Patch Management

By: Richard Glaser - Revised: 2006-07-18 devin

Introduction

A brief (and unfinished) overview of patch management and its features.


What Is Patch Management?

If you haven't worked with Windows, you probably haven't heard the term "patch management", or might not understand it. Patch management is the process and tooling that accurately identifies which patches are missing on each system, provides an easy means to deploy those patches, and produces administrative reports tracking patch status across many machines.

In Mac OS X, the term "patch management" corresponds to managing and distributing software updates. Usually this is done with Apple's Software Update, but that mechanism is limited and not very robust or flexible, so a number of other tools have appeared that each solve some pieces of the puzzle.

Ideally, Apple would offer a full-featured patch management system that covers Apple's own OS and software, third-party software, and the Unix software managed with tools like Fink and DarwinPorts. Apple would also need a mechanism for recording modifications to the operating system: the installation of an update or of new software, its initial setup, and the changes made when the software is first run.

This could be accomplished if the OS had built-in support for a tool like Tripwire. Tripwire establishes a baseline "snapshot" of the file system, recording properties such as owner, permissions, modification time and content hashes, and stores them in a protected database. When an integrity check is run, it gathers the same information from the monitored file system and looks for differences; any deviations are written to a report and evaluated against a policy. Applied to patch management, the detected differences would be the installation of updates, new software, and so on. The one caveat is that the baseline is only as trustworthy as its storage: if whoever can modify the monitored files can also rewrite the database, the check detects nothing, so the baseline belongs on read-only media or another host.

Patch Management usually supports the following features:

Software Audit
The process of inventorying and reporting software & versions installed on clients.

Monitoring & Assessing
Gathering information about available updates and researching if they are critical enough to deploy based on bug and/or security fixes.

Tracking & Initial Setup
The process of reviewing updates, tracking their installation, and performing any initial setup the update requires.

Software Audit

Currently in Mac OS X there are several options for gathering an inventory of the software installed on clients, either locally or remotely. First, there is Apple's Software Update preference pane, which works only locally and covers only Apple's own OS and software updates. Second, there is Apple's System Profiler, which again works only locally but can audit both Apple and third-party software. For remote auditing there are options like Apple Remote Access, which currently does support software reports; the same result can also be obtained by other means, such as a search client. Those using KeyServer for license management and metering have KeyAuditor, which creates client software reports. Lastly, there is a Cocoa application that ties into the popular www.versiontracker.com web site and supports a local audit of Apple and third-party software, for both Mac OS X and Mac OS 9.

Software Update
Software Update is Apple's built-in mechanism for auditing Apple software on the local client. It depends on the receipts stored in /Library/Receipts, so it can misbehave or offer the wrong updates if those receipts are removed, moved or corrupted.


In addition to the GUI, there is a command-line version called "softwareupdate" that offers most of the functionality of the preference pane: softwareupdate -l lists the updates available for the machine, and softwareupdate -i installs the updates named on its command line.
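As an added example (not from the original page or from Apple), the following Python parses the text that softwareupdate -l prints and applies a simple deployment policy to it. The sample output is constructed to match the shape of the 10.4-era listing (an identifier line beginning with "*", then an indented detail line with version, size and [recommended]/[restart] tags); the update names and sizes in it are made up.

```python
import re

# Constructed sample in the shape `softwareupdate -l` printed on Mac OS X 10.4.
# The product identifiers, versions and sizes are made up for illustration.
SAMPLE_OUTPUT = """\
Software Update Tool
Copyright 2002-2005 Apple

Software Update found the following new or updated software:
   * iTunesX-7.0
\tiTunes (7.0), 28620K [recommended]
   * SecUpd2006-004Univ-1.0
\tSecurity Update 2006-004 (1.0), 1640K [recommended] [restart]
   * ExampleTool-2.1
\tExample Tool (2.1), 320K
"""

# "   * <identifier>"
_ID_LINE = re.compile(r"^\s*\*\s+(\S+)\s*$")
# "<title> (<version>), <size>K [flag] [flag]..."
_DETAIL_LINE = re.compile(r"^\s*(.+?)\s+\((.+?)\),\s+(\d+)K((?:\s+\[\w+\])*)\s*$")


def parse_update_list(text):
    """Turn `softwareupdate -l` output into a list of dicts carrying the
    update's identifier, title, version, size in KiB and its flag set."""
    updates = []
    current = None
    for line in text.splitlines():
        m = _ID_LINE.match(line)
        if m:
            current = {"id": m.group(1), "flags": set()}
            updates.append(current)
            continue
        m = _DETAIL_LINE.match(line)
        if m and current is not None:
            current.update({
                "title": m.group(1),
                "version": m.group(2),
                "size_kb": int(m.group(3)),
                "flags": set(re.findall(r"\[(\w+)\]", m.group(4))),
            })
            current = None  # the detail line closes this entry
    return updates


def select_for_deployment(updates, allow_restart=False):
    """Policy step: take recommended updates only, and hold back the ones
    that force a restart unless the caller has a maintenance window."""
    chosen = []
    for update in updates:
        if "recommended" not in update["flags"]:
            continue
        if "restart" in update["flags"] and not allow_restart:
            continue
        chosen.append(update["id"])
    return chosen


if __name__ == "__main__":
    found = parse_update_list(SAMPLE_OUTPUT)
    for update in found:
        print(update["id"], update.get("version"), sorted(update["flags"]))
    print("deploy now:", select_for_deployment(found))
    print("deploy in window:", select_for_deployment(found, allow_restart=True))
```

The identifiers the parser returns are the names softwareupdate -i expects, so the selected list can be handed straight to it. Holding back restart-requiring updates until a maintenance window is exactly the kind of decision the Monitoring & Assessing step above has to make; an update that is recommended but not flagged [restart] can usually be pushed immediately.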

System Profiler
System Profiler is Apple's built-in hardware and software inventory tool. Its Applications report lists the applications found on the local machine, including third-party software, with their versions and paths, which makes it a more complete local audit than Software Update; it still cannot query remote clients. A command-line version, system_profiler, produces the same reports: system_profiler SPApplicationsDataType prints the applications report as text, and adding -xml emits it as a property list that scripts can parse.
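To show how system_profiler's XML output can feed an audit, here is an added Python example (not Apple's code and not from the original page). It parses a constructed property list in the shape that system_profiler -xml SPApplicationsDataType produces (the _dataType, _items, _name, version and path keys are assumed from that output; the applications, versions and paths are made up) and flags installs that are below a required version. The sample deliberately contains the same application installed in two places, because a copy in a user's ~/Applications is easy to miss in an audit.

```python
import plistlib

# Constructed plist in the shape of `system_profiler -xml SPApplicationsDataType`.
# Key names are assumed from that output; the applications are made up.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>_dataType</key><string>SPApplicationsDataType</string>
    <key>_items</key>
    <array>
      <dict>
        <key>_name</key><string>Safari</string>
        <key>version</key><string>2.0.4</string>
        <key>path</key><string>/Applications/Safari.app</string>
      </dict>
      <dict>
        <key>_name</key><string>Firefox</string>
        <key>version</key><string>1.5.0.4</string>
        <key>path</key><string>/Applications/Firefox.app</string>
      </dict>
      <dict>
        <key>_name</key><string>Firefox</string>
        <key>version</key><string>1.5.0.6</string>
        <key>path</key><string>/Users/alice/Applications/Firefox.app</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
"""


def applications_from_profiler_xml(data):
    """Extract (name, version, path) tuples from the applications section of
    a system_profiler -xml report; other data types in the report are skipped."""
    apps = []
    for section in plistlib.loads(data):
        if section.get("_dataType") != "SPApplicationsDataType":
            continue
        for item in section.get("_items", []):
            apps.append((item.get("_name", ""), item.get("version", ""), item.get("path", "")))
    return apps


def version_key(version):
    """Split a dotted version into comparable pieces so that 1.5.0.10 sorts
    after 1.5.0.9 (a plain string compare would get that wrong); pieces that
    are not numbers sort below numbers."""
    parts = []
    for piece in version.split("."):
        parts.append((1, int(piece)) if piece.isdigit() else (0, piece))
    return tuple(parts)


def find_outdated(apps, minimum_versions):
    """Return every install, at any path, whose version is below the minimum
    given for that application name."""
    return [
        app for app in apps
        if app[0] in minimum_versions
        and version_key(app[1]) < version_key(minimum_versions[app[0]])
    ]


if __name__ == "__main__":
    inventory = applications_from_profiler_xml(SAMPLE_PLIST)
    for name, version, path in find_outdated(inventory, {"Firefox": "1.5.0.6", "Safari": "2.0.4"}):
        print("outdated:", name, version, path)
```

On a real machine the bytes come from running system_profiler -xml SPApplicationsDataType and capturing its standard output; the rest of the code is unchanged. Reporting the path alongside the version is what turns this from a "Firefox is current" answer into "the copy in /Applications is current, the copy under the user's home directory is not", which is the distinction a patch audit needs.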