Slashdot Mirror
A Database of Patched Software?
Midnight Warrior asks: "I am one system administrator for what is an organization of dozens of LANs. Together, we all must keep our machines patched. Now we can all watch CVE, frequent securityfocus.com, or let LWN [Updated vulnerabilities section] bring things together. LWN does a fabulous job, but I'm looking for something bigger and more personalized that doesn't require the system be on the internet.
Freshmeat, SourceForge, and Google are all NULL on this question: is there a database, and scraping agents in existence that will let one person oversee dozens of OS installations, a mish-mash of software packages, and an even worse level of up-to-date patching exist so that when a new vulnerability against, say, OpenSSH comes out, I can look up which systems need to be tested and patched? My work should be limited to maintaining OS (not just Linux distros), software versions, and current patch lists. This is a classic database problem, but has someone already solved it?"
Sounds like you've found yourself a new job. I'll leave $1 in the tips jar.
All the high profile Linux hackers I know use the official update site for all their needs.
Why would you be hand-maintaining most of this software in the first place? Why not standardize on a distro or two that have auto-update functionality and use this to update via cron job against a local repository?
I do not have a signature
One possible solution is a commercial Vulnerbility assessment solution such at Qualysguard - it'll scan your network and tell you which machines need updated. You can also go open source with Nessus, but it's UI is a lot weaker and it doesn't feature the task management tools that Qualys has (and you seem to be interested in this). Of course this will only tell you about software which can be remotely exploited, local updates are somewhat hard ;-)
Novell has made a huge push into this space with their Zenworks package. It has all sorts of database and report writing functionality, and they've added Linux support in addition to the traditional Windows support.
...way to solve your problem is to use Gentoo.
First run "emerge sync" and the "emerge -vp world" to see what kind of updates that would be needed on the system.
And if you have one system that include the feature "buildpkg", the rest of your system could take the pre-compiled packages from the first system and just install it.
(Run "emerge --usepkg -vp world")
Couldn't you just set up a CVS type system, with different branches based on architectures you are supporting? Then you would only need one machine with outside access.
Or am I missing something obvious here (related to the discussion at hand, of course)?
For linux you can mostly rely on either RPM or apt to know what you have installed assuming you stay with the vendor released binaries.
However, for windows, how do you get a list of installed software? Got me, I have no idea. How do you get a list of features you have enabled, or installed?
Just getting a reliable list of installed software is tricky. Now you have to do it while running remotely. Even more fun. If your terribly clever you'd do this with SNMP somehow to query the hardware/software for it's current configuration for inventory of both hardware and software to ensure compliance with all your license, and to ensure no one has swiped any hardware from you.
Now once you get that done, you have to feed it a list of known buggy software. This is also trickier then it seems. For Windows, as far as I know, the patches don't have versions, they aren't software. They are windows updates. With say RedHat software, OpenSSH 2.5 has some security flaw, but the redhat patched OpenSSH 2.5-p5 won't. So you have to be pretty darn specific.
It'd probably be easier to have each tool setup to query the security tool of choice and send out an SNMP alert saying that something is out of date. How exactly to do that on Windows I don't know. How to do it on redhat is easy. Use rhn-applet-tui, it will tell you. You send out an SNMP alert to you SNMP monitor, which converts that into an e-mail.
Then each machine monitors itself. You also setup the monitoring to send out a positive alert that everything is up to date once in a while (1 per day, 1 per week or 1 per month, depending on how many machines you have).
which machines need updated.
Alright, that does it!!! I can't stand it any more. The phrase above should be correctly written; which machines need to be updated. People are getting more and more lazy with their speech and are destroying the English language. Constantly I hear people who choose to leave the words "to be" out of their vocabulary. Constantly people say things like the above or they say things like "that needs painted" and "that needs fixed". What needs to be fixed is their pathetic comprehension of the English language. For God's sake don't forget to be, you illiterate bastards!
Once that is taken care of we can start working on things like "also too". But, that is a whole other rant.
I know RedHat has a nice looking system for keeping you notifed of server versions. As far as Windows? I don't know.
Mike http://thenextgenerationofradio.com
Please have a look at the free Cassandra system:u dit.exeu dit.sit
https://cassandra.cerias.purdue.edu
You can create any number of profiles, and you get emails daily about new CVE entries in ICAT (icat.nist.gov) or Secunia advisories (Secunia) that relate to the software or keywords you select.
You can use the freeware KeyAudit to scan your systems:
Windows KeyAudit: http://www.sassafras.com/restricted/keyaudit/keya
Mac KeyAudit: http://www.sassafras.com/restricted/keyaudit/keya
Sassafras just stopped maintaining KeyAudit, so I'm looking for an alternative application scanner to replace KeyAudit, as well as a Linux/UNIX equivalent (I'm the author of Cassandra).
I'm aware that it's not perfect, and the html and presentations are rather basic. However, it's free, it has been working for a few years now, and I'm listening for suggestions and open to criticism. I'll try to improve it as time allows.
Cheers
Pascal Meunier
Use configuration management so you can control and know exactly what is running on your systems.
Papers have been written about automating patch management using cfengine and a database.
Get in touch with Novell or Redhat and find out what platforms they can support using their products. Novell's (well, Ximians really) RedCarpet would probably be more likely to allow you to run it across multiple platforms.
There are heaps of products out there for this kind of updating. No matter what, there will always be an admin involvement in them however. You'll still need to keep an eye on things regardless of how you automate it. You'll still need to update the hosts and you'll still want to keep your eye on what the software you choose does to those hosts it monitors.
For more broad range of platforms, Tivoli and its like spring to mind. Tivoli can cover pretty much all "mainstream" platforms out there, but its probably overkill for what you're after.
I started working on this problem for the NI team where I work. They went another direction, so I shelved my work for the time being. I didn't come up with much more than a prototype, but I had planned to produce the tool you're looking for. We'd also planned on integrating it with Nessus, so the tool could display warnings detected. I wanted (though NI was a little scared of the idea) to build router ACLs from the data in the table. That way, only traffic to registered applications/hosts would be permitted in to the network. That's the only way I can conceive of keeping the information up to date: make the tool the only way to get any applications working.
w ork-map /
The prototype is here:
http://phantom.dragonsdawn.net/~gordon/net
Look if you like. Ignore it if you don't.
Have a look at that: http://www.shavlik.com/
It works only for Windows, though. But reports patches, missing or not, for Windows, Office, and some other products. Probably some option to export current state, or make a report.
Lets you push patches too, forcing installation.
Tsuyoikoto ha taisetsu da ne, dakedo namida mo hitsuyousa (Strength is an important thing, but tears too are necessary)
This really depends on how well managed your LANs are but can work smoothly if the architectures and OS's are homogenous (per LAN). try this:
/var/run/lock-patchdb)
On each host in each LAN, make a list of programs you want to keep patched and store their names, MD5 hashes, revision numbers (or patch numbers), and revision dates in a file, say "patched.db". Ideally, you'll want to patch everything, but if your topology includes well-configured network firewalls in front of each LAN, then you can minimize and pinpoint an attack if a host gets comprimised, which gives the patch-admins in each LAN more time to patch.
One host should be designated in each LAN as the "patch-box". (got a spare 486 and linux distro?) You'll need to have MD5SUM and (GNU?)PGP on every box in the LAN and the patch-box should be running FTP, or even SSH if you want overkill (but as long as every host has cached copies of every public key of every host in the LAN, its own private key, and can sign or verify the integrity of the data, then the security of the channel won't matter). Now, every host should MD5SUM its patched.db file and sign the md5sum with their private key. It then packages patched.db and patched.db.md5 into patched-hostname-date.tar.gz and uploads this to the patch-box.
The patch-box then verifies the integrity of each patched.db from each host and then compares the revision numbers against the master list for that LAN, say patch-master.db. Now, at this point, you could just let the patch-boxes check sites for patches, but you specified only one host would be allowed to do this. Well, then that designated host connecting to the internet will be known as "fetch-box". Fetch-box will check for and download any patches if their revision number exceeds that of a file on in its harddrive (this will most likely need to be done manually since the integrity of the patches needs to be verified and the patches need to be tested by the network-admin, unless you can want to make use of up2date or win-auto-update). Every file/patch downloaded will be noted in a file similar to patched.db, which we'll name patch-control.db.
Meanwhile, each patch-box from each LAN will hash&sign the patch-master.db file and package these files into patch-master-LANname-date.tar.gz and upload this file to the fetch-box. Then fetch-box will verify the integrity of each patch-master.db file and compare it against patch-control.db to determine if more entries need to be added to patch-control.db (ie. suppose host-A in LAN-B just added program-c to its inventory (AFTER implementing your patch-scheme) and this program needs to stay patched). Later, each patch-box will download and verify the hashed&signed copy of patch-control.db from fetch-box to determine if it has downloaded (and is releasing) a new patch. If so, then patch-box will download the patch, make it available for download for any host on the LAN, and update the revision numbers for patch-master.db. In turn, each host will download and verify a hashed&signed copy of patch-master.db and compare it against patched.db. If there are any changes, then it will download these files from the patch-box.
Wash, rinse, repeat.
Some issues:
0) You desire quick security patching, but system reaction is unpredictable, regardless of homogenity. You should rather focus on extending the time needed to patch. This can be accomplished through well-configured firewalls, proxies, and NDS's. With more time, you can test patches to make sure they are not corrupt and not rootkits. I also hope you have good backups of every system in case you need to disconnect and restore a comprimised one.
1) what happens when you need to downgrade software?
2) what happens when you run into race conditions? will a file-locking scheme need to be imposed as not to corrupt these databases? (ie. touch
3) this can all be automated except for the part of acquiring, testing, and releasing the patches. At worst,
...small furry creatures from Alpha Centauri...
For the end-user, SuSE's scheme is too easy
and also -flexible- enought to enable Users
to accept or reject offered updates to SuSE
ans non-SuSE software.
Why not use a similar scheme for Sys Admin?
BTW, one of the happy surprises, that we've
seen auto-installed by YaST2 (with User con-
cent) is a mechanism that hides most of the
boot-time console messages from the eyes of
the User who doesn't care to view it - in a
way, that also enables another User to show
those messages (by pressing F2, I believe).
MySQL was recently auto-updated as well.
windows comes packed with this tool for monitoring and managing patch levels on multiple hosts, though it's not installed by default
if you need to patch entire network, see the hfnetchk homepage for pro/enterprise version
In 1999--2000, we tried doing what you describe (at the company I work for). We have a large WAN with a couple of hundred sites scattered around the world. We used a commercial product called Asset Insight to do the scanning on UNIX, and we used MS SMS on the PCs. Note, we have a very small number of Macs and it wasn't cost effective to address them in the project scope.
Asset Insight and SMS allowed us to tier the data collectors: large sites consolidated their scans and then forwarded the consolidated data on to the global data collector. This was very necessary to keep network utilisation in a predictive state.
The project's ultimate stumbling block became focused within the PCs and workstations themselves:
We still have the system deployed, but it turned out to be much less useful than we had hoped---plus, it is very labour intensive:
Our approach with the data today is to focus on the major applications and OSes in use, and not worry too much about the little things. Our security team watches CERT et al and this provides the software management team with some direction w.r.t. the applications to stay on top of.
Sorry I don't have any software recommendations, but I hope our experience will assist you in your planning.