QualvoSec is a robust open-source (based on GPLv3) security patch management tool designed for unattended upgrades on a variety of systems, encompassing mainstream Linux distributions (like Debian, Ubuntu, Garden Linux, RedHat, CentOS, RockyLinux etc.) and BSD-based systems like FreeBSD. This tool empowers operators to exercise control over client systems' patch integration, offering flexibility in managing updates, particularly for crucial components like kernels or glibc.
They key features of QualvoSec consists of:
* Not running as root
* Only specific commands allowed by sudo
* Clients pulling information from server
* Server provides only a static manifest
* Holding the patch windows of clients
* No remote code executions
* A potential compromised server could not be able to execute code on clients
* Health monitoring endpoint on clients
* Minimalistic design
* Admin tool for creating, deleting and looking up of client patch windows
* Fully written in Python3
* Integrated packaging support by CMake
* CMake/CPack created .deb and .rpm files
* Support for Linux, BSD
* Support for AMD64, ARM64 and RISC-V hardware architecture
Unlike bloated solutions like Spacewalk or Landscape, this framework of QualvoSec is characterized by its minimalistic design, ensuring simplicity and ease of use. It operates entirely in Python, utilizing only a handful of imports to streamline the user experience. This simplicity makes QualvoSec accessible even to users with limited programming knowledge.
To ensure secure communication, QualvoSec employs a web server that establishes regular TLS connections. This encryption protocol enhances the overall security of the patch management process, safeguarding sensitive data and communication channels. With QualvoSec, users can confidently manage and implement security patches on a diverse range of systems, benefitting from its user-friendly interface and robust security features.
QualvoSec operates on a pull-based model, where client systems proactively poll the server at regular intervals to retrieve information about their designated security patch windows from the server's metadata. This approach not only ensures a more controlled and efficient update process but also helps prevent unnecessary strain on the server by avoiding constant metadata requests. To optimize performance, QualvoSec intelligently caches metadata, minimizing redundant queries and enhancing overall responsiveness.
For additional validation and monitoring capabilities, QualvoSec includes a dedicated health endpoint. This endpoint serves as a reliable tool for monitoring systems, providing insights into the operational status of the software. System administrators can leverage this health endpoint to ensure the proper functioning of QualvoSec and promptly address any potential issues, enhancing the overall reliability and resilience of the security patch management process.
In essence, QualvoSec's pull-based architecture, coupled with metadata caching and a health endpoint, exemplifies its commitment to operational efficiency and system health. This combination not only streamlines the patch management workflow but also empowers administrators with tools to monitor and maintain the robustness of the system.
Resources
All packages for different hardware architectures can be found here.
* Source: QualvoSec (GitHub)
* HowTo: Howto Install QualvoSec Security Patch Management on Debian and Ubuntu
* Package: Debian (amd64)
* Package: Ubuntu (amd64)
* Package: RedHat (amd64)
* More Packages: cdn.gyptazy.ch