Webserver patching strategy

UnixGuy

This is a general question, OS-independent.

If you run a webserver, I have a few questions:

1) With security in mind, how often do you upgrade patches of both the OS and the webserver?

2) How often do you upgrade the OS release?

3) Do you test the patches in a test environment before you apply them?

4) do you upgrade ALL the available patches or just a subset?


I'd like to see how you guys manage webservers, and what it is the standard being followed. It can be different from OS to OS, but I want a general idea.

Currently, I patch my servers every 6-3 months, and I use a recommended set by the vendor. However, this doesn't seem the best idea for a webserver!

jibbajabba

Windows

1) Personal server : Every Tuesday, Corporate : once / twice per year, Old job : Last week of the month after 10pm
2) never unless resource contention requires it (i.e. Standard to Enterprise to allow more RAM)
3) Nope, backups are taken prior patch runs
4) yes

Linux

1) Old job : Last week of the month after 10pm, personal server : runs update per cron job and exlucdes kernel - kernel: whenever I feel like it
2) never, CentOS updates its revisions automatically anyway (5.3 / 5.4 and so on)
3) nope
4) yes

As for specifically webserver : On Windows - no change to usual upgrade procedure. On Linux; LAMP is installed via source and will not be touched via package management. PHP / Apache / MySQL are usually not updated unless required for whatever reason - These components are dangerous to upgrade (depending on code base) as features are usually removed / stopped working etc.