Not keeping your machines up to date with the most recent patches available can compromise the security of your whole infrastructure. Your infrastructure is only as secure as its weakest link.
Most vendors make their patches available for download over the web. CERT and CIAC also publish information about security patches, including links to the vendor patches when applicable.
But my vendor releases way too many patches for me to keep up with!
Then you need to put together a proposal for your higher powers to justify hiring another person to do patches (and perhaps some of the other security-related work you need done). Vendors release patches for reasons other than making our lives miserable. What good is it to run any sort of intrusion detection software if your machines aren't patched in the first place? (Honeypots excepted.)
The powers-that-be won't let me take my machines down for the amount of time it will take to patch them. What can I do about this?
You need to convince them that an ounce of prevention is worth it. Do you have a built-in maintenance window? Apply the patches during that window. It is not optimal, but it will work. The SANS Network Security Roadmap poster has some good advice on integrating security into operations, and the SANS Intrusion Detection FAQ has a question on justifying IDS. Combine those items and apply them as appropriate to your site and machines. Weigh the cost of taking a machine down for an hour early one morning to install patches against the cost of recovering from a compromise, and present the comparison to your higher powers in a professional manner. If you have the authority, set up a "live test" of a compromise and the recovery from it.
Not all patches require downtime or a reboot; it depends on the nature of the patch. Often a patch can be installed with no inconvenience to your users at all.
In today's world, word of exploits travels much faster than word (or vendor admission) of patches ever will. It behooves all of us concerned about security to keep our machines as up to date as possible. It's the only way we can try to stay a step ahead.
What if the patch breaks my system?
Well, hopefully you made backups before installing any patches. This is a must if you are installing any kind of kernel patch. It is rare for a patch to break things so badly that you have to restore from backups, but the extra time it takes to make sure you can recover is well spent. Besides, you should already have a regular and robust backup program in place for hardware failures and for recovering from a compromise.
Most vendors provide a way to back out their patches. On Solaris you use the patchrm program; on Tru64 you run dupatch and choose the delete option. For either to work, however, the patch must have been installed in a way that saves backout data. By default Solaris patchadd saves a copy of every file it is about to replace under /var/sadm/pkg; a patch installed with patchadd -d (do not back up the files to be patched) cannot later be removed with patchrm. If you want the backout data kept somewhere other than the default, install with patchadd -B PATHNAME, where PATHNAME is an absolute path name, and remove the patch later with patchrm -B PATHNAME so that patchrm knows where to find it. Tru64's dupatch asks during installation whether patches should be made reversible and lets you choose where the backout files are kept. If at all possible, install patches in such a way that they can be backed out.
In some cases a new patch will not install properly unless the old patch is backed out first. I cannot repeat often enough that it is a very good idea to install your patches in such a way that you are able to back them out if needed, and that you should back up your system before installing patches.
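The mechanism behind patchadd -B / patchrm -B and dupatch's "reversible" option, reduced to a plain POSIX shell script so you can see what "installed in a way that can be backed out" actually means: every file the patch will overwrite is copied into a backout directory before it is replaced, and files the patch adds are recorded so they can be removed again. This is an added example, not part of the original FAQ and not a vendor tool; the function names, the demo-01 patch ID, the file paths and the file contents are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original FAQ): a reversible patch install in
# plain POSIX sh, mirroring what patchadd -B / patchrm -B do for you.
# install_patch PATCHID PATCHDIR TARGET BACKOUT
#   PATCHDIR holds the patch's new files, laid out relative to TARGET.
#   Every existing file that would be overwritten is saved under
#   BACKOUT/PATCHID/save first; files the patch adds (no existing copy)
#   are listed in BACKOUT/PATCHID/.added so backout can delete them.
install_patch() {
  pid=$1; pdir=$2; target=$3; bdir=$4/$pid
  [ -d "$bdir" ] && { echo "$pid already installed" >&2; return 1; }
  mkdir -p "$bdir" || return 1
  : > "$bdir/.added"
  # Pass 1: save backout copies before anything is overwritten, so a
  # failure here leaves the system untouched.
  (cd "$pdir" && find . -type f) | while IFS= read -r f; do
    f=${f#./}
    if [ -f "$target/$f" ]; then
      mkdir -p "$bdir/save/$(dirname "$f")"
      cp -p "$target/$f" "$bdir/save/$f" || exit 1
    else
      printf '%s\n' "$f" >> "$bdir/.added"
    fi
  done || return 1
  # Pass 2: apply the new files.
  (cd "$pdir" && find . -type f) | while IFS= read -r f; do
    f=${f#./}
    mkdir -p "$target/$(dirname "$f")"
    cp -p "$pdir/$f" "$target/$f" || exit 1
  done || return 1
  echo "$pid installed; backout data in $bdir"
}

# backout_patch PATCHID TARGET BACKOUT  -- the patchrm -B equivalent:
# restore the saved copies, delete the files the patch added, drop the
# backout data. Fails cleanly if the patch was installed without it.
backout_patch() {
  pid=$1; target=$2; bdir=$3/$pid
  [ -d "$bdir" ] || { echo "no backout data for $pid" >&2; return 1; }
  if [ -d "$bdir/save" ]; then
    (cd "$bdir/save" && find . -type f) | while IFS= read -r f; do
      f=${f#./}
      cp -p "$bdir/save/$f" "$target/$f" || exit 1
    done || return 1
  fi
  while IFS= read -r f; do
    [ -n "$f" ] && rm -f "$target/$f"
  done < "$bdir/.added"
  rm -rf "$bdir"
  echo "$pid backed out"
}

# demo: constructed root, patch and backout directories in a temp dir.
# Installs the patch, checks the backout copy exists BEFORE trusting the
# install, backs the patch out and checks the original is back. Returns 0
# only if every step worked.
demo() {
  tmp=$(mktemp -d) || return 1
  mkdir -p "$tmp/root/etc" "$tmp/patch/etc" "$tmp/patch/usr/lib" "$tmp/backout"
  printf 'ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n' \
    > "$tmp/root/etc/inetd.conf"                      # existing file (constructed)
  printf '# ftp disabled by patch\n' > "$tmp/patch/etc/inetd.conf"  # replacement
  printf 'new library\n' > "$tmp/patch/usr/lib/libfix.so"         # added file
  install_patch demo-01 "$tmp/patch" "$tmp/root" "$tmp/backout" || return 1
  grep -q 'disabled' "$tmp/root/etc/inetd.conf" || return 1
  [ -f "$tmp/root/usr/lib/libfix.so" ] || return 1
  [ -f "$tmp/backout/demo-01/save/etc/inetd.conf" ] || return 1
  backout_patch demo-01 "$tmp/root" "$tmp/backout" || return 1
  grep -q 'in.ftpd' "$tmp/root/etc/inetd.conf" || return 1
  [ ! -e "$tmp/root/usr/lib/libfix.so" ] || return 1
  # A second backout must fail: the backout data is gone, just as patchrm
  # fails for a patch installed with patchadd -d.
  backout_patch demo-01 "$tmp/root" "$tmp/backout" 2>/dev/null && return 1
  rm -rf "$tmp"
  return 0
}
```

Run it with `. ./reversible-patch.sh && demo` (any file name will do). The point to take away is the order of operations: the backout copies are written and checked before any file is replaced, so the only patch you cannot remove is one you deliberately installed without saving backout data.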
-----------------
Laurie Zirkle
