bottlerocket-os / bottlerocket

An operating system designed for hosting containers
https://bottlerocket.dev

Show Bottlerocket Patch compliance in AWS SSM Patch Manager #2798

Open prashant-prodigal opened 1 year ago

prashant-prodigal commented 1 year ago

Feature Request: Bottlerocket deployed on EKS should report patch compliance to AWS SSM Patch Manager. It currently shows "Not Reported" in SSM Patch Manager

stmcginnis commented 1 year ago

Hi Prashant. Bottlerocket nodes cannot be patched, so I'm not sure if there is a good way to report patch status to SSM patch manager.

Can you provide a little more detail of what you would expect to see here?

arnaldo2792 commented 1 year ago

> Bottlerocket nodes cannot be patched

There are in-place upgrades so technically hosts can be patched (just a clarification)

> Bottlerocket deployed on EKS should report patch compliance to AWS SSM Patch Manager.

I wonder if the control host container should send some information about the host, and SSM Patch manager knows if the version running needs patches? @jpculp do you know how the SSM agent sends "patch statuses" to SSM's backend?

jpculp commented 1 year ago

> There are in-place upgrades so technically hosts can be patched (just a clarification)

Not to split hairs, but I'm not sure I would consider an in-place upgrade a patch, as it's an all-or-nothing operation versus "address this one specific CVE".

> @jpculp do you know how the SSM agent sends "patch statuses" to SSM's backend?

Patch scanning/applying seems to be the same SSM document and if you did get it to run it would end up patching and comparing the baseline of the control container rather than Bottlerocket itself. I would recommend AWS Inspector as an alternative to Patch Manager.

prashant-prodigal commented 1 year ago

@jpculp Patching Bottlerocket here means patching the "Bottlerocket nodes", right? As this is the OS which is running on the nodes, and we are patching the OS with the latest updates.

So, there are compliance requirements which say the nodes must be patched at least once a month, and Bottlerocket nodes do not report patch compliance to SSM Patch Manager. How do we ensure (or make the auditors believe) that Bottlerocket nodes are being patched regularly? Where can we see the status of patches?

stmcginnis commented 1 year ago

> nodes must be patched at least once a month

This seems to be the point of confusion. Bottlerocket nodes are not - and cannot be - patched. That is not how Bottlerocket works.

There are upgrades that can be done to bring a Bottlerocket node to the latest release. Those happen approximately every 6 weeks, though it does vary a bit. But there is no patching of an existing node.

jpculp commented 1 year ago

@prashant-prodigal Is the "patching once a month" an internal policy, or is there a specific benchmark you are trying to remain compliant with?

While you wouldn't be able to run Patch Manager, you might be able to leverage State Manager by composing an SSM document that checks apiclient update check.

You can also leverage something like the bottlerocket-update-operator to ensure your hosts are constantly checking for available updates.

All of that said, AWS Inspector is a fantastic tool for making sure you aren't vulnerable at a package level. If you were to launch an old version of Bottlerocket, Inspector would report all the GHSAs against that host, as well as what version of Bottlerocket you need to be to address them.
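The State Manager approach suggested above, as an added example that is not code from the Bottlerocket project or from anyone in this thread: a small POSIX shell script that turns the JSON printed by `apiclient update check` into a compliance verdict (exit 0 = up to date, 1 = a newer release exists, 2 = undetermined) that an `aws:runShellScript` step in an SSM document can run from the control container. The field name `update_state` and its values `Idle`, `Available`, `Staged` and `Ready` are assumptions about the apiclient output format and should be verified against the output of the release actually in use; the two sample JSON documents are constructed for offline testing.

```shell
#!/bin/sh
# Added example, not Bottlerocket project code. Interprets `apiclient update check`
# output so an SSM State Manager association can report whether a node is behind.
#
# ASSUMPTION: the JSON carries an "update_state" key whose value is "Idle" when the
# node is on the newest release and "Available" / "Staged" / "Ready" when a newer
# release exists. Check this against your own `apiclient update check` output.

# Read apiclient JSON on stdin and print the value of "update_state".
# Plain sed is used so the control container needs no extra tooling such as jq.
update_state() {
  sed -n 's/.*"update_state"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Map an update_state value to an exit code usable as a compliance verdict:
#   0 = compliant (no newer release), 1 = non-compliant, 2 = state not recognised.
compliance_rc() {
  case "$1" in
    Idle) return 0 ;;
    Available|Staged|Ready) return 1 ;;
    *) return 2 ;;
  esac
}

# Evaluate one apiclient JSON document passed as an argument; returns the verdict.
check_sample() {
  state=$(printf '%s\n' "$1" | update_state)
  compliance_rc "$state"
}

# Full report on stdin: one line for the SSM command output plus the verdict code.
# On a node this would be wired up inside the SSM document step as:
#   apiclient update check | { . ./update_compliance.sh; report; }
report() {
  state=$(update_state)
  compliance_rc "$state"
  rc=$?
  case "$rc" in
    0) echo "COMPLIANT: update_state=${state}" ;;
    1) echo "NON_COMPLIANT: update_state=${state} (newer Bottlerocket release available)" ;;
    *) echo "UNKNOWN: could not read update_state from apiclient output" ;;
  esac
  return "$rc"
}

# Constructed sample outputs (labelled as such) for offline use; the version
# string is a placeholder, not a real Bottlerocket release number.
SAMPLE_UP_TO_DATE='{"update_state":"Idle","available_updates":[],"chosen_update":null}'
SAMPLE_BEHIND='{"update_state":"Available","available_updates":["X.Y.Z"],"chosen_update":{"version":"X.Y.Z"}}'
```

Because the verdict is an exit code, a State Manager association that runs this step shows Success or Failed per node in the association status, which is the "where can we see it" an auditor can be pointed at; the same verdict can also be pushed as a custom compliance type with `aws ssm put-compliance-items` if a single compliance view is wanted. Note that this only answers whether the node is on the current release, which is the right question for Bottlerocket's all-or-nothing upgrade model; package-level findings against an older release are what Inspector reports.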