BigFix vs Puppet for Patch Management

I have been asked to look at Puppet for Patch Management. This occurs every few years when they want a comparison of other products out there for patch management. BigFix is great in my opinion but I still get the questions.
Has anyone looked into Puppet and done a comparison? Searching Google, I have not found a comparison to BigFix.

Thanks in advance

I can't say we've done a comparison, but we are in the process of dumping Puppet for BigFix, primarily for BigFix's patch management. This is on Linux, RHEL and Ubuntu. On the server side, we used Ansible for years and still do; we manage and patch a few hundred servers. But then we were tasked to handle compliance of a couple thousand Linux clients, including patching. Ansible didn't work because in many instances the target clients were offline. Ansible would time out and the systems never got patched.

We looked around for something that would have the clients check-in when they were on-line. We looked at Puppet/Chef/Salt and went with Puppet. Puppet was fine with handling the compliance and systems checking in, but we didn’t really have any insight to what was being done. And it’s not a patch management tool. The assumption with Puppet seems to be that you have a gold image and “patching” is bringing everything up to that gold image. Like defining your own fixlets to “upgrade” everything. We tried setting up a job to run yum update/apt-get dist-upgrade but all we got in feedback from Puppet was that the job ran. Nothing on whether it actually patched or not.

We are in the process of doing our first-time patching with BigFix. So far so good. The action reports show me which systems completed and which failed. I can use the WebUI to check on vulnerabilities or look at Fixlets that are still relevant. Puppet doesn't have any of this, or if it does, it's in the pay-for version, which 2 years ago was priced at $100/client. That's the trouble with Linux: most vendors assume Linux is on a server. The Windows client and Mac teams laughed at me when their endpoint management software is only $5-$9 per system. BigFix fit into the price range also.


We use BigFix and I think it is the best solution that I have worked with. Because we own Puppet Enterprise and patch management is included, I am told to look into it. Thank you for your input. I will have some questions for them during their presentation.

If you aren't talking with your TA about this, I'd highly recommend you do. They can show you why BigFix is better specifically for your environment. @DanPaquette?


We do use Puppet to trigger the script that patches the server, depending on the server's maintenance schedule, or we can stop it if we don't want to patch the host for xyz reason. But behind the scenes, all the repos are in Satellite for patching. One thing that is lacking is CVE information; I am not sure if Puppet has that or not.
Once the server is patched, the security team needs to scan the host to see whether xyz vulnerabilities are cleared or not. That process is messy; we spend hours clearing 1000s of servers from security scans.

I think BigFix fits perfectly here: security can see that the server is patched and cleared of xyz CVE. One interface gives everything; no need to use a secondary tool to scan the host, and no need for a Satellite server. BigFix can pull the patches directly from the Red Hat site, apply the patches, and clear the CVE.
