
Re: [SAGE] auto patching



Test patches and updates on non-critical environments first.

On 11/3/06, Kenton Brede <kbrede@gmail.com> wrote:
> Background:
> We have a small set of growing Linux servers, but definitely enough
> for one person to manage.  When I started working at the university I
> decided to create some patch guidelines for myself.  I divide the
> patches into remote and local exploits and treat them differently.  I
> treat bug fixes differently than security updates.  In short, if it
> isn't a remotely exploitable bug, I wait two days to patch and don't
> patch on Friday.  With these guidelines I've attempted to bridge the
> gap between blindly accepting auto updated patches and not having a
> proper test environment in place, while remaining reasonably secure.
> The machines are grouped together in RHN and with a few clicks can be
> scheduled to update.
>
> Commentary:
> I've started to think about possibly updating the machines with
> confidential information via auto update.  The idea being protection
> is worth more than availability.  Or to just go auto update for all
> the boxes, more out of the fear of having a box cracked, than having
> the box inaccessible because installing a patch breaks something.
>
> Question:
> How would you, or do you, approach patching in a similar environment?
>
> Thanks,
> Kent
>


-- 
Rodrick R. Brown
http://groups.yahoo.com/group/wallstandtech