The Best Way to Patch Linux OS
Linux is generally considered a more reliable OS to apply updates to, but not patching will expose your environment just like any other operating system.
Installing individual updates on Linux is relatively easy and requires only that you know the name of the package you want to install.
The following process takes a little time because it is done from the command line, so we recommend you learn the basics of "bash" (the Bourne Again Shell, the default Unix shell on most Linux distributions), as it will greatly help your understanding of the process.
Robert Brown, Director of Services for Verismic, said, "If you ever visit a Patch Tuesday article you will often find a lot of comments about using Linux as a preferred operating system, because of its reliability and lack of updates. This is often a huge misconception in the Linux community, as each Linux OS is different and some of the examples below show updates which are needed only a week after the servers were last fully patched."
Both experts and the community are correct that the updates are more reliable with almost no Blue / Black Screen of Death (BSOD), but that doesn’t mean Linux doesn’t need to be updated.
- Establish a secure SSH remote console to the server, e.g. with PuTTY (Telnet is not encrypted, so a Telnet session does not give you a secure console)
- Run the following command line: apt list --upgradable | grep "\-security"
IMPORTANT: Understanding the resulting output is essential, as each line records the package name, the version it upgrades to and the version currently installed. For example, the output includes the following line:
apparmor/xenial-updates,xenial-security 2.10.95-0ubuntu2.11 amd64 [upgradable from: 2.10.95-0ubuntu2.10]
The fields of that line are, from left to right:
- apparmor: name of the package
- xenial-updates,xenial-security: the repositories (suites) the upgrade comes from; the "-security" suffix is what the grep filter above matches
- 2.10.95-0ubuntu2.11: version the package will be upgraded to
- amd64: architecture
- [upgradable from: 2.10.95-0ubuntu2.10]: version of the package currently installed
Where is the Severity and Update Description?
If you are used to Microsoft Windows Update (WSUS), you will notice that the output of the script only produces the name of the missing update package. Unless you search for the package name on the website of the specific Linux distribution, you will not know which packages are more important than others, or what a package is actually fixing. Many industry experts believe this knowledge is essential when choosing what to prioritize, especially since many administrators don't have the time to install packages which are not security-related or are very low in severity.
On the other hand, how would a Linux administrator know which package fixes a zero-day vulnerability or is absolutely essential to apply? You will need a solution for that. Keep it in mind, and let's continue with the install process:
- Identify the update(s) you wish to install (copy and paste is really useful)
- Run the following command line: sudo apt-get install <package name>=<version> For example, sudo apt-get install apparmor=2.10.95-0ubuntu2.11
IMPORTANT: Because you are making changes to the system, your account must have sudo privileges (e.g. an administrator account that is a member of the sudo group). Also pay attention to the spaces in the command above, as the command line needs to be exact in order to be passed correctly to the Unix shell.
If you wish to install many updates at the same time, separate the package names with spaces on the same line (apt-get install accepts several <package name>=<version> arguments separated by spaces).
If you want to update a package to the latest version rather than the specific version that was detected, you can omit the version. However, this is not recommended or considered best practice, because specific package versions should be tested on your servers before they are rolled out.
For example: sudo apt-get install apparmor
By default, Linux packages are installed without a reboot. Note, however, that some updates (a new kernel in particular) only take effect after a reboot, and an updated library is only used by services that have been restarted since it was installed; on Ubuntu the presence of the file /var/run/reboot-required indicates that a reboot is pending.
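The following script is an added example and is not part of the original article or of any Verismic product. It turns the two manual steps above (filter the output of apt list --upgradable to security updates, then build a pinned sudo apt-get install line) into shell functions, and adds the reboot-pending check. The apt list output it parses is a constructed sample embedded in the script, so it runs offline; the package names and versions in that sample are constructed and do not describe any real host. On a real server you would replace the sample with the live output of apt list --upgradable.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): parse `apt list --upgradable`
# output into its fields, build a version-pinned install command, and check
# whether a reboot is pending. Sample data below is constructed.

set -eu

# Constructed sample output of `apt list --upgradable`. On a real host use:
#   apt list --upgradable 2>/dev/null
SAMPLE_APT_LIST='Listing...
apparmor/xenial-updates,xenial-security 2.10.95-0ubuntu2.11 amd64 [upgradable from: 2.10.95-0ubuntu2.10]
libexample1/xenial-updates,xenial-security 1.2.3-0ubuntu0.5 amd64 [upgradable from: 1.2.3-0ubuntu0.2]
vim/xenial-updates 2:7.4.1689-3ubuntu1.5 amd64 [upgradable from: 2:7.4.1689-3ubuntu1.2]'

# One tab-separated line per security update: name, new version, installed version.
# Same filter as the article's `apt list --upgradable | grep "\-security"`,
# but each matching line is also split into its fields.
security_updates() {
    printf '%s\n' "$SAMPLE_APT_LIST" \
      | grep -- '-security' \
      | awk '{
            split($1, p, "/")                   # "name/suites" -> p[1] = name
            installed = $NF                     # "2.10.95-0ubuntu2.10]"
            sub(/\]$/, "", installed)           # strip the trailing "]"
            printf "%s\t%s\t%s\n", p[1], $2, installed
        }'
}

# Build the pinned install command for every security update. apt-get install
# takes its package arguments separated by spaces, each as name=version.
pinned_install_command() {
    args=$(security_updates | awk -F'\t' '{ printf " %s=%s", $1, $2 }')
    printf 'sudo apt-get install%s\n' "$args"
}

# Ubuntu's update-notifier creates /var/run/reboot-required when an installed
# package (typically a kernel) needs a reboot to take effect. The path is a
# parameter so the check can be exercised against a constructed file.
reboot_required() {
    [ -f "${1:-/var/run/reboot-required}" ]
}

security_updates
pinned_install_command
if reboot_required; then
    echo "reboot pending"
else
    echo "no reboot pending"
fi
```

The install command is printed rather than executed so that it can be reviewed (and tested against the change window) before it is run with sudo.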
If you have not updated Linux before, we hope this helps you get started. The primary objective of this article is to raise awareness of the need to patch Linux. Linux is generally considered a more reliable OS to apply updates to, but even so, a lack of patching will expose your environment just like any other operating system.
Patching Linux OS with Cloud Management Suite
Cloud Management Suite has many automation benefits to the manual patching methodology above. Via the discovery process, all Linux devices can be detected and inventoried. Our Patch Manager displays the packages missing just like the scripts above, only we include additional information which is important to IT managers like the description, the vendor severity and the independent CVSS score which we understand to be the cutting edge of vulnerability severity assessment.
Identifying zero-day updates is made easy by the color coding of the interface, and the scheduler used to deploy the updated packages allows flexible timing and reboot behavior to be set with ease. Enable your Linux administrators to use their resources more efficiently by allowing them to automate and report on the patching of your Linux environment.