BSD: updating all ports
This, I realize, is a fairly excessive un-BSD way to do things. Do you run a portaudit/portversion -- check the output, then update (make deinstall ...etc) after careful consideration? I see myself cvsupping the ports tree, running the "out of date" script, then just upgrading critical ports --- but leaving the kernel/binaries alone and just upgrading every six months. Do you patch/recompile/rebuild the kernel and binaries --- and why?

Obviously build and test your install procedure on separate hardware (or a VM) before doing it on your production machines. Fortunately for us, we have redundant hosts for many things and can therefore roll out with minimal downtime of services. You can track changes from the cvs logs and check if you've gotten specific updates in (and these days there's less of a reason to); you'll just need to find some other way to track what updates you want. Build STABLE releases from the above.

When security updates are published, we evaluate the actual security issue with the profile of machines with that version of the OS/vulnerability.

You could mail a list of changes that freebsd-update wants to make to yourself and keep an eye on the security errata page.

Follow the relevant mailing lists - I watch the daily digests, as well as the general direction shown on the Tech and Misc mailing lists. Follow Unix-related security announcement websites/mailing lists. If the vulnerability is relevant we go through the "same version upgrade procedure." It's more difficult to keep track of security updates for ports/packages, but if it's critical enough to be on our infrastructure then it's important enough to keep track of in a similar manner to BASE.

OpenBSD ~ Will follow the mailing list and use the package tools (pkg_info and pkg_add -u) where deemed critical.
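One way to do what the reply above suggests (mail yourself the list of changes freebsd-update would make, and at the same time what portaudit reports for installed ports), as an added example that is not from this thread: a small POSIX sh script that parses the output of freebsd-update fetch and portaudit -a into a short report suitable for piping to mail(1). The function names are mine, and the sample outputs embedded at the bottom are constructed (shaped like the real tools' output, with made-up release, paths and package versions) so the script runs offline; the real commands need root and network on a FreeBSD host and are only shown in comments.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise what "freebsd-update fetch"
# says it will change in base, and which packages "portaudit -a" flags, so the
# result can be mailed to an admin. Function names are mine; the sample
# outputs at the bottom are constructed, shaped like the real tools' output.

# Paths freebsd-update will add, update or remove, one per line.
# Reads "freebsd-update fetch" output on stdin; prints nothing when the
# output only says "No updates needed".
fbsd_update_files() {
    awk '
        /^The following files will be (added|updated|removed) as part of updating/ { inlist = 1; next }
        inlist && /^\// { print; next }
        inlist && /^$/  { inlist = 0 }
    '
}

# Package names portaudit reports as vulnerable, one per line.
# Reads "portaudit -a" output on stdin.
portaudit_packages() {
    sed -n 's/^Affected package: //p'
}

# Report for mailing. $1 = saved freebsd-update output, $2 = saved portaudit
# output. Counts are computed with awk so an empty list gives 0, not 1.
patch_report() {
    files=$(fbsd_update_files < "$1")
    pkgs=$(portaudit_packages < "$2")
    nfiles=$(printf '%s' "$files" | awk 'END { print NR }')
    npkgs=$(printf '%s' "$pkgs" | awk 'END { print NR }')
    printf 'base: %s file(s) pending via freebsd-update\n' "$nfiles"
    if [ -n "$files" ]; then printf '%s\n' "$files" | sed 's/^/  /'; fi
    printf 'ports: %s vulnerable package(s) per portaudit\n' "$npkgs"
    if [ -n "$pkgs" ]; then printf '%s\n' "$pkgs" | sed 's/^/  /'; fi
}

# Constructed sample of "freebsd-update fetch" output (release and paths made up).
sample_fbsd_output() {
    cat <<'EOF'
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 9.1-RELEASE from update4.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

The following files will be updated as part of updating to 9.1-RELEASE-p5:
/boot/kernel/kernel
/usr/lib/libc.so.7
/usr/bin/bsdtar

The following files will be removed as part of updating to 9.1-RELEASE-p5:
/usr/share/man/man1/obsolete.1.gz
EOF
}

# Constructed sample of "portaudit -a" output (package versions made up).
sample_portaudit_output() {
    cat <<'EOF'
Affected package: openssl-1.0.1_8
Type of problem: OpenSSL -- multiple vulnerabilities.

Affected package: bind99-9.9.2.1
Type of problem: bind -- denial of service.

2 problem(s) in your installed packages found.
EOF
}

# Demo on the constructed samples. On a FreeBSD host you would instead save
# the real output, as root:
#   freebsd-update fetch > "$work/fbsd.txt"; portaudit -a > "$work/ports.txt"
# and pipe the report to mail(1):
#   patch_report "$work/fbsd.txt" "$work/ports.txt" | mail -s "pending patches" root
work=$(mktemp -d "${TMPDIR:-/tmp}/patchreport.XXXXXX")
sample_fbsd_output > "$work/fbsd.txt"
sample_portaudit_output > "$work/ports.txt"
patch_report "$work/fbsd.txt" "$work/ports.txt"
rm -rf "$work"
```

For base alone, freebsd-update cron (the subcommand meant for crontab) already fetches after a random delay and mails its output to the address in /etc/freebsd-update.conf; the script above is for when you want the ports side in the same message, and it deliberately only reports, leaving freebsd-update install and the port rebuilds as a manual step after the review the thread recommends.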
Recommend a book if you know of one that covers it!

Bubnoff Conclusions ~ Thanks to everyone who took the time to answer this post.

What's a conservative approach for critical services (reasonably critical -- this ain't no bank or hospital) on BSD boxes? Are you using a similar approach on your Linux boxes?

This is for use by automated scripts and orchestration tools. Please do not run freebsd-update fetch from crontab or similar using this flag, see: freebsd-update cron

way to do this is to use a configuration management tool like Puppet or radmind to deploy your changes.
For our firewalls, all the data is in the configuration and log files.