Linux - Patching Policy
- Updated on 23 Aug 2022
Clients with servers subscribed to Managed Linux/Unix Premium Management & Monitoring are covered by the following policy and process for OS-level (Red Hat, CentOS, and Ubuntu) vendor-recommended patching, security patching, and vulnerability protection.
The Expedient Operations Support Center (OSC) follows three methods for patching:
- Patching directed by security announcements and vendor alerts, designed to address new and immediate security vulnerabilities.
- Scheduled patching on a pre-determined frequency and period.
- Client-requested patching on an ad-hoc basis at client-requested times.
All OS patching will be communicated and logged in the Expedient SMC ticketing system. A client may elect to opt out of any security patch with known impacts to services or applications, provided the decision is documented and carries designated authorization.
New & Immediate Security Announcements
The OSC will apply vendor patches to managed operating systems for published and known OS vendor-supplied security vulnerabilities. Software application patching by a third-party provider is not in scope. The OSC Engineering team receives notifications from the RHSA-announce and Ubuntu-security-announce lists, as well as additional well-known security sources. For each vulnerability and security announcement, a risk assessment and review is conducted in which the potential impact, distribution, and complexity of the vulnerability are scored.
Typically, vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 8 will require immediate patching. Published vulnerabilities and patches must be cleared by Engineering; they will be tested in an internal lab prior to general release to infrastructure and client servers. The release will occur immediately after passing the testing phase.
An SMC ticket will be opened with each affected client. The ticket will detail the patches, necessary actions, the request for authorization, and the schedule with available windows to apply the patches and reboot/restart. Failback protection is available through virtual machine snapshots and/or OS-level backups. Most OS package management systems are able to revert a patch without additional backup/restoration procedures.
Scheduled Patching
Scheduled patching generally occurs on a recurring monthly basis, discussed and agreed upon during the implementation of the servers and service. The patching process is initiated automatically by a predetermined scheduled ticket. On ticket initiation, the assigned OSC engineer will review and identify all existing released patches for the specified OS and servers, communicate the recommended and required patches, request authorization to proceed, and schedule the installation at the defined maintenance window (date/time), along with reboots/restarts if necessary.
Client Requested Patching
A client may request a defined list of patches not covered under known security or vulnerability patches to the OS by opening an SMC ticket at any time. The OSC will review the requested patches, document the change, and schedule a time to install them and reboot/restart the server.
Linux/Unix Security Mailing Sites
NOTE: These are links to external websites and are not maintained by Expedient.