A frequently asked question in the technology industry is whether one should favor appliance-based solutions (hardware or virtual) or software-based solutions (which must be installed and configured on a customer-supplied server); it is a valid question, as products in the same category often take these two different approaches. While cost, performance, maintenance and support are broadly similar for both approaches, the differences in security are often a source of concern.
Anything running on a host is a potential security risk. If a component is not actually required, it is safer not to install it. Vulnerabilities in the many tools and utilities installed and running in a default installation of an operating system are well known and actively exploited. The appliance approach provides a tightly controlled system in which only the essential tools and utilities are installed. These tools and utilities, including the Red Hat Enterprise Linux 6 operating system itself, are hardened to allow only authorized access and to preserve the integrity of the system. See Appliance hardening for more information.
A considerable advantage of the appliance approach over a software solution is a known and understood system in which the interaction between components is designed, and deliberately limited to that design. When patches to the Red Hat Enterprise Linux OS are released, BMC Software checks whether each one applies to the appliance. Many do not, because the appliance uses only a subset of the available packages. Where a patch does apply, it is tested and rolled into the next available operating system upgrade or product release; urgent updates are released as a Hot Fix.
BMC provides upgrades to the BMC Atrium Discovery operating system each month; each upgraded package is checked to see whether it is appropriate to the appliance. See operating system upgrades for more information.
Do not download and apply Red Hat OS patches
It is most important that OS patches released by Red Hat are not downloaded and applied directly to the appliance; doing so may reduce rather than enhance security. For example, a patch may reinitialize a service, modify security configurations, or change kernel parameters, any of which may cause unexpected behavior in the appliance.
Red Hat does not increment the upstream version number of a package until the whole release is incremented. Instead it backports security fixes into the existing version and ships them as new package releases (the part of the package name after the version). This means that simpler security scanners, which compare only the upstream version string against the version in which a fix was first published, can report false positives against a package that already carries the backported fix. Whether a given fix is present is recorded in the package's RPM changelog and reflected in its release number, not in its version.
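To make the backporting point concrete, the following is an added example written for this page; it is not BMC or Red Hat code. It compares an installed package's epoch:version-release (EVR) the way rpm does (a simplified rpmvercmp), shows how a version-only check misreads a backported package, and shows the check a practitioner would actually run: compare the full EVR and look for the CVE in the output of rpm -q --changelog. The package name, release numbers, changelog text and CVE identifiers below are constructed placeholders, not real advisories.

```python
"""Version-only scanning versus backport-aware checking of RPM packages.

Added example, not part of the original documentation. All package data
below is constructed for illustration; the CVE ids are placeholders.
"""
import re

# Constructed stand-in for `rpm -q --changelog httpd` output (placeholder ids).
SAMPLE_CHANGELOG = """\
* Mon Mar 05 2012 Example Maintainer <maint@example.com> - 2.2.15-15
- Resolves: CVE-0000-0001 fix request header handling (backported)

* Tue Jan 10 2012 Example Maintainer <maint@example.com> - 2.2.15-9
- rebuild
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def _segments(s):
    """Split a version or release string into numeric and alphabetic runs."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1 like rpm's own comparison.

    Numeric segments compare as integers, alphabetic segments as strings,
    a numeric segment is newer than an alphabetic one, and a longer string
    is newer when all shared segments are equal.
    """
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_evr(evr):
    """Split '[epoch:]version-release' into (int epoch, version, release)."""
    epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def evr_cmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def naive_scanner_says_vulnerable(installed_evr, fixed_upstream_version):
    """What a version-only scanner does: ignore the release entirely."""
    _, version, _ = parse_evr(installed_evr)
    return rpmvercmp(version, fixed_upstream_version) < 0


def changelog_fixes(changelog):
    """Map each CVE id in an rpm changelog to the version-release that added it."""
    fixes, current = {}, None
    for line in changelog.splitlines():
        if line.startswith("*"):
            m = re.search(r"-\s*(\S+)\s*$", line)
            current = m.group(1) if m else None
        for cve in CVE_RE.findall(line):
            fixes.setdefault(cve, current)
    return fixes


def backport_aware_vulnerable(installed_evr, fixed_evr, changelog, cve):
    """Vulnerable only if the installed EVR predates the vendor's fixed EVR
    and the installed package's changelog does not record the CVE."""
    if evr_cmp(installed_evr, fixed_evr) >= 0:
        return False
    return cve not in changelog_fixes(changelog)


if __name__ == "__main__":
    installed = "2.2.15-15.el6"          # constructed installed httpd EVR
    upstream_fix = "2.2.22"              # constructed upstream fix version
    vendor_fix = "2.2.15-15.el6"         # constructed backported fix EVR
    print("naive scanner flags it:",
          naive_scanner_says_vulnerable(installed, upstream_fix))
    print("backport-aware check flags it:",
          backport_aware_vulnerable(installed, vendor_fix,
                                    SAMPLE_CHANGELOG, "CVE-0000-0001"))
```

On a real system the changelog comes from rpm -q --changelog <package> and the installed EVR from rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' <package>; the fixed EVR is the one named in the vendor advisory for the package, never the upstream project's version.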
In contrast, software-based solutions are generally installed on servers supplied by the customer. This approach has advantages, as it gives the customer full control over how the solution is implemented, configured and supported. However, it brings several considerations that can affect the security of the system. Vendors often specify only a minimum set of operating system packages required to support the software, leaving the customer to decide which of the remaining packages are needed and which are not. Every package left in place that is not needed adds attack surface, and the larger and less well-defined the installed set, the harder the system is to harden.
Finally, the more packages there are on a server, the more security patches a company must monitor to keep that server secure. Since the customer generally provides the server, the burden of monitoring and applying security patches falls on the customer.