Guide to Linux Patch Management
This article gives an overview of Linux patch management best practices, options for scheduling and prioritizing patches, and how to handle the most common issues that arise while patching Linux distributions.
What Is Patching in Linux?
Patching is the way Linux systems are updated and kept secure. As new vulnerabilities are discovered, software developers release fixes and make them available as updates. It is imperative that these patches are applied to your systems regularly to keep your data secure and to minimize the risk of malicious impact.
Patches are released for performance purposes as well. Over time, developers add features, streamline processes inside the OS and enhance compatibility between the OS and the software. Updated software is posted to repositories, available for patching. Installing these patches will help to keep your system performing at its best and running efficiently.
How to Patch via RPM
The most effective way to install patches is via RPM, the RPM Package Manager. RPM is a free package management system available to all Linux distributions. The most important advantage of patching via RPM is that the packages are verified for integrity using GPG signatures and MD5 checksums. RPMs are most often hosted in central repositories on the internet, referred to as RPM repositories.
Red Hat Enterprise Linux and Fedora-based Distribution Patching
The default RPM package manager for Red Hat and Fedora-based systems is yum (Yellowdog Updater, Modified).
To update the entire operating system, the following command can be used:
- yum update
To run an update on a specific package, use this command:
- yum update <package-name>
This command removes a package entirely, for example when it is damaged and a fixed version has not been released yet:
- yum remove <package-name>
Debian-Based Distribution Patching
Debian-based Linux distributions, such as Ubuntu, use APT as the default package manager. APT, or the Advanced Package Tool, uses the apt-get command to install, remove, and update packages.
To run an update on the entire system, use these commands:
- apt-get update - Refreshes the package index from the configured sources, so that the correct versions of packages will be installed.
- apt-get upgrade - Downloads and installs the available updates for all installed software packages.
To update an installed package to the latest version, or to install a package that is not installed yet, the following command can be used:
- apt-get install <package-name>
To remove an installed package, use the following command:
- apt-get remove <package-name>
As with yum, a damaged or undesirable package can be removed with this command until a fixed version is confirmed to be available.
Linux Patching Best Practices
Best practices for Linux patching include scheduling patches, prioritizing them, updating regularly, and obtaining patches only from trustworthy sources.
The best way to apply these practices is to have a set Standard of Procedures for patching: written, tested, step-by-step instructions on how to apply patches to your Linux systems. Here is an overview of each of the best patching practices.
Schedule Your Patches Appropriately
You should have a set schedule of how often patches are looked for and run. If there is no schedule at all - critical updates may be missed, and important updates may be forgotten entirely. Additionally, checking for and installing patches every day can be a waste of bandwidth, time, and resources.
A good idea is to set up a weekly review of patches. However, if urgent issues arise, install these patches immediately to protect your systems.
Separate Critical Patches from Performance-Based Updates
Security-related patches should be deployed immediately; other types should be reviewed prior to implementation. General software and system updates, like any other piece of software, can have bugs and other issues. It is a good idea to let the general public stress-test such software for a while before you install it on your own systems.
A general rule would be to wait up to one month after non-essential software has been released before installing patches.
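The weekly review and the security-first triage described above, as an added example that is not part of the original article. It classifies the update lines printed by `yum updateinfo list` (RHEL/Fedora) and `apt-get -s upgrade` (Debian/Ubuntu) into "apply now" and "defer"; the sample lines, advisory ids and versions are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): a weekly patch-review job that splits
# pending updates into "apply now" (security) and "defer" (bugfix/enhancement).
# Input lines use the formats printed by `yum updateinfo list` (RHEL/Fedora)
# and `apt-get -s upgrade` (Debian/Ubuntu); the samples below are constructed.

# yum/dnf line: "<advisory-id> <Severity>/Sec.|bugfix|enhancement <package>"
classify_yum_line() {
    set -- $1                       # split the line on whitespace
    case "$2" in
        */Sec.) echo security ;;
        bugfix|enhancement|newpackage) echo other ;;
        *) echo unknown ;;
    esac
}

# apt line: "Inst <pkg> [<old>] (<new> <origin>/<suite> [<arch>])"
# Only the suite name (e.g. jammy-security) is checked, not the package name.
classify_apt_line() {
    case "$1" in
        "Inst "*" ("*" "*"/"*"-security ["*) echo security ;;
        "Inst "*) echo other ;;
        *) echo unknown ;;
    esac
}

# $1 = yum|apt; prints the review plan for the update lines read on stdin
weekly_review() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        case "$("classify_${1}_line" "$line")" in
            security) echo "APPLY NOW: $line" ;;
            *)        echo "DEFER 30d: $line" ;;   # re-review after the soak period
        esac
    done
}

# Constructed sample output (advisory ids and versions are illustrative only).
SAMPLE_YUM='RHSA-2024:0001 Important/Sec. openssl-libs-3.0.7-27.el9.x86_64
RHBA-2024:0002 bugfix         bash-5.1.8-6.el9.x86_64
RHEA-2024:0003 enhancement    vim-enhanced-8.2.2637-20.el9.x86_64'
SAMPLE_APT='Inst libssl3 [3.0.2-0ubuntu1.14] (3.0.2-0ubuntu1.15 Ubuntu:22.04/jammy-security [amd64])
Inst vim [2:8.2.3995-1ubuntu2.15] (2:8.2.3995-1ubuntu2.16 Ubuntu:22.04/jammy-updates [amd64])'

# Real use (e.g. from a Monday cron entry): yum updateinfo list | weekly_review yum
printf '%s\n' "$SAMPLE_YUM" | weekly_review yum
printf '%s\n' "$SAMPLE_APT" | weekly_review apt
```

On a real host, pipe the live output of `yum updateinfo list` or `apt-get -s upgrade` into `weekly_review` instead of the constructed samples.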
Update from RPM Repositories
To make sure that the patches you install come from trustworthy sources, install those published in RPM repositories. Software packages listed in reputable repositories can be trusted, and downloads are verified using GPG signatures and MD5 checksums.
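One way to check that a host really enforces the repository verification described above, as an added example that is not part of the original article: audit yum-style repository definition files and flag every section that would install packages without GPG signature checking. The repository file content, mirror URL and key path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): audit /etc/yum.repos.d/*.repo-style
# files and report every repository section whose packages would be installed
# without GPG signature verification (gpgcheck missing or set to 0).
# The file content below is constructed for illustration.

# Prints "<section> <verdict>" for each [section] in the repo file given as $1.
audit_repo_file() {
    awk '
        function flush() { if (sec != "") print sec, (ok ? "ok" : "WEAK: gpgcheck not enabled") }
        /^[[:space:]]*\[.*\][[:space:]]*$/ { flush(); sec = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sec); ok = 0; next }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ { split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2]); ok = (kv[2] == "1") }
        END { flush() }
    ' "$1"
}

# Returns 0 when every section enables gpgcheck, 1 otherwise.
repo_file_is_safe() {
    ! audit_repo_file "$1" | grep -q 'WEAK'
}

# Constructed sample: the first section shows the weak setting, the second the corrected one.
SAMPLE_REPO=$(mktemp)
cat > "$SAMPLE_REPO" <<'EOF'
[internal-mirror]
name=Internal mirror (placeholder)
baseurl=https://mirror.example.internal/rhel9/
enabled=1
gpgcheck=0

[internal-mirror-fixed]
name=Internal mirror, signed packages only (placeholder)
baseurl=https://mirror.example.internal/rhel9/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-placeholder
EOF

audit_repo_file "$SAMPLE_REPO"
# Real use: for f in /etc/yum.repos.d/*.repo; do audit_repo_file "$f"; done
```

For a single downloaded package, `rpm -K package.rpm` checks its signature and digests before it is installed.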
Set Up Notification Processes
Notifications can be scheduled so that when important security-related patches are released to the public, you know right away. The sooner you know that patches have been released, the sooner you can apply them to your system.
Red Hat offers an email subscription for security issue notification. Subscribe to their mailing list to get timely alerts.
The Debian-based Ubuntu distribution uses an RSS feed to send users security notices.
If you use third-party software, make sure that you’ve set up alerts as well.
Common Issues with Patches
Bugs are inevitable, despite the software being tested regularly before an official release. Here are things that can be done about a buggy update:
- Review and test non-essential updates several times before rolling them out to production systems.
- Plan regular backups to roll back in case the patch causes any undesirable effects.
- If you are able to figure out which patch is causing your issues, you can try uninstalling the specific software package and installing a fresh copy.
Patches That Affect System Productivity
To ensure business continuity, consider running significant updates after business hours or during the weekends. It might be time-consuming, but these efforts will pay off.
Be sure to be available as the system is put back to work again following a patch application. If bugs or software changes are going to affect productivity, you should be prepared to respond immediately.
Major Software Changes
To be prepared for major changes, system administrators should read through the release notes before applying patches. If the release notes indicate major changes, administrators should wait to apply this patch at a time that will have the softest impact. Additionally, a little internet research may reveal more information on software changes and an explanation on how to use the newest software.
Updated Software that Uses More Resources
When a software patch adds new features, it puts an increased load on server resources, and over time you may see the system slow down.
Here are some ways to combat running out of resources:
- Upgrade resources that can trigger a slow-down.
- Over time, all systems need to be upgraded. Have an upgrade plan in place ahead of time for when the day comes.
- Consider virtualization. Computing resource management is a lot easier and more configurable when your servers are virtualized.
No matter how you combat it - it’s best to be prepared - no one should be caught by surprise by running out of resources.
Every Linux system administrator makes decisions about software patches weekly, if not more often. Administrators need to be knowledgeable about the best practices and common pitfalls of Linux patching. Having a Standard of Procedures for how to handle the patching process is essential for each Linux system.
These procedures should include scheduling patches appropriately and understanding their priority. Notifications should be in place for when urgent patches are released. On top of all this, system administrators need to know for sure that patches are coming from reputable sources.
Plans need to be in place for how to handle update issues, such as buggy patches and ones that cause confusion due to changes in the interface. Patches should be applied at times that don’t affect business production. Finally - plans should be in place for when patched software requires more resources than your system can provide.
System administrators who have a Standard of Procedures in place to take on these items will be prepared to control each scenario that comes their way!