Slackware: This forum is for the discussion of Slackware Linux.
I've recently built a Nagios server using Slackware 12.1 and thought I was in good shape by disabling remote root, turning off services not being used etc but we have a security consultant in the office who ran a preliminary scan and said my server has a lot of vulnerabilities due to old versions of software such as PHP.
I'm trying to figure out how to use rsync to keep the system patched but have been unable to figure the whole process out despite what I have read.
It seems that I need to find a mirror (not sure where to look), run rsync pointed at that mirror, and then point it at a directory of files I want to update. But what if I want to patch/update the entire system?
So in short, my questions are: where do I find an rsync mirror, and can I just run the command: 'rsync mirror.com /' to update the whole system?
If you want manual control, check Eric's (Alien Bob) web site. He has an rsync shell script that maintains a mirror of patched files. The script will not automatically install the patches.
For automatic installation, as mentioned, look into slackpkg, which is stored in the Slackware tree extra branch.
If you're running a server do you need to update every package that is available for 12.1? I go to the Slackware 12.1 site and manually download, install the updates that I need.
slackpkg is not automatic unless you set it that way.
Here is my suggestion for you if you want the best of convenience and absolute control.
Use slackpkg. Set a cron entry to slackpkg update every day some time when server usage is low. All update does is check if there is an update by downloading the Changelog. If there is an update have a notice mailed to root and whoever is the main admin. This person can check the Changelog (or just have the list of upgrade-able packages in the email) and then either run slackpkg upgrade-all (if they know all upgrades won't interrupt server) or slackpkg download package1 package2 .... Then they can be manually installed via installpkg.
Yes, you can just subscribe to the security mailing list or the Slackware security RSS feed, but sometimes having a tool to check the Changelog for you gives you the quickest results in case the mailing list/RSS feed is behind. The mailing list is sometimes a couple of days behind the Changelog.
If you don't like slackpkg, then sure check out the rsync script. slackpkg has more uses, however, such as listing all non-stock packages. Don't worry it is a small program, too, so you won't be introducing bloat to your server.
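The daily check-and-notify routine suggested above could look like the sketch below, an added example rather than code from any poster or from slackpkg itself. It reads the ChangeLog that `slackpkg update` downloads and mails root the security-fix packages whose newest build is not installed; the `/var/lib/slackpkg` and `/var/log/packages` paths, the `--cron` switch and the sample versions are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report packages that have a security-fix
# entry in a Slackware ChangeLog.txt and whose newest build is not installed.

# newest_security_builds CHANGELOG -> newest build of each package with at
# least one "(* Security fix *)" entry (the ChangeLog is newest-first).
newest_security_builds() {
    awk '
        /^[a-z][^ ]*\/[^ ]+\.t[a-z]z:/ {           # entry line "dir/pkg.tgz:"
            n = split($1, p, "/"); pkg = p[n]
            sub(/\.t[a-z]z:$/, "", pkg)
            base = pkg
            sub(/-[^-]+-[^-]+-[^-]+$/, "", base)   # drop version-arch-build
            if (!(base in newest)) newest[base] = pkg
            next
        }
        /\(\* Security fix \*\)/ && base != "" { secure[base] = 1 }
        /^\+-+\+$/ { base = "" }                   # separator between batches
        END { for (b in secure) print newest[b] }
    ' "$1" | sort
}

# pending_fixes CHANGELOG PKGDIR -> builds above that have no file in PKGDIR
# (pkgtools keeps one file per installed package, named after the build).
pending_fixes() {
    newest_security_builds "$1" | while read -r pkg; do
        [ -e "$2/$pkg" ] || echo "$pkg"
    done
}

# make_sample DIR: constructed ChangeLog and package database for a dry run.
make_sample() {
    mkdir -p "$1/packages"
    cat > "$1/ChangeLog.txt" <<'EOF'
Tue Dec  9 00:00:00 UTC 2008
patches/packages/php-5.2.8-i486-1_slack12.1.tgz:  Upgraded.
  (* Security fix *)
+--------------------------+
patches/packages/php-5.2.6-i486-2_slack12.1.tgz:  Rebuilt.
  (* Security fix *)
patches/packages/pidgin-2.5.2-i486-1_slack12.1.tgz:  Upgraded.
+--------------------------+
EOF
    touch "$1/packages/php-5.2.6-i486-2_slack12.1" "$1/packages/pidgin-2.4.1-i486-1"
}

if [ "${1:-}" = "--cron" ]; then   # assumed paths: slackpkg work dir, pkgtools db
    slackpkg -batch=on -default_answer=y update >/dev/null 2>&1
    list=$(pending_fixes /var/lib/slackpkg/ChangeLog.txt /var/log/packages)
    [ -z "$list" ] || echo "$list" | mail -s "Pending security updates" root
fi
```

Run from root's crontab with `--cron`, it only sends a notice; the admin still decides when to run `slackpkg upgrade-all`.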
Ask your "security consultant" to show you some code to exploit these holes in php, or at the very least, point you to a CVE entry showing the problem. Are you even using php for anything?
I'd like to see a list of all the "vulnerabilities" he finds on a fully patched 12.1 system.
If you're running a server do you need to update every package that is available for 12.1? I go to the Slackware 12.1 site and manually download, install the updates that I need.
Based on the fact that there's a "security consultant" in house there, yes, he does.
Sure. I guess my point was does he need to update "everything" (like x windows) if he's not running a graphical environment? But, he should of course follow the advice of his consultant:-)
If there is something which he doesn't need, then logically it shouldn't even be installed. If a particular service is not going to be used on a server, there is absolutely no reason you should leave it installed, let alone running.
Not only is it needlessly taking up system resources, it can generate false alarms like the topic creator may be seeing; where software that isn't even being used is now being considered a liability because it hasn't been maintained.
Though in this case, I would also be interested in seeing what software is so viciously out-of-date on an updated Slackware 12.1 install. I am not aware of any serious exploits that have not been addressed through a security update, so I don't see how he can find "a lot" of vulnerabilities.
I think he has not been keeping it updated, so he is looking for something to help him in that aspect. I run Slackware on 3 different machines at home, and I find myself forgetting to install security updates on one or two of the systems. I believe he is just looking for an automated way to do this, especially since he disabled remote root login.
Sorry I wasn't more clear. And thank you for all the great responses.
Although I've been using Linux on and off for a few years, I'm still very much a rookie. I set up this server and just ran it as-is, unpatched. Whatever comes off of the 12.1 disc is what I've been running for the past month. So it is certainly not up-to-date. I've turned off what I don't need or use, but being a Nagios server, I need apache, php, mysql (in the future).
Bassmadrigal hit the nail on the head, I am just looking for a way to keep my system patched with the latest security updates and will be looking into slackpkg.
Yeah, for those purposes, slackpkg is a great choice. It should be safe even to script it as a cron job if you'd like (although you'll have to modify your slackpkg.conf or use command line switches to make it run non-interactively). Basically, you'll want to do this:
Code:
slackpkg update
slackpkg install-new # Just in case; it can't hurt
slackpkg upgrade-all
Neither the "install-new" nor "upgrade-all" switch will install anything that's not currently installed (for example, if you don't have perl installed, this won't cause it to be installed). The only exception to that is in the rare case that a package is added to the official repository *after* the stable release. The only recent occurrence of this was in either 11.0 or 12.0 (I don't recall which from memory) when a gaim/pidgin update required the addition of mozilla's standalone nss in order to function properly. The "install-new" switch will keep a similar future scenario from biting you in the tail.
Be careful with your entries in the blacklist file if you are thinking of using slackpkg in an automated fashion. Of particular concern are any glibc or kernel updates or any packages that include configuration files (e.g. cups, ssh, sshd).
Personally I would not recommend automated updates. I like slackpkg because at the end of updating it searches for any *.new files within /etc and offers options as to what you would like to do.
The extra effort to run slackpkg manually may be well repaid if you do not have to unpick an unintended update.