Comprehensive Patch Orchestration: Use zypper, yum/dnf, apt, or Landscape/Satellite to stage, test, and deploy kernel and package updates across 2,000+ Linux nodes, including HA pairs and production SAP stacks.
Threat Mitigation: Address SSH hardening (strong ciphers/KEX, two-factor auth), privilege-escalation paths (sudo, setuid, polkit), TLS/SSL weaknesses, RCE flaws, and DoS vectors; implement mitigations such as SELinux, AppArmor, and systemd sandboxing.
Baseline & Compliance: Apply and periodically audit CIS/DISA STIG baselines via Ansible, Chef, or OpenSCAP; remediate deviations and document evidence for auditors.
Tooling & Automation: Develop Bash/Python playbooks for package inventory, kernel live patching (kpatch/ksplice), and post-update functional checks; integrate with Jenkins/GitLab CI pipelines for continuous compliance.
Container & Cloud Security: Scan Docker/Podman images (Trivy, Clair), remediate vulnerable layers, and harden Kubernetes/OpenShift nodes; collaborate with DevOps on image-signing and runtime policies.
Collaboration & Scheduling: Liaise with SAP Basis, database, and infra teams to coordinate maintenance windows, mitigate performance impact, and optimise reboot sequencing.
Metrics & Reporting: Produce monthly scorecards on CVE closure rates, patch compliance, and kernel-panic incidents; drive root-cause analysis for any post-patch instability.
Research & Innovation: Pilot OS-trend technologies (e.g., eBPF for runtime security, immutable-OS models like Fedora CoreOS) and recommend adoption paths.