Monitor Linux OS health & performance Monitor log files Monitor JEE app servers Monitor...


Linux/UNIX Compliance and Patch Management with Microsoft System Center 2012 R2

Thorsten Henking - Microsoft
Russ B. Ernst - Lumension

DCIM-B342

Objectives
• Understand System Center’s Linux and UNIX patch management capabilities
• Deep knowledge of partner products that integrate with System Center 2012 R2
• Learn how to manage the compliance state of the heterogeneous datacentre with System Center 2012 R2, natively or in interaction with partner products

System Center 2012 R2 and Linux/UNIX

Linux/UNIX Management Functionality

Operations Manager: Monitor operations
• Monitor Linux OS health & performance
• Monitor log files
• Monitor JEE app servers
• Monitor line-of-business applications
• Monitor databases and web servers
• Audit security events

Configuration Manager: Deploy software
• Inventory hardware
• Inventory installed applications
• Create collections based on inventory
• Distribute and install software to Linux OS
• Report on inventory and software distribution
• Endpoint Protection (anti-virus)

Virtual Machine Manager: Manage a private cloud
• Personalize Linux OS instances when deploying
• Use service templates for multi-tier deployments
• Scale out using service templates
• Live migrate Linux across Hyper-V hosts

Linux/UNIX Management Functionality

Orchestrator: Automate IT Processes
• Tie together System Center components
• Runbooks interact with Linux/UNIX computers via ‘ssh’
• Execute arbitrary Linux/UNIX shell command lines

Data Protection Manager: Backup VMs
• Live backup of Linux VMs
• Backups with file system consistency
• Restore Linux VMs (no item level restore)

Windows Azure Pack: Tenant/User Portal
• Deploy Linux VM from template into a private cloud
• Monitor VM resource usage
• UI style and concepts match Azure public cloud portal

What about SUM*?

*Software Update Management

25% of all OpsMgr installations monitor Linux and UNIX computers

Configuration Manager Offerings
A. Automatically download patches and patch meta-data from a repository on the web – Microsoft Update in the case of Windows
B. Deploy patches to managed Windows computers, within maintenance windows, reporting success/failure
C. Report all-up patch compliance for managed Windows computers

Native ConfigMgr does only (B) for Linux/UNIX computers, using Software Distribution

Linux/UNIX Patching Characteristics
• Enterprise distributions
• Pay for software maintenance
• Many dependencies between software packages

Native SUM with System Center 2012 R2

Scenario #1
You are the IT admin of Contoso, responsible for the security on 100 SUSE Linux Enterprise Servers

There is a security update for SSL available and you want to deploy this individual patch to a specific set of computers

Native install of an individual patch
Thorsten Henking
Microsoft

Scenario #1 Solution Overview

| Characteristic | Scenario #1 – Single Patch Install |
|---|---|
| Content distribution | Uses ConfigMgr content distribution infrastructure (i.e., DPs) |
| Servers require access only to local content repositories – no Internet access needed | |
| Obeys ConfigMgr maintenance windows | |
| Comprehensive compliance reporting | |
| Automatically resolves patch dependencies | |
| Uses inventory data to target deployments | |

Scenario #2
You are the IT admin of Contoso, responsible for the security on 100 SUSE Linux Enterprise Servers

All servers should install all updates that are recommended by SUSE's security advisory team

Keep your servers secure
Thorsten Henking
Microsoft

Scenario #2 Solution Overview

| Characteristic | Scenario #2 – Native Updates Install |
|---|---|
| Content distribution | Configurable to use Internet repository or a separately maintained local replica |
| Servers require access only to local content repositories – no Internet access needed | Depends on repository configuration |
| Obeys ConfigMgr maintenance windows | |
| Comprehensive compliance reporting | |
| Automatically resolves patch dependencies | |
| Uses inventory data to target deployments | |

Scenario #3
You are the IT admin of Contoso, responsible for the security on 100 SUSE Linux Enterprise Servers

All servers should install all updates that are recommended by SUSE's security advisory team and you want a report which updates are installed or not installed

Keep your servers secure and know what was installed.
Aka “The fun stuff”
Thorsten Henking
Microsoft

Scenario #3 Solution Overview

| Characteristic | Scenario #3 – Native Install + Reporting |
|---|---|
| Content distribution | Configurable to use Internet repository or a separately maintained local replica |
| Servers require access only to local content repositories – no Internet access needed | Depends on repository configuration |
| Obeys ConfigMgr maintenance windows | |
| Comprehensive compliance reporting | with custom solution |
| Automatically resolves patch dependencies | |
| Uses inventory data to target deployments | |

Extended functionality with Partner solutions

Lumension Patch Manager DataCenter
• Integrated extension for Microsoft System Center: Provides Linux and UNIX server patching, remediation, centralized visibility, control and reporting from a single management console.
• Automated Linux/UNIX patch downloads: Centralized patch content repository and vendor license management.
• Aggregated compliance reporting: Complete view of compliance and security posture for Linux and UNIX operating systems

Lumension Supported Operating Systems

Linux
• Red Hat Enterprise Linux
  • Version 4, 5, 6 (x86 and x64)
• SUSE Linux
  • Version 9 (x86)
  • Version 10 SP1 (x86 and x64)
  • Version 11 SP1 (x86 and x64)
• CentOS
  • CentOS 5 and 6 (x86/x64)
• Oracle Linux
  • Oracle Linux 5 and 6 (x86/x64)

UNIX
• Solaris
  • Version 9 (SPARC)
  • Version 10 (x86 and SPARC)
  • Version 11 (x86 and SPARC)
• IBM AIX
  • AIX 5.3, 6.1, and 7.1 (POWER)
• HP-UX
  • HP-UX 11i v2 and 11i v3 (PA-RISC & Itanium)
• Mac OS
  • Mac OS X 10.7, 10.8, and 10.9 (Intel)

Lumension Patch Content Delivery

[Diagram. Labels: IT; Single admin console; Application Server and Database (Automatic Patch Download, Centralized Repository, Credential Management); Global Subscription Server (GSS); Vendor Websites; Update Metadata; Lumension Licensing; Update Remediation Binaries; Vendor License Validation]

Patch Management Workflow
1. Discover: Deploy the Lumension Patch Manager Agent with the included System Center deployment package
2. Assess: Assess Security Risk – view vulnerabilities and security configurations on all managed assets
3. Prioritize: Prioritize threats and mitigation actions to increase the organization’s security posture
4. Remediate: Remediate vulnerabilities for Datacenter Platforms; Mitigate risk with custom remediations
5. Report: Comprehensive Reporting across entire enterprise network from a single console

Lumension Patch Manager DataCenter
Russ B. Ernst
Lumension

Lumension Patch Manager DataCenter

System requirements
• Requires dedicated server for patch content mirroring
• Requires agent on managed server for patch detection and deployment
• Separate RBAC and collection (group) model

Future outlook
• Synchronize System Center collections into Lumension groups
• Respect System Center maintenance windows

Additional resources
• www.lumension.com/system-center

Lumension Solution Overview

| Characteristic | Lumension |
|---|---|
| Content distribution | Lumension Server |
| Servers require access only to local content repositories – no Internet access needed | |
| Obeys ConfigMgr maintenance windows | Planned for future version |
| Comprehensive compliance reporting | |
| Automatically resolves patch dependencies | |
| Uses inventory data to target deployments | Separate inventory/group mechanism |

Do you remember…

25% of all OpsMgr installations monitor Linux and UNIX computers

SUSE Manager Integration with OpsMgr
• View a list of all Linux servers entitled to a selected list of critical and optional updates and patches
• Get alerts for all outdated or critical updates available for Linux servers (health threshold state)
• Schedule maintenance tasks to run updates on a specific Linux server or group of Linux servers

Scenario
You are the IT admin of Contoso and the main OpsMgr administrator for Windows

Linux team has a separate management solution

Due to cost savings and compliance requirements your management wants you to patch and be responsible for these Linux computers

But you have no expertise in Linux…

SUSE Manager Integration with OpsMgr
Thorsten Henking
Microsoft

SUSE Manager Solution Overview

| Characteristic | SUSE Manager |
|---|---|
| Content distribution | Local repository on SUSE Manager server |
| Servers require access only to local content repositories – no Internet access needed | |
| Obeys ConfigMgr maintenance windows | No (OpsMgr-based solution) |
| Comprehensive compliance reporting | via SUSE Manager |
| Automatically resolves patch dependencies | |
| Uses inventory data to target deployments | Separate inventory thru SUSE Manager |

Solution Comparison

| Characteristic | Scenario #1 – Single Patch Install | Scenario #2 – Native Updates Install | Scenario #3 – Native Install + Reporting | Lumension | SUSE Manager |
|---|---|---|---|---|---|
| Content distribution | ConfigMgr content distribution infrastructure (i.e., DPs) | Configurable to use Internet repository or a separately maintained local replica | Configurable to use Internet repository or a separately maintained local replica | Lumension Server | Local repository on SUSE Manager server |
| Servers require access only to local content repositories – no Internet access needed | | Depends on repository configuration | Depends on repository configuration | | |
| Obeys ConfigMgr maintenance windows | | | | Planned for future version | No (OpsMgr-based solution) |
| Comprehensive compliance reporting | | | (with custom solution) | | (via SUSE Manager) |
| Automatically resolves patch dependencies | | | | | |
| Uses inventory data to target deployments | | | | Separate inventory/group mechanism | Separate inventory thru SUSE Manager |

Key Learnings: Best of Both Worlds
• Reduce cost: Leverage your investment in existing infrastructure including software, hardware and expertise.
• Save time: Windows and Linux patch management can be done from the same console rather than splitting time between silos
• Minimize risk: Improved efficiency in the patching and updating process translates into lower risk of failure via a missed or incorrectly applied patch. Prevents Patch Management “blind spots”

Related content
• DCIM-B217 How Windows Admins Manage Linux with Windows Server 2012 R2 Hyper-V and Microsoft System Center 2012 R2
• DCIM-H326 Managing Linux Servers with Microsoft System Center 2012 R2
• PCIT-B336 Managing Mac OS X Clients and Linux Servers Using Microsoft System Center Configuration Manager
• PCIT-H311 Implementing Linux Clients in Microsoft System Center 2012 R2 Configuration Manager


For More Information
• Windows Server 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205286
• Microsoft Azure: http://azure.microsoft.com/en-us/
• System Center 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205295
• Azure Pack: http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack


© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.