Conceptually, applying patches should be simple: identify the systems that are vulnerable and patch them. In practice, however, things are rarely that straightforward. Your fleet might conceivably have thousands of vulnerabilities needing to be patched, but not all of them are high priority or even relevant. You might not know whether patching systems will break critical business applications. On top of this, you only have a small team of system administrators responsible for tens of thousands of systems. You started with a patching problem, and what you actually have is a risk management problem. And risks are not absolute. Fortunately, the Chef Automate platform can help you identify unpatched systems, prioritize them by severity, remediate them by integrating Chef Infra with best-of-breed patch databases like WSUS, and help your team visualize your progress towards improving patch compliance.
Managing the risks of patching
To start patching your software effectively, it’s important to understand exactly what risks are involved, and have a plan to ensure that patches are applied safely and efficiently across your estate. The risks involved with software patching can be broadly grouped into three distinct categories:
- The Risk of Unpatched Systems: Where is software out of date, and what patches are available for update?
- The Risk of Applying Patches: Will updating software negatively impact my applications?
- The Risk of Incomplete Visibility: Have my patches been applied to every system that requires them?
With Infra you have the tools to evaluate all three of these risks, and to start applying patches with confidence across your estate. First, there's the risk of not patching. This is what drives us to implement patching workflows, so that our environments are protected from vulnerabilities and outdated software. However, it's balanced by the opposing risk of applying patches. Whether you're updating system libraries on a production webserver, or installing new printer drivers on your home computer, each update can come with unexpected consequences. Software updates must be evaluated, lest they impact the operation of your applications, and that takes care and planning. Finally, there remains the risk of incomplete visibility into your estate. Particularly as environments grow, organizations have more and more systems that need to be patched, and the only thing worse than not being able to apply a patch is not being able to validate whether the patch was successfully consumed by your entire fleet. While daunting, these challenges are not insurmountable. With Infra you have the ability to determine where patches are required, safely apply updates in pre-production environments before promoting them, and maintain visibility into the status of every server, VM, and service you're responsible for at any time.
With InSpec, you can:
Identify Unpatched Systems. Built-in InSpec profiles defining patching baselines for Linux and Windows can be used to scan your environments and learn which software packages are out of date with the push of a button.
Practice Continuous Compliance. InSpec can scan systems ad hoc for real-time feedback, or continuously, so that you always know when new patches are available or when configuration changes have impacted your overall compliance.
Scan Any System, in Any Environment. Environments managed by Infra can use the audit cookbook to ensure InSpec scans run whenever Infra does. InSpec can also scan systems agentlessly over SSH or WinRM, ensuring you can evaluate any system at any time.
With Infra, you can:
Integrate with Patching Tools. With resources for integrating with RedHat Subscription Manager (RHSM) or Windows Server Update Service (WSUS), you can configure and manage package repositories quickly and consistently.
Apply Updates to Environments. Infra’s easy-to-learn language can be used to ensure consistent update schedules across environments, enforce configuration state to harden system security, and install one-off or critical patches as emerging vulnerabilities necessitate.
Eliminate Drift & Duplication. Infra is designed to run regularly, and only takes action if systems differ from their desired state. What's more, Infra code is dynamic, and can take role-, platform-, or environment-specific action without requiring processes to be rewritten for each permutation.
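The scan-then-remediate loop described in the InSpec and Infra sections above, as an added example in plain Ruby that is not code from Chef or from the dev-sec project. It parses the output of the two commands the dev-sec Linux patching baseline inspects (`apt-get -s upgrade` and `yum check-update`), then applies an environment-specific policy of the kind an Infra recipe would express with `node.chef_environment`. The command output, node names, and the rule that a source containing "security" marks a security update are all constructed assumptions for the example.

```ruby
# Added example, not Chef's or dev-sec's code: models "detect pending updates,
# decide what to apply per environment, report fleet-wide gaps" in plain Ruby.
require 'set'

PendingUpdate = Struct.new(:name, :installed, :candidate, :source)

# Constructed `apt-get -s upgrade` output (Debian/Ubuntu). The simulation
# lists what would be installed without touching the system.
APT_SIMULATION = <<~OUT
  Reading package lists...
  Building dependency tree...
  Inst libssl3 [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security [amd64])
  Conf libssl3 (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security [amd64])
  Inst vim [2:8.2.3995-1ubuntu2.11] (2:8.2.3995-1ubuntu2.15 Ubuntu:22.04/jammy-updates [amd64])
  Conf vim (2:8.2.3995-1ubuntu2.15 Ubuntu:22.04/jammy-updates [amd64])
OUT

# Constructed `yum check-update` output (RHEL family). It does not print the
# installed version, and a repo name alone does not say whether an update is
# a security fix; `yum updateinfo list security` would be needed for that.
YUM_CHECK_UPDATE = <<~OUT
  Loaded plugins: product-id, subscription-manager

  kernel.x86_64          4.18.0-477.27.1.el8_8     rhel-8-baseos-rpms
  openssl-libs.x86_64    1:1.1.1k-9.el8_7          rhel-8-baseos-rpms
OUT

# Keep only "Inst <pkg> [<installed>] (<candidate> <source> ...)" lines; the
# matching "Conf" lines repeat the same package and are skipped.
def parse_apt_simulation(text)
  text.each_line.filter_map do |line|
    m = line.match(/^Inst (\S+) \[([^\]]+)\] \(([^\s)]+) (\S+)/)
    PendingUpdate.new(m[1], m[2], m[3], m[4]) if m
  end
end

# Keep only "<name>.<arch>  <candidate>  <repo>" lines; header and blank
# lines are skipped. Installed version is unknown from this command.
def parse_yum_check_update(text)
  text.each_line.filter_map do |line|
    m = line.match(/^(\S+)\.(x86_64|i686|aarch64|noarch)\s+(\S+)\s+(\S+)\s*$/)
    PendingUpdate.new(m[1], nil, m[3], m[4]) if m
  end
end

# Assumption for this example: an update is a security update when its source
# pocket or repo name contains "security" (true of Ubuntu's *-security pockets).
def security_update?(update)
  update.source.to_s.include?('security')
end

# Environment-specific policy: dev takes every pending update so breakage
# surfaces early; prod takes only security updates whose package was already
# validated in dev. Returns the package names a recipe would hand to
# `package ... action :upgrade`.
def select_updates(pending, environment:, validated_in_dev: Set.new)
  case environment
  when 'dev'  then pending.map(&:name)
  when 'prod' then pending.select { |u| security_update?(u) && validated_in_dev.include?(u.name) }.map(&:name)
  else raise ArgumentError, "unknown environment #{environment.inspect}"
  end
end

# Fleet view: given { node_name => [PendingUpdate, ...] }, name the nodes that
# still have a security update pending, the list a dashboard should show first.
def nodes_missing_security_updates(fleet)
  fleet.select { |_node, pending| pending.any? { |u| security_update?(u) } }.keys.sort
end

if __FILE__ == $PROGRAM_NAME
  apt = parse_apt_simulation(APT_SIMULATION)
  yum = parse_yum_check_update(YUM_CHECK_UPDATE)
  puts "dev would upgrade:  #{select_updates(apt, environment: 'dev').join(', ')}"
  puts "prod would upgrade: #{select_updates(apt, environment: 'prod', validated_in_dev: Set['libssl3']).join(', ')}"
  puts "nodes needing security updates: #{nodes_missing_security_updates('web01' => apt, 'db01' => yum).join(', ')}"
end
```

Run with `ruby patch_policy.rb`. The prod branch deliberately returns nothing until a package has been through dev, which is the "apply in pre-production before promoting" rule from the text; the yum node never shows as needing a security update because `yum check-update` alone cannot classify updates, which is exactly the visibility gap a separate `updateinfo` query (or the RHSM errata resources) closes.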
With Habitat, you can:
Validate Software Versions. Habitat artifacts can be run on traditional servers or natively exported to containers. Either way, running Habitat applications have their dependencies dynamically linked, and can be queried via a Supervisor API to determine exactly what versions of libraries are running in each application or microservice.
Manage Diverse Requirements. On traditional systems, updates to core libraries, like glibc, can be difficult when different components of your application have differing requirements. Rather than letting the weakest link in your application stack define your patch level, each component packaged with Habitat has its dependencies isolated, allowing updates to be applied everywhere they can be consumed.
Automate Application Builds. Habitat allows automatic dependent rebuilds of applications. This means that if an upstream dependency is updated, Habitat can automatically generate new artifacts for any dependent applications. Any non-impacting updates can then be quickly and easily promoted, and updates requiring development work can be identified and prioritized accordingly.
Automate’s dashboards provide aggregated and filterable insights into your environments’ current state, as well as a full history of change over time with trend graphs and historical audit and configuration reports. Automate integrates with Infra’s open-source tools so that your patching scans and remediations are all tracked and audited through the Automate UI.
Automate also comes pre-loaded with the dev-sec Patching Baseline InSpec profiles, and supports in-GUI agentless scanning, making it easier than ever to determine your current patch level. Also included are security benchmarks based on industry standards like CIS and DISA STIGs, so that systems can be prioritized for hardening as well as patching; these are the first step towards formal regulatory compliance.
With Automate, you can ensure continuous visibility into whether and where systems need patching, and combined with InSpec and Infra, you can make sure that those systems stay patched regardless of how often you deploy new content or environments. Automate provides everything you need to deploy with unparalleled speed and efficiency, all without increasing the risk to the environments you manage.