to use for patching Linux systems.
Open Source Patching Tools
There are a few good open source tools out there for use in patching your Linux systems. One tool that I've tested with in the past is called Spacewalk. Spacewalk is used to patch systems that are derivatives of RedHat such as Fedora and CentOS. Most federal government Linux systems are running Red Hat Enterprise Linux, in this case you would be better off utilizing the Red Hat Satellite suite of tools to manage patches and updates for your Red Hat system. In the case, your government client or commercial client allows Fedora/CenOS as well as open source tools for managing updates, then Spacewalk is a viable option. For a decent tutorial and article on Spacewalk and it's capabilities, click here.
YUMmy for my tummy!
No, this has nothing to do with Cheetos, everybody calm down. Configuring a YUM repository is another good method for managing patches in a Linux environment. If you have the space, or even if you don't you should make the space to configure a YUM repository. Once you have this repository created you can then build some of your own scripts in order to pull down and apply them on demand or with a configured schedule. It's easy to set up a YUM repository, especially when utilizing the createpro tool. For a great tutorial on setting up a YUM repository, check out this video.
Manual Patching from Vendor Sites
Obviously the last method I'm going to talk about is manual patching. For the record, I abhor manual patching, it's a long process and it can become quite tedious if you have a large environment. I will preface this section by stating that if you can test a scripted/automated process for patching and it's successful enough that you can deploy it, the please by all means, go that route. If you simply don't have the time or aptitude for scripting, then manual patching it is. The most important thing to remember when you are downloading patches via FTP site, you must ensure that it's a trustworthy site. With RedHat and SUSE, you're going to get their trusted and secured FTP site to download your patches, however with other distros of Linux such as Ubuntu (Debian based) or CentOS, you're going to have to find a trustworthy mirror site that won't introduce a Trojan to your network. The major drawback with manual patching is security, unfortunately there are a ton of bad sites out there that will help you introduce malware into your systems and corrupt your network. Be careful!
That's all folks! Does any of thing seem familiar to you? What do you use to patch your Linux systems? If you've set up an elaborate YUM repository or apt/get repository, please share the love!