Agent 41
To properly uninstall the Agent after the update to Agent 41:
sudo dpkg -r amagent
sudo dpkg --purge amagent
Environmental
In order to avoid contention with other patching mechanisms and allow Automox to fully manage patching, we recommend disabling tools such as GNOME Software Updater and PackageKit.
(These are similar to Windows Update and macOS Software Update.)
To disable in RedHat/CentOS:
systemctl status packagekit
systemctl stop packagekit
systemctl mask packagekit
yum remove PackageKit
To disable in Ubuntu/Debian:
/etc/apt/apt.conf.d/20auto-upgrades:
APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "0";
APT::Periodic::Unattended-Upgrade "0";
Firewall
Ensure that Devices are permitted to make outbound connections to the appropriate repositories, such as:
deb.debian.org
*.archive.ubuntu.com
security.ubuntu.com
vault.centos.org
cdn.redhat.com
What method does Automox use to apply Linux patches?
The Automox Agent will use either yum or apt, depending on the Linux distribution, to perform the appropriate package actions.
Staging of Patches
For customers that have either a narrow maintenance window for patching, or want to maintain consistent patch versions between different environments (e.g. dev/test, staging/production), we recommend pre-fetching the patches locally ahead of the scheduled patching window (e.g. the night before).
For RHEL/CentOS:
sudo yum update --downloadonly
For Ubuntu/Debian:
sudo apt-get upgrade --download-only
How does Automox detect which Packages have pending updates for Linux Devices?
Due to the inherent complexity of identifying updatable packages across multiple operating systems, it is not uncommon to question how exactly Automox accomplishes this. In a nutshell, Automox utilizes the built-in package management systems of each operating system to identify which packages are installed, and which ones are available to update.
To identify pending patches on the Linux operating system, Automox issues a unique command to a target device depending on the version of Linux that is being run. Because there are often multiple methods of identifying updatable packages—and different methods can produce different pending patch counts—the methodology and commands used to determine pending patches for each operating system have been outlined here.
For Amazon Linux
repoquery --pkgnarrow=updates -a
For Ubuntu / Debian
aptitude search ~U
For Fedora
dnf check-update
For SUSE Linux Enterprise Server (SLES)
zypper list-updates -t package
For Red Hat Enterprise Linux (RHEL) / CentOS
repoquery --plugins --pkgnarrow=updates -a
‘Reboot Required’ Device Status:
To determine if a Linux host needs rebooting:
For Red Hat Enterprise Linux (RHEL) / CentOS
sudo needs-restarting -r
For Ubuntu / Debian:
sudo cat /var/run/reboot-required.pkgs
If the file exists, a reboot is required.
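As an added example that is not Automox's own agent code, the following POSIX shell functions tie together the two checks described above: the pending-update command listed per distribution family and the reboot-required signals. The function names os_family, pending_update_cmd and reboot_required are this example's own, and the ID/ID_LIKE fallback from /etc/os-release is an assumption of the example, not something the page states the Agent does.

```shell
# Added example, not Automox's own agent code: pick the pending-update
# command this page lists for the host's distribution family and test the
# page's reboot-required signals; paths are parameters for testability.
# Print the family from an os-release file: ID first, then ID_LIKE as a
# fallback, so e.g. Rocky (ID_LIKE="rhel centos fedora") resolves to rhel.
os_family() {
    file="${1:-/etc/os-release}"
    [ -r "$file" ] || { echo unknown; return 0; }
    id=$(sed -n 's/^ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$file")
    like=$(sed -n 's/^ID_LIKE="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$file")
    for token in $id $like; do
        case "$token" in
            amzn)          echo amzn;   return 0 ;;
            rhel|centos)   echo rhel;   return 0 ;;
            fedora)        echo fedora; return 0 ;;
            debian|ubuntu) echo debian; return 0 ;;
            sles|suse)     echo sles;   return 0 ;;
        esac
    done
    echo unknown
}

# Print the pending-update command from this page for a family.
pending_update_cmd() {
    case "$1" in
        amzn)   echo "repoquery --pkgnarrow=updates -a" ;;
        rhel)   echo "repoquery --plugins --pkgnarrow=updates -a" ;;
        fedora) echo "dnf check-update" ;;
        debian) echo "aptitude search ~U" ;;
        sles)   echo "zypper list-updates -t package" ;;
        *)      return 1 ;;
    esac
}

# Exit 0 when a reboot is pending. Debian family: the marker file under
# $2 (default /var/run). RHEL family: needs-restarting -r exits 1 when a
# reboot is needed, so that exit status is the positive signal.
reboot_required() {
    rundir="${2:-/var/run}"
    case "$1" in
        debian) [ -e "$rundir/reboot-required.pkgs" ] ;;
        rhel|amzn|fedora)
            command -v needs-restarting >/dev/null 2>&1 || return 1
            needs-restarting -r >/dev/null 2>&1; [ $? -eq 1 ] ;;
        *) return 1 ;;
    esac
}
```

On a live host, `fam=$(os_family)` followed by `$(pending_update_cmd "$fam")` and `reboot_required "$fam"` reproduces the page's two checks for whatever distribution is running.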
NOTE:
The ‘Enable automatic reboot after updates are installed’ feature in Patch Policies does not currently work for Linux Devices. In the Automox Console, rebooting a Device can only be done via clicking ‘Reboot Device’ in the Device Page or via a Worklet.
Which packages require a reboot after being updated?
Some examples are…
dbus
*-firmware-*
glibc
gnutls
kernel-*
hal
openssl-libs
systemd
udev
Automox understands that reboots do come at a cost to system uptime.
However, to ensure a system’s overall functionality, stability, and security, it is our recommendation to reboot the Device, especially after having patched/updated any of these aforementioned packages.