Transcription
LINUX PATCH MANAGEMENT: WITH SECURITYASSESSMENT FEATURESSoranut Midtrapanon, Gary WillsSchool of Electronics and Computer Science, University of Southampton{sm6n17, gbw}@soton.ac.ukKeywords:Patch Management, Linux, Software Inventory, CVE Scanning, Security, Puppet, McollectiveAbstract:The lack of patch management has been identified as the main reason for many ransomware attacks. The costof patch management is still an obstacle for many small and medium-size businesses. There are many opensource, free of charge, patch management systems but these require many pre-configuration steps makingthem complicated to use. Hence, this paper presents a patch management system that is cost-effective but alsoefficient in terms of set-up time. We have written the system in Python with Puppet and Mcollective to aidthe configuration steps. An additional feature of this system is the ability to assess the security of the systembeing patched, using CVE scanning.1INTRODUCTIONPatch management is the process of timely updatingof existing systems with software patches to plugknown security vulnerabilities or to improve serviceperformance (Souppaya, and Scarfone, 2013). It isrecommended that security patches be appliedwithin 14 days of being issued. However, this is notenforced and this has led to an increase in ransoms(Adamov, and Carlsson, 2017) (Rajput, 2017). Forexample by leveraging the EternalBlue exploit, wellknown ransomware WannaCry was able to infectmany systems worldwide (Mansfield-Devine, 2017).The National Health Service (NHS) in the UK wasa victim of this ransomware, even though theEternalBlue patch was released months beforehand,many of the unpatched NHS systems were subject toransomware encryption which resulted in many of thenetworks being shut down, this would not havehappened had an effective patch management systembeen in place (Ehrenfeld, 2017) (Hoeksma, 2017).Ransomware affects many systems not onlyWindows based systems, in 2017 the EREBUSransomware infected the outdated kernels and webapplication stack of Linux based systems (O’Brien,2017) (McAfee, 2017).Even though having good patch management is aknown method for basic security hygiene in order toreduce cyber-attacks; it is still a neglected area formany non-IT specialist companies. This is especiallythe case in small and medium-sized enterprises(SMEs), where the cost of setting up and maintaininga patch management system can be prohibitive(Mansfield-Devine, 2016) (Renaud, 2016) (Goucher.2016).This paper presents an approach that enable SMEsto address the issues of cost and maintenance of apatch management system, for multiple Linux-basedservers.2BACK GROUND LITERATUREA patch management system allows systemadministrators to install updates on their managedsystems (Gerace, and Cavusoglu, 2009), (Rankin,2017). The patch management lifecycle involvesacquiring information about the patch fromsoftware vendors; identify critical patches,performing patch installations and verifying results(Dadzie, 2005). In addition, aspects such asassessing potential security risks on managedsystems, collecting an inventory of the software onthe platform and hardware used, pre-assessment ofpatches prior to being installed, and prioritizing theorder in which patches are installed (Mell et al,2005). They also give two mechanisms for patchmanagement. The manual patching method: In this methodsystem administrators are req uired to performall patch management related tasks manually. Thisincludes monitoring newly released patches,running scripts, logging changes and performingspate analysis of their system.1
Automated patching: System administratorsutilize software to perform most if not all patchmanagement tasks automatically.The automated approaches are more efficient thanmanual methods of patch management. In addition,the automated p a t c h i n g method is recommendedby the National Institute of Standards and Technology(NIST) (Mell et al, 2005), as it allows patching alarge number of systems within the recommendedtime and importantly reduce the risk of human error(Dey et al, 2016]. Several other standards also point outthe need for good patch management. For example, it isa compulsory component for compliance for PCISecurity Standards and NIST SP 800-53 (Souppaya,and Scarfone, 2013) and is part of the UK’s CyberEssentials scheme to mitigate cyber-attack incidents inSMEs (Mansfield-Devine, 2016).Moreover, it has been established by US-CERTthat by maintaining managed systems so that theyremain up-to-date, that 85% of all cyber threats can beavoided (US-CERT, 2015). Therefore, when patchmanagement procedures are implemented correctly,numerous system patches can be managed in a timelymanner (Arora et al, 2006).2.1Automated patch managementsoftware architecturePatch management software provides an effectivemethod for patching systems automatically. Thesoftware has the ability to keep all managed systemsup to date by applying patches promptly. ClientServer architecture for patch management enablesusers to manage all systems and view reportsthrough a central management console. The patchesare held on patch management servers, and thepatches are installed on client machines (which canbe other servers).Generally, there are three methods for identifyingand installing the patch required on client machines.A tool may use one or more of these techniquestogether to patch a client machine (Souppaya, andScarfone, 2013), each of these approaches can besummarized as follows:1. Agent-based patch management: In this approach,an agent is installed on each of the managed clients.A different agent is required for each type of platform.The agent undertakes the tasks required forpatching: getting the patch information, installingthe patch, and verifying successful completion ofthe task. The agent required administrativeprivileges on all machines.2. Agentless patch management: A remote serverregularly scans the servers under its control andcarries out the necessary patch management if itfinds out of date applications/software. Hence,there is no need to install an agent on the client.However, this does increase the network traffic(increase bandwidth), and only works on a localnetwork, as remote scanning can be blocked.3. Passive Network Monitoring: Similar to agentlessscanning technique, where the patch managementserver(s) scan the internal networks, but they canalso identify unmanaged and unpatched systemsbut do not patch them automatically. Thelimitations are that they can only work onunencrypted networks and version detectableapplications.Agent-based approaches is the preferred methodover agentless approaches as it has fewer limitations,but importantly can be made to work on mostinstallations. While the passive approach is used toextend features of existing systems.2.2Technical challenges and issuesThere are several challenges and issues arising fromapplying patch management approaches.1. System downtime: In some circumstances, it isnecessary to stop or restart software services whenpatches are being applied or after applyingpatches. This could have consequences fororganizations fulfilling Service Level Agreements(SLAs) (Le, et al., 2014). However, there arepatching approaches that can be applied to livesystems to achieve zero downtime; for example,Oracle’s Kspicei, RedHat’s Kpatchii, and SUSE’sKgraftiii (Kashyap, et al, 2016). Moreover, thesetechniques also support verification, which isundertaken immediately after the patches havebeen installed without stopping or restarting theservice.2. Failures and side effects due to installedpatches: Installing a patch can also introduce newerrors such as inconsistency in systemconfigurations, permission issues, software bugsand new vulnerabilities (Okhravi, and Nicol,2008). Organizations normally have to restore tothe safe fall-back state and then wait for a manualupdate to be issued (Le, et al, 2014) (Kashyap, etal, 2016). Hence, before installing a patch, systemadministrators may perform manual testing first(Gerace, and Cavusoglu, 2009).3. Multiple architectures and platforms: Thereare many operating systems and networkarchitectures used by industry and commerce thatrequire specific procedures or commands wheninstalling patches. Many of the commercialpackages do cater for this and work well in ere are still occasions when the systemadministrators need to perform manual patchingtasks (Souppaya, and Scarfone, 2013).2
3EXISTING APPROACHESSection 2 outlined the approaches that could beundertaken for patch management systems. Thissection focuses on identifying existing systems andthe gaps that led to our design.3.1Why Linux?Linux is still the most popular system on which tohost web-based applications. Unfortunately, it is alsothe one on which it is most likely to also find the mostportion of out of date software. In addition, there arealso a number of L i n u x hacking tools available toremotely exploit unpatched systems, (Delasko, andChen, 2018). Microsoft has developed WindowsServer Update Services (WSUS) to support theupdating of patches on Windows-based systems. Thisis deployed in such a way that the system is updatedregardless of the user choices (Palumbo, 2015).3.2Commercial ToolsThere exist many commercial automated patchmanagement tools. The most commonly used arethose that use a centralized system that is controlledvia a web-based or desktop application. Some willalso assess third-party applications. Our analysisfocuses on security and customizable features asshown in Table 1. It is important to pretest all thirdparty patches prior to deployment on a system, evenif the patch has been developed especially for thesystem (customized patch), it should go through asystem of verification first, as any patch couldintroduce new vulnerabilities (Okhravi, and Nicol,2008). System administrators like to control andverify the process of patch management, hence it nterfaces(APIs)supportingoriginations to integrate the patch management toolsinto their systems and processes. Additionally,organizations like to buy one tool for multipleplatforms (Mansfield-Devine, 2016). The pricesshown are only for guidance.Table 1 Shows that patch management tools withmulti-platform support are now important, this differsfrom previous surveys (Seo, et al., 2005) (Seo, et al.,2006). Notably that only about half of the vendorsprovide pre-built and pre-testing third-partyapplication patches, they mainly mitigate this byoffering software catalogues of verified updates thatcan be installed. Very few vendors provide amechanism for a security verification process of custompatches before they are applied, they also do notprovide patching-related APIs and the cost is basedon a subscription model per managed device whichcan become a prohibitive cost for SMEs (MansfieldDevine, 2016).3.3Non-commercial softwareThe three common open-source tools for patchmanagement on Linux installations are vFenseiv, FAILinux Projectv, and Spacewalkvi. vFense is astandalone patch management tool, while the othersare automated tools design for system configurationthat has the ability to update software. All three toolsuse an agent-based approach. This survey (Table 2)aims to show the tools’ main feature, the number ofsteps required to configure the setup of the system,and whether or not the tool is currently support.Table 2 shows that1. All the tools require numerous steps tocomplete the setup and initial configuration.Also, vFense involves the administrator tobuild the client agent from scratch.2. The tools use the Common Vulnerabilities andExposures (CVE) descriptions to analyzesecurity vulnerabilities.3. Only provided by Spacewalk provides anyform of software inventory and an essentialfeature for patch management.4. Typically system administrative staff access isvia a web-based user.5. With any open-source project, there is a riskthat the project is deprecated and receives nofurther developer community support.Spacewalk provides suitable patching relatedfeatures, has good support from the community, andtakes a moderate number of steps to complete theconfiguration, but does not support Ubuntu.A common problem for the systems that havedeployed the agent-based patching technique, is thatthey are complex to use, and require many steps toconfigure the systems. Therefore, our system plugsthese gaps creating a Linux based patch managementtool that is cost-effective, supports all of the currentLinux distributions, and is customizable and easy toconfigure.4ARCHITECTUREAn orchestration tool allows us to control andconcurrently manage multiple servers. Yet many ofthe existing open-source tools that have goodcommunity support and are intended asconfiguration management tools that allows systemadministrators to create configuration files that canthen be distributed the managed servers. Many ofthem also come with plug-ins that provideorchestration functionality.3
Table 1 Commercial patch management softwarePatch management softwareMultiThird CustomAPIplatform party patch add-onpretestedIBM BigfixviiYes patchNoYesYesIvanti PatchviiiYesNoNoYesixRedHat SatelliteNoNoYesYesSolarWinds Patch Manager xNoYesNoNoxiFlexera Corporate Software InspectorYesYesNoNoKaseya VSAxiiYesNoNoNo 2.05 per client 32.29 per serverN/AGFI LanGuardxiiiManageEngine Patch Manager Plus xivYesYesNoYesNoNoYesNo 6.67 - 17 er node 493/ 650 per 100 nodesZENworks Patch Management xvYesYesNoNoN/ACMS Patch Manager xviBMC BladeLogic Server AutomationxviiYesYesYesNoNoNoNoYesFrom 50 per monthN/AYesYesNoNo 8,000 per 100 nodesKACE xviiiToolsFunctionalityTable 2 Open Source patch management softwarevFenseFAI Linux ProjectAn open-sourceAn automated configurationapplication. Main purpose management that can installis to install patches and patches and perform relatedperform related taskstasksPricing per yearN/A 2,745 per 250 nodesFrom 2,194 per 100 nodesN/ASpacewalkAn open-source Linux.Management system thatcan install patches andperform related tasksNoYesInventory ofapplicationsNoNoYesFeaturesYesWeb –based UserinterfaceDistribution to allLinux distribution?Ease of UseCVE VulnerabilityscansSteps required toLarge (Require numerous Moderate to lowConfiguresteps)(difficulty)Currently supported? NoYesLast update was in 2016Yes(But deprecated)YesThese files contain the specified configurations andsettings for the managed systems. The tool will alsomonitor any changes to the configuration of themanaged servers and apply updates automatically.Hence, we can take such tools and adapt them tomeet our requirements for patch management. Wechoose to use the open source version of Puppet forour configuration management tools (Walberg,2008). It addition, Puppet has good communitysupport. However, the open-source version does notcome with a web user interface so have weimplemented these to allow users to administer andmanage the patching process. An additional benefitNo(terminal user interface)YesYesNo(Red Hat only)ModerateYesof Puppet is the native implementation of a serverorchestration tool called Mcollective, which can beused to undertake tasks on all Linux distributions(Rankin, 2017). In addition, Mcollective iscustomizable allowing for custom plugins to performautomated tasks. Mcollective uses the PuppetCertificate Authority (Puppet CA) to support securecommunication features over TLS/SSL. Mcollective,obtains a certificate from Puppet CA for eachspecified administrator on a Puppet master server.Mcollective uses the certificated to construct a securechannel through which only the authorizedadministrator can control the Puppet agents installed4
on managed servers, see Figure 2.Table 3: Development tools and astrxxvDescriptionA Python message queue library toreal-time tasks in the background.A Python thread pool concurrentmanagement library, to enable us torun Celery on WindowsA Django Python library forstoring all Celery task resultswhich can be queried to display taskstatuses.A message queue for handling Pythonbackground, controlled by Celery.A SSH connection Python library. Itis the necessary for use to establish anSSH connection to a Puppet masterserver, and to run commands andauthentication method for the Publickey.It is a responsive web user interfaceframework. We use this in theimplementation of the user interfaceto set its looks and feels.A JavaScript library for displayingnotifications to the users. We usethis to patching task notifications.The system architecture design is shown in Figure1. The main system is implemented using the Django(Python) web-framework and a web user interfacefront-end. The core process communicates with theembedded database system (SQLite3) as this nativelysupports Django. Authorized users can access thesystem via a web browser.In order to undertake the task of patchmanagement, the core system connects andcommunicates with the managed systems using acombination of Puppet and Mcollective functionsthrough an SSH connection. Each communicationtask is executed as a background task (Celery)combined with a central message queue (RabbitMQ),this enables the administrator to continue with otheractivities without needing to wait for the initial task tofinish.The process of establishing an SSH connection isthat an authenticity verification takes place on theserver, it confirms that the server’s public key matchesthe expected user’s public key. In order to ensure asuccessful connection to the managed server, acorresponding SSH passphrase is required. We use theMcollective and its native plugins to execute Linuxbased commands, which retrieves all the informationfrom the connected systems. SSH connections to thePuppet master server uses the public keyauthentication found in the Fabric Python library. Wehave manually tested all these commands with variousLinux systems to verify these commands work in oursystem and give the expected results.As we use Puppet to undertake the host discoverytask by connecting to our managed servers, and thensimultaneously uses Mcollective to run the Linuxcommands on the managed server, it is therefore,necessary to ensure that a Puppet environment is setup first. At the core of the system, we process Djangoviews, which handles the requests. It also renders userinterfaces from template/static files and undertakesthe database operations.Table 3 shows the tools and libraries used in oursystem for the Django web-based development andthe Python background task implementation. Therewere a number of methods for implementing the CVEscanning of the managed servers. The first was to usea locally hosted CVE database, but this would haveresulted in an extremely large size database, whichwould be hard to maintain, so we decided to use aPublic CVE API. We did try using the unstructuredword search facilities with the API but obtained toomany false positive results. We settled on the CVEAPI provided by RedHat which allowed us to searchby package names and versions. However, it is limitedand does is not supported Ubuntu, for which we usedthe word search.5TESTING AND EVALUATIONSThis section presents the testing and evaluationof the patch management system. The testingshowed all implemented functionalities work asexpected. While the evaluations compared oursystem with current patch management systems.5.1Testing processesWe conducted unit tests and full systemintegration tests. We used a white box approach toverify the internal processes and logic of thesystem (Pressman. 2010).Unit testing allowed us to ensure that thefunctions we developed were as designed; we usedthe automatic test facilities that comes withDjango, this also come with automatic testing ofviews and user interface functionality. Wedeveloped 96 test cases for testing both views andinternal functions; this gave us the ability toconduct regression testing and to use a test-drivenapproach to development.We had designed the system so that the patchmanagement core functions could be automaticallytested separately from the system integration. Theintegration tests were undertaken using manualoperations, using a Vagrant-based Puppet testingenvironment. A Test Pyramid method (Cohn,2010) was integrated into the testing in order toreduce the total number of test cases required.Hence, the unit-test case cannot be reused.Therefore, the integrations testing was undertakenwithout having to know the internal logic(Pressman, 2010).5
Figure 1: System architectureFigure 2: Overview of how Puppet and Mcollective works together6
5.1EvaluationIn this section, we present the evaluation of theproject in terms of the features, customizability andcost. The main aim of this project was to develop anefficient Linux patch management system thatwould fit the budget of an SMESection 3 identified a number of commercialsystems with indicative costs. Our system can providethe necessary patching functionality and securityassessment. This will substantially reduce the cost toan SME as they are saving in terms of investmentcosts (as our system is open source).In section 3 we identified Spacewalk as the bestopen-source patching tool available to date.Therefore, we compared the patching features of oursystem and Spacewalk, see Table 4.As can be seen from Table 4, our system has twomain advantages over Spacewalk. The first is that wesupport all Linux distributions. We have achieved thisby utilizing the Puppet/Mcollective. Secondly, byusing Puppet we can connect to and discover allmanaged systems, also by using Mcollective to runcommands simultaneously, we have reduced thenumber of steps required in the configuration process.In addition, our system is designed for futuredevelopment, by enabling more features to add bycustomizing and extending new plugins.Table 4 Comparison of open-source system features6FeatureOur system SpacewalkWeb –based UserinterfaceCVE Vulnerability scansAll Linux distributionsSteps required toConfigure SOur patch management system has beenimplemented and the evaluation shows that it is acost-effective and usable open-source tool.Our patch management tools fill the gaps found inthe current patch management software, it providesvital patching capabilities on Linux systems withsecurity assessment features which support theretrieval of essential details and CVE informationfrom managed systems for further analysis.The advantage of using Puppet and Mcollective tointegrate into the core is that we have significantlyreduced the number of steps required in the initialconfiguration process as we are able to support to allLinux distributions with customizability andextensibility. Furthermore, we provide a user-friendlyinterface that allows anyone to interact with the patchmanagement system without the need to be an expertat understanding Linux commands.Moreover, by being open-source it is anaffordable patch management tools, it can be used toincrease security awareness by the use of the CVEscanning and the necessity of keeping systems up-todate, especially to SMEs on a limited budget.Future work is in developing further the use ofCVE scanning with public APIs. We are looking intobetter ways to scan and analyses CVEs. For example,machine learning coupled with Neuro-linguisticprogramming can improve the interpretation of theCVE descriptions and improve the effectiveness ofthe CVE scan. This could lead to efficientlydiscovering known vulnerabilities in a system.7LIST OF REFERENCESAdamov, A. and Carlsson, A. (2017) 'The state ofransomware. Trends and mitigation techniques', 2017IEEE East-West Design and Test Symposium (EWDTS).Sept. 29 2017-Oct. 2 2017. pp. 1-8.Arora, A., Caulkins, J.P. and Telang, R. (2006) 'ResearchNote—Sell First, Fix Later: Impact of Patching onSoftware Quality', Management Science, 52(3), pp.465-471.Cohn, M. (2010) Succeeding with agile: softwaredevelopment using Scrum. Pearson Education.Dadzie, J. (2005) 'Understanding Software Patching', ACMQueue - Patching and Deployment, 3(2), pp. 24-30.Delasko, S. and Chen, W. (2018) 'Operating Systems ofChoice for Professional Hackers', ICCWS 2018 13thInternational Conference on Cyber Warfare andSecurity. Academic Conferences and publishinglimited, p. 159.Dey, D., Lahiri, A. and Zhang, G. (2015) 'Optimal Policiesfor Security Patch Management', INFORMS J. onComputing, 27(3), pp. 462-477.Ehrenfeld, J.M. (2017) 'WannaCry, Cybersecurity andHealth Information Technology: A Time to Act',Journal of Medical Systems, 41(7), p. 104.Gerace, T. and Cavusoglu, H. (2009) 'The critical elementsof the patch management process', Commun. ACM,52(8), pp. 117-121.Goucher, W. (2011) 'Do SMEs have the right attitudeto security?', Computer Fraud and Security, 2011(7),pp. 18-20.Hoeksma, J. (2017) 'NHS cyberattack may prove to be avaluable wake up call', BMJ, 357.Kashyap, S. et al. (2016) 'Instant OS Updates viaUserspace Checkpoint-and-Restart',USENIX Annual7
Technical Conference. pp. 605-619.D Le, J Xiao, H Huang, H Wang (2014) 'Shadow patching:Minimizing maintenance windows in a virtualizedenterprise environment', 10th International Conferenceon Network and Service Management (CNSM) andWorkshop. 17-21 Nov. 2014. pp. 169-174.Mansfield-Devine, S. (2016) 'Securing small and mediumsize businesses', Network Security, 2016(7), pp. 14-20.Mansfield-Devine, S. (2017) 'Ransomware: the mostpopular form of attack', Computer Fraud and Security,2017(10), pp. 15-20.McAfee (2017) Malware and Threat Reports: ThreatAdvisory - Ransomware-Erebus (PD27141). McAfee,CA, USA: McAfee Labs Knowledge Center.Mell, P., Bergeron, T. and Henning, D. (2005) 'Creatinga patch and vulnerability management program', NISTSpecial Publication, 800, p. 40.O’Brien, D. (2017) Internet Security Threat Report (ISTR)Ransomware 2017: An ISTR SpecialReport. SymantecCorporation, Mountain View, CA, USA.Okhravi, H. and Nicol, D. (2008) 'Evaluation of patchmanagement strategies', International Journal ofComputational Intelligence: Theory and Practice, 3(2),pp. 109-117.Palumbo, T. (2015) 'Patch Management: The Importance ofImplementing Central Patch Management and OurExperiences Doing So', Proceedings of the 2015 ACMAnnual Conference on SIGUCCS. St. Petersburg,Florida, USA. 2815561: ACM, pp. 105-108.Pressman, R.S. (2010) Software engineering: apractitioner's approach. 7th edn.: Palgrave Macmillan.Rajput, T.S. (2017) 'Evolving Threat Agents: Ransomwareand their Variants', International Journal of redhat.com/articles/2475321iii https://www.suse.com/documentation/sles12/book sle admin/data/cha kgraft.htmliv https://github.com/vFense/vFensev https://fai-project.orgvi https://spacewalkproject.github.iovii fixviii https://www.ivanti.comix tex https://www.solarwinds.com/patch-managerxi revulnerability-management/corporate-software- inspectorxii mentxiii iiApplications, 164(7), pp. 28-34.Rankin, K. (2017) 'Hack and /: sysadmin 101: patchmanagement', Linux Journal, 2017(279),p. 5.Rankin, K. (2017) 'Hack and /: Orchestration withMCollective, Part II', Linux Journal2017(273), p. 5Renaud, K. (2016) 'How smaller businesses struggle withsecurity advice', Computer Fraud and Security,2016(8), pp. 10-18.Seo, J.-T. Choi D-S, Park E-K, Shon T-S, Moon J. (2005)'Patch Management System for Multi-platformEnvironment', Parallel and Distributed Computing:Applications and Technologies. PDCAT 2004. Berlin,Heidelberg. Springer Berlin Heidelberg, pp. 654-661.Seo, J.-T. Kim Y-J, Park E-K, Lee S-W, Shon K, Moon J.(2006) 'Design and Implementation of a PatchManagementSystemtoRemove SecurityVulnerability in Multi-platforms', Fuzzy Systems andKnowledge Discovery.FSKD 2006. Berlin, Heidelberg.Springer Berlin Heidelberg, pp. 716-724.Souppaya, M. and Scarfone, K. (2013) 'Guide toenterprise patch management technologies', NISTSpecial Publication, 800, p. 40.US-CERT (United States Computer Emergency ReadinessTeam) (2015) Top 30 Targeted High RiskVulnerabilities (TA15–119A). Washington, TA15-119A (Accessed: 29 June2018).Walberg, S. (2008) 'Automate system administration taskswith puppet', Linux J., 2008(176),p. 5.8END NOTESmanagement-for-operating-systemsxiv wledge-base/overview.htmlxv managementxvi https://www.cloudmanagementsuite.comxvii utomation.htmlxviii ent-appliance/patch-management- security.aspxxix http://www.celeryproject.orgxx http://eventlet.netxxi https://pypi.org/project/django celery resultsxxii https://www.rabbitmq.comxxiii https://www.fabfile.orgxxiv https://getbootstrap.comxxv https://github.com/CodeSeven/toastr8
of patch management is still an obstacle for many small and medium-size businesses. There are many open source, free of charge, patch management systems but these require many pre-configuration steps making them complicated to use. Hence, this paper presents a patch management system that is cost-effective but also efficient in terms of set-up .
