Skip to main content

Understanding Patching on Linux

Understanding Patching on Linux



WHAT IS A PATCH?
A patch is a piece of software code that will be inserted into the existing program in the system. This is an imidate fix to existing software before a minor release is planned. A patch is a kind of temporary and quick fix to existing software.

WHAT IS A PATCH LOOKS LIKE?
Suppose you have some xyz.c file within your Linux kernel which requires a patch, the patch is just the difference between the existing line of code in that file and extra lines which we will add to this file. It is just a diff of lines of code which is added to an existing file.

Enterprise-level Approach

On Red-Hat based systems we use the yum package manager as the preferred method to install and update packages.



Patching is generally motivated by system security. Remember that IT security, in general, has three aspects:

  1. Confidentiality - wrong people must not get access to certain things (at least password files and other authentication infrastructure; possibly entire systems and the information in them).
  2. Integrity - the information processed must not be damaged in the process, neither by bugs nor by malice.
  3. Availability - the systems and the information in them must be available for use by the right people; that's why they exist in the first place.

Another stage in the patching we do is a yum clean all and yum repo list so that when new patches are published through a content view, the cached information doesn't "get in the way" of a new set of patches, while not the rule, there are enough "exceptions" where this is an issue enough to warrant doing this in that environment. 

The important point to understand in Patching

Patching helps in keeping the machines in an enterprise updated with security fixes and critical bug fixes, especially in a data center or a server farm.

  • Set up Linux RPM Repository based in Unbreakable Linux Network (ULN) channels.
  • Download Advisories (Erratas) from ULN.
  • Set up Linux Patching Group to update a group of Linux hosts and collect compliance information.
  • Allow non-compliant packages to be patched.
  • Rollback/Uninstall packages from the host.
  • Manage RPM repositories and channels (clone channels, copy packages from one channel into another, delete channels).
  • Add RPMs to custom channels.
  • Manage Configuration file channels (create/delete channels, upload files, copy files from one channel into another)

Patching Best Practices

The SysAdmin, Audit, Network, and Security (SANS) organization lays out best practices for patch management. These best practices give administrators guidance on how to implement a corporate policy that documents, audits, and assesses risk across the organization to determine when and how patches should be deployed. 

Best practices are:

  • Know your environment. Before you know what needs to be patched, you need an audited list of all Linux systems on the network.
  • Assign risk levels to each server. Risk levels tell administrators which servers are most important and should be prioritized. All systems should be patched, but targeting the most important servers will lower the risk of them being compromised while testing and other patching is underway.
  • Consolidate patch management software into one solution. Automation tools are beneficial, but too many different tools making changes to the environment can lead to errors and possible race conditions. 
  • Review vendor patch announcements regularly. Automation tools will download updates automatically, but administrators should still be aware when new patches are available, especially critical ones.
  • Mitigate risks of patch failures. It’s not uncommon for administrators to halt updates due to an issue with exceptions. When this happens, servers should be locked down to avoid exploit potential.
  • Always test patches in staging first. A staging environment should replicate production, so patches can be tested and lower the risk of downtime.
  • Patch systems as quickly as possible. The longer a server is unpatched, the bigger the risk of compromise due to a known vulnerability.
  • Use automation tools. Automation tools take a lot of the overhead from administrators and automatically deploy patches when they are available.


How Often Should Patching Be Performed?

Installing anything on a production server should be done after thorough testing. In a large enterprise environment, it’s possible for new updates to be available every day, which means constant testing and deployment. Manually checking for new patches every day is tedious and requires unnecessary overhead when patch management automation is available.

To add to the overhead, patches should be deployed only after being tested in a staging environment. Staging environments should be a replica of production to ensure that it’s a 1:1 match during testing or errors could cause downtime in production. Even though testing is important, a good rule of thumb is to apply patches within 30 days of vendors making them available. 

For security patches, it’s critical that administrators test and deploy them as soon as possible. Zero-day vulnerabilities are a real threat to organizations and their digital assets. When zero-day vulnerabilities are announced, threat actors quickly create exploits to take advantage of unpatched systems. Several recent data breaches were the result of exploits on unpatched systems. To lower the risk of a data breach, organizations should rapidly deploy security patches as soon as they are available.

What is Linux Patch Management Strategies?

Unlike closed-source operating systems like Windows, Linux patching can be a bit more unpredictable and complex. Open-source has its advantages, but one disadvantage is running an operating system with several possible changes made by various contributors. Just one incompatible change could affect your entire organization.

To alleviate some of the overhead and hassles of poor patch management, here are a few strategies and best practices to incorporate into your procedures:

  1. Create a patch management policy. This policy should include every step including quality assurance (QA) testing, frequency of patching, any rollback procedures, and who must sign off on operating system changes.
  2. Use scanning tools that find vulnerabilities. Whether it’s public-facing servers or internal hosts running corporate applications, vulnerability scans will find unpatched systems to avoid common exploits.
  3. Use reporting to identify failed patches. How do you know that a patch installation was successful? A good patch management solution has a central dashboard that displays reports on successful and failed patch installations so administrators can review and manually patch the system if necessary.
  4. Deploy patches as soon as testing is complete. Testing is important before deployment, but as soon as testing provides a green light for deployment, patches should be installed across the entire environment.
  5. Document changes to the environment. Usually, documentation is done in the form of change control where authorized employees sign off on updates to the environment. This step is important when reviewing downtime and performing root cause analysis. It’s also important for auditing and compliance reasons.

How to Patch Your Linux Systems Manually?

Even with patch automation, manual updates are occasionally necessary. After a failed update, administrators may need to manually patch the system. Manual updates might be necessary in a testing environment. The commands to update Linux depend on your distribution, but here are the commands for some common distributions.

For Debian-based distributions (e.g. Debian, Ubuntu, Mint), the following commands will let you view available patches and update packages and the operating system:

sudo apt-get update

sudo apt-get upgrade 

sudo apt-get dist-upgrade

 

For Red Hat Linux distributions (e.g. RedHat, CentOS, Oracle), the following commands check for updates and patches the system:

yum check-update

yum update

Roll Back a patch in RHEL/OEL/Centos

Step 1: Boot from the old kernel.
[root@funebs122 ~]#uptime

Step 2: Now run the yum history command to view a history of previous yum activities.

[root@funebs122 ~]# yum history 

View more information about this transaction by typing yum history info <id>

[root@funebs122 ~]# yum history info 7

Step 3: Now, we will roll back this transaction via the yum history undo command.

yum history undo 7

Step 4: Reboot your system


If you like please follow and comment
Labels:

Comments

Post a Comment

Popular posts from this blog

WebLogic migration to OCI using WDT tool

WebLogic migration to OCI using WDT tool Oracle WebLogic Deploy Tool (WDT) is an open-source project designed to simplify and streamline the management of Oracle WebLogic Server domains. With WDT, you can export configuration and application files from one WebLogic Server domain and import them into another, making it a highly effective tool for tasks like migrating on-premises WebLogic configurations to Oracle Cloud. This blog outlines a detailed step-by-step process for using WDT to migrate WebLogic resources and configurations. Supported WLS versions Why Use WDT for Migration? When moving Oracle WebLogic resources from an on-premises environment to Oracle Cloud (or another WebLogic Server), WDT provides an efficient and reliable approach to: Discover and export domain configurations and application binaries. Create reusable models and archives for deployment in a target domain. Key Pre-Requisites Source System: An Oracle WebLogic Server with pre-configured resources such as: Applica...
Post a Comment
Read more

Rename a PDB in Oracle Database Multitenant Architecture in TDE and Non TDE Environment

Rename a PDB in Oracle Database Multitenant Architecture I am sharing a step-by-step guide to help you rename a PDB. This approach uses SQL commands. Without TDE or encryption Wallet Initial Check Check the Current Database Name and Open Mode: SQL > SELECT NAME, OPEN_MODE FROM V$DATABASE; NAME OPEN_MODE --------- -------------------- BEECDB READ WRITE List Current PDBs: SQL > SHOW PDBS; CON_ID CON_NAME OPEN MODE RESTRICTED ---------- ------------------------------ ---------- ---------- 2 PDB$SEED READ ONLY NO 3 FUAT READ WRITE NO We need to RENAME FUAT to BEE  Steps to Rename the PDB Step 1: Export ORACLE_SID Set the Oracle SID to the Container Database (CDB): export ORACLE_SID=BEECDB Step 2: Verify Target PDB Name Availability If the target PDB name is different from the current PDB name, ensure no service exists with the target PDB name. Run SQL to Check Exi...
Post a Comment
Read more

How to make flash work on IE or Edge with IE Compatibility

How to make flash work on IE or Edge with IE Compatibility With flash been ended from 1-Jan-2021, many applications using flash have stopped working the way they were built (like OEM, OBIEE, etc). The option you have to upgrade.  This method will give a workaround in IE or Edge in IE compatibility mode without upgrading. 1. Verify you have installed flash.ocx on your desktop. Typically, flash.ocx file is located in C:\Windows\System32\Macromed\Flash or C:\Windows\SysWOW64\Macromed\Flash according to your laptop OS system. 2. Edit mms.cfg from the location as a System Administrator In the case of the 64bit system, it might have mms.cfg under C:\Windows\SysWOW64\Macromed\Flash 3. Add below options into mms.cfg file. Note: AllowListUrlPattern list is an example. The URLs need to be replaced to your hosts those have Flash pages. SilentAutoUpdateEnable=0 AutoUpdateDisable=1 EOLUninstallDisable=1 EnableAllowList=1 AllowListUrlPattern=http://www.google.com/ AllowListUrlPattern=http://goo...
Post a Comment
Read more