SLA on patch releases for Linux?

I know the SLA for when IBM releases Microsoft fixlets into the BES Console is 24 hours. Is the same true for Non-Windows OS patches (specifically, Oracle Linux) ?

Here’s how I understand the SLA for BigFix patch content. The standard SLA for OS and other “critical” or “mandatory” content coming from vendors on supported platform options is 48 hours.

So if Microsoft or RedHat or SuSE releases a critical or mandatory OS patch, then the appropriate BigFix patch site and applicable content would be updated within 48 hours of the vendor release of said patch. The same is true when said vendor updates an already published patch.

For the non critical/mandatory patches, the SLA is 7 days or more depending on the patch classification, etc.

If you identify a critical/mandatory OS patch that’s missing from its respective patch site once the 48 hour SLA has lapsed, a SEV2 PMR to IBM BigFix L2 is warranted.

Is there a doc that IBM can publish that makes this official (if one doesn’t already exist) ?

Opening a PMR on this… Here’s an example of a critical OEL 7 errata that was released on Jan 20th 2017, but it is still not in the “Patches for Oracle Linux 7” site.

ELSA-2017-0180
https://linux.oracle.com/errata/ELSA-2017-0180.html

@cstoneba, I’d definitely recommend the PMR route when BigFix patch content isn’t available 2 business days after a critical/mandatory patch has been released by a supported vendor and OS.

Thank you for this post. We have never committed to any kind of SLAs (Service Level Agreement) on the content release. That said, we do have turn-around targets for the content; they vary based on the category, severity and market demand, and they are followed strictly by the BigFix engineering team. Also, we have observed several times that vendors may release a content announcement but the actual link to the content is added some days later, which makes it difficult for BigFix to release fixlets. We cannot anticipate delays in releasing content caused by changes on the vendor side, any irregularities in content release from the vendor side, or any other unforeseen circumstances.

Here is the information on the turn-around targets:
For all flavors of Linux OS & some flavors of Unix (AIX, Solaris), we provide content within 5 business days. For Microsoft OS and applications, the content is available anywhere between 24 hrs and 7 business days depending on the category and severity of the patch.
All Security updates and zero day advisories are released within 24 hours.
For OSX, we release content within 3 to 5 business days.
For HP-UX, we release content within 10 business days.

We are continuously evolving the framework to release content and have been quite successful in releasing content within the turn-around target. For example, over the last 6 months, the majority of the Microsoft content has been released within 6 to 8 hrs, and there has been continuous improvement in the release cadence for other OS & applications. Please feel free to reach out to us if your business requirements are evolving around the patching cycle and if there is a need for additional improvement in the release cadence.

Hi, I understand that turn-around time is based on demand, but a Critical patch for Linux with up to a 5 day release cycle seems too long when our security team is telling us to deploy it asap. It might mean that we have to drop using OEL fixlets and just point to local yum repos and tell yum to sync against those.

But regardless, it’s been more than 5 days and still no ELSA-2017-0180. We’ll see what comes out of the PMR.
Thanks

Thanks for the feedback. The Fixlet for ELSA-2017-0180 is published.

Hi, I see ELSA-2017-0180 now. But ELSA-2017-0062 showed up at the same time, and that was released by the vendor on Jan 16th (11 days ago). Well beyond the 5 business day turnaround listed above…

As I mentioned before, there are several reasons we cannot exactly anticipate delays in the availability of the content. We strongly adhere to the above turn-around targets, and that is evident from the content we release regularly. That said, we will see what caused the delay for the above patch. Thanks for bringing it to our attention.

Hi @cstoneba, ELSA-2017-0062 - Oracle Linux bind security update - Oracle Linux 7 x86_64 is found in the Patches for Oracle Linux 7 site under fixlet ID 17006201. It looks like it was released on 17th Jan. Are you unable to see it?

Hi, yes, I can see it in that site. Even though the fixlet has a “Release Date” of Jan 17th, it wasn’t in the site until Jan 27th, when site version 57 was released.

The “release date” of the fixlet is apparently when the vendor releases it, not when the fixlet is created.

There also appear to be no notifications for when the “Patches for Oracle Linux *” sites are updated. No mailing list and nothing posted on the IBM site.