Linux

A Complete Guide to Easy Linux Patch Management

Patch management involves distributing and applying updates to software, including operating systems, platforms, and applications, to fix vulnerabilities and ensure system security, compliance, and uptime. Mondoo offers solutions to identify missing patches and facilitate their deployment across various systems, enhancing overall security and operational efficiency.

featured image linux patch management

What is patch management?

Patch management is the process of distributing and applying updates to software, such as operating systems (OS), platforms, and applications. It involves identifying out-dated software within your infrastructure, applying patches to that software, and validating the installation of those patches. These patches are often necessary to fix errors in the software, which are often referred to as vulnerabilities or bugs.

Why is patch management important?

Patch management is important for three main reasons:

  • Security: Patch management fixes vulnerabilities in your software (OS, platform, application) that are susceptible to exploitation. It helps your organization to reduce the risk of cyberattacks.
  • Compliance: Organizations are often required by regulators to follow strict guidelines because of the constant increase in cyberattacks. Patch management is a necessary part of complying to certain standards, such as PCI-DSS, HIPAA, SOC2, ISO27001, or BSI.
  • System uptime: Patch management ensures your software is kept up-to-date and running smoothly without errors causing system downtime.

Finding missing patches with Mondoo

As a part of its full-stack security solution, Mondoo identifies what important patches are missing from your systems. For this blog post, I set up some vagrant Linux machines with out-of-date operating systems. I’ll use them to walk through some different ways that Mondoo shows you the patches needed.

config.vm.define "debian9" do |debian9|
   debian9.vm.box = "bento/debian-9"
   debian9.vm.network :private_network, ip: "192.168.56.237"
 end

config.vm.define "ubuntu2004" do |ub2004|
  ub2004.vm.box = "ubuntu/focal64"
  ub2004.vm.box_version = "20211021.0.0"
  ub2004.vm.network :private_network, ip: "192.168.56.251"
 end

config.vm.define "rhel8" do |rhel8|
   rhel8.vm.box = "generic/rhel8"
   rhel8.vm.box_version = "3.6.13"
   rhel8.vm.network :private_network, ip: "192.168.56.242"
 end

Prerequisite: Please create a free account on console.mondoo.com.

Mondoo offers different options for scanning a Linux vagrant system:

Option 1: Install Mondoo Client on the Linux system

Option 2: Use vagrant transporter

Option 3: Use SSH transporter

Option 1: Find missing patches with Mondoo

1. Login to the vagrant Debian 9 system:

atomic111:..vagrant-test-boxen ∅> vagrant ssh debian9
Linux debian-9 4.9.0-17-amd64 #1 SMP Debian 4.9.290-1 (2021-12-12) x86_64

This system is built by the Bento project by Chef Software
More information can be found at https://github.com/chef/bento

The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
vagrant@debian-9:~$ sudo -i
root@debian-9:~#

2. Install Mondoo Client:

A. Log into your account at console.mondoo.com

available integrations

B. Go to the Integrations tab and select Ubuntu/Debian

ubuntu debian

C. Copy the CLI commands provided and paste them in the Debian 9 root shell.

D. After the Mondoo Client installation, type mondoo status to verify that Mondoo Client is registered and working. It should look like this:

root@debian-9:~# mondoo status
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source --config
→ Hostname:     debian-9
→ IP:           10.0.2.15
→ Platform:     debian
→ Release:      9.13
→ Time:         2022-07-01T08:38:09Z
→ Version:      6.4.0 (API Version: 6)
→ API ConnectionConfig: https://us.api.mondoo.com
→ API Status:   SERVING
→ API Time:     2022-07-01T08:38:09Z
→ API Version:  6
→ Space:        //captain.api.mondoo.app/spaces/keen-kowalevski-169528
→ Client:       //agents.api.mondoo.app/spaces/keen-kowalevski-169528/agents/2BKpZTDtSZFz0xOpHxWGMo5afz1
→ Service Account:      //agents.api.mondoo.app/spaces/keen-kowalevski-169528/serviceaccounts/2BKpZTQlGtWgoCHNyhjaPIa5PjG
→ client is registered
→ client authenticated successfully

E. Quickly verify that the following policies are enabled for your space:

  • Platform End-of-Life Policy by Mondoo
  • Platform Vulnerability Policy by Mondoo

Your Policy Hub should look like this:

policy hub

To scan the vagrant debian 9 system, just type mondoo scan local. Mondoo Client connects to the Mondoo backend and downloads the enabled policies. After the scan, Mondoo Client reports results back to the Mondoo backend:

Mondoo scan results

Now you can see the outdated packages on the machine and which package version you must install to fix the specific vulnerability. You can view results in the Mondoo Dashboard:

debian9

In the system overview, the Mondoo Dashboard highlights that the Debian 9 operating system is end-of-life. By default there is also a Linux Security Baseline enabled. Select Platform Vulnerabilities to see the vulnerable packages. Mondoo shows:

  • Outdated packages
  • CVEs that belong to the package
  • Which package version you must install to fix the vulnerability
  • How critical the vulnerability is
  • An overview of the advisories and CVEs
debian 9 policies

Find and fix the security risks that pose the biggest threat to your business.

Option 2: Scan a Linux vagrant machine via vagrant transporter

Install and register Mondoo Client on your host system running the vagrant Debian 9 system and then run the following command:

root@debian-9:~# mondoo scan local
→ Mondoo 6.4.0 (Space: "//captain.api.mondoo.app/spaces/keen-kowalevski-169528", Service Account: "2BKpZTQlGtWgoCHNyhjaPIa5PjG", Managed Client: "2BKpZTDtSZFz0xOpHxWGMo5afz1")
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source --config
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
→ establish connection to asset debian-9 (baremetal)

███████████████████████████████████████████████████████████████████████████ 100% debian-9

→ send all results asset=debian-9

Data queries:
"9.13"
mondoo.jobEnvironment: {
 id: "client.mondoo.com"
 name: "Mondoo Client"
}
platform.arch: "x86_64"
platform.eol.date: 2020-07-06 00:00:00 +0000 UTC
os.uptime: 2 hours 20 minutes 3 seconds
platform.title: "Debian GNU/Linux"
kernel.installed: [
 0: {
   name: "4.9.0-17-amd64"
   running: true
   version: "4.9.290-1"
 }
 1: {
   name: "amd64"
   running: false
   version: "4.9+80+deb9u15"
... 2 more lines ...
platform.release: "9.13"
packages.list.length: 403
os.hostname: "debian-9"
platform.vulnerabilityReport: {
 advisories: [
   0: {
     ID: "DLA-3008-1"
     Mrn: "//vadvisor.api.mondoo.app/advisories/DLA-3008-1"
     affected: [
       0: {
         affected: true
         arch: "amd64"
         available: "1.1.0l-1~deb9u6"
... 7466 more lines ...

Controls:
✓ Pass:  Ensure rsyslog is installed
✕ Fail:  Ensure SSH LogLevel is appropriate
✕ Fail:  Ensure auditd is installed
✕ Fail:  Ensure session initiation information is collected
✕ Fail:  Ensure the platform is not End-of-Life
✓ Pass:  Ensure HTTP Proxy server is stopped and not enabled
✕ Fail:  Ensure IPv6 router advertisements are not accepted
✓ Pass:  Ensure core dumps are restricted
✓ Pass:  Ensure Avahi server is stopped and not enabled
✓ Pass:  Ensure rsh server is stopped and not enabled
✕ Fail:  Ensure discretionary access control permission modification events are collected
✓ Pass:  Ensure talk server is stopped and not enabled
✓ Pass:  Ensure X Window System is not installed
✕ Fail:  Ensure Reverse Path Filtering is enabled
✕ Fail:  Ensure system administrator actions (sudolog) are collected
✓ Pass:  Ensure permissions on /etc/gshadow are configured
✓ Pass:  Ensure telnet server is stopped and not enabled
✕ Fail:  Ensure kernel module loading and unloading is collected
✕ Fail:  Ensure SSH PermitEmptyPasswords is disabled
✓ Pass:  Ensure permissions on SSH private host key files are configured
✓ Pass:  Ensure permissions on SSH public host key files are configured
✓ Pass:  Ensure permissions on /etc/passwd are configured
✕ Fail:  Ensure events that modify the system's network environment are collected
✕ Fail:  Platform is not end-of-life
✕ Fail:  Ensure ICMP redirects are not accepted
✕ Fail:  Ensure changes to system administration scope (sudoers) is collected
✕ Fail:  Ensure SSH X11 forwarding is disabled
✕ Fail:  Ensure journald is configured to compress large log files
✓ Pass:  Ensure address space layout randomization (ASLR) is enabled
✓ Pass:  Ensure permissions on /etc/group- are configured
✓ Pass:  Ensure SNMP server is stopped and not enabled
✓ Pass:  Ensure HTTP server is stopped and not enabled
✓ Pass:  Ensure tftp server is stopped and not enabled
✕ Fail:  Ensure AIDE is installed
✓ Pass:  Ensure mail transfer agent is configured for local-only mode
✕ Fail:  Ensure login and logout events are collected
✓ Pass:  Ensure permissions on /etc/group are configured
✕ Fail:  Ensure only strong MAC algorithms are used
✕ Fail:  Ensure only strong ciphers are used
✓ Pass:  Ensure LDAP server is stopped and not enabled
✕ Fail:  Ensure journald is configured to send logs to rsyslog
✕ Fail:  Ensure SSH IgnoreRhosts is enabled
✓ Pass:  Ensure permissions on /etc/shadow are configured
✓ Pass:  Ensure rsyslog Service is enabled
✕ Fail:  Ensure SSH HostbasedAuthentication is disabled
✕ Fail:  Ensure SSH root login is disabled
✕ Fail:  Ensure auditing for processes that start prior to audit is enabled
✓ Pass:  Ensure CUPS is not enabled
✕ Fail:  Ensure secure ICMP redirects are not accepted
! Error: Ensure SSH LoginGraceTime is set to one minute or less
! Error: Ensure system is disabled when audit logs are full
✕ Fail:  Ensure journald is configured to write logfiles to persistent disk
✕ Fail:  Ensure no known platform advisories exist
✓ Pass:  Ensure DHCP server is stopped and not enabled
✕ Fail:  Ensure file deletion events by users are collected
✓ Pass:  Ensure permissions on /etc/passwd- are configured
✓ Pass:  Ensure DNS server is stopped and not enabled
✓ Pass:  Ensure broadcast ICMP requests are ignored
✕ Fail:  Ensure packet redirect sending is disabled
✓ Pass:  Ensure rsyslog default file permissions configured
✕ Fail:  Ensure unsuccessful unauthorized file access attempts are collected
✓ Pass:  Ensure IMAP and POP3 server is stopped and not enabled
✕ Fail:  Ensure permissions on all logfiles are configured
✕ Fail:  Ensure events that modify the system's Mandatory Access Controls are collected
✓ Pass:  Ensure bogus ICMP responses are ignored
✓ Pass:  Ensure TCP SYN Cookies is enabled
✕ Fail:  Ensure the audit configuration is immutable
! Error: Ensure SSH MaxAuthTries is set to 4 or less
✓ Pass:  Ensure FTP server is stopped and not enabled
✕ Fail:  Ensure that strong Key Exchange algorithms are used
✕ Fail:  Ensure SSH access is limited
✓ Pass:  Ensure rsync service is not enabled
✕ Fail:  Ensure filesystem integrity is regularly checked
✕ Fail:  Ensure SSH Protocol is set to 2
✕ Fail:  Ensure suspicious packets are logged
✕ Fail:  Ensure events that modify date and time information are collected
✕ Fail:  Ensure NFS and RPC are not enabled
✓ Pass:  Ensure NIS server is stopped and not enabled
✕ Fail:  Ensure SSH PermitUserEnvironment is disabled
✕ Fail:  Ensure events that modify user/group information are collected
✕ Fail:  Ensure successful file system mounts are collected
✕ Fail:  Ensure SSH warning banner is configured
✕ Fail:  Ensure permissions on /etc/ssh/sshd_config are configured
✓ Pass:  Ensure prelink is disabled
✓ Pass:  Ensure IP forwarding is disabled
✕ Fail:  Ensure no known platform CVEs exist
! Error: Ensure SSH Idle Timeout Interval is configured
! Error: Ensure audit logs are not automatically deleted
✕ Fail:  Ensure source routed packets are not accepted
✓ Pass:  Ensure Samba is not enabled
! Error: Ensure audit log storage size is configured
✓ Pass:  Ensure permissions on /etc/shadow- are configured
✓ Pass:  Ensure permissions on /etc/gshadow- are configured
✕ Fail:  Ensure auditd service is enabled
Vulnerabilities:
 ■  SCORE  PACKAGE                     INSTALLED                          FIXED                              AVAILABLE                
          
0      tzdata                      2021a-0+deb9u2                     2021a-0+deb9u4                     2021a-0+deb9u4           
          
0      debian-archive-keyring      2017.5+deb9u1                      2017.5+deb9u2                      2017.5+deb9u2            
          
4.6    udev                        232-25+deb9u13                     232-25+deb9u14                     232-25+deb9u14           
          
4.6    systemd-sysv                232-25+deb9u13                     232-25+deb9u14                     232-25+deb9u14           
          
4.6    systemd                     232-25+deb9u13                     232-25+deb9u14                     232-25+deb9u14           
          
4.6    libudev1                    232-25+deb9u13                     232-25+deb9u14                     232-25+deb9u14           
          
4.6    libsystemd0                 232-25+deb9u13                     232-25+deb9u14                     232-25+deb9u14           
          
4.6    libpam-systemd              232-25+deb9u13                     232-25+deb9u14                     232-25+deb9u14           
          
4.6    libavahi-common3            0.6.32-2                           0.6.32-2+deb9u1                    0.6.32-2+deb9u1          
          
4.6    libavahi-common-data        0.6.32-2                           0.6.32-2+deb9u1                    0.6.32-2+deb9u1          
          
4.6    libavahi-client3            0.6.32-2                           0.6.32-2+deb9u1                    0.6.32-2+deb9u1          
          
4.6    avahi-autoipd               0.6.32-2                           0.6.32-2+deb9u1                    0.6.32-2+deb9u1          
          
5      zlib1g                      1:1.2.8.dfsg-5                     1:1.2.8.dfsg-5+deb9u1              1:1.2.8.dfsg-5+deb9u1    
          
5      libssl1.0.2                 1.0.2u-1~deb9u6                    1.0.2u-1~deb9u7                    1.0.2u-1~deb9u7          
          
5      liblwres141                 1:9.10.3.dfsg.P4-12.3+deb9u10      1:9.10.3.dfsg.P4-12.3+deb9u12      1:9.10.3.dfsg.P4-12.3+deb
9u12       
5      libisccfg140                1:9.10.3.dfsg.P4-12.3+deb9u10      1:9.10.3.dfsg.P4-12.3+deb9u12      1:9.10.3.dfsg.P4-12.3+deb
9u12       
5      libisccc140                 1:9.10.3.dfsg.P4-12.3+deb9u10      1:9.10.3.dfsg.P4-12.3+deb9u12      1:9.10.3.dfsg.P4-12.3+deb
9u12       
5      libisc160                   1:9.10.3.dfsg.P4-12.3+deb9u10      1:9.10.3.dfsg.P4-12.3+deb9u12      1:9.10.3.dfsg.P4-12.3+deb
9u12       
5      libisc-export160            1:9.10.3.dfsg.P4-12.3+deb9u10      1:9.10.3.dfsg.P4-12.3+deb9u12      1:9.10.3.dfsg.P4-12.3+deb
9u12       
5      libglib2.0-data             2.50.3-2+deb9u2                    2.50.3-2+deb9u3                    2.50.3-2+deb9u3          
          
5      libglib2.0-0                2.50.3-2+deb9u2                    2.50.3-2+deb9u3                    2.50.3-2+deb9u3          
          
5      libdns162                   1:9.10.3.dfsg.P4-12.3+deb9u10      1:9.10.3.dfsg.P4-12.3+deb9u12      1:9.10.3.dfsg.P4-12.3+deb
9u12       
5      libdns-export162            1:9.10.3.dfsg.P4-12.3+deb9u10      1:9.10.3.dfsg.P4-12.3+deb9u12      1:9.10.3.dfsg.P4-12.3+deb
9u12       
5      libbind9-140                1:9.10.3.dfsg.P4-12.3+deb9u10      1:9.10.3.dfsg.P4-12.3+deb9u12      1:9.10.3.dfsg.P4-12.3+deb
9u12       
5      host                        1:9.10.3.dfsg.P4-12.3+deb9u10      1:9.10.3.dfsg.P4-12.3+deb9u12      1:9.10.3.dfsg.P4-12.3+deb
9u12       
5      dnsutils                    1:9.10.3.dfsg.P4-12.3+deb9u10      1:9.10.3.dfsg.P4-12.3+deb9u12      1:9.10.3.dfsg.P4-12.3+deb
9u12       
5      bind9-host                  1:9.10.3.dfsg.P4-12.3+deb9u10      1:9.10.3.dfsg.P4-12.3+deb9u12      1:9.10.3.dfsg.P4-12.3+deb
9u12       
6.5    libsasl2-modules-db         2.1.27~101-g0780600+dfsg-3+deb9u1  2.1.27~101-g0780600+dfsg-3+deb9u2  2.1.27~101-g0780600+dfsg-
3+deb9u2   
6.5    libsasl2-modules            2.1.27~101-g0780600+dfsg-3+deb9u1  2.1.27~101-g0780600+dfsg-3+deb9u2  2.1.27~101-g0780600+dfsg-
3+deb9u2   
6.5    libsasl2-2                  2.1.27~101-g0780600+dfsg-3+deb9u1  2.1.27~101-g0780600+dfsg-3+deb9u2  2.1.27~101-g0780600+dfsg-
3+deb9u2   
7      libfribidi0                 0.19.7-1+deb9u1                    0.19.7-1+deb9u2                    0.19.7-1+deb9u2          
          
7.1    xz-utils                    5.2.2-1.2+b1                       5.2.2-1.2+deb9u1                   5.2.2-1.2+deb9u1         
          
7.1    liblzma5                    5.2.2-1.2+b1                       5.2.2-1.2+deb9u1                   5.2.2-1.2+deb9u1         
          
7.1    gzip                        1.6-5+b1                           1.6-5+deb9u1                       1.6-5+deb9u1             
          
7.2    libcups2                    2.2.1-8+deb9u7                     2.2.1-8+deb9u8                     2.2.1-8+deb9u8           
          
7.2    cifs-utils                  2:6.7-1                            2:6.7-1+deb9u1                     2:6.7-1+deb9u1           
          
7.5    rsyslog                     8.24.0-1+deb9u1                    8.24.0-1+deb9u2                    8.24.0-1+deb9u3          
          
7.5    python2.7-minimal           2.7.13-2+deb9u5                    2.7.13-2+deb9u6                    2.7.13-2+deb9u6          
          
7.5    python2.7                   2.7.13-2+deb9u5                    2.7.13-2+deb9u6                    2.7.13-2+deb9u6          
          
7.5    libpython2.7-stdlib         2.7.13-2+deb9u5                    2.7.13-2+deb9u6                    2.7.13-2+deb9u6          
          
7.5    libpython2.7-minimal        2.7.13-2+deb9u5                    2.7.13-2+deb9u6                    2.7.13-2+deb9u6          
          
7.5    libpython2.7                2.7.13-2+deb9u5                    2.7.13-2+deb9u6                    2.7.13-2+deb9u6          
          
7.5    libldap-common              2.4.44+dfsg-5+deb9u8               2.4.44+dfsg-5+deb9u9               2.4.44+dfsg-5+deb9u9     
          
7.5    libldap-2.4-2               2.4.44+dfsg-5+deb9u8               2.4.44+dfsg-5+deb9u9               2.4.44+dfsg-5+deb9u9     
          
7.5    libexpat1                   2.2.0-2+deb9u3                     2.2.0-2+deb9u5                     2.2.0-2+deb9u5           
          
7.5    libdpkg-perl                1.18.25                            1.18.26                            1.18.26                  
          
7.5    dpkg                        1.18.25                            1.18.26                            1.18.26                  
          
8.8    libxml2                     2.9.4+dfsg1-2.2+deb9u5             2.9.4+dfsg1-2.2+deb9u7             2.9.4+dfsg1-2.2+deb9u7   
          
9      linux-image-4.9.0-17-amd64  4.9.290-1                          4.9.320-2                                                   
          
9.3    xxd                         2:8.0.0197-4+deb9u3                2:8.0.0197-4+deb9u7                2:8.0.0197-4+deb9u7      
          
9.3    vim-tiny                    2:8.0.0197-4+deb9u3                2:8.0.0197-4+deb9u7                2:8.0.0197-4+deb9u7      
          
9.3    vim-common                  2:8.0.0197-4+deb9u3                2:8.0.0197-4+deb9u7                2:8.0.0197-4+deb9u7      
          
9.8    libgc1c2                    1:7.4.2-8                          1:7.4.2-8+deb9u1                   1:7.4.2-8+deb9u1         
          
10     openssl                     1.1.0l-1~deb9u4                    1.1.0l-1~deb9u6                    1.1.0l-1~deb9u6          
          
10     libssl1.1                   1.1.0l-1~deb9u4                    1.1.0l-1~deb9u6                    1.1.0l-1~deb9u6          
          

Overall CVSS score: 10.0
                                                                                                         
                                                                                                                                
Summary                                                                                                                                 
========================                                                                                                                
                                                                                                                                       
Target:     debian-9                                                                                                                    
Score:      D    15/100     (100% completed)                                                                                            
✓ Passed:   ██████ 41% (39)                                                                                                             
✕ Failed:   ████████ 52% (49)                                                                                                           
! Errors:   █ 6% (6)                                                                                                                    
» Skipped:  0% (0)                                                                                                                      
                                                                                                                                       
Policies:
F   0  Platform End-of-Life Policy by Mondoo
F   0  Platform Vulnerability Policy by Mondoo                                                                                          
.  ..  Platform Overview Information by Mondoo                                                                                          
C  46  Linux Security Baseline by Mondoo
                                                                                                                                       
Report URL: https://console.mondoo.com/space/fleet/2BKtQFRnpaTBMJGKomPvtRN4vSS?spaceId=keen-kowalevski-169528

Scan other operating systems

You can also scan the Red Hat 8 and Ubuntu 20.04 systems I set up for this blog post. Use the installed Mondoo Client, ssh transporter, or vagrant transporter:

Scan via vagrant transporter:

mondoo scan vagrant rhel8

mondoo scan vagrant ubuntu2004

Scan via ssh transporter:

mondoo scan ssh vagrant@192.168.56.242 -p 'vagrant' --sudo --insecure -i .vagrant/machines/rhel8/virtualbox/private_key

mondoo scan ssh vagrant@192.168.56.251 -p 'vagrant' --sudo --insecure -i .vagrant/machines/ubuntu2004/virtualbox/private_key


fleet

Don’t stop at scanning the machines I set up for this exercise! You can follow the same steps to scan your own infrastructure.

Mondoo’s full-stack security solution identifies vulnerabilities and provides steps to fix the problems. Keep scanning! If you have questions, we’d love to help you on Slack.

Patrick Münch

Chief Information Security Officer (CISO) at Mondoo, Patrick is highly skilled at protecting and hacking every system he gets his hands on. He built a successful penetration testing and incident response team at SVA GmbH, their goal to increase the security level of companies and limit the impact of ransomware attacks. Now, as part of the Mondoo team, Patrick can help protect far more organizations from cybersecurity threats.

You might also like

Releases
Mondoo September 2024 Release Highlights
Releases
Mondoo August 2024 Release Highlights
Releases
Mondoo July 2024 Release Highlights