A frequently asked question in the technology industry is whether one should favor appliance-based solutions (hardware or virtual) or software-based solutions (which need to be installed and configured); a valid question, as products in the same category often take these two different approaches. While the cost, performance, maintenance and support for these approaches are similar, the differences in security are often a source of concern.
Anything running on a host can be considered a potential security risk. If a component is not actually required then it is safer not to install it. Vulnerabilities in the many tools and utilities installed and running in a default installation of an OS are known and exploited. The appliance approach provides a tightly controlled system in which only the essential tools and utilities are installed. These tools and utilities, including the CentOS 6 operating system, are hardened to allow only authorized access and ensure the integrity of the system. See Appliance hardening for more information.
A considerable advantage of the appliance approach over a software solution is a known and understood system in which the interaction between components is designed and knowingly limited to that design. When patches to the RHEL OS are released, BMC Software checks whether they are appropriate to the appliance. Many are inappropriate because of the subset of packages used in the appliance. Where a patch is appropriate, it is tested and rolled into the next available OS upgrade or product release; urgent updates are released as a Hot Fix.
Do not download and apply CentOS patches
It is most important that OS patches released by CentOS are not downloaded and applied to the appliance; this might result in reduced rather than enhanced security. For example, a patch might reinitialize a service, modify security configurations, or change kernel parameters, all of which can cause unexpected behavior.
CentOS does not increment the base version of any of the packages until the whole release is incremented. Instead, it continuously applies security patches to the existing package versions. This means simpler security scanners, which look only at the base version of a package rather than at the patches applied to it, can report false positives.
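The false positive described above comes from comparing only a package's base version with the upstream version that first carried a fix. The following script is an added example, not BMC's own tooling or part of the original page: it contrasts a version-only verdict with a check of the package changelog, which on a real CentOS or RHEL host comes from `rpm -q --changelog <package>`. The changelog text, the version numbers and the CVE identifiers here are constructed placeholders so that the script runs offline.

```shell
#!/bin/sh
# Added example: why version-only scanners misreport backported fixes.
# On a real host the changelog would come from:  rpm -q --changelog <package>
# The excerpt below is constructed; the CVE ids are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Mon Jan 01 2024 Maintainer <maint@example.com> - 1.0.1-60
- fix CVE-0000-00001: example backported fix (placeholder id)
- fix CVE-0000-00002: another backported fix (placeholder id)
* Fri Dec 01 2023 Maintainer <maint@example.com> - 1.0.1-59
- assorted bug fixes'

# vercmp A B: prints -1, 0 or 1 for numeric dotted versions (POSIX awk only).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# naive_verdict INSTALLED_BASE UPSTREAM_FIXED_IN
# Mimics a version-only scanner: flags "vulnerable" whenever the installed
# base version is older than the upstream release that first carried the fix,
# ignoring any patch the distribution applied to the older base version.
naive_verdict() {
    if [ "$(vercmp "$1" "$2")" -lt 0 ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# fix_backported CHANGELOG CVE_ID
# Returns 0 when the CVE id is recorded in the package changelog.
fix_backported() {
    printf '%s\n' "$1" | grep -q -F -- "$2"
}

# changelog_verdict CHANGELOG CVE_ID
# The more accurate check: a fix applied to the existing base version shows
# up in the changelog even though the base version string never changed.
changelog_verdict() {
    if fix_backported "$1" "$2"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Demonstration with the constructed data above (placeholder CVE ids).
printf 'version-only scanner (1.0.1 vs upstream fix in 1.0.2): %s\n' \
    "$(naive_verdict 1.0.1 1.0.2)"
printf 'changelog check for CVE-0000-00001:                   %s\n' \
    "$(changelog_verdict "$SAMPLE_CHANGELOG" CVE-0000-00001)"
printf 'changelog check for CVE-0000-00003:                   %s\n' \
    "$(changelog_verdict "$SAMPLE_CHANGELOG" CVE-0000-00003)"
```

The version-only scanner reports the package as vulnerable, while the changelog shows the first two placeholder fixes were applied to base version 1.0.1; the third id is absent from the changelog, so only that one is a genuine finding. A changelog check still depends on the packager recording the CVE id, so an absent entry is a reason to look further, not proof of exposure.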
In contrast, software-based solutions are generally installed on servers that are supplied by customers. This approach has advantages, as it gives the customer full control over how to implement, configure and support the solution. However, it includes several aspects to consider which can affect the security of the system. Vendors often specify a minimum set of OS packages that are required to support the software-based solution, placing customers in the difficult position of choosing what is needed versus what is not. Not only does this leave room for security vulnerabilities, it also makes the task of hardening the system far more complicated.
Finally, the more packages there are on a server, the more security patches a company must monitor to keep that server secure. Since the customer generally provides the server, the burden of monitoring security patches falls on the customer.