Example Patch Policy
RHEL / CentOS / ...
Constantly check security updates - yum-security
If you don't run an actively patched RHEL breed, the yum-security plugin becomes useless. It can only report security updates that are visible in *your* upstream repositories. So if RHEL has a security patch, you will not be warned about it during the many months until CentOS picks up that release.
It'd be best for you to be a good citizen and have at least one RHEL subscription.
(or OEL, or...)
- Keep downtimes short by automatically downloading updates
- Run automatic backups before your update
Full Update 8 times a year, delay reboots for kernel update until downtime.
Fuzzy area: service restarts, and consistency between userland and kernel. As long as you stay within the same minor release, all is fine.
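An added example, not part of the original page: a small shell helper that summarises the security advisories yum reports and flags whether a kernel package is among them, so the reboot can be scheduled for the next downtime. It assumes the `<ID> <Severity>/Sec. <package>` line format printed by `yum updateinfo list security`; the function names, the sample advisory IDs and the package names are constructed for illustration.

```shell
#!/bin/sh
# Summarise pending security advisories from yum-security output.
# Real use (assumption: yum-security is installed and the repos carry errata):
#   yum -q updateinfo list security | summarize_security_updates

summarize_security_updates() {
    awk '
        # Advisory lines: <ID> <Severity>/Sec. <name-version-release.arch>
        $1 ~ /^[A-Z]+-[0-9]+:[0-9]+$/ && $2 ~ /\/Sec\.$/ {
            sev = tolower($2)
            sub(/\/sec\.$/, "", sev)
            count[sev]++            # packages affected, per severity
            adv[$1] = 1             # distinct advisory IDs
            # Only the kernel package itself forces a reboot to take effect;
            # kernel-headers and friends do not match this pattern.
            if ($3 ~ /^kernel-[0-9]/) kernel = 1
        }
        END {
            n = 0
            for (a in adv) n++
            printf "advisories=%d critical=%d important=%d moderate=%d low=%d reboot_needed=%s\n",
                n, count["critical"], count["important"],
                count["moderate"], count["low"], (kernel ? "yes" : "no")
        }'
}

# Constructed sample output (IDs and packages are placeholders, not real errata).
sample_updateinfo() {
    cat <<'EOF'
Loaded plugins: security
RHSA-2099:0001 Critical/Sec.  examplelib-1.0-2.el6.x86_64
RHSA-2099:0002 Important/Sec. kernel-2.6.32-999.1.el6.x86_64
RHSA-2099:0002 Important/Sec. kernel-headers-2.6.32-999.1.el6.x86_64
RHSA-2099:0003 Moderate/Sec.  exampled-2.3-4.el6.x86_64
updateinfo list done
EOF
}

# Demo on the constructed sample.
sample_updateinfo | summarize_security_updates
```

A result of `advisories=0` only means the configured repositories list no advisories, which is exactly the blind spot described above for repositories that lag behind RHEL.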
Full Update 8 times a year
Nowadays there are even some OSS tools for patch management, e.g. some float around FUNC. The downside is that these aren't created for enterprise environments and won't cover all your needs. But you can expect basic functionality like "frozen" yum repos and timed updates.
Tools for repository management:
Pulp by Red Hat ET (Emerging Technologies lab). Also have a look at the add-on called Juicer.
mREPO by Dag Wieers