A Database of Patched Software?

Midnight Warrior asks: "I am one system administrator for what is an organization of dozens of LANs. Together, we all must keep our machines patched. Now we can all watch CVE, frequent securityfocus.com, or let LWN [Updated vulnerabilities section] bring things together. LWN does a fabulous job, but I'm looking for something bigger and more personalized that doesn't require the system be on the internet. Freshmeat, SourceForge, and Google are all NULL on this question: is there a database, and scraping agents in existence that will let one person oversee dozens of OS installations, a mish-mash of software packages, and an even worse level of up-to-date patching exist so that when a new vulnerability against, say, OpenSSH comes out, I can look up which systems need to be tested and patched? My work should be limited to maintaining OS (not just Linux distros), software versions, and current patch lists. This is a classic database problem, but has someone already solved it?"

Huh?

[ichimunki]

Why would you be hand-maintaining most of this software in the first place? Why not standardize on a distro or two that have auto-update functionality and use this to update via cron job against a local repository?

Commercial Solution?

[illectro]

One possible solution is a commercial Vulnerbility assessment solution such at Qualysguard - it'll scan your network and tell you which machines need updated. You can also go open source with Nessus, but it's UI is a lot weaker and it doesn't feature the task management tools that Qualys has (and you seem to be interested in this). Of course this will only tell you about software which can be remotely exploited, local updates are somewhat hard ;-)

Novell's Zenworks

Novell has made a huge push into this space with their Zenworks package. It has all sorts of database and report writing functionality, and they've added Linux support in addition to the traditional Windows support.

I think one..

[fredan]

...way to solve your problem is to use Gentoo.

First run "emerge sync" and the "emerge -vp world" to see what kind of updates that would be needed on the system.

And if you have one system that include the feature "buildpkg", the rest of your system could take the pre-compiled packages from the first system and just install it.
(Run "emerge --usepkg -vp world")

It's a hard problem....

[ComputerSlicer23]

Well there are a lot of problems with this. First and foremost is having the machine maintain a list of known installed software. That means no custom installs for anything. So if you built sendmail and installed it in /usr/local, you have problems building an off the shelf solution. For a variety of reasons.

For linux you can mostly rely on either RPM or apt to know what you have installed assuming you stay with the vendor released binaries.

However, for windows, how do you get a list of installed software? Got me, I have no idea. How do you get a list of features you have enabled, or installed?

Just getting a reliable list of installed software is tricky. Now you have to do it while running remotely. Even more fun. If your terribly clever you'd do this with SNMP somehow to query the hardware/software for it's current configuration for inventory of both hardware and software to ensure compliance with all your license, and to ensure no one has swiped any hardware from you.

Now once you get that done, you have to feed it a list of known buggy software. This is also trickier then it seems. For Windows, as far as I know, the patches don't have versions, they aren't software. They are windows updates. With say RedHat software, OpenSSH 2.5 has some security flaw, but the redhat patched OpenSSH 2.5-p5 won't. So you have to be pretty darn specific.

It'd probably be easier to have each tool setup to query the security tool of choice and send out an SNMP alert saying that something is out of date. How exactly to do that on Windows I don't know. How to do it on redhat is easy. Use rhn-applet-tui, it will tell you. You send out an SNMP alert to you SNMP monitor, which converts that into an e-mail.

Then each machine monitors itself. You also setup the monitoring to send out a positive alert that everything is up to date once in a while (1 per day, 1 per week or 1 per month, depending on how many machines you have).

Use RedHat?

[Koldark]

I know RedHat has a nice looking system for keeping you notifed of server versions. As far as Windows? I don't know.

Cassandra

[pmeunier]

Please have a look at the free Cassandra system:
https://cassandra.cerias.purdue.edu
You can create any number of profiles, and you get emails daily about new CVE entries in ICAT (icat.nist.gov) or Secunia advisories (Secunia) that relate to the software or keywords you select.
You can use the freeware KeyAudit to scan your systems:
Windows KeyAudit: http://www.sassafras.com/restricted/keyaudit/keyau dit.exe
Mac KeyAudit: http://www.sassafras.com/restricted/keyaudit/keyau dit.sit

Sassafras just stopped maintaining KeyAudit, so I'm looking for an alternative application scanner to replace KeyAudit, as well as a Linux/UNIX equivalent (I'm the author of Cassandra).

I'm aware that it's not perfect, and the html and presentations are rather basic. However, it's free, it has been working for a few years now, and I'm listening for suggestions and open to criticism. I'll try to improve it as time allows.
Cheers
Pascal Meunier

Configuration management

[heydrick]

Use configuration management so you can control and know exactly what is running on your systems.

Papers have been written about automating patch management using cfengine and a database.