Re: [SAGE] auto patching
On 11/3/06, Rodrick Brown <rodrick.brown@gmail.com> wrote:
> Test patches and updates on non critical environments first.
I follow that methodology with kernel patches. Our workstations and
the few test boxes we have are auto updated, so they get the patches
first.
Kent
> On 11/3/06, Kenton Brede <kbrede@gmail.com> wrote:
> > Background:
> > We have a small set of growing Linux servers, but definitely enough
> > for one person to manage. When I started working at the university I
> > decided to create some patch guidelines for myself. I divide the
> > patches into remote and local exploits and treat them differently. I
> > treat bug fixes differently than security updates. In short if it
> > isn't a remotely exploitable bug, I wait two days to patch and don't
> > patch on Friday. With these guidelines I've attempted to bridge the
> > gap between blindly accepting auto updated patches and not having a
> > proper test environment in place, while remaining reasonably secure.
> > The machines are grouped together in RHN and with a few clicks can be
> > scheduled to update.
> >
> > Commentary:
> > I've started to think about possibly updating the machines with
> > confidential information via auto update. The idea being protection
> > is worth more than availability. Or to just go auto update for all
> > the boxes, more out of the fear of having a box cracked, than having
> > the box inaccessible because installing a patch breaks something.
> >
> > Question:
> > How would you, or do you, approach patching in a similar environment?
> >
> > Thanks,
> > Kent
> >
>
>
> --
> Rodrick R. Brown
> http://groups.yahoo.com/group/wallstandtech
>
--
"It may be true that the law cannot make a man love me, but it can stop him
from lynching me, and I think that's pretty important." - Martin
Luther King Jr.
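The guidelines Kent describes in the quoted post (remote exploits patched at once, everything else waits two days and never lands on a Friday, with the option of auto-updating hosts that hold confidential data) can be written down as a small triage scheduler. The following is an added illustration, not code from Kent or from the SAGE list; the `Patch` fields, the `triage` function and the choice to treat Saturday and Sunday like Friday are assumptions made here.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical record describing one pending update (not from the thread).
@dataclass
class Patch:
    name: str
    security: bool            # security update rather than a plain bug fix
    remote: bool              # fixes a remotely exploitable bug
    confidential_host: bool   # target holds confidential information

WAIT_DAYS = 2                 # "wait two days to patch" for non-remote issues
# Assumption: a weekend is as bad a time as Friday, so skip Fri/Sat/Sun.
NO_PATCH_WEEKDAYS = {4, 5, 6}


def next_allowed_day(day: date) -> date:
    """Advance to the first day that is not Friday or a weekend."""
    while day.weekday() in NO_PATCH_WEEKDAYS:
        day += timedelta(days=1)
    return day


def triage(patch: Patch, today: date, auto_update_confidential: bool = True) -> dict:
    """Return the tier a patch falls into and the date it should be applied.

    tier "immediate": remotely exploitable security fix, or a host with
                      confidential data when auto-update is enabled for those.
    tier "delayed":   local-only security fix or plain bug fix; waits
                      WAIT_DAYS and is pushed past Friday/weekend.
    """
    if patch.security and patch.remote:
        return {"name": patch.name, "tier": "immediate", "apply_on": today}
    if patch.confidential_host and auto_update_confidential:
        return {"name": patch.name, "tier": "immediate", "apply_on": today}
    apply_on = next_allowed_day(today + timedelta(days=WAIT_DAYS))
    return {"name": patch.name, "tier": "delayed", "apply_on": apply_on}


if __name__ == "__main__":
    # Constructed sample queue; 3 Nov 2006 (the thread's date) was a Friday.
    today = date(2006, 11, 3)
    queue = [
        Patch("kernel-remote-fix", security=True, remote=True, confidential_host=False),
        Patch("local-privesc-fix", security=True, remote=False, confidential_host=False),
        Patch("cron-bugfix", security=False, remote=False, confidential_host=True),
    ]
    for p in queue:
        print(triage(p, today))
```

Running the block on the constructed queue shows the remote fix scheduled for the same Friday, the local-only fix pushed from Sunday to Monday 6 Nov, and the bug fix on the confidential host applied immediately only because auto-update for such hosts is enabled; pass `auto_update_confidential=False` to see it fall back to the delayed tier.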