Linux Patching

I almost exclusively patch Debian and Ubuntu. I run patches once a month, or unless there's an urgent CVE that surfaces outside my patch schedule.

I currently patch manually because Atera cannot patch automatically - this is annoying because about 10% of my total endpoints are Linux servers.

I use built-in commands packaged in a script. I used to use Webmin, but did away with that to minimize resource utilization, attack surface area, and unnecessary dependencies.

I typically patch everything. I'm proficient enough in most Debian Linux distributions to fix problems with updating. But for some packages, like PHP or a database, I'll version lock those so they only receive security updates, but not major versions which can introduce unwanted changes and/or incompatibility.

I track success individually on each endpoint and test service functionality post-update. I also rely on apt logs and querying systemctl to show me errors.

I do have a problem with Atera's Linux agent, and it prevents me from installing it on any production Linux servers. Atera's Linux agent has several dependencies - namely the .NET framework. This is a large package that introduces unwanted packages on managed Linux servers and increases resource utilization. Since most of the servers I manage are low cost cloud instances, this means resource contention is high and anything that consumes resources is very much unwanted. I understand Atera's desire to keep a similar codebase, but Linux is not Windows, and there's no need to install Windows dependencies on Linux to manage things in the Linux space. If Atera's Linux agent gets a rewrite in a native language that can be deployed with no (or very limited) dependencies, I would be willing to try it again - but as it is now I'd rather not use it.