I worked with RHEL5 for the past year or so using RHN (which isn't the greatest in my opinion), and a yum repo sounds like the best solution. I don't know what you're managing all your clients with (if anything) but I'd look into puppet/CFEngine before RHN/RHN Satellite. They're both grossly expensive, and if you can get away with puppet/CFEngine everything is under your control for free. It's a bit harder to set up/manage, but in the end I think you'll be happier.
Keep in mind though that (according to my boss at least) RHEL backports all its security fixes to previous versions, then doesn't update the version banners. This is *quite* frustrating when trying to figure out what's patched and what's not, and figuring out your attack surface area. My suggestion to you is to get a PoC for at least one of the issues then see if it's still affected. Do it with a few, and you can tell pretty clearly if this is indeed what's going on. I'm not sure WHY Red Hat does this, but we've gone through the exact same ordeal with RHEL/Nessus :(. I BELIEVE that's what's going on. I could be wrong though, so it's always best to test this kind of stuff out. If you have any other questions, feel free to ask!

Ryan Sears

----- Original Message -----
From: "Michael Miller" <[email protected]>
To: "PaulDotCom Security Weekly Mailing List" <[email protected]>
Sent: Tuesday, November 23, 2010 1:19:44 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Pauldotcom] Linux offline patching

If you had a host that could be used as a yum depot I would copy the patches to that host and create a local_mirror.repo file in /etc/yum.repos.d. The other option besides reading a CD/DVD is to create the repo on a portable drive. The following link gives an overview on how to create a yum repo.

http://linuxtechsupport.blogspot.com/2008/06/configuring-yum-in-rhel5.html

My preferred way is via the network or portable hard drive. It's a lot faster than waiting for that CD/DVD drive to spin up and read.

--mmiller

On Tue, Nov 23, 2010 at 2:45 AM, k41zen Me <[email protected]> wrote:
> I've run a Nessus patch audit on a Red Hat Enterprise 5.2 server and it tells
> me there are 161 missing patches. This server does not have internet connectivity.
>
> My question is how do I apply all of these patches offline?
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
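A local-mirror setup along the lines Michael describes, as an added example that is not from any poster in the thread: it stages RPMs copied to a portable drive, builds the repodata with createrepo, writes /etc/yum.repos.d/local_mirror.repo, and adds a package-changelog check for the backport situation Ryan describes. The drive path, repo name, GPG key path and function names are assumptions.

```shell
#!/bin/sh
# Added example: build a local yum repo from RPMs copied to a portable
# drive, then point the offline RHEL 5 host at it. Paths are assumptions.
set -eu

# Count RPMs staged in the directory so an empty drive is caught early.
count_rpms() {
    find "$1" -maxdepth 1 -name '*.rpm' | wc -l | tr -d ' '
}

# Generate repodata/ for the RPM directory (needs the createrepo package).
build_repodata() {
    command -v createrepo >/dev/null 2>&1 || { echo "createrepo not installed" >&2; return 1; }
    createrepo "$1"
}

# Write local_mirror.repo pointing yum at the directory via a file:// URL.
# $1 = RPM directory, $2 = where the .repo file goes (default /etc/yum.repos.d).
# gpgcheck stays on so only vendor-signed packages from the copied set install;
# the key path is the usual RHEL 5 location (assumption).
write_repo_file() {
    rpm_dir="$1"
    repo_d="${2:-/etc/yum.repos.d}"
    cat > "$repo_d/local_mirror.repo" <<EOF
[local_mirror]
name=Local RHEL 5 patch mirror (offline)
baseurl=file://$rpm_dir
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EOF
    echo "$repo_d/local_mirror.repo"
}

# Backport check: RHEL keeps the upstream version banner but records the
# advisory or CVE id in the package changelog, so grep there instead of
# trusting the version string. Usage: if fix_backported openssl CVE-<id>; then ...
fix_backported() {
    rpm -q --changelog "$1" | grep -qi -- "$2"
}

# Usage on the offline host: sh make_local_repo.sh /media/usb/rpms
if [ $# -ge 1 ]; then
    [ "$(count_rpms "$1")" -gt 0 ] || { echo "no RPMs in $1" >&2; exit 1; }
    build_repodata "$1"
    write_repo_file "$1"
    yum clean all
    yum --disablerepo='*' --enablerepo=local_mirror update
fi
```

Once `yum update` has run from the local mirror, re-run the Nessus audit and compare the remaining findings against `fix_backported` output before treating them as real gaps.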
