Linux Patching

nina Internal Posts: 428 ✭✭✭✭✭
edited June 2023 in Patch Management

If you currently patch your Linux managed devices... then this poll is for YOU.

We would also love to know:

- Which distros do you patch? How often?

- Do you patch manually or automatically?

- Do you use built-in commands or any third-party tools?

- Do you patch all updates/critical/software?

- How do you track the success/failure of the installation?

Linux Patching 5 votes

- I patch on a set schedule: 60% (cyrusdyoderdaniel.gormleyrahn, 3 votes)
- I do it sometimes: 0%
- I don't do it... yet!: 20% (cwren, 1 vote)
- This is something I need: 20% (gwallace, 1 vote)

Comments

  • dyoder
    dyoder Member Posts: 52 ✭✭✭
    I patch on a set schedule

    I almost exclusively patch Debian and Ubuntu. I run patches once a month, unless there's an urgent CVE that surfaces outside my patch schedule.

    I currently patch manually because Atera cannot patch automatically - this is annoying because about 10% of my total endpoints are Linux servers.

    I use built-in commands packaged in a script. I used to use Webmin, but did away with that to minimize resource utilization, attack surface area, and unnecessary dependencies.

    I typically patch everything. I'm proficient enough in most Debian Linux distributions to fix problems with updating. But for some packages, like PHP or a database, I'll version lock those so they only receive security updates, but not major versions which can introduce unwanted changes and/or incompatibility.

    I track success individually on each endpoint and test service functionality post-update. I also rely on apt logs and querying systemctl to show me errors.

    I do have a problem with Atera's Linux agent, and it prevents me from installing it on any production Linux servers. Atera's Linux agent has several dependencies - namely the .NET framework. This is a large package that introduces unwanted packages on managed Linux servers and increases resource utilization. Since most of the servers I manage are low cost cloud instances, this means resource contention is high and anything that consumes resources is very much unwanted. I understand Atera's desire to keep a similar codebase, but Linux is not Windows, and there's no need to install Windows dependencies on Linux to manage things in the Linux space. If Atera's Linux agent gets a rewrite in a native language that can be deployed with no (or very limited) dependencies, I would be willing to try it again - but as it is now I'd rather not use it.
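
The success tracking described in the comment above (apt logs plus systemctl) can be scripted. This is an added example, not part of the original post or of any vendor tooling; the function names are hypothetical and the sample log is constructed in the layout of `/var/log/apt/history.log`.

```shell
#!/usr/bin/env bash
# Added example: post-patch check over an apt history log (Debian/Ubuntu).

# Constructed sample in the layout of /var/log/apt/history.log.
write_sample_log() {
  cat > "$1" <<'EOF'
Start-Date: 2023-06-01  09:00:01
Commandline: apt-get -y upgrade
Upgrade: openssl:amd64 (3.0.2-1, 3.0.2-2), libssl3:amd64 (3.0.2-1, 3.0.2-2)
End-Date: 2023-06-01  09:00:45

Start-Date: 2023-07-01  09:00:02
Commandline: apt-get -y upgrade
Upgrade: nginx:amd64 (1.18.0-1, 1.18.0-2)
Error: Sub-process /usr/bin/dpkg returned an error code (1)
End-Date: 2023-07-01  09:00:30
EOF
}

# failed_apt_runs FILE -> "<start>|<command line>|<error>" per failed run.
failed_apt_runs() {
  awk '
    /^Start-Date: /  { start = substr($0, 13); cmd = "" }
    /^Commandline: / { cmd = substr($0, 14) }
    /^Error: /       { print start "|" cmd "|" substr($0, 8) }
  ' "$1"
}

# upgraded_count FILE -> packages upgraded across all runs in the log.
# Entries on an "Upgrade:" line are separated by "), ".
upgraded_count() {
  awk '/^Upgrade: / { n += gsub(/\), /, "&") + 1 } END { print n + 0 }' "$1"
}

# failed_units -> names of systemd units currently in the failed state.
# Defined for use on a real host; not called in the demo below.
failed_units() {
  systemctl --failed --no-legend --plain | awk '{ print $1 }'
}

# Demo on the constructed sample; on a host, pass /var/log/apt/history.log.
log=$(mktemp)
write_sample_log "$log"
echo "packages upgraded: $(upgraded_count "$log")"
failed_apt_runs "$log"
rm -f "$log"
```

A non-empty result from `failed_apt_runs` or `failed_units` after a patch window marks the endpoint for manual follow-up.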

  • nina
    nina Internal Posts: 428 ✭✭✭✭✭

    Thank you everyone for your input!

  • nina
    nina Internal Posts: 428 ✭✭✭✭✭

    Hi Community! Quick update: Linux patching is now live!