The bread and butter of Landscape is security compliance – keeping your systems securely up to date with minimum effort, and remedying any unintended side-effects an update may have. Helping your CIO prove this was done in a timely manner is a neat additional capability that can save the IT team the need to scrub logs to create reports.
“Help me keep my Ubuntu systems compliant with the latest security updates” is a common request I hear from frustrated System Administrators. Landscape was designed with compliance in mind from the start, but since I have explained and demonstrated this countless times to many customers in person, I thought I’d share the benefits of managing updates through Landscape with a larger audience.
The “freshness” of Ubuntu, this wonderful ability to find any and all software, in the latest version, always readily packaged for your favorite distribution, comes with a constant stream of updates that need to be managed.
To start, let’s first approach this using a reactive method and finish with a proactive approach that will keep our systems compliant going forward.
In Landscape, select the “COMPUTERS” tab.
Under Select Computers choose “All” as shown below. In my case, I have 5 servers but you could have any number of physical servers, desktops, virtual machines or cloud guests under management in your account.
Select the “Packages” tab on the right:
In the Summary section of my example, I have a “3 computers with security updates to install” link. You could have hundreds, thousands or even tens of thousands of managed systems – the strength of Landscape’s interface is how it makes it as simple to manage a thousand systems as it is to manage one.
Landscape lets you easily distinguish security updates from feature updates and bug fixes – so if you want to reduce the number of changes you push to your systems, or to schedule a different maintenance event for less urgent updates, this is easily done.
Select the link to get a complete list of security fixes and select “All upgrades.” This will toggle the install selection of all the security updates listed – Landscape lets you select a different behavior for each of the security updates listed, from the same overview screen. One could, for example, select to uninstall cups altogether if the vulnerable systems do not support any actual printing. This is done through the three buttons on the left.
The selected action is reflected in the color change:
Scroll to the bottom of the screen and select Apply Changes. You can apply the updates right away or select a future date and time. As an aside, I strongly recommend using Landscape’s system tagging feature for rolling updates and avoiding regressions, by grouping similar systems together based on their workloads.
At this point all our systems will have the latest Ubuntu security updates installed shortly.
Now let’s examine how to keep systems current proactively by using Landscape’s package profiles feature. From the Landscape tab, select Profiles.
In the next window, select Upgrade Profiles.
Click on “Add update profile” and fill in the required fields. The title of this profile is “Ubuntu Security Updates” but you could name your profile whatever you want. We have checked the “only security updates” box so this profile won’t apply feature updates or bug fixes, and requested the packages be applied on all systems at 2am every Sunday. Click the Save button and it will take effect.
Profiles are editable, and you can combine profiles with Landscape’s system tags for granular control of the update process. A common example is using different scheduled update profiles for roaming devices: you could mandate after-hours updates for the laptops of your sales team to enforce your security policy, yet make sure that no lingering Landscape tasks interfere with their work hours if the systems were offline or powered off overnight.
Sometimes, an update does not go exactly as planned. Packages are hardly ever defective on their own, but sometimes an update may have an unintended side effect on your workload, and you need to roll back the patch you just installed to continue operating until a more complete or fully functional solution can be devised.
Landscape makes this remarkably easy. Searching for and selecting the offending package is done in the packages tab, and expanding the details section will show which managed devices have the package installed, and which versions it can be reverted to. Once you are ready to commit, the downgrade process is just as streamlined as the upgrade.
Many of our customers have Compliance or Governance requirements: they need to prove to an oversight body, either internally to their company or externally to a certification authority, that systems were kept secure. The most common example of this is the PCI DSS rule requiring security updates be rolled out within 30 days of release.
You can help your CIO fulfill these requirements effortlessly, by providing her with a CSV or a chart showing the current state of update of your infrastructure, generated using Landscape’s reporting functionality:
Even when no security audits have to be met, folks are pretty happy when you show a high percentage of systems are securely patched and you can justify the groups of systems that have yet to be covered. Auditing is awesome, as it generates CSV data and charts without requiring you to spend any cycles sifting through logs gathering details.
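To make the 30-day rule concrete, here is an added example (not part of the original article and not Landscape code) that checks exported update data against that window. The column names and sample rows are assumptions constructed for illustration; they are not the layout of Landscape’s CSV report.

```python
import csv
import io
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=30)  # the PCI DSS window cited in the article

# Constructed sample data. The columns are hypothetical, chosen for this
# example; adapt them to whatever your own report export contains.
SAMPLE_CSV = """computer,package,fix_released,fix_installed
web01,openssl,2024-03-01,2024-03-05
web01,cups,2024-03-10,
db01,openssl,2024-03-01,2024-04-15
db01,bash,2024-04-01,
laptop07,openssl,2024-03-01,2024-03-31
"""


def audit(csv_text, as_of):
    """Return (all computers, {computer: [(package, days_open), ...]}).

    A fix is late when it was installed more than 30 days after release,
    or is still pending more than 30 days after release on the audit date.
    """
    computers, late = set(), {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        computers.add(row["computer"])
        released = date.fromisoformat(row["fix_released"])
        # Empty fix_installed: the update is still pending, so measure to as_of.
        installed = row["fix_installed"].strip()
        closed = date.fromisoformat(installed) if installed else as_of
        age = closed - released
        if age > PATCH_WINDOW:
            late.setdefault(row["computer"], []).append((row["package"], age.days))
    return computers, late


def compliance_rate(csv_text, as_of):
    """Percentage of computers with no fix outside the 30-day window."""
    computers, late = audit(csv_text, as_of)
    if not computers:
        return 100.0  # nothing under management, nothing out of compliance
    return 100.0 * (len(computers) - len(late)) / len(computers)


if __name__ == "__main__":
    audit_date = date(2024, 4, 20)
    for host, items in sorted(audit(SAMPLE_CSV, audit_date)[1].items()):
        print(host, items)
    print(f"{compliance_rate(SAMPLE_CSV, audit_date):.1f}% compliant")
```

A pending update that is still inside the window (bash on db01 here) does not count against the host, while a fix installed late stays on the record even though the system is now patched.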