Thursday, March 14, 2013

OSG article on their use of Pakiti to manage patching

An important part of operating a trustworthy cyberinfrastructure software stack is managing security patches for that software. Kevin Hill of the OSG Security team wrote an article in the February OSG Newsletter on OSG's use of Pakiti. Kevin's article follows (republished with permission).

Introducing Pakiti

Pakiti is a Web-based application you can set up for your site that summarizes the patching status of machines at your site. Pakiti also knows about security-specific updates, and can show which systems need security updates vs. other software updates, as well as link to the relevant CVEs to easily see which vulnerabilities apply to your systems and how critical these vulnerabilities are. CVE (Common Vulnerabilities and Exposures) is a dictionary of publicly known information security vulnerabilities and exposures kept by mitre.org. Pakiti does not install any updates itself.

Pakiti was developed at CERN, and is now available in the OSG v3 software release. The OSG security team has been running a central Pakiti server to monitor a few different hosts at various sites, and now any OSG site can set up their own Pakiti server without making their sites’ vulnerability information available off site. The Pakiti client that is installed on monitored systems is a simple bash script that should not interfere with normal operations. The data sent to your site's Pakiti server is essentially the output of 'rpm -qa', as well as the operating system release version.

The Pakiti homepage is http://pakiti.sourceforge.net. OSG-specific installation instructions are available at: https://twiki.grid.iu.edu/bin/view/Documentation/Release3/PakitiInstallation

~Kevin Hill, OSG Security Team
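To make the data flow described in the article concrete, here is an added example (not Pakiti's own code, and not written by the OSG team) of what a server does with what the client sends: it takes the output of `rpm -qa` plus the OS release, compares each installed package against an advisory feed, and splits the results into security updates with their CVE links versus other updates. The advisory feed, the `el6` release label, the package versions and the `CVE-PLACEHOLDER-*` identifiers are all constructed for illustration; the version comparison is a simplified reimplementation of rpm's `rpmvercmp` that omits its `~` and `^` rules.

```python
"""Pakiti-style patch-status summary for one host (added illustration, not Pakiti's code).

Input is what the article says the client sends: the output of 'rpm -qa' plus the
OS release.  The advisory feed is constructed here; a real server loads vendor errata.
"""
import re
from itertools import zip_longest

# NEVRA pattern for 'rpm -qa' lines: name-[epoch:]version-release.arch
NEVRA_RE = re.compile(
    r"^(?P<name>.+)-(?:(?P<epoch>\d+):)?(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$"
)

# Constructed advisory feed keyed by OS release; fixed versions and CVE ids are placeholders.
ADVISORIES = {
    "el6": [
        {"fixed": "openssl-1.0.1e-16.el6.x86_64", "security": True,
         "severity": "critical", "cves": ["CVE-PLACEHOLDER-0001"]},
        {"fixed": "bash-4.1.2-15.el6.x86_64", "security": True,
         "severity": "important", "cves": ["CVE-PLACEHOLDER-0002"]},
        {"fixed": "vim-common-7.2.411-1.8.el6.x86_64", "security": False,
         "severity": None, "cves": []},
    ]
}

# Constructed 'rpm -qa' output from a hypothetical monitored host.
SAMPLE_RPM_QA = """\
openssl-1.0.1e-15.el6.x86_64
bash-4.1.2-15.el6.x86_64
vim-common-7.2.411-1.6.el6.x86_64
kernel-2.6.32-358.el6.x86_64
tzdata-2013b-1.el6.noarch
gpg-pubkey-c105b9de-4e0fd3a3
"""


def parse_nevra(line):
    """Split one rpm -qa line into its fields; None for lines without an arch."""
    m = NEVRA_RE.match(line.strip())
    if not m:
        return None
    return {"name": m["name"], "epoch": int(m["epoch"] or 0),
            "ver": m["ver"], "rel": m["rel"], "arch": m["arch"]}


def _segments(s):
    # rpm compares alternating numeric and alphabetic runs; other characters only separate them.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1. Ignores rpm's '~' and '^' rules."""
    if a == b:
        return 0
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x is None:
            return -1          # b has segments left over, so b is newer
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():
            return 1           # a numeric segment sorts after an alphabetic one
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    return 0


def compare_evr(p, q):
    """Order two parsed packages by epoch, then version, then release."""
    if p["epoch"] != q["epoch"]:
        return 1 if p["epoch"] > q["epoch"] else -1
    return rpmvercmp(p["ver"], q["ver"]) or rpmvercmp(p["rel"], q["rel"])


def patch_status(os_release, rpm_qa_output, advisories=ADVISORIES):
    """Summarize one host: which advisories apply, split into security and other updates."""
    installed, skipped = {}, []
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        pkg = parse_nevra(line)
        if pkg is None:
            skipped.append(line.strip())   # e.g. gpg-pubkey-* entries carry no arch
            continue
        installed[(pkg["name"], pkg["arch"])] = pkg
    report = {"security": [], "other": [], "skipped": skipped}
    for adv in advisories.get(os_release, []):
        fixed = parse_nevra(adv["fixed"])
        cur = installed.get((fixed["name"], fixed["arch"]))
        if cur is None or compare_evr(cur, fixed) >= 0:
            continue   # not installed, or already at or past the fixed version
        report["security" if adv["security"] else "other"].append({
            "name": fixed["name"],
            "installed": f'{cur["ver"]}-{cur["rel"]}',
            "fixed": f'{fixed["ver"]}-{fixed["rel"]}',
            "severity": adv["severity"],
            "cves": adv["cves"],
            # Link format of MITRE's CVE lookup page, as the article's "link to the relevant CVEs".
            "links": [f"https://cve.mitre.org/cgi-bin/cvename.cgi?name={c}" for c in adv["cves"]],
        })
    return report


if __name__ == "__main__":
    r = patch_status("el6", SAMPLE_RPM_QA)
    for kind in ("security", "other"):
        for e in r[kind]:
            print(f"{kind:8} {e['name']:12} {e['installed']} -> {e['fixed']} "
                  f"{e['severity'] or ''} {' '.join(e['cves'])}")
    print("skipped:", r["skipped"])
```

Run as-is, the sample host shows `openssl` as a critical security update and `vim-common` as a plain software update, while `bash` is already at the fixed release and the `gpg-pubkey` pseudo-package is reported as skipped rather than silently dropped. The comparison goes slightly beyond the article's description in that it handles epochs and `noarch` packages and keys matches on name plus architecture, so a multilib host with both `i686` and `x86_64` copies of a library is checked per copy.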