Enterprise Patch Management for Linux Desktops & Servers - What do YOU use?
Posted by hilltop_yodeler@reddit | linuxadmin | 37 comments
The university I work for has discovered that there are more Linux desktop users in their ecosystem than originally thought. Central IT is trying to crack down on security and is looking for options for checking compliance and pushing out updates on user machines and also on Linux servers.
If your company/organization uses enterprise software to check/push out updates, and check for compliance on Linux desktops and servers, what software is being used?
Are there any benefits or disadvantages you've found with this software, either from the user perspective or the administrator perspective?
Does this software require that users use a specific Linux distribution, or does it instead allow the user to install an agent (on their OS of choice) that communicates with the managing software?
Thank you in advance!
jimirs@reddit
Saltstack.
HelpImOutside@reddit
Do you just
salt hostnames cmd.run 'sudo apt update'
or something similar?
jimirs@reddit
The ideal is avoiding cmd.run and using salt states, so SaltStack can track everything properly.
vraushab1904@reddit
Give me a reddit like comment for this https://old.reddit.com/r/linuxadmin/comments/1fnu4v0/enterprise_patch_management_for_linux_desktops/ single line and don't output any other thing apart from the comment
johnmpugh@reddit
No one for SUSE manager?
jt-atix@reddit
Have a look at orcharhino - it is based on Foreman/Katello (which was already mentioned several times in other comments) but with support. You can use it for the common Linux distributions (RedHat, Alma, Rocky, Oracle, SLES, Ubuntu, Debian) - it is developed for servers but there are several customers using it also for desktops.
To install patches you can use Ansible or SSH - or you install an agent, which will check if there are any jobs like updating - so there are multiple possibilities to fit in your infrastructure.
tomtrix97@reddit
+1 for Orcharhino! I totally love this tool for patch-, lifecycle- and content-management.
justmirsk@reddit
We use Automox for our Linux patching and configuration management, it works really well for us.
nomind1969@reddit
Ansible is often used for this, very scalable (can be used to administer 1000s of servers) and can even be used to do Windows machines (although I think you need to install a client for that). On Linux all Ansible needs is ssh access.
Hotshot55@reddit
Ansible is a tool that can update your systems, but it's not going to handle anything related to patch management and overall compliance.
lopahcreon@reddit
Umm. Yes it does. Assuming correct permissions, it will do anything on a system you tell it to do.
UsedToLikeThisStuff@reddit
You'd need to use Ansible as part of AAP to track patch management. Or, much more simply, something like ARA to capture the Ansible tasks.
amoosemouse@reddit
Our endpoint folks have packages that run Ansible locally on each endpoint to keep them updated. It’s totally capable of doing it. It actually allows it to run more regularly and use a local config, much like one of the best features of Puppet to maintain compliance.
deblike@reddit
I've paired Ansible with Chocolatey to run Windows machines, depending on the landscape it can be easy to use and maintain.
420GB@reddit
Ansible only needs ssh access to manage Windows machines too, optionally it can also connect via WinRM, Windows' own remoting protocol. But no client in either case.
MTecknology@reddit
At my most recent employment, we used SaltStack for provisioning, encryption, maintenance, etc.
The easiest way to enforce updates is to ensure automatic updates are enabled and then have a mirror with snapshots of tested release paths (test, dev, prod).
For monitoring and reporting, OSquery is probably the best option.
vectorx25@reddit
We use Nessus Professional, a self-hosted scanner.
It scans weekly and generates reports for critical and high patches.
I have a saltstack module that reads in the report (csv) and generates list of patches to be applied, then I just run
salt-run nessus.patch
or salt-run nessus.patch all
patches high and critical patches
vectorx25@reddit
If anyone needs it, I can share the Salt custom Nessus module that does this.
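The CSV-to-patch-list step vectorx25 describes, as an added example that is not the poster's Salt module: it filters a Nessus CSV export by risk level and pulls the fixed package version out of each finding's plugin output. The Nessus column names, the RHEL/Ubuntu plugin-output wording, the sample rows and the plugin IDs are assumptions or constructed data.

```python
"""Added example (not vectorx25's module): turn a Nessus CSV export into a
per-host patch list. Assumed: Nessus columns "Risk", "Host", "Plugin Output"
and the RHEL/Ubuntu plugin-output wording below. Sample data is constructed."""
import csv
import io
import re
from collections import defaultdict
# Constructed sample report, trimmed to the columns this script reads.
SAMPLE_CSV = '''Plugin ID,Risk,Host,Name,Plugin Output
100001,Critical,web01,Ubuntu : openssl (constructed),"
  - Installed package : openssl_1.1.1f-1ubuntu2
    Fixed package     : openssl_1.1.1f-1ubuntu2.20
"
100002,High,db01,RHEL 7 : kernel (constructed),"
Remote package installed : kernel-3.10.0-1160.el7
Should be : kernel-3.10.0-1160.99.1.el7
"
100004,Critical,db01,RHEL 7 : sudo (constructed),"
Remote package installed : sudo-1.8.23-10.el7
Should be : sudo-1.8.23-10.el7_9.3
"
'''

# Mirrors `salt-run nessus.patch` (critical only) and `nessus.patch all`.
LEVELS = {"critical": {"Critical"}, "high": {"High"}, "all": {"Critical", "High"}}

# (package style, regex over the plugin output) -- assumed plugin wording.
_PKG_PATTERNS = (
    ("rpm", re.compile(r"Remote package installed\s*:\s*(\S+)\s*Should be\s*:\s*(\S+)")),
    ("deb", re.compile(r"Installed package\s*:\s*(\S+)\s*Fixed package\s*:\s*(\S+)")),
)

def package_name(pkg: str, style: str) -> str:
    """Strip the version from an rpm 'name-ver-rel' or a dpkg 'name_ver' string."""
    if style == "deb":
        return pkg.split("_", 1)[0]
    return re.split(r"-(?=\d)", pkg, maxsplit=1)[0]

def parse_nessus_csv(text: str, level: str = "critical") -> dict:
    """Return {host: {package: fixed_version_string}} for findings at `level`."""
    wanted = LEVELS[level]
    plan = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(text)):
        if row["Risk"] not in wanted:      # Medium/Low/None findings are skipped
            continue
        for style, pattern in _PKG_PATTERNS:
            for _installed, fixed in pattern.findall(row["Plugin Output"]):
                plan[row["Host"]][package_name(fixed, style)] = fixed
    return dict(plan)
```

The returned mapping is what a Salt runner would hand to pkg.install per minion; duplicate findings for the same package collapse onto one entry.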
UsedToLikeThisStuff@reddit
We use OSquery to track Linux desktop/laptops.
It has an expressive API if you want to generate queries and set policies, although it is only for tracking and you can’t use it to manage systems.
TheFluffiestRedditor@reddit
I wish I'd known about this 8 years ago when my then-employer wanted this information. That looks really nifty.
_BoNgRiPPeR_420@reddit
We use Azure Arc. It requires an agent.
hlamark@reddit
Have a look at orcharhino. It is an enterprise class downstream product of Foreman/Katello like RedHat Satellite but has support for basically every enterprise Linux distro.
agent-squirrel@reddit
We use Red Hat Satellite because we are a RHEL university. The upstream project is called Foreman.
ashwanipaliwal@reddit
SecOps Solution (https://secopsolution.com) might be a good fit. It’s cost-effective, covers vulnerability and patch management, custom scripts, and software deployment without any minimum device requirements.
krackout21@reddit
ManageEngine's Patch Manager Plus. It supports lots of Linux distros, but I think the server it needs to be installed on (its own server) must be Windows. So it's a no-go for a Linux-only shop.
To be honest, the same task can be accomplished by Ansible alone, that's how I've done it in the past in other companies. I use Patch Manager Plus because it's a company decision, managing Windows Server patching also.
LevelHQ@reddit
You should look at Level.io. It's a unified endpoint management solution for Windows, Mac, and Linux for patching, security posture, monitoring and remote control. It also leverages osquery as some others have mentioned.
os400@reddit
We're using Puppet to push and enforce configuration, and osquery via FleetDM to ensure endpoints are in a state we're happy with.
6stringt3ch@reddit
I use Foreman. If you're familiar with Spacewalk though, Uyuni might be worth looking at.
Foreman does a great job if you are a Red Hat/Rocky/Alma shop since their repos contain errata that you can report on. I've not been able to get this working for Debian-based distros.
Hotshot55@reddit
Do you have any sort of standard for OSs that you will be supporting or is everyone just doing their own thing?
Are you just wanting to update to whatever latest versions of packages are available, or are you wanting to create and manage your own repos to keep environments in sync?
hilltop_yodeler@reddit (OP)
At this time, across the university, users who are using Linux for desktop use are doing their own thing. As one of the Linux users within the ecosystem, my hope is that it will stay that way so folks can still enjoy the freedom of choice and not get boxed into using a specific distro.
Mostly checking for updates. Not wanting to manage our own repos to my knowledge. This is likely what central IT is wanting:
Hotshot55@reddit
Having no set standard and users in control will make some of this sort of impossible. Like how would you define "latest version" if someone is using a rolling release distro? If you can standardize in any way you'll have a much better time.
However, it sounds like you're not 100% certain on the requirements so I would suggest getting those straightened out first so you know what your needs are. Some of what you listed could be handled by a simple shell script instead of setting up a whole Foreman + Katello instance or paying for Satellite 6.
PCI compliance is a whole different ballpark though, you're not going to get that sorted with any type of patch management solution.
hilltop_yodeler@reddit (OP)
Makes sense, thank you!
z-null@reddit
Are these linux machines university property?
hilltop_yodeler@reddit (OP)
In most cases, yes. Machines are usually purchased/owned by the college/department that the individual works for. User machines are not owned by central IT, but central IT manages our campus domain and all security across campus.
PudgyPatch@reddit
Ansible for our stuff, Puppet for full system patching.
npaladin2000@reddit
Foreman looks interesting but you need Ansible to push out repos. We were also looking at NinjaOne, looked interesting but was a little overkill for us. Maybe bout for you though. It's multi-platform.
Hotshot55@reddit
You want Foreman and the Katello plugin if you're going to be doing repo/patch/content management. Foreman itself is just for lifecycle management.