Determining Patches Needed without an Internet Connection



I just installed a 6.1 system and was looking for guidance on determining what patches it might need. The only caveat is that the system is not and will not ever be connected to the Internet.


I am guessing I would do a rpm -qa to gather up all installed packages but where can I go to check and see if there are updates needed for any of these packages?


Thanks in advance for your help.


Depending on the size of your RedHat deployment (i.e., number of hosts), this would be a typical use-case for deploying Satellite servers.

My apologies for not fully describing the environment before.


This is one standalone RH server on a network with one Windows machine. This setup is running the video surveillance cameras at a car wash. As things work right now the Windows system has proprietary software for the cameras that captures the images and videos. The RH system was added on so the video and images can be stored and reviewed on the RH system.


As of right now this network is air gapped from another network that has Internet access. Though it would take a significant amount of effort from a cabling standpoint to get these networks connected. The fear of the owner is that an employee will run a long network cable when he is not around and connect these two networks. I have been tasked with finding the solution to protect this server and the Windows server (as much as possible) in case this does happen. The solution that I have to come up with cannot connect the networks together.


Thanks for your input!

On one of the Internet-connected systems, install a host-based virtualization solution (VMware Workstation, VirtualBox, etc.). Provision a small VM that has the same RPM loadout as your private-net's RedHat host. Then use that VM to download updated RPMs and stage to sneakernet-able media. Transport that media to your private-net's RedHat host and update it (making sure you've also applied the same RPMs to your download box - gotta keep them in sync).


Given your security concerns, I trust that you've secured the RedHat host from physical access? Bridging that "air gap" is one of the least of your worries if you've failed to adequately secure the private-net's RedHat (and Windows) hosts from physical access. You'll want to make sure, at minimum, you've password-protected BIOS, your GRUB and disabled passwordless login to single user. Probably also want to disable any USB ports and the ability to boot from CDROM, as well. Simply put, short of those types of steps, if I have physical access to your box, a moderately-clueful person can own it rather quickly.

If you only have one (1) system, then RHN Satellite Server makes little sense.


What I would recommend is ...

  • Install another system on the side with Internet access
  • Register that system with RHN
  • Use the yum tools to download the RHN channel regularly
  • Use createrepo to create a YUM repo
  • Put the YUM repo to media (e.g., external HD)
  • Set up the airgap system to access that YUM repo on the media

-- Bryan


P.S.  What is the "protect the Windows system" comment?  Protect from what?  The Windows system has an Internet connection.  What is the problem with having Linux on the same network?  I'm utterly confused here.
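
The six steps in the reply above, written out as a shell script. This is an added example, not code from the thread: the channel label, mount point and repo id are assumptions, and it adds a checksum manifest so the copy on the drive can be checked after transport.

```shell
#!/bin/bash
# Added example: stage an RHN channel on a connected box, apply it on the air-gapped host.
# Assumed values (not from the thread): channel label, mount point, repo id.
CHANNEL="rhel-x86_64-server-6"   # assumed channel label on the registered staging box
MEDIA="/mnt/updates"             # assumed mount point of the external drive

# Connected staging box: mirror the channel, build yum metadata, record checksums.
stage_repo() {   # $1 = directory on the external drive
    reposync --plugins --gpgcheck --newest-only --repoid="$CHANNEL" --download_path="$1" &&
    createrepo "$1/$CHANNEL" &&
    make_manifest "$1/$CHANNEL"
}

# Record a SHA-256 for every RPM; an empty repo yields a manifest that fails to verify.
make_manifest() {   # $1 = repo directory
    ( cd "$1" && find . -name '*.rpm' -type f -print0 | sort -z |
        xargs -0 -r sha256sum > SHA256SUMS )
}

# Air-gapped host: non-zero exit if any RPM is missing or differs from the manifest.
# This catches a bad copy; package authenticity still comes from gpgcheck=1 below.
verify_media() {   # $1 = repo directory
    ( cd "$1" && sha256sum --status -c SHA256SUMS )
}

# Air-gapped host: write a repo stanza for the media with signature checks enforced.
write_repo_file() {   # $1 = repo directory, $2 = output .repo path
    cat > "$2" <<EOF
[offline-updates]
name=Offline updates from removable media
baseurl=file://$1
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EOF
}

# Usage: "script stage /path/on/drive" on the connected box, "script apply" on the host.
case "${1:-}" in
    stage) stage_repo "$2" ;;
    apply) verify_media "$MEDIA/$CHANNEL" &&
           write_repo_file "$MEDIA/$CHANNEL" /etc/yum.repos.d/offline-updates.repo &&
           yum --disablerepo='*' --enablerepo=offline-updates check-update ;;  # exit 100 = updates pending
esac
```

`apply` only lists pending updates, which answers the original question; follow it with `yum --disablerepo='*' --enablerepo=offline-updates update` to install them.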