Red Hat Enterprise Linux (RHEL) Security Patching for IBM PureData System for Analytics appliances

IBM delivers patches (including security fixes) for Red Hat Enterprise Linux (RHEL) based on the Red Hat Enterprise Linux Life Cycle policy. As stated in the Red Hat policy, fixes are not provided for all vulnerabilities on all RHEL versions, which means that IBM cannot deliver security fixes for some RHEL issues.

When security and other related updates are available from Red Hat, IBM delivers those updates in software packages that can be downloaded and applied to the appliances. IBM also publishes Security Bulletins with additional information for security related updates.  Customers should subscribe to My Notifications to be notified of important IBM PureData System for Analytics support alerts.  

An overview of the RHEL process on PureData System for Analytics appliances:

Each appliance is manufactured with a default version of RHEL, referred to as a factory RHEL release. IBM periodically provides incremental upgrades to the next RHEL point release level. Existing appliances can be upgraded to the new point release using upgrade kits available in the IBM Netezza Host Management software package. Manufacturing deploys new point releases as their factory release.

Before April 2016, when security and other software fixes were provided by Red Hat, IBM verified and delivered those updates using two options: as monthly patch update kits in the IBM Host Management software packages, and for certain models of appliances, as part of an optional weekly IBM yum server subscription service. These options are changing to new processes that support all appliances.

Starting in April 2016, when security and other fixes are provided by Red Hat, IBM will verify and deliver those updates using the following two methods:

• Option 1: For all appliances that meet the required software release levels, appliances can enter into in the RHEL security patch program. On a monthly basis, IBM will deliver a cumulative RHEL update with all IBM validated Red Hat fixes and security updates. These updates will be delivered in the IBM PureData System for Analytics (PDA) OS Security release available on IBM Fix Central. This delivery method is suitable for sites where remote connectivity is allowed or sites where the appliance is updated with physical media installed directly through local terminal access.

• Option 2: For appliances that are not yet able to meet the required RHEL security patch program levels, the IBM Host Management Release software can be used to install critical RHEL updates as determined by IBM's Product Security and Incident Reporting Team (PSIRT). IBM Host Management release disk 4 (RHEL 5 security vulnerabilities) and disk 5 (RHEL 6 security vulnerabilities) contain only critical security fixes. Both are available on Fix Central, and can be applied to any factory RHEL level. Security fix availability is communicated to IBM customers through Security Bulletins posted on IBM’s website and through the My Notifications alerts.

With the new options, please note the following changes:

• In the prior process, the monthly RHEL patches were delivered as part of the IBM Netezza Host Management monthly updates on disk 6 (RHEL 5) and disk 7 (RHEL 6). The Host Management software no longer contains those monthly patch updates. They are now part of the IBM PDA OS Security release.
• The previous weekly subscription service is deprecated. Use the new options for IBM Host Management updates or the IBM PDA OS Security release going forward. Both of these options support all appliance models.

Best Practices regarding the Linux OS upgrade program:
The IBM Host Management and IBM PDA OS Security releases are posted to Fix Central for customers to download as needed. It is good practice to download the bundle before the scheduled upgrade time of service to allow for prompt start times.

Regardless of the option selected, customers should:

• Contact IBM PureData Support to upgrade Linux on their appliance to the latest version recommended by IBM PureData Support prior to requesting any Linux security patches.
• Not install any additional RPMs on an IBM PureData System for Analytics appliance. Only RPMs made available by IBM should be installed. If additional software or drivers have been installed, it is recommended that the customer notify IBM PureData Support ahead of time as the software could be affected by the Linux patching process.
• Understand that if there are issues after applying Linux updates it may be necessary to downgrade any and all Linux patches applied to regain a stable Linux environment.
• Not install the Netezza Performance Portal or Web Admin applications on the appliance because the yum service interferes with these applications.

 

Related Topics:

Red Hat Enterprise Linux (RHEL) Security Program Requirements for IBM PureData System for Analytics appliances (April 2016 and later)

Frequently asked questions about IBM PureData System for Analytics Red Hat security patches and upgrade prerequisites

IBM PureData System for Analytics Host Platform (HPF) upgrade of DRBD from version HPF 5.5

Red Hat operating system requirements for IBM PureData System for Analytics enhanced cryptography enablement