Slashdot Mirror


Ask Slashdot: Patch Management For Offline Customer Systems?

New submitter Nillerz writes: What, in your experience, is generally the best way to distribute patches in a way so customers can download them, considering that the machines are offline? Are there any software packages (open source preferred) that pretty much allow engineers to upload a patch with a description to a web server, and allow customers with credentials that are registered in LDAP to browse and download them quickly? And if not, how do you distribute patches to air-gapped machines?

8 of 78 comments

  1. Re:Is there even a reason to patch airgapped machi by El_Muerte_TDS · · Score: 4, Insightful

    To fix non-security related bugs.

  2. sneakernet by TWX · · Score: 3, Informative

    Ship encrypted files on flash with instructions for them to call when the media arrives. Provide phone support to walk them through the install process, where you provide the password to the files at that time. Once the patch is installed, walk them through formatting the flash media and mailing it back to you.

    If you really want to be fancy, make the installer check for something that is supposed to be on a legitimate customer system before it even prompts for credentials to decrypt the files, to make sure that it is being used on the correct machines and that it actually is the customer calling.

    --
    Do not look into laser with remaining eye.
    1. Re:sneakernet by techno-vampire · · Score: 3, Insightful

      Ship encrypted files on flash with instructions for them to call when the media arrives.

      No. Not on flash. Flash can be intercepted and modified. Send it on a CD/DVD that's not rewritable, and send a hardcopy of the MD5 hash in a second package. Then, before running the update, calculate the hash and compare it by eye with the hardcopy. I won't say that it's impossible for anybody to slip an infection past this, but it's not going to be easy, especially if you send the two parts of the message by different companies.

      --
      Good, inexpensive web hosting
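The two procedures above (TWX's installer that checks for something only a real customer machine carries before it asks for the phone-supplied password, and techno-vampire's hash-on-read-only-media compared against a hardcopy shipped separately) can be gated by one small script on the offline box. The example below is added here and is not code from either commenter; the file names, the marker file `product.id`, the 4-hex-digit grouping of the printed hash, and the `demo()` scenario are all constructed for illustration. It defaults to SHA-256 rather than the MD5 the comment mentions, since chosen-prefix MD5 collisions are practical today; the `algo` parameter still accepts `"md5"` if you must match a hash already printed for existing media.

```python
"""Offline patch-media verifier (added example, not from the Slashdot thread).

Gate 1: refuse to prompt for the decryption password unless a machine marker
        that only a legitimate customer install carries is present (TWX).
Gate 2: hash the shipped image and compare it against the hash that arrived
        on paper in a separate package (techno-vampire).
Assumptions (not on the original page): marker file path/contents, file
names, and the grouped hardcopy format are invented for this example.
"""
import hashlib
import hmac
import os
import re
import tempfile

HASH_GROUP = 4  # print the digest in 4-hex-digit groups so eyeballing it is reliable


def file_digest(path: str, algo: str = "sha256") -> str:
    """Stream the file through the hash so a full DVD image never has to fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def format_for_hardcopy(hexdigest: str) -> str:
    """Group the digest for the printed sheet; 'compare by eye' is far less
    error-prone with spaced groups than with a single 64-character run."""
    return " ".join(hexdigest[i:i + HASH_GROUP] for i in range(0, len(hexdigest), HASH_GROUP))


def normalize_hardcopy(printed: str) -> str:
    """Accept the hash as typed from paper: strip whitespace, lowercase, and
    reject anything that is not hex so a typo fails loudly instead of silently."""
    cleaned = re.sub(r"\s+", "", printed).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("hardcopy hash contains non-hex characters")
    return cleaned


def media_matches_hardcopy(path: str, printed: str, algo: str = "sha256") -> bool:
    """Constant-time comparison of the computed digest against the printed one."""
    expected = normalize_hardcopy(printed)
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual.encode(), expected.encode())


def is_legitimate_target(marker_path: str, expected_product_id: str) -> bool:
    """TWX's pre-check. Hypothetical marker: a one-line file holding the product ID
    that only a real customer install has. A missing marker is treated as 'not ours'."""
    try:
        with open(marker_path, "r", encoding="utf-8") as f:
            return f.read().strip() == expected_product_id
    except OSError:
        return False


def verify_shipment(media_path, printed_hash, marker_path, product_id):
    """Full gate, marker first, then hash. Returns (ok, reason) for the operator."""
    if not is_legitimate_target(marker_path, product_id):
        return False, "machine marker missing or wrong; not prompting for password"
    if not media_matches_hardcopy(media_path, printed_hash):
        return False, "media hash does not match hardcopy; do not install"
    return True, "media verified; safe to call support for the password"


def demo():
    """Constructed scenario: a patch image, its hardcopy hash, and a tampered copy."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "patch-2.3.1.iso")
    bad = os.path.join(d, "patch-2.3.1-tampered.iso")
    marker = os.path.join(d, "product.id")
    with open(good, "wb") as f:
        f.write(b"example patch payload " * 1000)
    with open(bad, "wb") as f:  # same length, one block altered
        f.write(b"example patch payload " * 999 + b"EXAMPLE PATCH PAYLOAD ")
    with open(marker, "w", encoding="utf-8") as f:
        f.write("ACME-KIOSK-7\n")
    hardcopy = format_for_hardcopy(file_digest(good))  # what goes in the second envelope
    return {
        "hardcopy": hardcopy,
        "good": verify_shipment(good, hardcopy, marker, "ACME-KIOSK-7"),
        "tampered": verify_shipment(bad, hardcopy, marker, "ACME-KIOSK-7"),
        "wrong_machine": verify_shipment(good, hardcopy, marker, "ACME-ATM-1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The marker check runs before the hash check on purpose: the hash proves the disc was not altered in transit, the marker proves the disc is being run where it was meant to run, and only after both pass does the operator get on the phone for the password.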
  3. Re:Is there even a reason to patch airgapped machi by allquixotic · · Score: 4, Informative

    Or maybe you might have an airgapped "kiosk", with a keyboard and/or mouse and a dedicated application running modal (so it can't be bypassed to access the OS, perhaps without some hardware hacking). If it's non-networked, or only networked locally to some other system on-site, but still accessible to "users" who aren't fully trusted to the same level as the CEO (e.g., line employees, general public customers, etc.), you might want to patch it *for* security vulnerabilities, such as "if the user presses Ctrl+Alt+Del, they can access the desktop" (or something equally based on the concept of user input -> system access). That would be an example of a software-based security exploit on airgapped equipment.

  4. swap drives by John Bresnahan · · Score: 2

    I worked on an airplane-based system, and we had removable hard drives which we swapped any time we had to update the software. This way, each upgrade also restored the system to a pristine condition.

    I've also done this with CD-ROMs. One nice thing about booting and running from a CD-ROM is that it's impossible for it to be "hacked" (short of creating a new version and sneaking it into the physical machine).

  5. MBSA + WSUS CAB File by ItsPaPPy · · Score: 2

    Microsoft has a product called Microsoft Baseline Security Analyzer; when you combine it with the WSUS CAB file, it will output an XML file of all patches installed and (more importantly) not installed on your machine.

    With some small scripting (VBS, PowerShell, etc.), you parse the XML and find the needed patches in a patch repository.

    Then you can remotely push all of that out via PS-Remoting or PSExec, and your offline/air-gapped network can stay patched.

  6. Re:Download while offline? by TsuruchiBrian · · Score: 2

    The webserver could be offline as well (i.e. intranet).

  7. Just use git bundle by complete loony · · Score: 2
    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.