First, minimize the system when you build it. If you only install what you need, instead of everything including the kitchen sink, you have a *much* smaller security profile to deal with. Less exposure means less stress and pressure to update when a vulnerability comes out.
Second, disable all unnecessary services that must be installed but don't need to be running.

Third, restrict access to all services that must be running as much as possible (loopback interfaces, tcp_wrappers, ipf rules, etc.).

Fourth, use Flash Archives with Jumpstart (and JASS) judiciously. Make a flar of your minimized, hardened, documented, standard system to use for installing new systems. Make a flar of a running system before performing any patches or upgrades. This is the key to your sanity and your ability to recover from a catastrophic failure.

Fifth, use Live Upgrade, either on a second BE on the rootdisk mirrors or on an additional disk.

Sixth, NEVER break your mirrors without first making a flar. It is simply not worth the risk.

Seventh, use PCA and quit messing with the ridiculously slow "install_cluster", or worse yet, individual patch installs. Configure it to run through cron every week for a report of what's missing and to download the patches to your central patch repository. Then make a flar, patch the ABE using Live Upgrade during the week, and reboot to the ABE during the outage window and test. If everything looks good, create a new flar, remove the old BE and create a new ABE.

fpsm

On Thu, Jan 8, 2009 at 7:43 PM, Kory Wheatley wrote:

> I would like to know other system admins' patch strategy for installing Solaris 10 patches. Typically, we install the Sun Alert Security Patches on our test systems, then try to roll them out within 30 days of the patch coming out. We only do recommended patches when needed by software on the system or if required as a dependency patch.
>
> Also, do you break your mirror to install the patches on one disk and test, then sync back up (either using Solaris Volume Manager or a hardware mirror)? Do you only do this for kernel patches and Solaris 10 Update patches? It would seem time consuming breaking the mirror to install all security patches, but I don't know what others are doing. We recently don't use this method.
>
> I would just like to get a feel for whether other system admins are aggressive in installing the security patches as soon as they come out, versus "why break it if it runs".
>
> --
> This message posted from opensolaris.org

_______________________________________________
sysadmin-discuss mailing list
http://mail.opensolaris.org/mailman/listinfo/sysadmin-discuss
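The sequence fpsm lays out in steps four through seven (flar first, patch an alternate boot environment with Live Upgrade during the week, activate it in the outage window, re-flar and roll the BEs once it tests clean) written out as one script. This is an added example, not code from the thread or from the PCA or Live Upgrade projects; the flar directory, patch repository, PCA path, BE names and the ZFS-root assumption for `lucreate` without `-m` are all assumptions. Setting `DRY_RUN=1` prints each command instead of running it, so the order of operations can be reviewed on any host before it is used on a Solaris box.

```shell
#!/bin/sh
# Added example, not code from the thread: one patch cycle in the order fpsm
# describes (flar, patch the ABE with Live Upgrade, activate, test, re-flar,
# roll the BEs). Paths, BE names and the PCA location are assumptions.
# With DRY_RUN=1 every command is printed instead of executed, so the sequence
# can be reviewed on a non-Solaris host.

FLARDIR=${FLARDIR:-/export/flar}        # assumed central flar store
PATCHDIR=${PATCHDIR:-/export/patches}   # assumed central patch repository
PCA=${PCA:-/usr/local/bin/pca}          # assumed PCA install path
ABE_MNT=/mnt                            # where the ABE is mounted for patching

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Flash archive of the live root, taken before any patching and before the
# mirrors are touched (steps four and six). $1 is a label such as pre-patch.
flar_snapshot() {
    run flarcreate -n "$(hostname)-$1" -c -S -R / "$FLARDIR/$(hostname)-$1.flar"
}

# Weekly report of missing patches plus download to the repository (step seven).
# Suggested crontab entries (assumed schedule):
#   0 3 * * 1 /usr/local/bin/pca -l -P /export/patches > /var/log/pca-report.log 2>&1
#   0 4 * * 1 /usr/local/bin/pca -d -P /export/patches
pca_report() {
    run "$PCA" -l -P "$PATCHDIR"
}

# Patch the alternate boot environment, never the running one (steps five and
# seven). The ABE is mounted and PCA installs into it through its alternate
# root option. lucreate without -m assumes a ZFS root; on UFS add -m to name
# the target slice on the mirror or the extra disk.
patch_abe() {
    abe=$1
    run lucreate -n "$abe"
    run lumount "$abe" "$ABE_MNT"
    run "$PCA" -i -R "$ABE_MNT" -P "$PATCHDIR"
    run luumount "$abe"
}

# Outage window: switch to the patched ABE. Live Upgrade needs init 6 (or
# shutdown), not reboot, or the BE switch does not take effect.
activate_abe() {
    run luactivate "$1"
    run init 6
}

# After testing on the new BE: fresh flar, drop the old BE, prepare the next one.
roll_bes() {
    old=$1; next=$2
    flar_snapshot post-patch
    run ludelete "$old"
    run lucreate -n "$next"
}

# Everything a mid-week patch run does up to the start of the outage window.
prepare_cycle() {
    flar_snapshot pre-patch
    pca_report
    patch_abe "$1"
}

case "${1:-}" in
    prepare)  prepare_cycle "${2:-patched}" ;;
    activate) activate_abe "${2:-patched}" ;;
    roll)     roll_bes "${2:-old}" "${3:-patched2}" ;;
esac
```

Usage is `DRY_RUN=1 ./patchcycle.sh prepare patched` to see the week's commands, then `./patchcycle.sh prepare patched`, `./patchcycle.sh activate patched` in the window, and `./patchcycle.sh roll old patched2` after testing. The flar is taken inside `prepare_cycle` before `lucreate` runs, so a bad patch or a broken mirror always has a known-good archive to fall back to, which is the point of steps four and six.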
