
Patching Linux Servers in the Enterprise

Do you do it? Is the process automated? What updates do you apply?

Recently a discussion came up with some Unix administrators about patching Linux servers in the enterprise. Their stance was “we don’t patch our servers, unless there is a reason to upgrade the version for application compatibility”. I found this compelling, as many of the updates pushed out are related to vulnerabilities which have been released. That brought the question back to me, and I answered with “Yes, I patch”. I was then asked how I patched. So here it is:

- Yes, I do patch. But not all packages.
- Yes, I have the process automated.
- I apply patches quarterly (Feb, May, August and November).

Currently I have set up 4 different install groups: a test group (non-impact servers, typically used for administrative reasons), low priority servers, medium priority servers and high priority servers.

The patches are downloaded on the 1st of the months indicated above. These are pulled via mrepo (currently I’m in a RHEL shop). In my mrepo pulling script, I log what’s pulled down and updated, email that to myself, and stash it on my admin server for publishing via an HTML page for application owners.

The test group installs these updates as they are released, and this includes all packages (kernel, httpd (apache), tomcat etc.). I log what was updated on the server along with some very basic tests (ie ping success etc.), then stash that log for audit reasons and change control processes.

The next groups install on the 2nd, 3rd and 4th Saturdays of the month. This is achieved with the following crontab:

#(Low Value - 2nd Saturday)
0 15 8-14  2,5,8,11 6 /opt/scripts/bin/installupdates.cron
#(Medium Value - 3rd Saturday)
0 15 15-21 2,5,8,11 6 /opt/scripts/bin/installupdates.cron
#(High Value - 4th Saturday)
0 15 22-28 2,5,8,11 6 /opt/scripts/bin/installupdates.cron

The script installupdates.cron has the following:

# cron matches the 8-14 day range on any weekday, so the script itself
# makes sure it only does anything on a Saturday
if test "$(LC_ALL=C date +%a)" = "Sat"; then
    yum update -y   # you can add --exclude=<package> here (repeat it per package)
fi
If you need a little more explanation on how it works, please feel free to ask.

On the Low to High servers, I do not update httpd, tomcat, kernel, bind etc. automatically; those are scheduled to be done manually.

Also, since these are rpm’s, after the installation is done I check to see if any config files were changed and moved aside (ie I search for .rpmnew files etc.). If so, I’ll replace the newly written file with the previous config file.

There is obviously much much MUCH more to this automated process, but I wanted to know what you guys do for your patching and how you tackled it. I wanted to write a much more detailed entry, but had some stuff come up. I’ll try to elaborate much more, with more of the detailed scripting too.
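The crontab, the Saturday check and the post-install config check above, reworked as one added example script. This is my illustration, not the author's installupdates.cron, which the page only sketches. It assumes GNU date (for -d) and the .rpmnew / .rpmsave names rpm gives config files it could not replace cleanly; the sample tree is constructed so the functions can be tried offline. One point it handles that the original crontab does not: when both the day-of-month and the day-of-week fields are restricted, cron runs the job when either one matches, so "0 15 8-14 2,5,8,11 6" also fires on every Saturday of those months, not just the second one. The example therefore takes a single daily cron line per group and decides inside the script whether today is that group's Saturday.

```shell
#!/bin/sh
# installupdates.cron, reworked (hypothetical example; not the author's script).
# Suggested cron line, one per group, fired daily in the patch months:
#   0 15 * 2,5,8,11 * /opt/scripts/bin/installupdates.cron run 2 httpd tomcat kernel bind
# The script decides whether today is the group's Saturday, avoiding cron's
# "day-of-month OR day-of-week" matching when both fields are restricted.

PATCH_MONTHS="02 05 08 11"      # Feb, May, Aug, Nov

# is_patch_day <2|3|4> [YYYY-MM-DD]: succeeds when the date (default today)
# is the Nth Saturday of a patch month.  Needs GNU date for -d.
is_patch_day() {
    nth=$1
    day=${2:-$(date +%F)}
    dow=$(LC_ALL=C date -d "$day" +%a) || return 2   # English weekday names
    dom=$(date -d "$day" +%e | tr -d ' ')            # day of month, no padding
    mon=$(date -d "$day" +%m)
    [ "$dow" = Sat ] || return 1
    case " $PATCH_MONTHS " in *" $mon "*) ;; *) return 1 ;; esac
    # the Nth Saturday can only fall on days 7*(N-1)+1 .. 7*N
    [ "$dom" -ge $(( 7 * (nth - 1) + 1 )) ] && [ "$dom" -le $(( 7 * nth )) ]
}

# find_config_conflicts [dir]: lists rpm's config leftovers.  foo.rpmnew means
# rpm kept the locally edited file and put the package's version beside it;
# foo.rpmsave means rpm installed its version and moved the edited one aside.
# Output: "<rpmnew|rpmsave> <path of the live config>", one line per hit.
find_config_conflicts() {
    find "${1:-/etc}" -type f \( -name '*.rpmnew' -o -name '*.rpmsave' \) |
    while IFS= read -r f; do
        case $f in
            *.rpmnew)  printf 'rpmnew %s\n'  "${f%.rpmnew}" ;;
            *.rpmsave) printf 'rpmsave %s\n' "${f%.rpmsave}" ;;
        esac
    done | sort
}

# restore_saved_configs [dir]: puts every .rpmsave back as the live config and
# keeps the package's new file as <config>.rpmnew for a later manual diff.
# Prints the path of each restored config.
restore_saved_configs() {
    find "${1:-/etc}" -type f -name '*.rpmsave' |
    while IFS= read -r f; do
        cfg=${f%.rpmsave}
        [ -e "$cfg" ] && mv -f "$cfg" "$cfg.rpmnew"
        mv -f "$f" "$cfg" && printf '%s\n' "$cfg"
    done
}

# make_sample_tree: constructed /etc-like tree for trying this offline.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/httpd/conf" "$d/ssh"
    printf 'ServerName new\n' > "$d/httpd/conf/httpd.conf"          # package's version
    printf 'ServerName old\n' > "$d/httpd/conf/httpd.conf.rpmsave"  # our edit, moved aside
    printf 'Port 22\n'        > "$d/ssh/sshd_config"                 # our edit, kept in place
    printf 'Port 22\n'        > "$d/ssh/sshd_config.rpmnew"          # package's version beside it
    printf 'x\n'              > "$d/unrelated.conf"
    printf '%s\n' "$d"
}

# installupdates_main <2|3|4> [package ...]: the cron entry point.  yum's flag
# is --exclude=<pkg>, repeatable (there is no --excludes).
installupdates_main() {
    nth=$1; shift
    log=/var/log/installupdates.$(date +%F).log
    is_patch_day "$nth" || { echo "not this group's Saturday" >> "$log"; return 0; }
    excludes=""
    for p in "$@"; do excludes="$excludes --exclude=$p"; done
    # keep the full yum transcript: this is the audit / change-control record
    yum update -y $excludes >> "$log" 2>&1      # $excludes is split on purpose
    find_config_conflicts /etc >> "$log"
}

if [ "${1:-}" = run ]; then shift; installupdates_main "$@"; fi
```

Restoring an .rpmsave blindly is the author's stated policy, so the example follows it, but it keeps the package's version next to the restored file so the two can be diffed before the next window; an .rpmnew is only reported, since in that case the edited config is still the live one.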



About the Author

I am ben kevan.. Well yeah. .that's about it.

Comments (4)


  1. [...] original post here:  Patching Linux Servers in the Enterprise Tags: empty, linux, patch-our, patching-some, upgrade-the-version, version, were, [...]

  2. It looks like your post is formatted incorrectly. But maybe that is just my browser?

  3. Nice! Thanks for sharing.
