Linux/UNIX Compliance and Patch Management with Microsoft System Center 2012 R2
Thorsten Henking, Microsoft
Russ B. Ernst, Lumension
DCIM-B342

Objectives
• Understand System Center's Linux and UNIX patch management capabilities
• Gain deep knowledge of the partner products that integrate with System Center 2012 R2
• Learn how to manage the compliance state of the heterogeneous datacentre with System Center 2012 R2, natively or in combination with partner products
Linux/UNIX Management Functionality

Operations Manager: monitor operations
• Monitor Linux OS health & performance
• Monitor log files
• Monitor JEE app servers
• Monitor line-of-business applications
• Monitor databases and web servers
• Audit security events

Configuration Manager: deploy software
• Inventory hardware
• Inventory installed applications
• Create collections based on inventory
• Distribute and install software to Linux OS
• Report on inventory and software distribution
• Endpoint Protection (anti-virus)

Virtual Machine Manager: manage a private cloud
• Personalize Linux OS instances when deploying
• Use service templates for multi-tier deployments
• Scale out using service templates
• Live migrate Linux across Hyper-V hosts

Orchestrator: automate IT processes
• Tie together System Center components
• Runbooks interact with Linux/UNIX computers via 'ssh'
• Execute arbitrary Linux/UNIX shell command lines

Data Protection Manager: back up VMs
• Live backup of Linux VMs
• Backups with file system consistency
• Restore Linux VMs (no item level restore)

Windows Azure Pack: tenant/user portal
• Deploy Linux VM from template into a private cloud
• Monitor VM resource usage
• UI style and concepts match Azure public cloud portal
Configuration Manager Offerings
A. Automatically download patches and patch metadata from a repository on the web – Microsoft Update in the case of Windows
B. Deploy patches to managed Windows computers, within maintenance windows, reporting success/failure
C. Report all-up patch compliance for managed Windows computers
Native ConfigMgr does only (B) for Linux/UNIX computers, using Software Distribution.

Linux/UNIX Patching Characteristics
• Enterprise distributions
• Pay for software maintenance
• Many dependencies between software packages
Scenario #1
You are the IT admin of Contoso, responsible for security on 100 SUSE Linux Enterprise Servers.
There is a security update for SSL available and you want to deploy this individual patch to a specific set of computers.

Scenario #1 Solution Overview
Characteristic | Scenario #1 – Single Patch Install
Content distribution | Uses ConfigMgr content distribution infrastructure (i.e., DPs)
Servers require access only to local content repositories – no Internet access needed |
Obeys ConfigMgr maintenance windows |
Comprehensive compliance reporting |
Automatically resolves patch dependencies |
Uses inventory data to target deployments |
Scenario #2
You are the IT admin of Contoso, responsible for security on 100 SUSE Linux Enterprise Servers.
All servers should install all updates that are recommended by SUSE's security advisory team.

Scenario #2 Solution Overview
Characteristic | Scenario #2 – Native Updates Install
Content distribution | Configurable to use Internet repository or a separately maintained local replica
Servers require access only to local content repositories – no Internet access needed | Depends on repository configuration
Obeys ConfigMgr maintenance windows |
Comprehensive compliance reporting |
Automatically resolves patch dependencies |
Uses inventory data to target deployments |
Scenario #3
You are the IT admin of Contoso, responsible for security on 100 SUSE Linux Enterprise Servers.
All servers should install all updates that are recommended by SUSE's security advisory team, and you want a report on which updates are installed or not installed.

Scenario #3 Solution Overview
Characteristic | Scenario #3 – Native Install + Reporting
Content distribution | Configurable to use Internet repository or a separately maintained local replica
Servers require access only to local content repositories – no Internet access needed | Depends on repository configuration
Obeys ConfigMgr maintenance windows |
Comprehensive compliance reporting | with custom solution
Automatically resolves patch dependencies |
Uses inventory data to target deployments |
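The "custom solution" that Scenarios #2 and #3 rely on is a script that ConfigMgr software distribution runs on each SUSE server: install the pending patches natively with zypper, re-assess, and hand back a compliance line and an exit code that the deployment status can report. The script below is an added example, not code from the session or from Microsoft, SUSE or Lumension; it assumes the zypper 1.x list-patches column layout (Repository | Name | Version | Category | Status), and the log path is made up for the example.

```shell
#!/bin/sh
# Added example (not from the session deck): a script a ConfigMgr software
# distribution could run for Scenarios #2/#3. It installs the pending SUSE
# patches natively with zypper, then re-assesses and emits a compliance line
# plus an exit code the deployment status can report on. Assumed: zypper 1.x
# list-patches columns (Repository|Name|Version|Category|Status); log path is made up.

# count_pending CATEGORY  (reads zypper list-patches output on stdin)
# Prints how many rows have Category CATEGORY and Status "needed".
count_pending() {
    awk -F'|' -v want="$1" '
        NF >= 5 {                       # header and data rows; separator row has NF == 1
            for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i)   # trim cells
            if ($4 == want && $5 == "needed") n++
        }
        END { print n + 0 }'
}

# compliance_state SECURITY_PENDING RECOMMENDED_PENDING
# Prints compliant/noncompliant and returns 0/1, so ConfigMgr records success
# only when nothing SUSE recommends is still outstanding.
compliance_state() {
    if [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then echo compliant; return 0; fi
    echo noncompliant
    return 1
}

# Constructed sample of zypper list-patches output (not captured from a host).
SAMPLE_LIST_PATCHES='Repository         | Name              | Version | Category    | Status
-------------------+-------------------+---------+-------------+--------
SLES11-SP3-Updates | slessp3-openssl   | 8341    | security    | needed
SLES11-SP3-Updates | slessp3-kernel    | 8290    | security    | needed
SLES11-SP3-Updates | slessp3-glibc     | 8102    | security    | applied
SLES11-SP3-Updates | slessp3-yast2     | 8200    | recommended | needed
SLES11-SP3-Updates | slessp3-gnome-doc | 8155    | optional    | needed'

# Real run only when invoked with --run on a SUSE host (never during a dry check).
if [ "${1:-}" = "--run" ]; then
    zypper --non-interactive refresh
    zypper --non-interactive patch
    rc=$?   # 102 = reboot needed, 103 = zypper itself was updated: still a success
    case $rc in 0|102|103) ;; *) exit "$rc" ;; esac
    after=$(zypper --non-interactive list-patches)
    sec=$(printf '%s\n' "$after" | count_pending security)
    rec=$(printf '%s\n' "$after" | count_pending recommended)
    printf '%s security_pending=%s recommended_pending=%s state=%s\n' \
        "$(hostname)" "$sec" "$rec" "$(compliance_state "$sec" "$rec" || true)" \
        >> /var/log/contoso-patch-compliance.log
    compliance_state "$sec" "$rec" >/dev/null
fi
```

Run without arguments the script only defines the functions and the constructed sample, so it can be checked on any host; the appended log line is what a ConfigMgr report or script would collect for the Scenario #3 compliance view.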
Lumension Patch Manager DataCenter
• Integrated extension for Microsoft System Center: provides Linux and UNIX server patching, remediation, centralized visibility, control and reporting from a single management console
• Automated Linux/UNIX patch downloads: centralized patch content repository and vendor license management
• Aggregated compliance reporting: complete view of compliance and security posture for Linux and UNIX operating systems
Lumension Supported Operating Systems
Linux
• Red Hat Enterprise Linux: versions 4, 5, 6 (x86 and x64)
• SUSE Linux: version 9 (x86), version 10 SP1 (x86 and x64), version 11 SP1 (x86 and x64)
• CentOS: CentOS 5 and 6 (x86/x64)
• Oracle Linux: Oracle Linux 5 and 6 (x86/x64)
UNIX
• Solaris: version 9 (SPARC), version 10 (x86 and SPARC), version 11 (x86 and SPARC)
• IBM AIX: AIX 5.3, 6.1, and 7.1 (POWER)
• HP-UX: HP-UX 11i v2 and 11i v3 (PA-RISC & Itanium)
• Mac OS: Mac OS X 10.7, 10.8, and 10.9 (Intel)
Lumension Patch Content Delivery
[Diagram; components shown: IT (single admin console); Application Server and Database (automatic patch download, centralized repository, credential management); Update Metadata; Update Remediation Binaries; Lumension Licensing (vendor license validation); Global Subscription Server (GSS); Vendor Websites]
Patch Management Workflow
1. Discover: deploy the Lumension Patch Manager Agent with the included System Center deployment package
2. Assess: assess security risk – view vulnerabilities and security configurations on all managed assets
3. Prioritize: prioritize threats and mitigation actions to increase the organization's security posture
4. Remediate: remediate vulnerabilities for datacenter platforms; mitigate risk with custom remediations
5. Report: comprehensive reporting across the entire enterprise network from a single console

Lumension Patch Manager DataCenter
System requirements
• Requires a dedicated server for patch content mirroring
• Requires an agent on each managed server for patch detection and deployment
• Separate RBAC and collection (group) model
Future outlook
• Synchronize System Center collections into Lumension groups
• Respect System Center maintenance windows
Additional resources: www.lumension.com/system-center
Lumension Solution Overview
Characteristic | Lumension
Content distribution | Lumension Server
Servers require access only to local content repositories – no Internet access needed |
Obeys ConfigMgr maintenance windows | Planned for future version
Comprehensive compliance reporting |
Automatically resolves patch dependencies |
Uses inventory data to target deployments | Separate inventory/group mechanism
SUSE Manager Integration with OpsMgr
• View a list of all Linux servers entitled to a selected list of critical and optional updates and patches
• Get alerts for all outdated or critical updates available for Linux servers (health threshold state)
• Schedule maintenance tasks to run updates on a specific Linux server or group of Linux servers

Scenario
You are the IT admin of Contoso and the main OpsMgr administrator for Windows.
The Linux team has a separate management solution. Due to cost savings and compliance requirements, your management wants you to patch and be responsible for these Linux computers.
But you have no expertise in Linux…
SUSE Manager Solution Overview
Characteristic | SUSE Manager
Content distribution | Local repository on SUSE Manager server
Servers require access only to local content repositories – no Internet access needed |
Obeys ConfigMgr maintenance windows | No (OpsMgr-based solution)
Comprehensive compliance reporting | via SUSE Manager
Automatically resolves patch dependencies |
Uses inventory data to target deployments | Separate inventory thru SUSE Manager
Solution Comparison
Characteristic | Scenario #1 – Single Patch Install | Scenario #2 – Native Updates Install | Scenario #3 – Native Install + Reporting | Lumension | SUSE Manager
Content distribution | ConfigMgr content distribution infrastructure (i.e., DPs) | Configurable to use Internet repository or a separately maintained local replica | Configurable to use Internet repository or a separately maintained local replica | Lumension Server | Local repository on SUSE Manager server
Servers require access only to local content repositories – no Internet access needed | | Depends on repository configuration | Depends on repository configuration | |
Obeys ConfigMgr maintenance windows | | | | Planned for future version | No (OpsMgr-based solution)
Comprehensive compliance reporting | | | (with custom solution) | | (via SUSE Manager)
Automatically resolves patch dependencies | | | | |
Uses inventory data to target deployments | | | | Separate inventory/group mechanism | Separate inventory thru SUSE Manager
Key Learnings: Best of Both Worlds
• Reduce cost: leverage your investment in existing infrastructure, including software, hardware and expertise
• Save time: Windows and Linux patch management can be done from the same console rather than splitting time between silos
• Minimize risk: improved efficiency in the patching and updating process translates into lower risk of failure via a missed or incorrectly applied patch; prevents patch management "blind spots"
Related content
• DCIM-B217 How Windows Admins Manage Linux with Windows Server 2012 R2 Hyper-V and Microsoft System Center 2012 R2
• DCIM-H326 Managing Linux Servers with Microsoft System Center 2012 R2
• PCIT-B336 Managing Mac OS X Clients and Linux Servers Using Microsoft System Center Configuration Manager
• PCIT-H311 Implementing Linux Clients in Microsoft System Center 2012 R2 Configuration Manager
Find Me Later At TechExpo
Come visit us in the Microsoft Solutions Experience! Look for Datacenter and Infrastructure Management, TechExpo Level 1, Hall CD.
For More Information
• Windows Server 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205286
• Microsoft Azure: http://azure.microsoft.com/en-us/
• System Center 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205295
• Azure Pack: http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack

Resources
• Learning (Microsoft Certification & Training Resources): www.microsoft.com/learning
• msdn (Resources for Developers): http://microsoft.com/msdn
• TechNet (Resources for IT Professionals): http://microsoft.com/technet
• Sessions on Demand: http://channel9.msdn.com/Events/TechEd
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.