Linux: Recommendations, Requirements, and FAQs

Agent 41

To fully uninstall the Agent after updating to Agent 41 (Debian/Ubuntu; dpkg -r removes the package and --purge also removes its configuration files):

sudo dpkg -r amagent
sudo dpkg --purge amagent

Environmental

In order to avoid contention with other patching mechanisms and allow Automox to fully manage patching, we recommend disabling tools such as GNOME Software Updater and PackageKit.

(These are similar to Windows Update and macOS Software Update.)

To disable on Red Hat/CentOS (run as root):

systemctl status packagekit 
systemctl stop packagekit
systemctl mask packagekit
yum remove PackageKit

To disable in Ubuntu/Debian:

/etc/apt/apt.conf.d/20auto-upgrades:
APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "0";
APT::Periodic::Unattended-Upgrade "0";
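
The following script audits and, when told to, applies the two sets of changes above. It is an added example, not Automox's own code: the apt_periodic_enabled check (any APT::Periodic value other than "0" counts as still enabled), the argument-driven "apply" mode and the config-file path argument are this example's additions; the path /etc/apt/apt.conf.d/20auto-upgrades and the PackageKit steps are the ones given above.

```sh
#!/bin/sh
# Added example (not Automox code): audit and, with "apply", turn off the
# auto-update mechanisms described above. The APT functions take the config
# file path as an argument so they can be checked against a copy first.

APT_AUTO_CONF=/etc/apt/apt.conf.d/20auto-upgrades

# Return 0 if the apt.conf fragment in $1 still enables any APT::Periodic job,
# i.e. carries a value other than "0". Comment lines (//) are ignored, and a
# missing file is treated as "nothing enabled".
apt_periodic_enabled() {
  grep -v '^[[:space:]]*//' "$1" 2>/dev/null \
    | sed -n 's/^[[:space:]]*APT::Periodic::[A-Za-z-]*[[:space:]]*"\([^"]*\)".*/\1/p' \
    | grep -qv '^0$'
}

# Overwrite $1 with the four settings recommended above, all set to "0".
apt_periodic_disable() {
  cat > "$1" <<'EOF'
APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "0";
APT::Periodic::Unattended-Upgrade "0";
EOF
}

# Red Hat/CentOS: stop, mask and remove PackageKit (the steps listed above).
# The mask survives a later reinstall of the package, so it is kept even
# though the package is removed right after.
packagekit_disable() {
  systemctl stop packagekit 2>/dev/null || true
  systemctl mask packagekit
  yum -y remove PackageKit
}

# Only act when invoked as "sh disable-autoupdates.sh apply" by root;
# without an argument the script just defines the functions above.
if [ "${1:-}" = "apply" ]; then
  if [ -d /etc/apt ]; then
    if apt_periodic_enabled "$APT_AUTO_CONF"; then
      apt_periodic_disable "$APT_AUTO_CONF"
      echo "APT periodic jobs disabled in $APT_AUTO_CONF"
    else
      echo "APT periodic jobs already disabled"
    fi
  elif command -v yum >/dev/null 2>&1; then
    packagekit_disable
  fi
fi
```

Once every value is "0", the apt-daily and apt-daily-upgrade timers still fire, but /usr/lib/apt/apt.systemd.daily exits without updating lists or installing anything, so they do not need to be masked; systemctl list-timers 'apt-daily*' shows when they would run.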

Firewall

Ensure that Devices are permitted to make outbound connections to the appropriate repositories, such as:

deb.debian.org
*.archive.ubuntu.com
security.ubuntu.com
vault.centos.org
cdn.redhat.com

What method does Automox use to apply Linux patches?

The Automox Agent uses the distribution's native package manager (yum or dnf on Red Hat-derived systems, apt on Debian/Ubuntu, zypper on SLES) to perform the appropriate package actions.

Staging of Patches

For customers that have a narrow maintenance window for patching, or that want to keep patch versions consistent across environments (e.g. dev/test, staging, production), we recommend pre-fetching the patches locally before the scheduled patching window (e.g. the night before). Pre-fetching downloads the packages into the package manager's cache without installing them, so the window is spent installing rather than downloading.

For RHEL/CentOS:

sudo yum update --downloadonly

(yum install --downloadonly fails without a package name; update --downloadonly fetches every pending update into the yum cache without installing it. On RHEL/CentOS 6 this requires the yum-plugin-downloadonly package; on 7 and later it is built into yum.)

For Ubuntu/Debian:

sudo apt-get update
sudo apt-get upgrade --download-only

How does Automox detect which Packages have pending updates for Linux Devices?

Identifying updatable packages reliably across several operating systems is genuinely complex, so how Automox does it is a common question. In short, Automox relies on each operating system's built-in package management tooling to determine which packages are installed and which have updates available.

To identify pending patches on Linux, Automox runs a distribution-specific command on the target device. Because there are often several ways to list updatable packages, and different methods can produce different pending-patch counts, the commands Automox uses for each distribution are listed below.

For Amazon Linux

repoquery --pkgnarrow=updates -a 

For Ubuntu / Debian

aptitude search '~U'

For Fedora

dnf check-update 

For SUSE Linux Enterprise Server (SLES)

zypper list-updates -t package 

For Red Hat Enterprise Linux (RHEL) / CentOS

repoquery --plugins --pkgnarrow=updates -a 
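
A single helper that reads /etc/os-release and runs the right command from the list above, extended with the pre-fetch commands from the Staging of Patches section. This is an added example, not Automox's own code: the pkg_family detection, the Fedora and SUSE pre-fetch lines and the unsupported-distribution handling are this example's additions, and the os-release contents used to test it are constructed.

```sh
#!/bin/sh
# Added example (not Automox code): pick the per-distribution "pending
# updates" command listed above, or the matching pre-fetch command, from
# /etc/os-release.

# Print a family token for the os-release file in $1 (default /etc/os-release):
# debian, amzn, rhel, fedora or suse. ID is checked before ID_LIKE so that
# derivatives (Amazon Linux lists "centos rhel fedora" in ID_LIKE) are not
# mistaken for their parents. Prints "unknown" and returns 1 otherwise.
pkg_family() {
  osr=${1:-/etc/os-release}
  [ -r "$osr" ] || { echo unknown; return 1; }
  id=$(sed -n 's/^ID=//p' "$osr" | tr -d '"')
  like=$(sed -n 's/^ID_LIKE=//p' "$osr" | tr -d '"')
  for tok in $id $like; do
    case $tok in
      debian|ubuntu)       echo debian; return 0 ;;
      amzn)                echo amzn;   return 0 ;;
      rhel|centos)         echo rhel;   return 0 ;;
      fedora)              echo fedora; return 0 ;;
      sles|suse|opensuse*) echo suse;   return 0 ;;
    esac
  done
  echo unknown
  return 1
}

# Run the detection command the article lists for this family. Note that
# "dnf check-update" exits 100 when updates exist, so callers must not treat
# a non-zero status from it as an error.
pending_updates() {
  case $(pkg_family "$@") in
    amzn)   repoquery --pkgnarrow=updates -a ;;
    debian) aptitude search '~U' ;;
    fedora) dnf check-update ;;
    suse)   zypper list-updates -t package ;;
    rhel)   repoquery --plugins --pkgnarrow=updates -a ;;
    *)      echo "unsupported distribution" >&2; return 2 ;;
  esac
}

# Download, but do not install, everything pending (run the night before the
# window). The Fedora and SUSE lines are this example's additions; the article
# only gives the yum and apt-get forms. Older yum exits non-zero after
# downloading ("exiting because --downloadonly specified"); that is expected.
prefetch_updates() {
  case $(pkg_family "$@") in
    debian)    apt-get update && apt-get -y upgrade --download-only ;;
    amzn|rhel) yum -y update --downloadonly ;;
    fedora)    dnf -y upgrade --downloadonly ;;
    suse)      zypper --non-interactive update --download-only ;;
    *)         echo "unsupported distribution" >&2; return 2 ;;
  esac
}

# Usage: sh pending-updates.sh pending | prefetch  (as root)
case ${1:-} in
  pending)  pending_updates ;;
  prefetch) prefetch_updates ;;
esac
```

Two practical caveats: aptitude is not installed by default on Ubuntu, so the Debian branch needs apt-get install aptitude first, and repoquery comes from yum-utils on RHEL/CentOS and Amazon Linux.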


‘Reboot Required’ Device Status:

To determine if a Linux host needs rebooting:

For Red Hat Enterprise Linux (RHEL) / CentOS (needs-restarting is in the yum-utils package; an exit status of 1 means a reboot is required):

sudo needs-restarting -r

For Ubuntu / Debian:

sudo cat /var/run/reboot-required /var/run/reboot-required.pkgs

If /var/run/reboot-required exists, a reboot is required; /var/run/reboot-required.pkgs lists the packages that requested it.


NOTE:

The ‘Enable automatic reboot after updates are installed’ feature in Patch Policies does not currently work for Linux Devices. In the Automox Console, rebooting a Device can only be done via clicking ‘Reboot Device’ in the Device Page or via a Worklet.


Which packages require a reboot after being updated?
Some examples are…

dbus
*-firmware-*
glibc
gnutls
kernel-*
hal
openssl-libs
systemd
udev

Automox understands that reboots come at a cost to system uptime.

However, to ensure a system's overall functionality, stability, and security, we recommend rebooting the Device after patching, especially when any of the packages listed above were updated: until the system restarts, the old code stays in use (the running kernel, and shared libraries already mapped into long-running processes).
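
A portable check that combines the two reboot tests above with the package list, as an added example (not Automox code). The patterns are the article's; kernel and *-firmware are added so that bare package names match as well as yum's name-version-release strings, and the -[0-9]* suffixes let an exact name also match its versioned form. The marker-path argument and the sample package names are for testing only.

```sh
#!/bin/sh
# Added example (not Automox code): answer "does this host need a reboot?"
# the way the article describes, and flag updated packages from the list
# above.

# Return 0 if the package name or name-version-release in $1 is one whose
# update warrants a reboot. Patterns from the article, widened as described
# in the lead-in ("kernel", "*-firmware", and "-[0-9]*" for versioned forms).
pkg_needs_reboot() {
  case $1 in
    dbus|dbus-[0-9]*|glibc|glibc-[0-9]*|gnutls|gnutls-[0-9]*|hal|hal-[0-9]*) return 0 ;;
    openssl-libs|openssl-libs-[0-9]*|systemd|systemd-[0-9]*|udev|udev-[0-9]*) return 0 ;;
    kernel|kernel-*|*-firmware|*-firmware-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if any argument is a reboot-requiring package; print the matches,
# one per line, so the output can feed a ticket or a Worklet.
pkgs_need_reboot() {
  hit=1
  for p in "$@"; do
    if pkg_needs_reboot "$p"; then echo "$p"; hit=0; fi
  done
  return $hit
}

# Debian/Ubuntu: the package manager creates /var/run/reboot-required when a
# reboot is pending; the .pkgs sibling only lists which packages asked for it.
# $1 overrides the marker path (used by the test).
debian_needs_reboot() {
  [ -e "${1:-/var/run/reboot-required}" ]
}

# RHEL/CentOS: needs-restarting (yum-utils) exits 1 when a reboot is needed
# and 0 when it is not; any other outcome (tool missing) is reported as 2.
rhel_needs_reboot() {
  if ! command -v needs-restarting >/dev/null 2>&1; then
    echo "needs-restarting not installed (yum-utils)" >&2
    return 2
  fi
  if needs-restarting -r >/dev/null 2>&1; then
    return 1
  elif [ $? -eq 1 ]; then
    return 0
  fi
  return 2
}

# Pick the check by distribution family (presence of /etc/apt is the assumption).
host_needs_reboot() {
  if [ -d /etc/apt ]; then debian_needs_reboot; else rhel_needs_reboot; fi
}

# Usage: sh reboot-check.sh check        -> "reboot required" / "no reboot required"
#        sh reboot-check.sh pkgs PKG...  -> prints the packages that warrant a reboot
case ${1:-} in
  check) if host_needs_reboot; then echo "reboot required"; else echo "no reboot required"; fi ;;
  pkgs)  shift; pkgs_need_reboot "$@" ;;
esac
```

Feeding the "pkgs" mode with the output of the pending-update command for the distribution (package names only, one per argument) shows before the window whether the run will end in a reboot, which matters because the Patch Policy auto-reboot option does not apply to Linux.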
