Patching Server not connected to the Internet

Hello Gurus,

I have two SUSE servers that cannot be connected to the internet due to security restrictions.

There is a requirement to regularly patch servers with at the very least security patches and updates. Currently, both servers have not been updated since install. I would like to know what my options are to ensure that non internet connected servers are kept up to date with current updates and security fixes.

much appreciated

[QUOTE=dlicheri;55837]Hello Gurus,

I have two SUSE servers that cannot be connected to the internet due to security restrictions.

There is a requirement to regularly patch servers with at the very least security patches and updates. Currently, both servers have not been updated since install. I would like to know what my options are to ensure that non internet connected servers are kept up to date with current updates and security fixes.

much appreciated[/QUOTE]
Hi and welcome to the Forum :)
You could look at SMT; it does mean two servers though, one internal and one external:
https://www.suse.com/documentation/sles-12/book_smt/data/smt_disconnected.html

Else the other option is creating a patch cd/dvd and adding this to each system (old but still relevant AFAIK)?
https://www.suse.com/c/creating-add-products-yast/

Or download all the patches and create a custom repository; while this link is CVE specific it’s still the same for any rpms:
https://www.suse.com/support/kb/doc/?id=7015731

Hi,

in addition to Malcolm’s reference to SMT, you may also want to look into using SUSE Manager (which is a paid-for product you’d need to license, unlike SMT) if you’re running an overall larger number of servers and/or need more support for release life-cycle control.

There are different levels of “not connected to the Internet”. I.e. if you just have these servers behind a cascading firewall and limiting their connections to “internal” systems (but permanently available), then a single SUSE Manager server should be fulfilling your requirements. (Your servers all go to SUSE Manager and SUSE Manager serves what it pulled from SUSE servers, aka “upstream”.)

If you have a stricter policy, barring your restricted servers from network access most of the time, you could set up a so-called “ISS” server (a SUSE Manager with according configuration), which needs to be triggered to pull its patches from an upstream SUSE Manager server. You’d place the ISS server alongside your restricted servers; these will fetch their updates from that ISS server. On occasion, you’d open up the link so that the ISS server can pull updates from the upstream SUSE Manager, then close the link again. No automatic pulling in of things, but full control. And you’re still able to maintain all basic functions (like providing your channels of tested versions, organizational configuration and so on) via the master SUSE Manager (and have those pulled by the ISS server as well).

Regards,
J

Many thanks to you both for your advice and contribution so far …

Malcolm’s proposal is the only one that looks to address the patching issue as servers have no connectivity at all (no internet access and internal network is limited to secure devices only). Additionally, disk media will have to be checked and validated before it is introduced and applied to the production environment.

The only problem I can see with implementing SMT servers is that SMT requires SUSE 12.4 (https://www.suse.com/documentation/sles-12/book_smt/data/smt_disconnected.html) and servers in internal network are running SUSE 11.4. Is there a version of SMT that will work with SUSE 11.4?

thx in advance …
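
As an added example (not code from this thread or from any SUSE tool), here is one way to carry out the “download the patches and create a custom repository” route from Malcolm’s reply together with the media validation dlicheri asks for, as a POSIX shell script. Assumed: the directory and repository alias names, that the SUSE package-signing key is already imported into the rpm database on the offline host, and that RPM file names contain no whitespace.

```shell
#!/bin/sh
# Added example, not from the thread: build an integrity manifest for patch
# media on the connected host, verify it on the disconnected SLES host, then
# register the verified directory as a local zypper repository.
# Assumptions: directory/alias names, vendor key already imported (rpm --import),
# RPM file names without whitespace.
set -eu

# make_manifest DIR OUT: on the connected host, record the SHA-256 of every
# RPM under DIR (paths relative to DIR) into OUT; OUT travels with the media
# (ideally over a separate channel, so a swapped disk cannot carry its own sums).
make_manifest() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -name '*.rpm' -exec sha256sum {} + ) \
        | LC_ALL=C sort -k2 > "$out"
}

# verify_manifest DIR MANIFEST: on the disconnected host, succeed only if every
# listed RPM is present with a matching hash AND DIR holds no RPM that is absent
# from the manifest (an unlisted file is as suspect as a modified one).
verify_manifest() {
    dir=$1; manifest=$2
    ( cd "$dir" && sha256sum -c "$manifest" >/dev/null ) || return 1
    listed=$(awk '{ print $2 }' "$manifest" | LC_ALL=C sort)
    present=$(cd "$dir" && find . -type f -name '*.rpm' | LC_ALL=C sort)
    [ "$listed" = "$present" ]
}

# register_repo DIR NAME: after verification, check each package's signature
# against the imported vendor key (rpm exits non-zero on any failure, which
# aborts the script under set -e), register DIR as a plain-directory repository
# and pull updates from that repository only.
register_repo() {
    dir=$1; name=$2
    rpm --checksig "$dir"/*.rpm            # every line must end in "OK"
    zypper addrepo --type plaindir "$dir" "$name"
    zypper --non-interactive refresh "$name"
    zypper --non-interactive update --repo "$name"
}
```

A plain-directory repository carries no patch metadata, so updates are applied with `update` rather than `patch`; the KB article linked above covers building a repository with full metadata instead.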

[QUOTE=dlicheri;55898]Many thanks to you both for your advice and contribution so far …

Malcolm’s proposal is the only one that looks to address the patching issue as servers have no connectivity at all (no internet access and internal network is limited to secure devices only). Additionally, disk media will have to be checked and validated before it is introduced and applied to the production environment.

The only problem I can see with implementing SMT servers is that SMT requires SUSE 12.4 (https://www.suse.com/documentation/sles-12/book_smt/data/smt_disconnected.html) and servers in internal network are running SUSE 11.4. Is there a version of SMT that will work with SUSE 11.4?

thx in advance …[/QUOTE]
Hi
Yes, the one for SLE 11 SP3; see this document, which also has a download link:
https://www.suse.com/support/kb/doc/?id=7016802

SMT Manual: https://www.suse.com/documentation/smt11/