-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [EMAIL PROTECTED] wrote: > > I'm just curious to hear how people in the field have been handling patch > management with critical servers. Have you setup maintenance windows? If, so > how did you manage the down time? What have people been doing if the device > or server has an approved FDA configuration? Are you using thing like WSUS? > >
Matthew, I work for IBM's GSD and I support two hospitals in Manhattan and for *nix servers patch management is handled at two levels. One: we have a change management process where all changes have to be presented at a meeting and approved, especially patching. Patching is done through a series of automated scripts that pick from a library of patches based on what is applicable to the environment and the software installed on the system. At another layer patching is first done on non-critical and development systems prior to being applied to the production environment so any issues with the patching can be caught and dealt with either by not applying the patch at all in production (for instance bad patches from Sun) or working with the applicable vendor to resolve the issues. Once a battery of patching is slated for application to the production environment the requisite change records are opened and presented at the change meetings for the hospitals and dates set. At both hospitals critical production systems have "mated pairs" of servers. While these are not strictly speaking clusters or HA pairs for logical purposes they can be considered so. Because we have this we can schedule the patching so that only one half of a pair are affected at a time. In other words we will patch one of the servers in a pair one day wait a day or two and patch the other. This gives us additional insurance from "bad patches" in that for a couple of historical cases we have found issues with patches that didn't show up in our development testing but did "under load." As far as FDA affected systems go, we haven't had to deal with that under the *nix environment yet but we'll cross that bridge if we ever come to it. - -- :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Peter L. Berghold [EMAIL PROTECTED] "Those who fail to learn from history are condemned to repeat it." AIM: redcowdawg Yahoo IM: blue_cowdawg ICQ: 11455958 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) Comment: Using GnuPG with Red Hat - http://enigmail.mozdev.org iD8DBQFEX1oDUM9/01RIhaARAv5gAJ9uwsT8bgp3X56h80uzMNrxDqFNOwCglCZR 2a2A3orfSiuhu4KjGI8IY+g= =/GtE -----END PGP SIGNATURE-----
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
