Keeping Linux servers patched is one of the most effective security measures you can implement. Yet many organizations struggle with it. This guide covers everything you need to know about Linux patch management, from basic concepts to automated workflows.
Why Patching Matters
Unpatched systems are the #1 attack vector in successful breaches. When a CVE is published, attackers immediately begin scanning the internet for vulnerable systems. The window between CVE disclosure and active exploitation is shrinking every year—sometimes measured in hours, not days.
Understanding Linux Package Updates
Linux distributions handle security patches differently:
Debian/Ubuntu (APT)
Debian-based distributions use the APT package manager. Security updates are delivered through dedicated security repositories.
```bash
# Update package lists
sudo apt update
# List available security updates
sudo apt list --upgradable 2>/dev/null | grep -i security
# Apply all available updates
sudo apt upgrade -y
# Dry run: show which security-only updates unattended-upgrades would apply (Ubuntu);
# drop --dry-run to apply them
sudo unattended-upgrades --dry-run
```
RHEL/CentOS/Rocky (DNF/YUM)
```bash
# Check for security updates
sudo dnf check-update --security
# Apply security updates only
sudo dnf update --security -y
# List CVEs fixed by available updates
sudo dnf updateinfo list cves
```
Building a Patch Management Process
Step 1: Inventory Your Systems
You can't patch what you don't know about. Maintain an up-to-date inventory of all servers, their OS versions, and installed packages. Tools like FixTheCVE's agentless scanner can automate this.
Step 2: Monitor for New CVEs
Subscribe to security advisories for your specific distributions and software. Better yet, use automated CVE monitoring that maps vulnerabilities to your actual installed packages.
Step 3: Prioritize by Risk
Not every CVE needs immediate attention. Prioritize based on:
- CVSS Score: Focus on Critical (9.0+) and High (7.0-8.9) first
- EPSS Score: The Exploit Prediction Scoring System estimates the probability of exploitation in the next 30 days
- CISA KEV: If it's on the Known Exploited Vulnerabilities catalog, patch immediately
- Your exposure: Internet-facing services are higher priority than internal-only systems
Step 4: Test Before Deploying
For production systems, always test patches in a staging environment first. Key things to verify:
- Services start correctly after reboot
- Application functionality is unaffected
- No dependency conflicts introduced
- Performance hasn't degraded
Step 5: Deploy and Verify
Apply patches during maintenance windows for production systems. After patching:
```bash
# Verify package was updated
dpkg -l | grep package-name
# Check if reboot is required (Ubuntu/Debian)
cat /var/run/reboot-required 2>/dev/null
# Verify services are running
systemctl status your-service
```
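The three checks above are easy to script so the same verification runs on every host after a maintenance window. The script below is an added example, not part of the original guide: `verify-patch.sh`, `installed_version`, `ver_ge`, `reboot_needed` and `verify_patch` are names chosen here. It compares the installed version against the version the advisory says is fixed (using `dpkg --compare-versions` where available, since it understands epochs and `~`, and GNU `sort -V` as an approximation elsewhere), confirms the service is active, and reports a pending reboot without treating it as a failure. The reboot marker path is a parameter so a staging copy can be checked.

```bash
#!/bin/sh
# verify-patch.sh: post-patch checks for one package (added example, not from the guide).
# Usage: verify-patch.sh <package> <fixed-version> [service]
# Exit 0 only if the installed version is at least <fixed-version> and the service
# (if given) is active; a pending reboot is reported but is not a failure.

# Installed version of a package, whichever package manager the host has.
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' "$1" 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        # rpm prints "(none)" for a missing epoch; strip it so the string compares cleanly
        rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null | sed 's/^(none)://'
    else
        return 1
    fi
}

# True when version $1 is at least $2. dpkg's comparator knows Debian version rules;
# GNU sort -V is the fallback approximation on hosts without dpkg.
ver_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
    fi
}

# Prints yes/no for the Debian reboot marker (default /var/run/reboot-required).
# The path is a parameter so staging checks (and the test) can point it elsewhere.
reboot_needed() {
    marker="${1:-/var/run/reboot-required}"
    if [ -f "$marker" ]; then
        echo yes
        # The companion .pkgs file names the packages that requested the reboot.
        [ -f "$marker.pkgs" ] && sed 's/^/  /' "$marker.pkgs"
    else
        echo no
    fi
    return 0
}

verify_patch() {
    pkg="$1"; fixed="$2"; svc="${3:-}"
    installed="$(installed_version "$pkg")" || { echo "$pkg: not installed"; return 1; }
    if ver_ge "$installed" "$fixed"; then
        echo "$pkg: $installed >= $fixed, fixed version present"
    else
        echo "$pkg: $installed < $fixed, still vulnerable"
        return 1
    fi
    if [ -n "$svc" ]; then
        if systemctl is-active --quiet "$svc"; then
            echo "$svc: active"
        else
            echo "$svc: not active"
            return 1
        fi
    fi
    [ "$(reboot_needed | head -n 1)" = yes ] && echo "reboot required before the fix is effective"
    return 0
}

# Run the checks when invoked with arguments; sourcing the file only defines the functions.
if [ $# -ge 2 ]; then
    verify_patch "$@"
fi
```

Run it as `sh verify-patch.sh openssl 3.0.2-0ubuntu1.15 nginx` (package, fixed version from the advisory, service), and wire its exit status into whatever closes the change ticket. The fixed version is the value you should be checking, because `dpkg -l | grep` only tells you a package exists, not that it is at the patched level.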
Automating Patch Management
Unattended Upgrades (Ubuntu/Debian)
```bash
# Install
sudo apt install unattended-upgrades
# Configure
sudo dpkg-reconfigure unattended-upgrades
# Edit settings
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
```
Key settings to configure:
- Enable security updates only (recommended for production)
- Set automatic reboot time if needed
- Configure email notifications for applied patches
DNF Automatic (RHEL/Rocky/Alma)
```bash
# Install
sudo dnf install dnf-automatic
# Configure
sudo nano /etc/dnf/automatic.conf
# Enable and start
sudo systemctl enable --now dnf-automatic-install.timer
```
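The settings listed above (security-only, scheduled reboot, mail on change) map to concrete keys in the two config files. The script below is an added example, not something shipped by either project: it renders both files with those settings. `DEST_DIR` is an assumption that lets you render into a staging tree and diff it before touching `/etc`; `MAIL_TO` and `REBOOT_TIME` are defaults chosen here. The config keys themselves (`Unattended-Upgrade::Allowed-Origins`, `Automatic-Reboot-Time`, `MailReport`, `APT::Periodic::*`, and dnf-automatic's `upgrade_type`, `apply_updates`, `emit_via`) are the real ones documented by each tool.

```bash
#!/bin/sh
# auto-patch-config.sh: write security-only auto-update config for APT or DNF hosts.
# Added example. DEST_DIR="" writes the real /etc paths (needs root); set it to a
# scratch directory to review the output first. MAIL_TO and REBOOT_TIME are assumptions.
# Usage: auto-patch-config.sh apt|dnf

DEST_DIR="${DEST_DIR:-}"
MAIL_TO="${MAIL_TO:-root}"
REBOOT_TIME="${REBOOT_TIME:-02:00}"

write_apt_config() {
    dir="$DEST_DIR/etc/apt/apt.conf.d"
    mkdir -p "$dir"
    # \$ keeps APT's own ${distro_id}/${distro_codename} macros literal in the output.
    cat > "$dir/50unattended-upgrades" <<EOF
// Only the distro security pocket (plus Ubuntu Pro ESM), never -updates or -proposed.
Unattended-Upgrade::Allowed-Origins {
    "\${distro_id}:\${distro_codename}-security";
    "\${distro_id}ESMApps:\${distro_codename}-apps-security";
    "\${distro_id}ESM:\${distro_codename}-infra-security";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Reboot only when a package sets /var/run/reboot-required, and only at this time.
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "$REBOOT_TIME";
// Mail a report only when something was installed or failed.
Unattended-Upgrade::Mail "$MAIL_TO";
Unattended-Upgrade::MailReport "on-change";
EOF
    # The apt-daily timers read these; without them nothing runs automatically.
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

write_dnf_config() {
    dir="$DEST_DIR/etc/dnf"
    mkdir -p "$dir"
    cat > "$dir/automatic.conf" <<EOF
[commands]
# "security" restricts the run to advisories flagged as security; "default" takes everything.
upgrade_type = security
random_sleep = 300
download_updates = yes
# apply_updates governs dnf-automatic.timer; dnf-automatic-install.timer always applies.
apply_updates = yes

[emitters]
emit_via = stdio,email

[email]
email_from = dnf-automatic@localhost
email_to = $MAIL_TO
email_host = localhost
EOF
}

case "${1:-}" in
    apt) write_apt_config ;;
    dnf) write_dnf_config ;;
    "")  ;;   # no argument: only define the functions (sourced or under test)
    *)   echo "usage: $0 apt|dnf" >&2; exit 2 ;;
esac
```

Review the rendered files with `DEST_DIR=/tmp/stage sh auto-patch-config.sh apt` before installing them, then confirm APT parses the result with `unattended-upgrade --dry-run` (it prints the allowed origins it resolved) and that the RHEL side is picked up with `dnf-automatic /etc/dnf/automatic.conf --timer`.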
Common Pitfalls to Avoid
- Patching without testing: Even security patches can break applications. Always test first.
- Ignoring kernel updates: Kernel CVEs are often the most critical. Use live patching solutions like KernelCare if downtime is a concern.
- Forgetting about third-party software: Packages installed outside your distro's repos (pip, npm, manual installs) won't be covered by system updates.
- No rollback plan: Always have a way to roll back if a patch causes issues. Snapshots, backups, or configuration management tools are essential.
Recommended Patch Cadence
| Severity | Patch Timeline | Notes |
|---|---|---|
| Critical (CVSS 9.0+) | Within 24-72 hours | Especially if actively exploited |
| High (CVSS 7.0-8.9) | Within 1 week | Prioritize internet-facing systems |
| Medium (CVSS 4.0-6.9) | Within 30 days | Include in regular maintenance |
| Low (CVSS 0.1-3.9) | Within 90 days | Bundle with other updates |
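The prioritization rules from Step 3 and the cadence table above combine into a small deterministic triage that you can run over any CVE export. The script below is an added example (not a FixTheCVE tool; `triage.sh`, `patch_deadline` and `triage` are names chosen here). It encodes exactly what the guide states: a CISA KEV entry is patched immediately regardless of score, and the CVSS bands map to the 24-72 hour, 1 week, 30 day and 90 day windows. Two details the guide leaves open are assumptions marked in the code: an EPSS of 0.5 or higher promotes a finding one tier, and internet-facing Criticals get the 24-hour end of the Critical window while internal ones get 72 hours. The sample CSV is constructed and its CVE identifiers are placeholders.

```bash
#!/bin/sh
# triage.sh: rank findings by the guide's prioritization rules (added example;
# not a FixTheCVE tool). Input CSV: cve,cvss,epss,kev(yes|no),exposure(internet|internal).
# Assumptions not stated by the guide: EPSS >= 0.5 promotes one tier; internet-facing
# Criticals get 24 hours, internal ones 72 hours.

# Prints "<tier> <deadline>" for one finding. $1 CVSS, $2 EPSS, $3 kev, $4 exposure.
patch_deadline() {
    awk -v cvss="$1" -v epss="$2" -v kev="$3" -v exposure="$4" 'BEGIN {
        if (kev == "yes") { print "KEV", "immediately"; exit }   # KEV overrides scoring
        tier = (cvss >= 9.0) ? 4 : (cvss >= 7.0) ? 3 : (cvss >= 4.0) ? 2 : 1
        if (epss >= 0.5 && tier < 4) tier++                      # assumption: EPSS bump
        if (tier == 4) {
            d = (exposure == "internet") ? "24 hours" : "72 hours"
            print "Critical", d
        }
        else if (tier == 3) print "High", "1 week"
        else if (tier == 2) print "Medium", "30 days"
        else print "Low", "90 days"
    }'
}

# Reads CSV on stdin, prints "cve tier deadline" with the tightest deadlines first.
triage() {
    while IFS=, read -r cve cvss epss kev exposure; do
        case "$cve" in ''|\#*|cve) continue ;; esac    # skip blanks, comments, header
        verdict="$(patch_deadline "$cvss" "$epss" "$kev" "$exposure")"
        case "$verdict" in
            KEV*)      rank=0 ;;
            Critical*) rank=1 ;;
            High*)     rank=2 ;;
            Medium*)   rank=3 ;;
            *)         rank=4 ;;
        esac
        printf '%s %s %s\n' "$rank" "$cve" "$verdict"
    done | sort -n -k1,1 | cut -d' ' -f2-
}

# Constructed sample; the CVE ids are placeholders, not real advisories.
SAMPLE='cve,cvss,epss,kev,exposure
CVE-0000-0001,9.8,0.02,no,internet
CVE-0000-0002,7.5,0.91,no,internal
CVE-0000-0003,5.3,0.01,yes,internal
CVE-0000-0004,3.1,0.00,no,internal'

case "${1:-}" in
    --demo)  printf '%s\n' "$SAMPLE" | triage ;;   # run on the sample above
    --stdin) triage ;;                              # run on your own export
esac
```

`sh triage.sh --demo` puts the KEV entry first even though its CVSS is only 5.3, and promotes the High finding with a 0.91 EPSS into the Critical window; that is the point of not sorting by CVSS alone. Feed a real export with `--stdin` once the columns match.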
Staying on top of patches doesn't have to be overwhelming. With the right tools and processes, you can dramatically reduce your attack surface. Start monitoring your systems to see exactly which CVEs affect your infrastructure.