Hello, I have recently been tasked with figuring out how to patch our Ubuntu servers both in QA and production. I am pretty familiar with WSUS and MS's very nice tiered patching system with auto approval for certain classifications of patch, etc., but do not know of a smooth way to handle it in Ubuntu. Does anyone have any suggestions for patch management in a Linux server environment at or above 100 servers?

Currently my working plan is to use admins to monitor for vulnerabilities, and then patch our systems using a tool called Chef (http://opscode.com) which allows you to create separate environments for QA and production. Chef would deploy patches we approve from an internal apt repository that we'd have to set up:

1. We create and monitor RSS feeds for security vulnerabilities to some top security sites. We also subscribe to email notifications for our vendors.
2. A vulnerability/patch is reported.
3. We download and install this patch on a test system(s) and wait a period of time.
4. We add this patch to an environment like QA and then wait a period of time.
5. If successful we can then push to any other environment we choose.

Is this reasonable? Are there better ways to handle Ubuntu server patching in production? I appreciate any and all feedback.

Edit: I should also mention that the benefit of using Chef for this is that as long as the Chef server can assign its roles to the node server, we'll know that they are patched. It won't replace good ol' reporting and auditing, but it would be better than nothing.
# May 5, 2011 18:42