IT managers can and should demand cleaner code, and technology vendors can and should meet that demand. Vendors should also pay much closer attention to the effects—especially over time—of patches they release to reduce the possibility of collateral damage. But thats not going to happen tomorrow.
Meanwhile, IT administrators have at their disposal several tools—some new, some not so new—that can augment the system management utilities that track and install operating system and application patches.
eWeek Labs evaluated some of these tools and concentrated on their ability to streamline the overall patch process. We focus here on operating system tools, but the successful use of any patching system relies heavily on disciplined and consistent use.
In addition, we know its tough, given the increasing number of patches released daily, but IT departments must test—as thoroughly as humanly possible—for problems a patch might cause. They must also assess—as shrewdly as humanly possible—whether a patch is needed. It is these duties that are unlikely to be automated any time soon.
The best advice for system administrators—no matter what operating system they watch over—is to have a change management policy in place: Document the basic steps of applying a patch and the circumstances under which patches are deployed.
Its also a good idea to consider the patching courses offered by operating system vendors. Applying patches is far from an exact science, so make sure any class youre considering will be led by someone with practical experience.
System administrators should keep in mind that being able to uninstall a patch is almost as important as being able to install it. When evaluating a patch management system, administrators should pay close attention to the rollback features of the tools.
hewlett-packard co.s hp-ux oper- ting system has extensive patch management capabilities, including software “depots.” Depots store downloaded patches and can be used to streamline the distribution and installation of updates and system patches.
HP-UX systems also use a tool called security_patch_check. When run, the utility creates a report that shows recommended patches that have not already been installed. Furthermore, this is the only utility weve seen that specifically checks for recalled security patches, a relatively rare event but a handy addition to the standard features.
HP Education Services offers a two-day course on patch maintenance. The course covers sourcing and applying patches and provides best practices for maintaining systems. (For more information, go to www.hp.com/education/courses/h8339s.html.)
ibms advisor helps customers deter-mine how frequently they should update their iSeries and AS/400 systems. A testament to the reliability of these operating systems is that the choices for update terms are monthly, quarterly or even yearly—a far cry from the daily patch checks many Windows administrators are performing.
IBMs Fixdist tool for downloading patches on AIX systems can be configured to download patches from a central server and place them in a more accessible location in the network.
SMIT (system management interface tool), meanwhile, is an extensive utility that enables administrators to control the patch distribution process. The utility is used for many other system administration tasks, but an important function of SMIT is to log changes that are made to the system.
A documentation trail is not only a good way to cover your bases but is also an essential management tool for understanding what other patches may be needed down the road.
a command-line utility made avail- able for free by Microsoft Corp., HFNetChk, does a generally good job of identifying the Windows version and the installed patches on the system. It then checks a database stored at Microsoft and returns a list of recommended patches to the system.
Based on our experience in the Labs and in talking with system administrators who have used the product, its clear that even with patching tools in place, careful oversight is needed.
For example, HFNetChk at times has returned indeterminate readings as to which patches were and were not installed on our servers. Keep in mind that patch tools are software, too, and, as such, are also imperfect.
Shavlik Technologies (which authored HFNetChk), Configuresoft Inc., Gravity Storm Software, PatchLink Corp. and St. Bernard Software, among others, also provide service pack and hot-fix management tools for Windows operating systems.
At the most basic level, these tools work in the same way as HFNetChk and Sun Microsystems Inc.s new Patch Manager: They report the current patch level and available patches and offer a means to download and deploy patches. However, these third-party products also provide a plethora of additional features, including a record-keeping capability that logs changes made to servers and tools that ease the deployment of patches to groups of machines.
patching is so fundamental an it concern that Suns Solaris System Administration I course includes a chapter on managing software patches. In fact, some might say that mastering patchadd and patchrm—for adding and removing patches, respectively—is as important a skill to Solaris administration as addition and subtraction are to math.
The release of Solaris 9 this month marks the first time the operating system will include a patching utility, called Patch Manager. eWeek Labs has not had a chance to put the utility through its paces, but Patch Manager should make it easier for Solaris administrators to keep track of what patches are installed and which systems still need additional work. Patch Manager will also automate the process of locating security and software patches.
An interesting aspect of Patch Manager is that the update information is stored on the local machine. According to sources at Sun, this model allows information to be queried from multiple sources.
This makes sense with systems that store change information in a central database because changes are often made while systems are disconnected from the network. Unless administrators have superhuman discipline, logging changes made to a system is often the last—and one of the most easily overlooked—items on a checklist that often starts, “Get XYZ security patch installed ASAP.”
Patch Manager works much like Windows HFNetChk. This is a big improvement over patchadd, which adds patches to the operating system but doesnt check for new ones. After the report of recommended patches is returned to the administrator, Patch Manager can securely download the patches to the system for implementation.
This sophisticated approach to patch management allows managers to select which fixes to install and schedule when the patches should be applied.
Senior Analyst Cameron Sturdevant is at [email protected]