So...what exactly do you use (I use Patchlink) and how do you test your patches before deploying them? How compliant would you say you are?
Is that really from Romans? Pretty cool! :))
Microsoft's SUS.... It's brilliant....
I don't have public facing servers that have "abnormal" stuff on them so I apply the patches automatically and deal with any issues I might get by uninstalling the patch.... I have yet to have an issue that requires a patch to be uninstalled.
I use YAST.
I also use SUS. Although... it is lacking in MANY places. The ability to create groups and choose which groups you want the patches to go to. Once you approve an update... every machine that checks in with it will grab anything that is approved for that platform. (short of upgrading IE versions)
Quote:
Originally posted here by Tiger Shark
Microsoft's SUS.... It's brilliant....
I don't have public facing servers that have "abnormal" stuff on them so I apply the patches automatically and deal with any issues I might get by uninstalling the patch.... I have yet to have an issue that requires a patch to be uninstalled.
If you want to have several groups, you need to run multiple SUS servers and point them to the correct servers. If I'm wrong, please tell me... cause I've read the docs... not much to it.
Reporting... what reporting?! I'm using some Perl scripts to analyze the www log and extract the data I need. Then I use m$ baseline security analyzer to compare it with the SUS server... which is nothing spectacular....
IMO- a half-assed "solution"... but I can't complain I guess.
Other than that... it is pretty nice. Does the job and it doesn't cost extra.
I'm really hoping that they do WUS better... (they are changing from SUS to WUS)...
Phish:
Fair comments....
But I run multiple SUS servers so it never occurred to me that it might be a problem.
But then I want my boxes to apply the patches anyway.... I'd rather be downed by a messed up patch that I can uninstall than being cracked and having to reimage the drive and start again.... It's a toss-up really.... I prefer uninstalling the patch.... but it hasn't happened.... yet...
I dread to think what "Whuss" is from M$.... :eek:
In some cases, you have no choice to uninstall the patch. You have to reimage anyway.
I gave a coworker SP2, and the patches since SP2, along with the latest Office XP SP and recent patches...
She called in early the next morning in a panic. She applied SP2 and all the patches, and etc.
Upon one of the reboots...
lsass.exe object not found.....
Not good... Tried the recovery but it seems that the registry was hosed and it wouldn't do any good... she didn't have system restore turned on and no backups. Since it was her home machine... there was also no image...
I took another HD out, installed the OS, along with the service packs, patches, etc. then mounted her other drive as slave so she could get her data back....
Hopefully I won't be doing that at work... one box is ok every now and again... but I simply don't have the resources to deal with hundreds....
Seems I always run into these things with coworkers that *should* know better....
People _should_ always know better......
And this is why we have jobs..... This is a good thing.... ;)
WhatUhScrewup
Hi, do you use Yast to patch your standalone machine or are you patching networked workstations?
I can do either. YAST runs on both a GUI and Ncurses based text mode, so I can use SSH to use it in a secure manner to patch a lot of workstation / servers, or just one on the machine I'm working on.
So, you update them on a per machine basis? What if you have 1000 machines to update? (which I know you don't....) You going to ssh into all of them one by one?
Quote:
Originally posted here by gore
I can do either. YAST runs on both a GUI and Ncurses based text mode, so I can use SSH to use it in a secure manner to patch a lot of workstation / servers, or just one on the machine I'm working on.
Why not just use something like YUM and have it update nightly? Or, can yast do the same thing?
I forget... it's been a while since I killed my SuSE box.
If I had 1000 machines to do this with, I'd tell my boss it would be too risky to do this in normal working hours, and he, being management, wouldn't know any better because Management only know Windows, so this would seem normal to him, and then I'd come in and yes, do them one by one, at about 3 AM, for double time and a half overtime.
In the meantime, I have 5 machines, and I could script this if I wanted, or tell YAST to just download all security updates by itself and install them, or to download ALL patches and install them as they come out, which you can do too.
That's how you work for your boss? Good strategy...
What's happening with Red Hat? They send me a huge amount of package updates. Any big security breach? Haven't had time to check it out. I may not spend much time on Gentoo like I planned since you guys mentioned a lot of updates.
I use SUS also and I'm happy with it. :)
You guys are wussy! ;)
http://www.kenthamilton.net/humor/admin-horror.html
I use SUS....that's all they wanted to pay!