|
|
@@ -62,3 +62,21 @@ Now go back up and look at the un-hardening above and do that. You probably don
|
|
|
have to reboot twice.
|
|
|
|
|
|
|
|
|
+## Patching Notes
|
|
|
+
|
|
|
+TQ patching is a little different (of course). You have to be very careful about
|
|
|
+how you patch it because TQ provides a whole set of centos RPMs, and centos is trying
|
|
|
+very hard to infect our RHEL build with their RPMs.
|
|
|
+
|
|
|
+Always read the TQ upgrade notes at https://helpcenter.threatq.com when you're upgrading
|
|
|
+TQ or when you're patching the base OS. They may change from time to time things
|
|
|
+like RPM excludes during updates.
|
|
|
+
|
|
|
+Where TQ may do an explicit exclude of a package during an upgrade, I (Duane) will
|
|
|
+versionlock it instead. And, sometimes, other versionlocks are needed as well. As
|
|
|
+of now I am versionlocking the Java runtime (because TQ packages expect a SPECIFIC patch
|
|
|
+level of Java) and the redhat-rpm-config package so that it's not replaced by a centos
|
|
|
+package
|
|
|
+
|
|
|
+ALWAYS do a `yum check-update` and make sure everything looks reasonable and that
|
|
|
+Centos packages aren't replacing their RHEL equivalents.
|
Duane Waddle