Question:
This might be a “noob” question, apologies in advance:
I’m looking for advice on how to manage Zero-Day vulnerability strategies with Katello.
Situation: Our environment patches development every month and production with last month’s development packages (so that Production always gets the set of packages that was tested for a month in dev). Katello makes this easy by creating a “dev” and “prod” stream on top of Library.
For normal patch promotion this works; however, for a zero-day vulnerability we need to patch, this becomes problematic: a single patch in a single product in a single content view forces promotion of everything else in that content view (and thus that composite view) up the chain (as far as I understand it, which could be completely wrong).
Simplistic “problem” example: Pretend that since our last patching cycle (last month), OpenSSH has been upgraded to a new version. “Library” would contain versions “Latest”, “Latest - 1” and “Latest - 2” in it. “Latest” would only exist in Library until our next promotion; OpenSSH in the “Develop” Lifecycle Environment would be on Latest - 1 (waiting for the next patch cycle to go to Latest) and in Prod would be on Latest - 2 (waiting on the next patch cycle to go to Latest - 1).
Let’s assume, however, that OpenJDK comes up with a zero day vulnerability that must be patched in our environment immediately and that OpenJDK’s packages are in the same content view as OpenSSH.
What we’re struggling with is that right now, to promote the patched version of OpenJDK to a place where both Dev and Prod have access to it, we are promoting the content view that also includes OpenSSH. But since OpenSSH has been updated since the last dev patching cycle, we are now pushing an untested version of OpenSSH into production: both dev and prod get OpenSSH Latest instead of Latest - 1 or Latest - 2, which are the “tested” versions.
Can individual packages be promoted through environments without other packages? Does Katello have some kind of documentation around a 0-day promotion strategy, or how to set up your content views and composite views to facilitate 0-day promotions?
Any advice for us on how to structure our content/composite views to allow good zero-day promotions without forcing a bunch of servers to update to a bunch of untested packages? Anyone have a success story they want to share?
Foreman and Proxy versions:
Foreman 3.1.1
Katello 4.3.0
Foreman and Proxy plugin versions:
foreman-tasks: 5.3.0
foreman_remote_execution: 5.0.1
foreman_virt_who_configure: 0.5.8
katello: 4.3.0
Distribution and version:
RHEL8
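The mechanism a practitioner would reach for here is Katello's incremental update of a content view version: rather than publishing and promoting a whole new version (which carries every package that has landed in Library since the last publish, the untested OpenSSH build included), an incremental update creates a minor version derived from the version that is already in an environment, adds only the named errata or packages (plus their dependencies), and places that minor version into the chosen lifecycle environments. The script below is an added example, not part of the original post or of Katello's documentation, and it is written against the `hammer` CLI. It assumes the option names shown (`--content-view-version-id`, `--errata-ids`, `--lifecycle-environments`, `--resolve-dependencies`, `--propagate-all-composites`) match the installed hammer version; confirm them with `hammer content-view version incremental-update --help` before running. Organization, content view and environment names are placeholders, and the `DRY_RUN` mode only prints the commands so the procedure can be reviewed without touching a server.

```bash
#!/usr/bin/env bash
# Zero-day hotfix via Katello incremental update (added example, assumes hammer CLI).
# Each lifecycle environment keeps its own tested content view version; the fix is
# layered onto that version instead of re-publishing everything from Library.
set -euo pipefail

ORG="${ORG:-Default Organization}"      # placeholder organization name
CV="${CV:-base-rhel8}"                  # placeholder content view containing OpenJDK
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands only, 0 = execute them

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Build (not execute) the incremental-update command for one environment.
# $1 = id of the content view version currently in that environment
# $2 = comma-separated errata ids for the zero-day advisory
# $3 = lifecycle environment name that should receive the minor version
incremental_update_cmd() {
  local version_id="$1" errata="$2" env="$3"
  printf 'hammer content-view version incremental-update --content-view-version-id %s --errata-ids %s --lifecycle-environments %s --resolve-dependencies true --propagate-all-composites true' \
    "$version_id" "$errata" "$env"
}

# Look up which version of $CV is currently in a given environment.
# Assumes the CSV columns of `hammer content-view version list` start with the id.
current_version_id() {
  local env="$1"
  hammer --csv content-view version list \
    --organization "$ORG" --content-view "$CV" --environment "$env" \
    | tail -n +2 | head -n 1 | cut -d, -f1
}

# Apply the hotfix to every environment listed, each on its own tested base version.
# Usage: hotfix_envs "RHSA-XXXX:YYYY" Develop Production
hotfix_envs() {
  local errata="$1"; shift
  local env version_id
  for env in "$@"; do
    if [ "$DRY_RUN" = 1 ]; then
      version_id="<id of $CV version in $env>"   # avoid calling hammer in dry-run
    else
      version_id="$(current_version_id "$env")"
    fi
    # shellcheck disable=SC2046  # intentional word splitting of the built command
    run $(incremental_update_cmd "$version_id" "$errata" "$env")
  done
}

# With --propagate-all-composites, composite views that include $CV get their own
# incremental minor version in the same environments, so hosts registered to a
# composite also pick up the fix without a full composite republish.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  hotfix_envs "${ERRATA_IDS:-RHSA-XXXX:YYYY}" Develop Production
fi
```

Running with `DRY_RUN=1` prints one `incremental-update` line per environment, each anchored to that environment's existing version, which is the property the question is after: Production stays on its tested OpenSSH build and receives only the advisory's packages. The `RHSA-XXXX:YYYY` value is a placeholder for the real advisory id; for content that has no erratum, `--packages` can be used in place of `--errata-ids` (check `--help` for the exact form on the installed version). After the update, hosts still need to apply the packages, for example through a remote execution job, since promotion only changes what the repositories offer.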