How frequently do you implement security updates on Linux?

Share it

Keeping your Linux environment secure requires regular patching. Finding the right balance between update frequency and operational stability is crucial. Implementing security patching automation strategies can help maintain compliance and safety in even the most tightly regulated environments. Understanding Canonical’s software update release schedules and security patching coverage windows is essential for crafting an effective patching strategy. Recently, I delved into this topic in a live webinar, outlining ways to minimize patching frequency and reduce the window of vulnerability exploitation. Here, I’ll summarize the key takeaways and important considerations for scheduling updates.

Linux Kernel Security Patching

In Ubuntu, there are two kernel types: the General Availability (GA) kernel and the Hardware Enablement (HWE) kernel. These kernels can be packaged as debian packages or snap packages. The GA kernel is the initial version released with each Ubuntu LTS version. Ubuntu LTS releases receive point release updates biannually, with around 5 point releases typically. Ubuntu Server sticks with the GA kernel throughout the Ubuntu Pro coverage period. Ubuntu Desktop upgrades to the HWE kernel from the second point release onwards.

Security coverage for the GA kernel lasts as long as the Ubuntu Pro coverage, while the HWE kernel receives security support for the HWE kernel’s lifespan plus an additional 3 months, allowing for a smooth transition to the next HWE kernel version.

Reboot Requirements for Security Patches

Updating the kernel package necessitates a reboot to load the patched kernel into memory. For snap-installed GA kernels, updates trigger an automatic reboot. With deb-installed GA kernels, a manual reboot is needed to apply security updates. Some other Ubuntu packages like glibc, libc, CPU microcode, and the grub bootloader also require reboots when updated. Services like ssh or web servers must be restarted after security patches, while on-demand software updates do not require reboots.

The Livepatch service applies critical patches to the running kernel in memory but does not upgrade the kernel package itself. Live patches are valid for 13 months on GA kernels and 9 months on HWE kernels. After this period, a kernel upgrade and system reboot are necessary for Livepatch continuation.

Approaches to Security Patching

Canonical offers various tools like Livepatch, Landscape, Snaps, and command line utilities for automated security patching. These tools provide flexibility to enhance security on desktops, servers, and IoT devices. Security patching can follow different approaches based on preferences:

  1. Delay patching to procrastinate major updates.
  2. Implement security patches with predefined regularity.
  3. Minimize vulnerability windows by reducing patch installation time.

Irrespective of the chosen approach, unscheduled maintenance windows may be required for critical updates.

Security Patching Strategies

For those inclined to procrastinate, Livepatch on GA kernels requires upgrades and reboots every 13 months. The HWE kernel necessitates upgrades every 6 months after the initial 13-month period, leading to delayed patching of medium and low-risk vulnerabilities.

Adopting an annual patching cycle for GA kernels is viable, ensuring security coverage within the Livepatch window. With HWE kernels, patching once a year around the fourth point release maintains security postures.

A bi-annual patching schedule in May and September aligns with Canonical’s release timelines, offering consistent security coverage for both kernel types.

Maximizing Security with Timely Patching

Frequent, if not daily, security maintenance windows are advised to minimize the exploit window. Embracing Canonical’s patch releases promptly and integrating security automations can bolster system defenses. Structured phased upgrades and reboots provide a robust security stance for all your systems.

Enabling Automated Security Patching

Discover the best practices for scheduling security patching automations to address key aspects like available tools, patch distribution, application methods, and system maintenance event scheduling. This webinar sheds light on optimizing security patching in Ubuntu environments.

🤞 Don’t miss these tips!

🤞 Don’t miss these tips!

Solverwp- WordPress Theme and Plugin