
[SAGE] auto patching

Background:
We have a small set of growing Linux servers, but definitely enough
for one person to manage.  When I started working at the university I
decided to create some patch guidelines for myself.  I divide the
patches into remote and local exploits and treat them differently.  I
treat bug fixes differently than security updates.  In short, if it
isn't a remotely exploitable bug, I wait two days to patch and don't
patch on Friday.  With these guidelines I've attempted to bridge the
gap between blindly accepting auto updated patches and not having a
proper test environment in place, while remaining reasonably secure.
The machines are grouped together in RHN and with a few clicks can be
scheduled to update.

Commentary:
I've started to think about possibly updating the machines with
confidential information via auto update.  The idea being protection
is worth more than availability.  Or to just go auto update for all
the boxes, more out of the fear of having a box cracked, than having
the box inaccessible because installing a patch breaks something.

Question:
How would you, or do you, approach patching in a similar environment?

Thanks,
Kent