Introduction to Linux Patch Management

Patch management is essential for keeping your Linux systems secure and stable
. A patch is a piece of software used to update, fix, or improve a program by addressing
security vulnerabilities, bugs , or performance enhancements.

Types of Patches

1. Security Patches : Protect against vulnerabilities.

2. Bug Fix Patches : Fix known software bugs.

3. Feature Patches : Add new features or enhancements.

4. Kernel Patches : Direct updates to the Linux kernel.

Steps for Linux Patch Management

1. Update Package Repositories

o Ensure repositories are up-to-date by refreshing package indexes.

2. Check for Available Patches

o Use the package manager of your Linux distro to find patches.

3. Install Patches

o Apply patches either manually or via automation tools.

4. Reboot if Necessary

o Kernel updates often require a reboot to take e ect.

5. Verify the Patch

o Ensure the patch is applied correctly using verification commands.

Commands for Patch Management

Red Hat / CentOS / Fedora

1. # Check for available updates

2. yum check-update
3.
4. # Install all available updates
5. yum update
6.
7. # Install only security patches 🔒
8. yum --security update
9.

For newer systems:

1. dnf check-update
2. dnf update
3.

Debian / Ubuntu

1. # Update package list 📋

2. sudo apt update
3.
4. # List available updates 📈
5. sudo apt list --upgradable
6.
7. # Install all available updates 📦
8. sudo apt upgrade
9.
10. # Install only security updates 🔐
11. sudo unattended-upgrade
12.

To apply kernel patches:

1. sudo apt install linux-generic

2. reboot
3.

Applying Patches Manually When patching source code, you may use the patch command:

Original File (example.txt)

1. Hello, World!
2. This is a sample file.
3.

Patch File (example.patch)

1. --- example.txt 2024-09-24 10:00:00.000000000 +0530

2. +++ example.txt 2024-09-24 10:05:00.000000000 +0530
3. @@ -1,2 +1,2 @@
4. Hello, World!
5. -This is a sample file.
6. +This is an updated sample file.
7.

Applying the Patch

Save the patch content to a file named example.patch and run the following command
in your terminal:

1. patch < example.patch

2.

Best Practices for Linux Patching

1. Backup Before Patching : Always back up critical systems before applying

patches.

2. Test Patches in a Staging Environment : Verify patches in a test environment

before applying them to production.

3. Use Automation : Leverage automation tools like Ansible for seamless patch
deployment.

4. Monitor Patch Releases : Stay informed about the latest patches, especially
critical security updates.

5. Reboot When Required : Ensure you reboot when a patch a ects the kernel for
it to take e ect.

Let's dive into real-time examples of Linux Patch Management using commands and
scenarios. I've added emojis to make the process clearer and engaging!

Example 1: Update and Install Security Patches on Ubuntu

You're managing a production server running on Ubuntu. A new security vulnerability

is discovered, and you need to apply security patches urgently.

Scenario: Security patches are released, and you want to update your system to ensure
the server is protected from potential attacks.
Steps:

1. Update the Package List :

1. sudo apt update

2.
This command fetches the latest list of available patches from the package repositories.

2. Install Only Security Updates :

1. sudo unattended-upgrade
2.
This ensures that only security updates are applied, leaving the system running stable with
essential security fixes.

3. Verify the Installed Updates :

1. sudo apt list --upgradable

2.
This command will confirm whether any further updates are available or if the system is
fully patched.

Example 2: Manually Patching a Web Application on CentOS

You have a custom web application running on CentOS, and the development team
releases a patch to fix a security bug in the source code.

Scenario: The development team provides you with a patch file app_fix.patch. You need to
apply this patch to the codebase.

Steps:

1. Transfer the Patch File to the Server :

o You can use scp to copy the patch file to the server.

1. scp app_fix.patch user@centos-server:/path/to/codebase/

2.

2. Navigate to the Code Directory :

1. cd /path/to/codebase/
2.

3. Apply the Patch :

1. patch < app_fix.patch

2.
The patch command reads the changes in the app_fix.patch file and applies them to the
target source files.

4. Verify the Patch : After applying the patch, test the application to confirm the
bug has been resolved and everything works as expected.

Example 3: Automatic Patching on Multiple Servers Using Ansible

You're managing a fleet of 50 Linux servers in a data center. Manually patching each
server is time-consuming, so you decide to use Ansible to automate the process.

Scenario: Schedule automatic patching across all servers once a week. The task is to
ensure all systems receive updates and security patches.

Steps:

1. Create an Ansible Playbook (called patch.yml):

1. ---
2. - hosts: all
3. become: true
4. tasks:
5. - name: Update repositories
6. apt:
7. update_cache: yes
8.
9. - name: Upgrade all packages
10. apt:
11. upgrade: dist
12.

2. Run the Playbook to Patch All Servers :

1. ansible-playbook -i inventory patch.yml

2.
This command applies the patch to all servers listed in your inventory file. The apt module
handles the package updates and upgrades.

3. Schedule the Playbook to Run Automatically :

o Use cron to schedule the patching process every Sunday at 2 AM:

1. crontab -e
2.
Add the following line:

1. 0 2 * * 7 ansible-playbook -i /path/to/inventory /path/to/patch.yml

2.
This sets up automated patching across all your servers, ensuring they're always up-to-
date.

Example 4: Apply Kernel Patches and Reboot (Red Hat/CentOS)

A new kernel vulnerability has been identified, and your Red Hat servers require an
immediate kernel patch to prevent attacks.

Scenario: The patch involves updating the kernel, which will require a system reboot to
take e ect.

Steps:

1. Check for Kernel Updates :

1. yum check-update
2.

2. Install the Kernel Patch :

1. yum update kernel

2.

3. Reboot the Server :

1. reboot
2.

4. Verify the Kernel Update : After the reboot, check the installed kernel version to
ensure the patch was applied:

1. uname -r
2.
This command will display the kernel version currently running on the system.

Example 5: Patching SUSE Linux Enterprise Server (SLES)

You are responsible for maintaining a SUSE Linux Enterprise Server (SLES) used for
critical applications at your company. Regular updates are required to keep it secure.

Scenario: The system needs security patches to be applied while avoiding any
unnecessary updates.

Steps:

1. Refresh the Repositories :

1. zypper refresh
2.

2. Install Only Security Patches :

1. zypper patch --category security

2.
This command will apply only security-related patches without a ecting other parts of the
system.

3. Verify Updates : You can list the installed patches to confirm that they were
applied successfully:

1. zypper patches
2.

Example 6: Backup and Test Before Patching

You are preparing to apply a major patch on a database server , and you want to ensure
minimal downtime and safeguard data integrity.

Scenario: Back up the system and test the patch in a staging environment before
deploying it to production.

Steps:

1. Backup the Database :

1. pg_dumpall > backup.sql

2.
This command creates a full backup of the PostgreSQL database.

2. Test in a Staging Environment :

o Deploy the backup on a test server and apply the patch to confirm everything
works as expected.

3. Apply the Patch in Production : Once verified, proceed with patching the
production server
WhatsApp Group:- https://chat.whatsapp.com/Ii2xKz9vuW93AWt07m4AYj

Telegram:- https://t.me/ExplorewithAshok

LinkedIn: https://www.linkedin.com/in/ashok-sana

Instagram:- https://instagram.com/explorewithashok?igshid=OGQ5ZDc2ODk2ZA==

Linktree:- https://linktr.ee/ashoksana