CentOS patches on DMZ without access to Repo

I have a CentOS system that has no access to the internet or internal/external repo. Is there an automatic way to package the needed patches and push them out to the server for updates? I looked at BigFix custom repo, but that will still require me to punch another hole in the firewall. Thanks

By default (i.e. you don’t configure Custom Repos at all), one would configure the CentOS Download Plugin R2 to run on the BigFix Root Server. Use the ‘Manage Download Plug-Ins’ Dashboard to do that.

Then you can use the fixlets in the Patches for CentOS Site to patch the machines. The CentOS endpoint does not need access to Internet, the BES Root Server handles all the downloads for it.

Thank you! I will look into that; I have not seen any documentation on this option.

Hope it helps, have a look at https://help.hcltechsw.com/bigfix/9.5/patch/Patch/Patch_CentOS/c_using_patch_management_for_cen.html and https://help.hcltechsw.com/bigfix/9.5/patch/Patch/Patch_CentOS/c_using_centos_dl_plug-in.html

thanks!!! Looking into it now

I am working with Frank. It looks like there is a hard requirement for the CentOS download catcher to use SHA-1 downloads only. We have Enhanced Security set on root as a requirement for TLS 1.2.

Is there any workaround to allow the CentOS DL catcher to work with SHA-256 downloads?

“Note: The CentOS Plug-in R2 does not work when the Require SHA-256 Downloads option in the BigFix Administration tool is enabled. When this option is enabled, all download verification uses only the SHA-256 algorithm. However, there is certain repository metadata from the vendor which does not contain SHA-256 values for packages in the repository that are used by the plug-in.”

Also, we are running v1.0.0.2 of the CentOS R2 plugin, which shows Up-To-Date in the console.

This was last updated 5/31/2017.

Does anyone know if there is an update or enhancement request that could be submitted? Who would actually own this tool?

I believe the underlying problem is that the vendor repositories for CentOS themselves do not provide sha256 hashes in their repository metadata. I think your only real option there is to not require sha256 downloads in your BigFix deployment.

Under the hood, what happens with the download plugin is that the repo metadata downloads to the client, and the client uses that to determine which RPM packages to request. If the CentOS repositories themselves don’t contain the sha256 hashes, we don’t have a way to generate a download request with a sha256.
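As an added example (not from this thread, and not BigFix code), a small Python audit that parses a yum/dnf repository's primary.xml and reports which checksum algorithm each package entry carries, so an admin can see before enabling Require SHA-256 Downloads whether a repository's metadata can satisfy it. The metadata below is a constructed sample, not real CentOS metadata.

```python
"""Audit checksum algorithms in yum/dnf repository metadata (primary.xml)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample primary.xml fragment (not real CentOS metadata): one package
# carries a sha256 checksum, the other only a SHA-1 ("sha" is the legacy type name).
SAMPLE_PRIMARY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<metadata xmlns="http://linux.duke.edu/metadata/common"
          xmlns:rpm="http://linux.duke.edu/metadata/rpm" packages="2">
  <package type="rpm">
    <name>example-a</name>
    <checksum type="sha256" pkgid="YES">0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</checksum>
    <location href="Packages/example-a-1.0-1.el7.x86_64.rpm"/>
  </package>
  <package type="rpm">
    <name>example-b</name>
    <checksum type="sha" pkgid="YES">0123456789abcdef0123456789abcdef01234567</checksum>
    <location href="Packages/example-b-2.0-1.el7.x86_64.rpm"/>
  </package>
</metadata>
"""

NS = {"c": "http://linux.duke.edu/metadata/common"}
# Older createrepo output writes "sha" for SHA-1; normalise the type names.
ALGO_ALIASES = {"sha": "sha1"}


def package_checksums(primary_xml):
    """Return {package location href: checksum algorithm} from primary.xml text."""
    root = ET.fromstring(primary_xml)
    result = {}
    for pkg in root.findall("c:package", NS):
        href = pkg.find("c:location", NS).get("href")
        ctype = pkg.find("c:checksum", NS).get("type", "").lower()
        result[href] = ALGO_ALIASES.get(ctype, ctype)
    return result


def packages_without_sha256(primary_xml):
    """Packages a SHA-256-only download path could not request from this metadata."""
    return sorted(h for h, algo in package_checksums(primary_xml).items() if algo != "sha256")


def summarize(primary_xml):
    """Count packages per checksum algorithm, e.g. Counter({'sha256': 1, 'sha1': 1})."""
    return Counter(package_checksums(primary_xml).values())


if __name__ == "__main__":
    print(summarize(SAMPLE_PRIMARY_XML))
    for href in packages_without_sha256(SAMPLE_PRIMARY_XML):
        print("no SHA-256 checksum:", href)
```

To run it against a real mirror, fetch the primary metadata referenced by the repository's repodata/repomd.xml (decompressing it first) and pass its text to `summarize`.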

Hmm. SHA-256/TLS 1.2 are required in my environment. I have Enhanced Security enabled via BF admin, so it’s an all-or-nothing deal.

Hard to believe that CentOS does not provide hashes above SHA-1. PCI required TLS 1.2 two years ago.
Thanks for the insights.

You can keep the TLS 1.2 transport and still allow sha1 hashes in the download requests, if you’re interested in that. I don’t know if we’ve made that clear, but those are separate options in the Enhanced Security tab of the BESAdmin Tool.

Otherwise you’d need to set up a custom repo (which has its own challenges, as posted earlier), so the file downloads wouldn’t use the server/relay download path and the client would grab them directly from your repo.

Sounds good. I am going to keep Enhanced Security enabled as the Cent boxes are a small percentage of the environment and look into importing into Artifactory, then pulling from there as SHA256.

Thanks for the help herding Frank