Overview

The general patch management process at Berkeley Lab is designed to handle a large heterogeneous computer environment, continuous arrival and departure of computer systems (due to visitors and students), and decentralization of system administration. This page describes how we enforce critical patches.

We define critical patches as those that fix vulnerabilities that are remotely exploitable without authentication and allow root compromise (or its equivalent). Critical patch enforcement is the process of identifying the set of critical patches, identifying computers that are missing them, and isolating the systems that remain unpatched.

Process

Berkeley Lab enforces critical patches as follows:

  1. Identify the set of critical patches.
  2. Probe hosts daily to determine if required patches are installed.
  3. If required patches are not installed, notify the user with information about the patch, a download location for it, and a deadline for installing it.
  4. If the system is not patched by the deadline, isolate it from the network and redirect it to a website that shows the reason for the isolation, provides the patch, and gives instructions for removing the system from isolation.
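The decision logic behind steps 2 through 4, written as an added example that is not Berkeley Lab's tooling: each daily probe result is compared against the critical patch list, a host missing a patch whose deadline has not passed gets a notification with the download location and deadline, and a host missing any patch past its deadline is marked for isolation. The patch ids, hosts, owners and URLs are constructed placeholders, and the probe itself (how installed patches are detected on each host) is assumed to be supplied by whatever inventory tool is in use.

```python
# Added example: decision logic for one daily critical-patch enforcement cycle.
# Not Berkeley Lab's code; all patch ids, hosts, owners and URLs are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set


@dataclass(frozen=True)
class CriticalPatch:
    """A patch on the critical list: what it is, where to get it, and the install deadline."""
    patch_id: str
    summary: str
    download_url: str
    deadline: date


@dataclass(frozen=True)
class ProbeResult:
    """One day's probe of a host: the required patches it reports as installed."""
    hostname: str
    owner: str
    installed: Set[str]


@dataclass
class Decision:
    hostname: str
    owner: str
    state: str           # "compliant", "notify" or "isolate"
    missing: List[str]   # patch ids not installed, sorted
    message: str


# Constructed placeholder for the isolation page a quarantined host is redirected to.
ISOLATION_URL = "https://isolation.example.invalid/"


def evaluate_host(probe: ProbeResult, critical: Dict[str, CriticalPatch], today: date) -> Decision:
    """Apply the process: missing patches before their deadline -> notify the owner;
    any missing patch past its deadline -> isolate the host.  The deadline day itself
    still counts as "notify"; isolation starts the day after."""
    missing = sorted(pid for pid in critical if pid not in probe.installed)
    if not missing:
        return Decision(probe.hostname, probe.owner, "compliant", [], "all critical patches installed")

    overdue = [pid for pid in missing if today > critical[pid].deadline]
    if overdue:
        msg = (f"isolated: missing {', '.join(overdue)} past deadline; "
               f"redirected to {ISOLATION_URL} for the patch and release instructions")
        return Decision(probe.hostname, probe.owner, "isolate", missing, msg)

    # Notification text carries the three things the process requires:
    # what the patch is, where to download it, and the deadline.
    lines = []
    for pid in missing:
        p = critical[pid]
        days_left = (p.deadline - today).days
        lines.append(f"{pid} ({p.summary}): install from {p.download_url} "
                     f"by {p.deadline.isoformat()} ({days_left} days left)")
    return Decision(probe.hostname, probe.owner, "notify", missing, "\n".join(lines))


def run_cycle(probes: List[ProbeResult], critical: Dict[str, CriticalPatch], today: date) -> List[Decision]:
    """One daily enforcement pass over every probed host."""
    return [evaluate_host(pr, critical, today) for pr in probes]


# --- constructed sample data -----------------------------------------------
CRITICAL = {
    "KB-0001": CriticalPatch("KB-0001", "constructed example, remote root fix",
                             "https://patches.example.invalid/KB-0001", date(2024, 3, 10)),
    "KB-0002": CriticalPatch("KB-0002", "constructed example, remote root fix",
                             "https://patches.example.invalid/KB-0002", date(2024, 3, 20)),
}

PROBES = [
    ProbeResult("hostA", "alice@example.invalid", {"KB-0001", "KB-0002"}),  # fully patched
    ProbeResult("hostB", "bob@example.invalid", {"KB-0001"}),              # KB-0002 missing, deadline ahead
    ProbeResult("hostC", "carol@example.invalid", set()),                  # KB-0001 missing and overdue
]


def sample_cycle() -> List[Decision]:
    """Run the cycle on the constructed data as of 2024-03-15."""
    return run_cycle(PROBES, CRITICAL, date(2024, 3, 15))


if __name__ == "__main__":
    for d in sample_cycle():
        print(f"{d.hostname} ({d.owner}): {d.state}\n  {d.message}")
```

Running the block prints hostA as compliant, hostB with a notification listing KB-0002's download location and five remaining days, and hostC as isolated because KB-0001's deadline has passed. Treating the deadline day as still "notify" is a design choice made here so that a host probed on the deadline is not cut off before the day is over.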

Prioritization

We meet weekly to discuss additions to the list of critical patches based on severity of the vulnerability and risk of exploitation.
