Automated & audit-proof documentation of installed operating system and software versions
Motivation
Recording version information of operating systems, software products and frameworks in use is a fundamental building block for the stable, secure, efficient and audit-proof operation of IT and application systems.
For enterprise customers with hundreds or thousands of hosts, recording and documenting the versions of the products in use is only feasible when automated. Using the detected version information and its changes, the following use cases can be implemented automatically in an enterprise:
- Enterprise architecture: Verification of compliance with the specifications defined in the IT master plan.
- IT security: Detection of deployed product versions with known IT vulnerabilities, of unintentionally installed products (for system hardening), and of products in use that have reached the end of their service life and for which support and maintenance are no longer available.
- IT operations: Identify changed versions of products in use in the IT landscape that could be the cause of an existing or impending problem.
- Change management: Check whether a change ticket exists for the version change and whether it is a planned change. Otherwise, it is an unplanned change.
- Cost allocation: Detect the execution of an update service and bill the owner for it.
Technical solution
A practical implementation example is demonstrated using the Versio.io solution. Versio.io is a change detection and post-processing platform (see www.versio.io).
For the technical implementation, a Versio.io OneImporter must be installed on each host. This agent performs version queries fully automatically and at configurable intervals.
The OneImporter sends the data with the software products and versions to the Versio.io platform. The platform determines whether changes have occurred, saves the change and executes post-processing triggered by the change.
It is possible to include all software products installed manually or with the package manager in the version query. For this purpose, Versio.io provides an extensive knowledge database for the version query of known software products. This can be expanded to include customer-specific and unknown products.
A practical example
The following example shows an operating system of a host with the detected versions of the software products installed on the host. These can be manual or package manager-based installations.
The lower box with the timestamp "17 minutes ago" shows the status of the software versions initially detected with the Versio.io OneImporter. Subsequently, the author carried out an operating system update. During the OneImporter's cyclically executed version detection, all changed versions were automatically recorded and documented after the update. This can be seen in the box below with the timestamp "8 minutes ago".
Based on these detected changes to the software versions, fully automated post-processing can now take place in Versio.io (see the use cases listed in the Motivation section).
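The change detection and the change-management use case described above can be illustrated with a short generic sketch. This is an added example, not Versio.io code or its API; the snapshots, the ticket set and all function names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two inventory snapshots of one host (product -> version),
# as an agent might report them before and after an operating system update.
BEFORE = {"openssl": "3.0.2", "curl": "7.81.0", "nginx": "1.18.0", "telnetd": "0.17"}
AFTER = {"openssl": "3.0.13", "curl": "7.81.0", "nginx": "1.24.0", "htop": "3.0.5"}

# Constructed change tickets: approved (product, target version) pairs.
# A target version of None would approve the removal of a product.
APPROVED = {("openssl", "3.0.13")}


@dataclass(frozen=True)
class Change:
    product: str
    kind: str              # "installed", "removed" or "updated"
    old: Optional[str]
    new: Optional[str]
    planned: bool          # True only if a ticket covers this exact target state


def detect_changes(before, after, approved):
    """Diff two snapshots and flag each change as planned or unplanned."""
    changes = []
    for product in sorted(before.keys() | after.keys()):
        old, new = before.get(product), after.get(product)
        if old == new:
            continue  # unchanged products produce no change record
        kind = "installed" if old is None else "removed" if new is None else "updated"
        changes.append(Change(product, kind, old, new, (product, new) in approved))
    return changes


def unplanned(changes):
    """Changes without a matching ticket, i.e. candidates for follow-up."""
    return [c for c in changes if not c.planned]


if __name__ == "__main__":
    for c in detect_changes(BEFORE, AFTER, APPROVED):
        status = "planned" if c.planned else "UNPLANNED"
        print(f"{status:9} {c.kind:9} {c.product}: {c.old} -> {c.new}")
```

Matching on the exact target version means an update that overshoots the approved version is still reported as unplanned.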
Summary
What can we learn from the detection of software versions and their changes described in this article?
- The continuous determination of the versions of software products in use is relevant for the stability and security of enterprises.
- Because manual collection is inefficient and error-prone, version determination should be automated.
- The ability to assess and post-process changing software versions makes many IT use cases feasible. Automation is also indispensable here due to the mass of data to be processed and the error-proneness of manual execution.
- The auditor of the next certification will be very pleased with the detailed recording of version information and its changes for the software products used.