On Fri, Jan 9, 2009 at 12:43 AM, Kory Wheatley <[email protected]> wrote:
> I would like to know other system admins' patch strategy for installing
> Solaris 10 patches. Typically, we install the Sun Alert Security Patches on
> our test systems then try to roll them out within 30 days of the patch coming
> out. We only do Recommended patches when needed by software on the system or
> if required as a dependency patch.
>
> Also, do you break your mirror to install the patches on one disk and test,
> then sync back up (either using Solaris Volume Manager or a hardware mirror)?
> Do you only do this for kernel patches and Solaris 10 Update patches? It
> would seem time consuming breaking the mirror to install all security
> patches, but I don't know what others are doing. We currently don't use this
> method.
I would *never* break a mirror, either for backups or patches. Mirroring disks is done for a reason, and risking hosing your entire system isn't justified. If you want to play safe, Live Upgrade is the way to go. (I've never had problems just applying the patches to a running system.)

> I would just like to get a feel if other System Admins are aggressive in
> installing the security patches as soon as they come out? Versus why break
> it if it runs.

The first question: is the problem in software that's used, or can be used to attack the system? If there's a problem in telnetd and telnetd is turned off, then there's nothing to be gained by patching it *now*. And obscure security problems in some of the desktop components would be more important to fix on a desktop machine than on a server where a desktop is only used once every couple of years to run some weird installer.

Then I look at the README files associated with patches and try to work out whether the problem's likely to apply to me. Sometimes problems are generic; often they only manifest themselves under specific circumstances.

Then you consider whether systems are generally well-protected or relatively vulnerable. It's all about control. If you know exactly what's run and by whom then you can make much better judgments about whether a patch is necessary. (As a rule, servers and clients run different workloads; and heavily controlled servers have far fewer problems than general purpose interactive machines.)

So basically I'm fairly conservative in applying security patches now. But when I ran systems that were fully exposed to the internet and on which we gave shell accounts to anyone who was capable of filling in all the boxes on the form - then the patches would go in before you could blink. (But even then the check of 'can this affect me?' was applied.)
-- 
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
_______________________________________________
sysadmin-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/sysadmin-discuss
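The "can this affect me?" triage Peter describes (is the affected package installed, is the patch or its prerequisites already in place, is the service actually running), as an added example that is not part of this thread. The `showrev -p`, `pkginfo` and `svcs -a` samples are constructed, the patch IDs are illustrative, and the shape of the alert record (id, packages, requires, service) is an assumption for this example.

```python
import re
# Constructed sample of `showrev -p` output (patch IDs are illustrative).
SHOWREV_P = """\
Patch: 119254-66 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWpkgcmdsu
Patch: 120011-14 Obsoletes: 118833-36 Requires: 119254-50 Incompatibles:  Packages: SUNWcsu, SUNWcsr
"""
# Constructed sample of `pkginfo` output (category, package, description).
PKGINFO = """\
system      SUNWcsu        Core Solaris, (Usr)
system      SUNWsshdu      SSH Server, (Usr)
system      SUNWtnetd      Telnet Server Daemon (Usr)
"""
# Constructed sample of `svcs -a` output: telnet is off, ssh is on.
SVCS_A = """\
STATE          STIME    FMRI
disabled       Jan_09   svc:/network/telnet:default
online         Jan_09   svc:/network/ssh:default
"""
def parse_showrev(text):
    """Map patch base ID -> highest installed revision, from `showrev -p`."""
    revs = {}
    for m in re.finditer(r"^Patch: (\d{6})-(\d{2})", text, re.M):
        revs[m.group(1)] = max(int(m.group(2)), revs.get(m.group(1), 0))
    return revs

def parse_pkginfo(text):
    """Set of installed package names, from `pkginfo` output."""
    return {line.split(None, 2)[1] for line in text.splitlines() if line.strip()}

def parse_svcs(text):
    """Map service FMRI -> state, from `svcs -a` output (header row skipped)."""
    rows = [l.split() for l in text.splitlines()[1:] if l.strip()]
    return {r[2]: r[0] for r in rows}

def triage(alert, revs, pkgs, svc_state):
    """Classify one Sun Alert patch for this host; alert shape is assumed."""
    base, rev = alert["id"].split("-")
    if revs.get(base, 0) >= int(rev):
        return "installed", "revision %d already applied" % revs[base]
    if not set(alert["packages"]) & pkgs:
        return "not-applicable", "no affected package is installed"
    missing = [r for r in alert["requires"]
               if revs.get(r.split("-")[0], 0) < int(r.split("-")[1])]
    if missing:
        return "blocked", "prerequisite(s) not yet installed: " + ", ".join(missing)
    svc = alert.get("service")
    if svc and svc_state.get(svc) != "online":
        return "defer", "%s is %s" % (svc, svc_state.get(svc, "absent"))
    return "urgent", "affected code installed and its service is online"
```

A "defer" verdict is the telnetd case from the reply: the code is on disk but nothing is listening, so the patch can ride the normal test-then-roll-out cycle rather than going in immediately.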
