Ask Slashdot: System Administrator Vs Change Advisory Board

thundergeek (808819) writes "I am the sole sysadmin for nearly 50 servers (win/linux) across several contracts. Now a Change Advisory Board (CAB) is wanting to manage every patch that will be installed on the OS and approve/disapprove for testing on the development network. Once tested and verified, all changes will then need to be approved for production. Windows servers aren't always the best for informing admin exactly what is being 'patched' on the OS, and the frequency of updates will make my efficiency take a nose dive. Now I'll have to track each KB, RHSA, directives and any other 3rd party updates, submit a lengthy report outlining each patch being applied, and then sit back and wait for approval. What should I use/do to track what I will be installing? Is there already a product out there that will make my life a little less stressful on the admin side? Does anyone else have to go toe-to-toe with a CAB? How do you handle your patch approval process?"

Nonsense

[ruir]

They want bureaucracy, they make the paperwork. Tell them to track windows and distro security pages, the changes are there. I would be toasted with that kind of tape, I updated my servers in a pinch immediately after the first news of heartbleed at 3 in the morning. 0300AM right. How about dusting your resume and changing jobs? Let them play the shuffling reports game alone.

Re:Nonsense

[N1AK]

Any remotely well organised IT department will have processes for handling both emergency deployments and retrospective approval. I'm not going to be cheerleader for the concept of CAB but if you're going to make a case against it then at least make a reasonable one because hiding behind obvious nonsense like this will just make you look stupid and change averse to your employer.

Re:Nonsense

Any decent change control process should have an emergency change category and process.

Re:Nonsense

Somehow reminds me of that joke where initially there's just one worker, then layers and layers of staff are added to manage that worker, then finally the worker is fired for underperforming.

Can't find it on Google or Bing though for some reason.

Re:Nonsense

[sg_oneill]

Back when I worked as a web administrator at my local university back in the early 2000s, the admin make-work types decided to bash out a web policy , mostly to keep standards up and guard against legal liability (Admittedly we had students setting up websites on chemistry lab pcs turned webserver with novel meth recipes and all sorts of shenanigans before that). All good and fine, I asked to be on the committee as an advisor, and so I was.

Then the whole thing went off the rails, every page needed to be approved by a department head, 10,000+ pages of previously existing data had to be retrofitted with full dublin core metadata descriptions, and so on and so on for about 400 pages of rules and policy that despite my best efforts I could not stop. These people had no fucking idea.

The crown was an insane rule that every new hyperlink had to be aproved not just by a department head but by the vice chancellor himself.

And so thats what I did, and I made sure it was done good and proper. I wrote a perl script that took all new pages on the webserver network (about 50-100 new pages a day) and then whenever a hyperlink appeared it spat out a 1 page document for approval *per link* requiring the vice chancellor and a lawyer to co-sign off on. All with witnesses. All in all about 400 pages a day of paperwork for the vice chancellor and a lawyer.

The policy lasted 3 days before I was dragged into the admin building to be ordered to stop producing the reports. I went in with my union rep. I said "Sorry , no , thats the official policy as passed by the university senate and the website will need to be shut down if this isn't done.". Since the next senate meeting was two weeks away, I made sure every god damn day that stack of paperwork was done by the vice chancellor for a glorious fortnight before the senate could revoke the whole damn policy.

It was a magical and golden time to be a union protected government (Universities are mostly run by the state in australia) employee.

For some reason later that year I was passed over for a promotion though. I wonder why, lol.

Re:Nonsense

[Opportunist]

This. Ask them if they have taken care of things like this. The answer to this alone will tell you whether there is some kind of deep consideration behind it or whether some PHB had a consultant toss the cool buzzword "change advisory board" in his direction.

If it's the latter, run. Run like the wind.

Re:Nonsense

[timepilot]

Dr. Seuss: “Oh, the jobs people work at! Out west near Hawtch-Hawtch there's a Hawtch-Hawtcher bee watcher, his job is to watch. Is to keep both his eyes on the lazy town bee, a bee that is watched will work harder you see. So he watched and he watched, but in spite of his watch that bee didn't work any harder not mawtch. So then somebody said "Our old bee-watching man just isn't bee watching as hard as he can, he ought to be watched by another Hawtch-Hawtcher! The thing that we need is a bee-watcher-watcher!". Well, the bee-watcher-watcher watched the bee-watcher. He didn't watch well so another Hawtch-Hawtcher had to come in as a watch-watcher-watcher! And now all the Hawtchers who live in Hawtch-Hawtch are watching on watch watcher watchering watch, watch watching the watcher who's watching that bee. You're not a Hawtch-Watcher you're lucky you see!”

Re:Nonsense

[RabidReindeer]

They want bureaucracy, they make the paperwork. Tell them to track windows and distro security pages, the changes are there. I would be toasted with that kind of tape, I updated my servers in a pinch immediately after the first news of heartbleed at 3 in the morning. 0300AM right. How about dusting your resume and changing jobs? Let them play the shuffling reports game alone.

I've served on a change control board. Every application and system update was supposed to be bundled to make the sysadmin's job easier, include a document that outlined the nature of the change and why it was needed, the instructions on how to apply the change, and the instructions on how to recover if it didn't work.

Change committee met once a week, approved/scheduled, deferred, or rejected changes. In case of emergency, the CIO or designated proxy could approve an out-of-band change request.

We didn't attempt to micro-manage changes, just understand the business risks and rewards. Obviously, the more details you could capture the better prepared you were to understand the consequences and the ways you could recover. But when Microsoft hands you a CAB that includes patches for SSL, IE, 6 GDI bugs and Windows notepad, that's their problem, not yours.

The one thing that we didn't do (obviously!) was allow automated Windws updates. Then again, considering the damaged that some Windows Updates have done to desktop machines, I didn't even allow that on my desktop machine.

Re:Nonsense

[OzPeter]

So... the business made a stupid decision, and when they realised the error of their ways, rather than trying to reach agreement on the best way forward, you delighted in rubbing their noses in it, using processes designed to protect you to hurt your employing organization instead.

If he had said .. "OK .. sure I'll stop sending you those 400 pages of paper per day", then the policy would still have been left in place, and sometime win the future his employer could have used his inability to follow policy as an excuse to ream him over. Yes its CYA, but some employers are not above using any tool at their disposal to justify their actions.

Only by being a genuine PITA does the stupid police get removed, rather than ignored until convenient.

Re:Nonsense

[Registered+Coward+v2]

So... the business made a stupid decision, and when they realised the error of their ways, rather than trying to reach agreement on the best way forward, you delighted in rubbing their noses in it, using processes designed to protect you to hurt your employing organization instead.

If he had said .. "OK .. sure I'll stop sending you those 400 pages of paper per day", then the policy would still have been left in place, and sometime win the future his employer could have used his inability to follow policy as an excuse to ream him over. Yes its CYA, but some employers are not above using any tool at their disposal to justify their actions.

Only by being a genuine PITA does the stupid police get removed, rather than ignored until convenient.

While what you say is true, it is not necessarily the best way to deal with stupid policies. In the end, the PITA gets remembered long after the stupid policy is forgotten; all people know is someone was a PITA and eventually will be made to pay for it. You could, for example, send all links on one page and have that be signed. After a few were signed its's time to broach the "is there a better way to do this" argument. Malicious compliance with rules generally results in pissing people off and payback at some future point; it can even be fun watching the PITA get a taste of their own when the opportunity arises.

Re:Nonsense

[MachineShedFred]

It should also have a method of implementing a "standard change" - meaning a change that repeatedly happens, and has a good track record of being successful with minimal fallout. Implement a WSUS test server for having a patch test environment, and point some less critical systems at it. Should anything go wrong there, you'll then know what patches to NOT apply automatically to the critical infrastructure.

Change management and review is there to help you, not be a pain in the ass. Remember - if they sign off on your documented change, they share the responsibility should something go sideways.

Re:Nonsense

[Ash+Vince]

They want bureaucracy, they make the paperwork. Tell them to track windows and distro security pages, the changes are there.

Yep. They're the "experts". Just tell them the Microsoft KB number, that's all the information they need.

Yup, follow this advice and come across like an unhelpful douchbag.

Or, bend over backwards to help them. Provide them with a break down on every single patch (a few line summary with a link to the KB article for the full details), then give each patch a priority based on its impact and come up with different deployment routes for each one, then explain to your manager who allocates your time why patch management for the CAB board just became a full time job.

Also, if they ever reject any and you end up a dependency hell where you cannot install a critical patch because of a low impact one you rejected (you do test each patch deployment run on a dummy server don't you?) then explain why the process failed, politely, without saying thing like "I told you this was dumb years ago!".

Alternatively, if the system runs for a few months and every single patch sent to the CAB board has been approved then you can clearly demonstrate the do not really add anything and start making rational arguments to abandon the process from a sound basis while demonstrating you are an excellent team player who easily adapts.

But if you would rather come across like a non-team player who hates any interference in your system admin fiefdom then, just go with the douche bag option and watch your job get outsourced in 6 months.

In my experience the world of work is full of crap like this, times when processes that are overly bureaucratic are forced on us techies even though we clearly see them as a waste of our time. Unfortunately this is generally just stuff we have to lap up as part of our job, if you can, you generally end up earning more and with the greater long term job security that working as part of a larger company provides.

An excellent book on this sort of business related stuff is called "Who moved my cheese" and the gist of it is that you want to come across as and "enabler" rather than a "blocker". That often means trying your best to make what is clearly a stupid idea a success.

Re:Nonsense

[Ash+Vince]

The crown was an insane rule that every new hyperlink had to be aproved not just by a department head but by the vice chancellor himself.

At that point you should have just emailed everyone on the committee, and copied in the vice-chancellor with some stats on exactly how many approvals this would generate on a daily basis. Include the actual statistics for the previous 7 days so if this was generating 50 pages per day you had some clear number to back this up while still in the planning stage. That was clearly why you were put on the committee, to stop a bunch of know nothings from coming up with a stupid policy, you failed.

The way to succeed as a techie is not about being technically brilliant any more, it is about how you can talk people round to your way of thinking and use evidence to back up your points of view.

Re:Nonsense

[plover]

"Yes men", or "enablers" as you call them, are the root cause of the out-of-control bureaucracy problem.

Management wants desperately to have processes that can be followed by minimum wage desperate people. They want to believe that they're incredibly smart and insightful, and that their knowledge of their business is so absolute and perfect that a process is easily applied to every situation. The enablers then create the real problems by saying "yes, we'll make this work," when they are actually lying. The problems then get worse, because the enablers also feel that every status report must be green, otherwise their process is not as perfect as they said it was.

The transparent lies breed more processes to control the mistakes that never seem to get fixed, despite the change review board processes. Nobody ever questions the process, because they'd be seen as a blocker. Change becomes impossible, because the middle-management process owners who have been lying "yes" will lose their jobs if their process is removed.

The process explosion reaches critical mass as each failed process begets two more to control it. The business goes into a death spiral of bloat and inefficiency.

Everything is painful. The smart middle managers flee early, leaving only the enablers behind, and they refuse to see or acknowledge any problems. The loyal people have their jobs turned into paperwork and outsourcing. With luck, the board will recognize the out of control costs, and bring in a lean outsider. An organization this bad off may need to fire 50%-90% of the people. Or the board may go the wrong direction, and outsource the whole damn mess, further eroding their ability to change.

This philosophy has caused more damage to business and productivity than any other idea, ever.

Avoiding this is simple, in theory. Tell the truth, and don't be afraid to change your mind if shown evidence that you're wrong.

Re:Nonsense

[Anon-Admin]

I have worked for those companies. lol

27 page CAB form and full CAM meeting. Just to edit the /etc/login.defs and change PASS_MIN_DAYS from a 0 to a 7.

I still laugh about it to this day. A single character change and 27 pages of paperwork.

Re:Nonsense

[fair_n_hite_451]

Go directly to your Change Manager (not the CAB, but the person who is invested in the day-to-day management and running of the process).
Utter the following sentence "I wish to get regular patching of Windows Servers defined as a standard change, what do I need to do?"
Follow those instructions.

It might seem like more beauracracy for the first run through, but it'll be smooth and seamless after that. As a Change Manager for years, I can tell you that the people in that position are far more worried about project managers trying to push through craptastic updates at the last second than they are with competant domain support people. They'd love to get you off their radar just as much as you want to be off the CAB's radar.

Patching....

What we normally do is get a blanket approval if its coming from the OS provider with an understanding that patching will be done on a specific schedule.

IE. If all the patches come from Redhat there is no approval its necessary to keep them up to date for security purposes. The same is true for patches pushed out from Microsoft.

Then your only dealing with 3rd party applications. Even those the more common ones we get added to the blanket approval, ie. Adobe. This way you are only telling them you are bringing them into line with the latest set of patches provided by the OS vendor without having to list all the packages that are being updated. Then they only have to ask you if a program has or does not have a certain bug.

Re:Patching....

[rioki]

I totally agree with the above. These change review rigmarole is often done for reasons of security and operational stability. This is a laudable goal, but often the added red tape make the entire system more vulnerable when they want to decide which security fixes get applies. You need to hammer it home that each second between the time the security fix is published and the time the fix is applied the systems are vulnerable. This is because, once the security fix is published, every hacker knows about the issue too. If you have something worthwhile to protect, which is probably the reason why a change review board was established, you do not want add more time to that time window. If they need red tape, you should get a blanket agreement that you apply security fixes from vendors for critical software (OS, databases, etc.) ASAP and they get a notification of when and what patch was installed.

Re:Patching....

[N1AK]

If you have something worthwhile to protect, which is probably the reason why a change review board was established, you do not want add more time to that time window.

No, CABs often get implemented because someone is worried about the damage a borked patch/update could do and doesn't have confidence that it could be reliably fixed quickly. Most of the 'admin' in a change request is things like a process plan (which surely you already know if you're deploying an update to a critical live system) and a rollback process (which again, surely you should be considering before risking fubaring the system).

What I will say is that you should ensure that the CAB members are aware of the need to be able to handle emergency requests (meet, agree and deploy in hours) and should have some process to handle retrospective requests if a business critical update comes out and you can't wait for CAB approval. Normally the requirements for retrospective requests is that it's genuinely critical and that you send a completed request before the update. It might sound odd, but the idea is that they can use that to see if you had properly thought through the process and not just gone Rambo on it.

What helps...

[ProfessionalCookie]

ethanol.

perhaps

[dimko]

New product your comapny requires is called: junior admin? Expensive stuff but does the job.

I do this

[beezly]

I have to do this and it's no problem at all, although our change management process doesn't sound quite as onerous as yours (I suspect yours will adapt over time -- the CAB will soon get bored if they have to approve every single OS patch).

I have to do a risk analysis for each change that gets made to a system (not just patches). Sometimes this risk analysis is fairly informal, for example if the change is to add more RAM to a VM, it's very unlikely to have a significant adverse impact and is easily reversible, so low risk. Other times the risk analysis (and processes that come out of that) may take a long time and require significant co-ordination with other parts of the organisation I work in.

A good example is if we make a change to a service that impacts the look and feel of that service. It will require co-ordinating with our communications, helpdesk, training and documentation teams as well as other parts of the technical group I work in and the CAB really acts as a check to make sure all of that has happened properly.

There are still a few people in our organisation who see the CAB as a barrier to getting work done, but for me it is really a check to make sure we're delivering changes in a proper way.

I can recommend you take a look at The Phoenix Project by Gene Kim, Kevin Behr and George Spafford. http://itrevolution.com/books/... - I had quite a few "this is where I work" moments whilst reading it :)

Setup a WSUS server

[will_die]

Setup a WSUS server, you probably already have the licenses. From there you can pull the patches to it and then push it to needed servers as approved.
There are commercial products that can also this in a nicer manner but they cost money.

ask yourself *why* and do the right thing

[flinkflonk]

This is known as the change process in ITIL, and it does have a remedy. The remedy is pre-approved changes (standard changes), which should include patching the OS with patches approved by the vendor. It's meant for exactly this situation, and if your change process doesn't have them it's just a paper wall.
The ITIL change process is all about reducing risk. If there is a risk with patching your OS (there is, especially since you mention Windows, it's not that unheard of that a Windows patch makes your whole network inoperative) you have to weigh it against the risk of not patching it (meaning you leave known security holes in).
So, my advice is to get OS patches for your OSes pre-approved by the CAB, that is, when a vendor releases a set of patches you are allowed to patch your systems in the way and the order of that pre-approved change. Of course it's paper-pushing, but use it to your advantage and push some paper yourself. If a server gets compromised and you have the papers (changelog) to prove that you followed procedure, blame will be placed somewhere else. And things will be done differently from there on, since it has been proven that the procedure didn't work, and everybody wins.
Or you could go find another job (like some other posters recommended) where you are the sole *cowboy*-admin and nothing gets done properly. Your choice really.

Run away!

[arcade]

Given your description, you're the sole sysadmin. This means you're the person who should take these decision - nobody else. If the company disagrees with this, then either you've done a poor job previously, or they don't trust you to do your job for some strange reason.

Now, if it's you that have fscked up on previous occasions, then it's understandable that they want the red tape.

If you haven't, then it's time to put down the foot and say "Nope, that's my job". If they disagree with that - linkedin should be a relatively short distance away, and after you find yourself a new job - simply hand in your resignation pointing out that you have no interest in having babysitters.

As a Change Manager...

[Pete+(big-pete)]

I work in Change Management for a major telco, I chair the IT CAB, and I oversee server and client patching (amongst many other changes!). When we patch clients, we are patching up to around 30,000 real and virtual desktops - when we patch servers, they also number in the thousands.

There is no way we would allow a sysadmin to patch anything at any time without some level of oversight, an individual admin has no oversight on other patches, hardware interventions, application releases, network upgrades, business campaigns, etc that may be happening on our environment at any given moment (this isn't their job to be keeping track of all of that info). For server and client patching is as light as possible, but we still maintain a close oversight.

On the Wednesday following the second Tuesday of each month (for example), I sit down with the Windows server guys and the Windows client guys, and we review their proposals to patch - usually we have a fairly rapid timescale that we can meet to ensure that the patches are deployed (including pilot testing, etc to catch any issues before everyone's desktop is broken!), sometimes there are other major interventions that overlap, and then we need to make prioritisation decisions and decide which has priority. We have made similar agreements with the Linux teams, where they have a special process to patch, and we have close oversight on Unix patches, as upgrading these servers with a reboot can be a very big deal.

The last thing you want is an application version release of a critical ordering application happening at the same time as a system software patch, and then to have an issue afterwards - is it the application version, is it the systems patch, was there some conflict with the activties being performed at the same time? Troubleshooting gets more difficult, teams point fingers at eachother, and the whole time the business is screaming blue murder.

Of course in an Incident situation there is more flexibility to get things fixed fast, and with security issues I am keen to break open the S-CAB process to expedite a rapid approval flow to ensure that security holes are fixed as fast as possible - of course most changes are encouraged to follow the rules though, the change calendar is published, and everyone knows when the "standard" slots for deployment are, and if most people manage to schedule their changes within those windows, then it minimises potential conflict for everyone.

Change management are not your enemy, they are your friend - once you register your change with them, they have your back, they will guard from other interventions clashing with you, will stop you from inadvertently upsetting the business, and will decrease change related Incidents. However, with great power comes great responsibility, and Change Management need to find the right process for the right type of change - we cannot have a full in depth investigation into every configuration change, every patch, every bug-fix, every new server to be provisioned. A good Change Management team will guide changes to the appropriate flow, and grease the wheels for certain types of interventions - it seems that the CAB mentioned in the summary are still finding their feet a little, and I am sure they will evolve over time as they start to understand which changes are high risk, and which can be allowed to pass with a lighter touch.

-- Pete.

Re:As a Change Manager...

OP is managing 50 servers, you are managing tens of thousands of Systems - the situations are hardly comparable.

Like the OP I am the sole admin for our companies IT (60+ on prem servers, mix of WinTel and Linux, plus 10 Azure hosted servers) and I am in charge of patch management.

If a committee in the organisation came and told me they were taking responsibility for patching away from me I would either tell them to sod off OR I would hand over all the admin accounts and wish them luck.

Re:As a Change Manager...

Exactly. While I wouldn't have a problem if it was just a matter of tracking when changes were applied for audit purposes, having to document each patch is completely unreasonable. In my case, we have various regulations that require us to patch our systems within a certain period of time, which we've translated into patching once a month. If I get asked for justification for installing a particular patch, it's usually "because if I don't the auditors will ding us for not installing it." If something needs to be done off-cycle or in an emergency (e.g., OpenSSL updates for Heartbleed), those get documented and rubber-stamped by our change control process, but beyond that it's assumed that regular patches are approved.

At one point it was suggested that for compliance I was going to have to not only document and justify all patches applied, but pre-document exactly which patches were being applied on each system AND show proof that those patches and ONLY those patches were applied on each system. Given the way that RHEL releases patches (not to mention Debian and Ubuntu, that would have turned a monthly patch cycle that takes at most a day or two into a full-time job. I pushed back, pointing out that it would do nothing other than create more paperwork and take time away from my ability to do anything else, and they eventually agreed. Yes, there can be a happy medium somewhere, and it's not the same for every organization, but the fewer technical people there are doing the actual work, the less this type of bureaucracy will produce functional results...

System Administrator Vs Change Advisory Board

[wonkey_monkey]

System Administrator Vs Change Advisory Board

50 quatloos on the newcomer!

Re:They have a point

As a software developer I have multiple times had a development box screwed over by an IT department pushing unneeded drivers and patches that cause problems.

I say prove they are good or needed before you waste other peoples time.
If you just want to push any random patch that comes along then you should be forced to resolve all issues without the traditional reinstall the machine.

Er, waste people's time?

As a software developer, you have no fucking idea how difficult it is to pick and choose patches and driver updates to get pushed out to machines while also trying to maintain any sort of consistency with patch levels across the enterprise, but apparently this is something you want me to waste my time on in order to ensure you've not lost a spare second on the rare and random occurrence that you experience a problem in 1 out of 200 patches (my patching track record over 15+ years shows the frequency quite less than that)

And if you're doing patching correctly, you're mainly concerned about patches deemed "critical", so again, you're not really afforded the luxury of picking and choosing here without risk.

As a seasoned sysadmin, I have a fix for you. It's called VMs. Play till your hearts content and press the rewind (snapshot) button when find the environment screwed up (shockingly, it's not always the IT department that screws computers up...yes, I know this is breaking news)

Re:Are you still partying like its 1999, or what?

[sjames]

That's not the big leagues, that's the short bus.

yes, changes need to be documented. They should be deployed on a test server before going into production. The rest is just people who were presumably traumatized by falling out of a tree as a child seeking revenge.

Take the people in the CAB and replace them with extra admins who are bright enough to know what I said in the 2nd paragraph.

Change management can cover your ass

[Madman]

There is genuine value in a well-run change management program. Organizations need to know what is going on in their infrastructure, and plan things properly. In many industries there is a growing regulatory requirement to have change management, and auditors are looking for these things more often too. Many smaller shops are bringing in change control, so rather than handing in your badge my advice would be to deal with it and learn the lessons.
One lesson is rather than fight it, use it to your advantage. Yes, there's paperwork, however if you follow the system correctly they cannot blame you if things go wrong. What you thought of as freedom was also a risk to your own position as you had sole responsibility - change control means less freedom, but you are covered. Also, you can get budget for better management systems which will make your life easier. Put together a realistic list of what you need and get involved with setting up the change control process. If you stay silent or fight it you won't get a say.

Re:SCCM

[gl4ss]

sure, but how does that help with having to run the CAB through 102 patches?

I think go for easy solution. introduce the patches in batches for the board. ("monday updates for week 32").

the fucking board will not care after 2 weeks anyways so just do lip service for two weeks.

Re:SCCM

[Enigma2175]

Yeah, after a couple of weeks of having to run through a few hundred patches at a time (make sure you write at least a page for each patch!) they'll get the hint that this is fucking retarded and back off.

I think and your parent underestimate the ability of committees to do work that is fucking retarded. I can't count the number of fucking retarded processes at my company that people have been happily doing for years.

Re:SCCM

[afidel]

Why write anything? Include the full expanded content from the MS KB article for the update, they generally run 1-5 pages each if printed on 8.5x11/A4