    Best practice security updates linux servers?

    • 1
      1337
      last edited by

      What is best practice when it comes to security updates on linux servers?

      How should it be handled?

      A lot of desktop systems are applying updates automatically but they are not mission critical either.

      JaredBuschJ scottalanmillerS 2 Replies Last reply Reply Quote 0
      • JaredBuschJ
        JaredBusch @1337
        last edited by JaredBusch

        @Pete-S said in Best practice security updates linux servers?:

        What is best practice when it comes to security updates on linux servers?

        How should it be handled?

        A lot of desktop systems are applying updates automatically but they are not mission critical either.

        I use yum-cron on RHEL 7/CentOS 7
        I use dnf-automatic on Fedora

        I only have a couple of Debian based servers and I keep being lazy about setting something there.

        This is the package for it on Debian
        https://wiki.debian.org/UnattendedUpgrades

        1 travisdh1T 2 Replies Last reply Reply Quote 2
        • 1
          1337 @JaredBusch
          last edited by

          @JaredBusch said in Best practice security updates linux servers?:

          @Pete-S said in Best practice security updates linux servers?:

          What is best practice when it comes to security updates on linux servers?

          How should it be handled?

          A lot of desktop systems are applying updates automatically but they are not mission critical either.

          I use yum-cron on RHEL 7/CentOS 7
          I use dnf-automatic on Fedora

          I only have a couple of Debian based servers and I keep being lazy about setting something there.

          This is the package for it on Debian
          https://wiki.debian.org/UnattendedUpgrades

          So do you both download and apply them automatically?
          Security updates only or everything?

          JaredBuschJ scottalanmillerS 2 Replies Last reply Reply Quote 0
          • travisdh1T
            travisdh1 @JaredBusch
            last edited by

            @JaredBusch said in Best practice security updates linux servers?:

            @Pete-S said in Best practice security updates linux servers?:

            What is best practice when it comes to security updates on linux servers?

            How should it be handled?

            A lot of desktop systems are applying updates automatically but they are not mission critical either.

            I use yum-cron on RHEL 7/CentOS 7
            I use dnf-automatic on Fedora

            I only have a couple of Debian based servers and I keep being lazy about setting something there.

            This is the package for it on Debian
            https://wiki.debian.org/UnattendedUpgrades

            What @JaredBusch said. My first thing to set up/configure when making a new base image is the automatic update, dnf-automatic, yum-cron, or Unattended-Upgrades as the case may be.

            Since I just did a new Debian and Ubuntu base this past weekend, for those it's
            apt install -y unattended-upgrades && systemctl enable --now unattended-upgrades

            Those all handle security updates, which should always be up to date.

            1 Reply Last reply Reply Quote 2
            • JaredBuschJ
              JaredBusch @1337
              last edited by

              @Pete-S said in Best practice security updates linux servers?:

              @JaredBusch said in Best practice security updates linux servers?:

              @Pete-S said in Best practice security updates linux servers?:

              What is best practice when it comes to security updates on linux servers?

              How should it be handled?

              A lot of desktop systems are applying updates automatically but they are not mission critical either.

              I use yum-cron on RHEL 7/CentOS 7
              I use dnf-automatic on Fedora

              I only have a couple of Debian based servers and I keep being lazy about setting something there.

              This is the package for it on Debian
              https://wiki.debian.org/UnattendedUpgrades

              So do you both download and apply them automatically?
              Security updates only or everything?

              Download and apply, everything

              But this is a low risk IMO as each VM is a single task.

              Not like updating every package ever on a server.

              1 Reply Last reply Reply Quote 4
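Added example, not part of any post in this thread: a shell check that answers the two questions asked above (are updates applied or only downloaded, and security-only or everything) for yum-cron, dnf-automatic and unattended-upgrades. The sample configs are constructed and the function names are made up for this example; a missing `apply_updates` key is reported as "no".

```shell
#!/bin/sh
# Added example: report whether an auto-update config applies updates, and at what scope.

# Last "key = value" for KEY in FILE (INI style, as in yum-cron.conf / automatic.conf).
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#;[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Normalise a boolean-ish value; anything unset or unrecognised is reported as "no".
as_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1|on) echo yes ;;
        *) echo no ;;
    esac
}

# yum-cron uses update_cmd, dnf-automatic uses upgrade_type; both use apply_updates.
audit_rpm() {
    scope=$(ini_get "$1" update_cmd)
    [ -n "$scope" ] || scope=$(ini_get "$1" upgrade_type)
    echo "apply=$(as_bool "$(ini_get "$1" apply_updates)") scope=${scope:-default}"
}

# Debian/Ubuntu: APT::Periodic::Unattended-Upgrade "1"; enables the periodic run.
# Which origins get upgraded is set in 50unattended-upgrades and is not parsed here.
audit_apt() {
    n=$(sed -n 's/^[[:space:]]*APT::Periodic::Unattended-Upgrade[[:space:]]*"\([0-9]*\)".*/\1/p' "$1" | tail -n 1)
    if [ "${n:-0}" -gt 0 ]; then echo "apply=yes"; else echo "apply=no"; fi
}

# Constructed sample configs (not taken from any real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '[commands]\nupdate_cmd = security\ndownload_updates = yes\napply_updates = no\n' > "$tmp/yum-cron.conf"
printf '[commands]\nupgrade_type = default\n# apply_updates = no\napply_updates = yes\n' > "$tmp/automatic.conf"
printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' > "$tmp/20auto-upgrades"

echo "yum-cron:      $(audit_rpm "$tmp/yum-cron.conf")"
echo "dnf-automatic: $(audit_rpm "$tmp/automatic.conf")"
echo "apt:           $(audit_apt "$tmp/20auto-upgrades")"
```

On a real host the files to point these functions at are /etc/yum/yum-cron.conf, /etc/dnf/automatic.conf and /etc/apt/apt.conf.d/20auto-upgrades; the matching service or timer also has to be enabled for any of it to run.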
              • DanpD
                Danp
                last edited by

                Here's a prior discussion on setting up Unattended Upgrades --

                https://www.mangolassi.it/topic/19272/how-to-configure-automatic-updates-on-ubuntu-18-04-lts

                1 Reply Last reply Reply Quote 4
                • scottalanmillerS
                  scottalanmiller @1337
                  last edited by

                  @Pete-S said in Best practice security updates linux servers?:

                  A lot of desktop systems are applying updates automatically but they are not mission critical either.

                  The more mission critical, the more you want automated updates!

                  If you are big enough to have patch testing, then that's great and you should do that (if it makes financial sense.) But you have to be really, really big before it's financially viable as you basically need a full time staff, loads of compute resources, and a team that's doing that constantly and makes decisions lightning quick.

                  1 Reply Last reply Reply Quote 3
                  • scottalanmillerS
                    scottalanmiller @1337
                    last edited by

                    @Pete-S said in Best practice security updates linux servers?:

                    So do you both download and apply them automatically?
                    Security updates only or everything?

                    Security absolutely for sure. But often, everything. I always do security automatically. The other/rest is more situation by situation, but it's rare that I want (or a customer wants) to pay for updates when they could be automatic and faster.

                    1 Reply Last reply Reply Quote 1
                    • scottalanmillerS
                      scottalanmiller
                      last edited by

                      Literally was doing this today for a F100 customer 🙂

                      V 1 Reply Last reply Reply Quote 0
                      • V
                        VoIP_n00b @scottalanmiller
                        last edited by

                        @scottalanmiller Who?

                        scottalanmillerS 1 Reply Last reply Reply Quote -2
                        • scottalanmillerS
                          scottalanmiller @VoIP_n00b
                          last edited by

                          @VoIP_n00b said in Best practice security updates linux servers?:

                          @scottalanmiller Who?

                          Naming customers in public is not something people do in IT. Nor is it considered okay to ask.

                          DashrenderD 1 Reply Last reply Reply Quote 4
                          • M
                            marcinozga
                            last edited by

                            This whole approach of not doing updates on mission critical systems is nonsensical. Admins need to grow a set and set up automatic updates on everything by default. If stuff breaks when you update it, that's on the software vendor, period.

                            DashrenderD 1 Reply Last reply Reply Quote 2
                            • DashrenderD
                              Dashrender @scottalanmiller
                              last edited by

                              @scottalanmiller said in Best practice security updates linux servers?:

                              @VoIP_n00b said in Best practice security updates linux servers?:

                              @scottalanmiller Who?

                              Naming customers in public is not something people do in IT. Nor is it considered okay to ask.

                              I can't remember where you fall on the asking about salary thing?

                              dbeatoD scottalanmillerS 2 Replies Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender @marcinozga
                                last edited by

                                @marcinozga said in Best practice security updates linux servers?:

                                This whole approach of not doing updates on mission critical systems is nonsensical. Admins need to grow a set and set up automatic updates on everything by default. If stuff breaks when you update it, that's on the software vendor, period.

                                LOL - sure of course, we'd love this to be true... it may be on the software vendor, but it's still on you as the one who has to support it for the company.

                                scottalanmillerS 1 Reply Last reply Reply Quote 1
                                • dbeatoD
                                  dbeato @Dashrender
                                  last edited by

                                  @Dashrender I believe @scottalanmiller said that it is okay to share what salary you earn.

                                  1 Reply Last reply Reply Quote 1
                                  • scottalanmillerS
                                    scottalanmiller @Dashrender
                                    last edited by

                                    @Dashrender said in Best practice security updates linux servers?:

                                    @scottalanmiller said in Best practice security updates linux servers?:

                                    @VoIP_n00b said in Best practice security updates linux servers?:

                                    @scottalanmiller Who?

                                    Naming customers in public is not something people do in IT. Nor is it considered okay to ask.

                                    I can't remember where you fall on the asking about salary thing?

                                    Salary is a personal matter. You should always be allowed to disclose details about yourself.

                                    V 1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @Dashrender
                                      last edited by

                                      @Dashrender said in Best practice security updates linux servers?:

                                      @marcinozga said in Best practice security updates linux servers?:

                                      This whole approach of not doing updates on mission critical systems is nonsensical. Admins need to grow a set and set up automatic updates on everything by default. If stuff breaks when you update it, that's on the software vendor, period.

                                      LOL - sure of course, we'd love this to be true... it may be on the software vendor, but it's still on you as the one who has to support it for the company.

                                      Only if you chose it, and if you chose a vendor that doesn't have working software, that's something to ponder.

                                      1 Reply Last reply Reply Quote 0
                                      • V
                                        VoIP_n00b @scottalanmiller
                                        last edited by

                                        @scottalanmiller said in Best practice security updates linux servers?:

                                        Salary is a personal matter. You should always be allowed to disclose details about yourself.

                                        Youtube Video

                                        scottalanmillerS 1 Reply Last reply Reply Quote 2
                                        • scottalanmillerS
                                          scottalanmiller @VoIP_n00b
                                          last edited by

                                          @VoIP_n00b said in Best practice security updates linux servers?:

                                          @scottalanmiller said in Best practice security updates linux servers?:

                                          Salary is a personal matter. You should always be allowed to disclose details about yourself.

                                          Exactly, I've actually seen that before. But it's well known in the industry, too. In high end positions, people discuss their salaries all of the time.

                                          It's not just within a single company. The entire IT industry does this. IT pros are constantly hiding their salaries, or worse, claiming that those that make better salaries than them are lying or anomalies. You see it here on ML a lot. People feel badly that they've negotiated so low and resent people finding out, but people with decent salaries often share, and get attacked for showing what can be earned.

                                          There's so much pressure to shame people into hiding their salaries and IT pros tend to be very susceptible to that kind of pressure that we have an industry earning so much less than it should.

                                          DashrenderD 1 Reply Last reply Reply Quote 0
                                          • DashrenderD
                                            Dashrender @scottalanmiller
                                            last edited by

                                            @scottalanmiller said in Best practice security updates linux servers?:

                                            @VoIP_n00b said in Best practice security updates linux servers?:

                                            @scottalanmiller said in Best practice security updates linux servers?:

                                            Salary is a personal matter. You should always be allowed to disclose details about yourself.

                                            Exactly, I've actually seen that before. But it's well known in the industry, too. In high end positions, people discuss their salaries all of the time.

                                            It's not just within a single company. The entire IT industry does this. IT pros are constantly hiding their salaries, or worse, claiming that those that make better salaries than them are lying or anomalies. You see it here on ML a lot. People feel badly that they've negotiated so low and resent people finding out, but people with decent salaries often share, and get attacked for showing what can be earned.

                                            There's so much pressure to shame people into hiding their salaries and IT pros tend to be very susceptible to that kind of pressure that we have an industry earning so much less than it should.

                                            What industries don't you find this in?

                                            scottalanmillerS 1 Reply Last reply Reply Quote 0