-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
beinm@ummhc.org wrote:
I'm just curious to hear how people in the field have been handling patch
management with critical servers. Have you setup maintenance windows? If, so
how did you manage the down time? What have people been doing if the device
or server has an approved FDA configuration? Are you using thing like WSUS?
Matthew,
I work for IBM's GSD and I support two hospitals in Manhattan and for
*nix servers patch management is handled at two levels. One: we have a
change management process where all changes have to be presented at a
meeting and approved, especially patching.
Patching is done through a series of automated scripts that pick from a
library of patches based on what is applicable to the environment and
the software installed on the system.
At another layer patching is first done on non-critical and development
systems prior to being applied to the production environment so any
issues with the patching can be caught and dealt with either by not
applying the patch at all in production (for instance bad patches from
Sun) or working with the applicable vendor to resolve the issues.
Once a battery of patching is slated for application to the production
environment the requisite change records are opened and presented at the
change meetings for the hospitals and dates set.
At both hospitals critical production systems have "mated pairs" of
servers. While these are not strictly speaking clusters or HA pairs for
logical purposes they can be considered so. Because we have this we can
schedule the patching so that only one half of a pair are affected at a
time. In other words we will patch one of the servers in a pair one day
wait a day or two and patch the other. This gives us additional
insurance from "bad patches" in that for a couple of historical cases we
have found issues with patches that didn't show up in our development
testing but did "under load."
As far as FDA affected systems go, we haven't had to deal with that
under the *nix environment yet but we'll cross that bridge if we ever
come to it.
- --
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Peter L. Berghold Peter@Berghold.Net
"Those who fail to learn from history are condemned to repeat it."
AIM: redcowdawg Yahoo IM: blue_cowdawg ICQ: 11455958
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Red Hat - http://enigmail.mozdev.org
iD8DBQFEX1oDUM9/01RIhaARAv5gAJ9uwsT8bgp3X56h80uzMNrxDqFNOwCglCZR
2a2A3orfSiuhu4KjGI8IY+g=
=/GtE
-----END PGP SIGNATURE-----
---------------------------------------------------------------------------
---------------------------------------------------------------------------
