2. Patch Your System

Apply available patches! Patches are made available for download by every (or almost every) vendor, including RedHat, SuSE and Sun, and by every reputable Linux and BSD distro. Apply them, particularly those which relate to remotely-exploitable vulnerabilities.

In most cases tools are available which will handle dependency-checking and which can be invoked by cron (daily).

2.1. Patch Your System: Linux

Most Linux distributions are RPM-based or Debian-based. rpm itself can be used for patching but does no dependency resolution --- better to use yum or the RPM version of apt-get. For Debian-based distros, simply use apt-get.

2.1.1. rpm-based Distros

A patch/update for a particular RPM can be applied in the usual way, for example,

    rpm -Uvh apache-1.3.22-6.i386.rpm

or

    rpm -Uvh openssh*

where, in the latter case, there are 5 separate RPMs to upgrade.

A simple procedure to ensure all patches have been applied is to download all updated RPMs from the appropriate Web site, e.g. from RedHat errata, then freshen (see rpm man-page):

    rpm -Fvh ./*.rpm

Only those RPMs which are already installed will be updated; others will be ignored.

Frankly, though, rpm is a crap way to patch anything (or even install a new package) since it does not handle dependency-checking. Better to use yum or the RPM version of apt-get.

2.1.2. RedHat/Fedora

Patches for RedHat can be found at RedHat's Web site. (These patches are complete, replacement rpms.) The RedHat Update service (up2date) can be used to automate the patching process, but requires registration --- other solutions exist which do not require this. (Again, yum and apt-get.)

2.1.3. SuSE: YaST[2]

SuSE is an RPM-based distribution, but handles patching properly, via a real patching system (contrast RedHat, who simply supply updated complete packages/rpms). The patches can be downloaded and installed with the SuSE setup/config tool, yast2. An option is available within yast2 to download and install patches automatically, whenever they become available.

2.1.4. apt-get

Debian and Debian-based distributions have had apt-get and friends for years. The apt commands download and install packages and handle dependencies automatically:

    apt-get update
        Download package lists. Do this often.

    apt-get dist-upgrade
        Update all packages.

    apt-get install <package(s)>
        Install/upgrade specific package(s), and any of their dependencies which are missing.

    apt-cache search <word>
        Search all known package entries (descriptions etc.) for word.

    apt-cache show <package>
        Show basic information about a package.

See man apt-get and man apt-cache for more details.

It is easy to call apt-get update and apt-get upgrade from cron (daily). There is a GUI frontend for apt called Synaptic (apt-get install synaptic).
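Before letting a daily cron job apply upgrades unattended, it is worth having it report what a dry run (apt-get -s dist-upgrade) would change and which of those upgrades come from a security suite. The script below is an added example, not part of the original page; the sample apt-get output it parses is constructed, and the "--live" mode assumes apt-get update has already been run as root.

```shell
#!/bin/sh
# Added example (not from the original page): summarise a dry run of
# "apt-get -s dist-upgrade" for a daily cron report. Only the "Inst"
# lines matter; their shape is
#   Inst <pkg> [<old-version>] (<new-version> <origin> [<arch>])

# Constructed sample of apt-get simulation output; the versions and
# origins are made up for the demonstration, not taken from a real host.
SAMPLE_SIM='Reading package lists...
Inst libssl1.1 [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Conf libssl1.1 (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Inst openssh-server [1:8.4p1-5] (1:8.4p1-5+deb11u1 Debian:11.6/stable [amd64])
Conf openssh-server (1:8.4p1-5+deb11u1 Debian:11.6/stable [amd64])
Inst vim [2:8.2.2434-3] (2:8.2.2434-3+deb11u1 Debian:11.6/stable [amd64])'

# Print "package old-version new-version" for each pending upgrade.
pending_upgrades() {
    printf '%s\n' "$1" | awk '$1 == "Inst" {
        old = substr($3, 2, length($3) - 2)   # strip the [ ] around old version
        new = substr($4, 2)                    # strip the ( before new version
        print $2, old, new
    }'
}

# Print only the packages whose new version comes from a security suite
# (field 5 is the origin, e.g. Debian-Security:11/stable-security).
pending_security() {
    printf '%s\n' "$1" | awk '$1 == "Inst" && $5 ~ /-security/ { print $2 }'
}

# Number of pending upgrades, for the report and the exit status.
pending_count() {
    pending_upgrades "$1" | awk 'END { print NR }'
}

# Run with --live (as root, after apt-get update) to inspect the real
# system; a non-zero exit flags pending security updates so cron mails it.
if [ "${1:-}" = "--live" ]; then
    sim=$(apt-get -q -s dist-upgrade 2>&1)
    echo "Pending upgrades: $(pending_count "$sim")"
    pending_upgrades "$sim"
    sec=$(pending_security "$sim")
    [ -z "$sec" ] || { echo "SECURITY: $sec"; exit 1; }
fi
```

A cron entry running this with --live gives a daily mail listing what apt-get dist-upgrade would do, which is a useful sanity check even if the upgrade itself is also automated.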

2.1.5. yum

From the Web site: Yum is an automatic updater and package installer/remover for RPM systems. It automatically computes dependencies and figures out what things should occur to install packages. It makes it easier to maintain groups of machines without having to manually update each one using rpm.

Basic usage:

    yum list
        List all available packages.

    yum check-update  (or: yum list updates)
        See if there are updated packages available.

    yum update
        Update all installed packages that have a newer version available.

    yum install <package(s)>
        Install specific packages and their dependencies.

    yum search <word>
        Search all known package entries (descriptions etc.) for word.

    yum info <package>
        Show basic information about a package.

2.2. Patch Your System: Solaris

2.2.1. Solaris 10

Use updatemanager! (This requires that your system can contact Sun hosts via HTTPS — port 443.)

2.2.2. Older Versions of Solaris

Patches for Solaris can be found at sunsolve.sun.com (follow the links to Product Patches and then Recommended and Security Patches). The usual route is: download the latest patch-cluster containing all recommended and security patches; unzip the .zip file; cd into the created directory and run the installation script, ./install_cluster --- this may take a while. Then reboot --- if you do not, the system may be left in an inconsistent state and not all patches will have taken effect.

The Solaris Patch Manager, downloadable from sunsolve.sun.com, helps automate the process.

Example

    df -bk                   # Check there is sufficient space in /, /usr and
                             # /opt for the patches to be applied, and in /var
                             # for storage of old stuff so that patches can
                             # be rolled back if necessary.

    ftp ftp.sunsolve.com     # Get the latest patch recommended cluster.
    cd /pub/patches
    bin
    get 9_Recommended.zip
    quit

    unzip 9_Recommended.zip  # Unpack/uncompress the thing and move into the
    cd 9_Recommended         # newly-created directory.

    su nobody                # The user "nobody" needs read access to the
    ls -l                    # new stuff for the patching to proceed --- check.
    exit

    ./install_cluster        # Or "./install_cluster -nosave" if space is
                             # lacking under /var.

