How patch baseline rules work on Linux-based systems - AWS Systems Manager

How patch baseline rules work on Linux-based systems

The rules in a patch baseline for Linux distributions operate differently based on the distribution type. Unlike patch updates on Windows Server managed nodes, rules are evaluated on each node to take the configured repos on the instance into consideration. Patch Manager, a capability of AWS Systems Manager, uses the native package manager to drive the installation of patches approved by the patch baseline.

For Linux-based operating system types that report a severity level for patches, Patch Manager uses the severity level reported by the software publisher for the update notice or individual patch. Patch Manager doesn't derive severity levels from third-party sources, such as the Common Vulnerability Scoring System (CVSS), or from metrics released by the National Vulnerability Database (NVD).

How patch baseline rules work on Amazon Linux and Amazon Linux 2

On Amazon Linux and Amazon Linux 2, the patch selection process is as follows:

  1. On the managed node, the YUM library accesses the updateinfo.xml file for each configured repo.

    Note

    If no updateinfo.xml file is found, whether patches are installed depend on settings for Approved patches include non-security updates and Auto-approval. For example, if non-security updates are permitted, they're installed when the auto-approval time arrives.

  2. Each update notice in updateinfo.xml includes several attributes that denote the properties of the packages in the notice, as described in the following table.

    Update notice attributes
    Attribute Description
    type

    Corresponds to the value of the Classification key attribute in the patch baseline's PatchFilter data type. Denotes the type of package included in the update notice.

    You can view the list of supported values by using the AWS CLI command describe-patch-properties or the API operation DescribePatchProperties. You can also view the list in the Approval rules area of the Create patch baseline page or Edit patch baseline page in the Systems Manager console.

    severity

    Corresponds to the value of the Severity key attribute in the patch baseline's PatchFilter data type. Denotes the severity of the packages included in the update notice. Usually only applicable for Security update notices.

    You can view the list of supported values by using the AWS CLI command describe-patch-properties or the API operation DescribePatchProperties. You can also view the list in the Approval rules area of the Create patch baseline page or Edit patch baseline page in the Systems Manager console.

    update_id

    Denotes the advisory ID, such as ALAS-2017-867. The advisory ID can be used in the ApprovedPatches or RejectedPatches attribute in the patch baseline.

    references

    Contains additional information about the update notice, such as a CVE ID (format: CVE-2017-1234567). The CVE ID can be used in the ApprovedPatches or RejectedPatches attribute in the patch baseline.

    updated

    Corresponds to ApproveAfterDays in the patch baseline. Denotes the released date (updated date) of the packages included in the update notice. A comparison between the current timestamp and the value of this attribute plus the ApproveAfterDays is used to determine if the patch is approved for deployment.

    Note

    For information about accepted formats for lists of approved patches and rejected patches, see About package name formats for approved and rejected patch lists.

  3. The product of the managed node is determined by SSM Agent. This attribute corresponds to the value of the Product key attribute in the patch baseline's PatchFilter data type.

  4. Packages are selected for the update according to the following guidelines.

    Security option Patch selection

    Pre-defined default patch baselines provided by AWS and custom patch baselines where the Approved patches include non-security updates is not selected

    For each update notice in updateinfo.xml, the patch baseline is used as a filter, allowing only the qualified packages to be included in the update. If multiple packages are applicable after applying the patch baseline definition, the latest version is used.

    The equivalent yum command for this workflow is:

    sudo yum update-minimal --sec-severity=Critical,Important --bugfix -y

    Custom patch baselines where the Approved patches include non-security updates check box is selected

    In addition to applying the security updates that were selected from updateinfo.xml, Patch Manager applies nonsecurity updates that otherwise meet the patch filtering rules.

    The equivalent yum command for this workflow is:

    sudo yum update --security --bugfix -y

For information about patch compliance status values, see Understanding patch compliance state values.

How patch baseline rules work on CentOS

On CentOS, the patch selection process is as follows:

  1. On the managed node, the YUM library (on CentOS 6.x and 7.x versions) or the DNF library (on CentOS 8.x) accesses the updateinfo.xml file for each configured repo.

    Note

    If there is no updateinfo.xml found, whether patches are installed depend on settings for Approved patches include non-security updates and Auto-approval. For example, if non-security updates are permitted, they're installed when the auto-approval time arrives.

  2. Each update notice in updateinfo.xml includes several attributes that denote the properties of the packages in the notice, as described in the following table.

    Update notice attributes
    Attribute Description
    type

    Corresponds to the value of the Classification key attribute in the patch baseline's PatchFilter data type. Denotes the type of package included in the update notice.

    You can view the list of supported values by using the AWS CLI command describe-patch-properties or the API operation DescribePatchProperties. You can also view the list in the Approval rules area of the Create patch baseline page or Edit patch baseline page in the Systems Manager console.

    severity

    Corresponds to the value of the Severity key attribute in the patch baseline's PatchFilter data type. Denotes the severity of the packages included in the update notice. Usually only applicable for Security update notices.

    You can view the list of supported values by using the AWS CLI command describe-patch-properties or the API operation DescribePatchProperties. You can also view the list in the Approval rules area of the Create patch baseline page or Edit patch baseline page in the Systems Manager console.

    update_id

    Denotes the advisory ID, such as CVE-2019-17055. The advisory ID can be used in the ApprovedPatches or RejectedPatches attribute in the patch baseline.

    references

    Contains additional information about the update notice, such as a CVE ID (format: CVE-2019-17055) or a Bugzilla ID (format: 1463241). The CVE ID and Bugzilla ID can be used in the ApprovedPatches or RejectedPatches attribute in the patch baseline.

    updated

    Corresponds to ApproveAfterDays in the patch baseline. Denotes the released date (updated date) of the packages included in the update notice. A comparison between the current timestamp and the value of this attribute plus the ApproveAfterDays is used to determine if the patch is approved for deployment.

    Note

    For information about accepted formats for lists of approved patches and rejected patches, see About package name formats for approved and rejected patch lists.

  3. The product of the managed node is determined by SSM Agent. This attribute corresponds to the value of the Product key attribute in the patch baseline's PatchFilter data type.

  4. Packages are selected for the update according to the following guidelines.

    Security option Patch selection

    Pre-defined default patch baselines provided by AWS and custom patch baselines where the Approved patches include non-security updates is not selected

    For each update notice in updateinfo.xml, the patch baseline is used as a filter, allowing only the qualified packages to be included in the update. If multiple packages are applicable after applying the patch baseline definition, the latest version is used.

    For CentOS 6 and 7, the equivalent yum command for this workflow is:

    sudo yum update-minimal --sec-severity=Critical,Important --bugfix -y

    For CentOS 8, the equivalent dnf commands for this workflow are:

    sudo dnf update-minimal --sec-severity=Critical --bugfix -y \ sudo dnf update-minimal --sec-severity=Important --bugfix -y

    Custom patch baselines where the Approved patches include non-security updates check box is selected

    In addition to applying the security updates that were selected from updateinfo.xml, Patch Manager applies nonsecurity updates that otherwise meet the patch filtering rules.

    For CentOS 6 and 7, the equivalent yum command for this workflow is:

    sudo yum update --security --bugfix -y

    For CentOS 8, the equivalent dnf command for this workflow is:

    sudo dnf update --security --bugfix -y

For information about patch compliance status values, see Understanding patch compliance state values.

How patch baseline rules work on Debian Server and Raspberry Pi OS

On Debian Server and Raspberry Pi OS (formerly Raspbian), the patch baseline service offers filtering on the Priority and Section fields. These fields are typically present for all Debian Server and Raspberry Pi OS packages. To determine whether a patch is selected by the patch baseline, Patch Manager does the following:

  1. On Debian Server and Raspberry Pi OS systems, the equivalent of sudo apt-get update is run to refresh the list of available packages. Repos aren't configured and the data is pulled from repos configured in a sources list.

  2. If an update is available for python3-apt (a Python library interface to libapt), it is upgraded to the latest version. (This nonsecurity package is upgraded even if you did not select the Include nonsecurity updates option.)

    Important

    On Debian Server 8 only: Because Debian Server 8.* operating systems refer to an obsolete package repository (jessie-backports), Patch Manager performs the following additional steps to ensure that patching operations succeed:

    1. On your managed node, the reference to the jessie-backports repository is commented out from the source location list (/etc/apt/sources.list.d/jessie-backports). As a result, no attempt is made to download patches from that location.

    2. A Stretch security update signing key is imported. This key provides the necessary permissions for the update and install operations on Debian Server 8.* distributions.

    3. The apt-get operation is run at this point to ensure that the latest version of python3-apt is installed before the patching process begins.

    4. After the installation process is complete, the reference to the jessie-backports repository is restored and the signing key is removed from the apt sources keyring. This is done to leave the system configuration as it was before the patching operation.

  3. Next, the GlobalFilters, ApprovalRules, ApprovedPatches and RejectedPatches lists are applied.

    Note

    Because it isn't possible to reliably determine the release dates of update packages for Debian Server, the auto-approval options aren't supported for this operating system.

    Approval rules, however, are also subject to whether the Include nonsecurity updates check box was selected when creating or last updating a patch baseline.

    If nonsecurity updates are excluded, an implicit rule is applied in order to select only packages with upgrades in security repos. For each package, the candidate version of the package (which is typically the latest version) must be part of a security repo. In this case, for Debian Server, patch candidate versions are limited to patches included in the following repos:

    These repos are named as follows:

    • Debian Server 8: debian-security jessie

    • Debian Server and Raspberry Pi OS 9: debian-security stretch

    • Debian Server and Raspberry Pi OS 10: debian-security buster

    If nonsecurity updates are included, patches from other repositories are considered as well.

    Note

    For information about accepted formats for lists of approved patches and rejected patches, see About package name formats for approved and rejected patch lists.

To view the contents of the Priority and Section fields, run the following aptitude command:

Note

You might need to first install Aptitude on Debian Server systems.

aptitude search -F '%p %P %s %t %V#' '~U'

In the response to this command, all upgradable packages are reported in this format:

name, priority, section, archive, candidate version

For information about patch compliance status values, see Understanding patch compliance state values.

How patch baseline rules work on macOS

On macOS, the patch selection process is as follows:

  1. On the managed node, Patch Manager accesses the parsed contents of the InstallHistory.plist file and identifies package names and versions.

    For details about the parsing process, see the macOS tab in How patches are installed.

  2. The product of the managed node is determined by SSM Agent. This attribute corresponds to the value of the Product key attribute in the patch baseline's PatchFilter data type.

  3. Packages are selected for the update according to the following guidelines.

    Security option Patch selection

    Pre-defined default patch baselines provided by AWS and custom patch baselines where the Approved patches include non-security updates is not selected

    For each available package update, the patch baseline is used as a filter, allowing only the qualified packages to be included in the update. If multiple packages are applicable after applying the patch baseline definition, the latest version is used.

    Custom patch baselines where the Approved patches include non-security updates is selected

    In addition to applying the security updates that were identified by using InstallHistory.plist , Patch Manager applies nonsecurity updates that otherwise meet the patch filtering rules.

For information about patch compliance status values, see Understanding patch compliance state values.

How patch baseline rules work on Oracle Linux

On Oracle Linux, the patch selection process is as follows:

  1. On the managed node, the YUM library accesses the updateinfo.xml file for each configured repo.

    Note

    The updateinfo.xml file might not be available if the repo isn't one managed by Oracle. If there is no updateinfo.xml found, whether patches are installed depend on settings for Approved patches include non-security updates and Auto-approval. For example, if non-security updates are permitted, they're installed when the auto-approval time arrives.

  2. Each update notice in updateinfo.xml includes several attributes that denote the properties of the packages in the notice, as described in the following table.

    Update notice attributes
    Attribute Description
    type

    Corresponds to the value of the Classification key attribute in the patch baseline's PatchFilter data type. Denotes the type of package included in the update notice.

    You can view the list of supported values by using the AWS CLI command describe-patch-properties or the API operation DescribePatchProperties. You can also view the list in the Approval rules area of the Create patch baseline page or Edit patch baseline page in the Systems Manager console.

    severity

    Corresponds to the value of the Severity key attribute in the patch baseline's PatchFilter data type. Denotes the severity of the packages included in the update notice. Usually only applicable for Security update notices.

    You can view the list of supported values by using the AWS CLI command describe-patch-properties or the API operation DescribePatchProperties. You can also view the list in the Approval rules area of the Create patch baseline page or Edit patch baseline page in the Systems Manager console.

    update_id

    Denotes the advisory ID, such as CVE-2019-17055. The advisory ID can be used in the ApprovedPatches or RejectedPatches attribute in the patch baseline.

    references

    Contains additional information about the update notice, such as a CVE ID (format: CVE-2019-17055) or a Bugzilla ID (format: 1463241). The CVE ID and Bugzilla ID can be used in the ApprovedPatches or RejectedPatches attribute in the patch baseline.

    updated

    Corresponds to ApproveAfterDays in the patch baseline. Denotes the released date (updated date) of the packages included in the update notice. A comparison between the current timestamp and the value of this attribute plus the ApproveAfterDays is used to determine if the patch is approved for deployment.

    Note

    For information about accepted formats for lists of approved patches and rejected patches, see About package name formats for approved and rejected patch lists.

  3. The product of the managed node is determined by SSM Agent. This attribute corresponds to the value of the Product key attribute in the patch baseline's PatchFilter data type.

  4. Packages are selected for the update according to the following guidelines.

    Security option Patch selection

    Pre-defined default patch baselines provided by AWS and custom patch baselines where the Approved patches include non-security updates is not selected

    For each update notice in updateinfo.xml, the patch baseline is used as a filter, allowing only the qualified packages to be included in the update. If multiple packages are applicable after applying the patch baseline definition, the latest version is used.

    For version 7 managed nodes, the equivalent yum command for this workflow is:

    sudo yum update-minimal --sec-severity=Important,Moderate --bugfix -y

    For version 8 managed nodes, the equivalent dnf command for this workflow is:

    sudo dnf upgrade-minimal --security --sec-severity Moderate --sec-severity Important

    Custom patch baselines where the Approved patches include non-security updates is selected

    In addition to applying the security updates that were selected from updateinfo.xml, Patch Manager applies nonsecurity updates that otherwise meet the patch filtering rules.

    For version 7 managed nodes, the equivalent yum command for this workflow is:

    sudo yum update --security --bugfix

    For version 8 managed nodes, the equivalent dnf command for this workflow is:

    sudo dnf upgrade --security --bugfix

For information about patch compliance status values, see Understanding patch compliance state values.

How patch baseline rules work on RHEL, CentOS Stream, and Rocky Linux

On Red Hat Enterprise Linux (RHEL), CentOS Stream, and Rocky Linux, the patch selection process is as follows:

  1. On the managed node, the YUM library (RHEL 7) or the DNF library (RHEL 8, CentOS Stream, and Rocky Linux) accesses the updateinfo.xml file for each configured repo.

    Note

    The updateinfo.xml file might not be available if the repo isn't one managed by Red Hat. If there is no updateinfo.xml found, no patch will be applied.

  2. Each update notice in updateinfo.xml includes several attributes that denote the properties of the packages in the notice, as described in the following table.

    Update notice attributes
    Attribute Description
    type

    Corresponds to the value of the Classification key attribute in the patch baseline's PatchFilter data type. Denotes the type of package included in the update notice.

    You can view the list of supported values by using the AWS CLI command describe-patch-properties or the API operation DescribePatchProperties. You can also view the list in the Approval rules area of the Create patch baseline page or Edit patch baseline page in the Systems Manager console.

    severity

    Corresponds to the value of the Severity key attribute in the patch baseline's PatchFilter data type. Denotes the severity of the packages included in the update notice. Usually only applicable for Security update notices.

    You can view the list of supported values by using the AWS CLI command describe-patch-properties or the API operation DescribePatchProperties. You can also view the list in the Approval rules area of the Create patch baseline page or Edit patch baseline page in the Systems Manager console.

    update_id

    Denotes the advisory ID, such as RHSA-2017:0864. The advisory ID can be used in the ApprovedPatches or RejectedPatches attribute in the patch baseline.

    references

    Contains additional information about the update notice, such as a CVE ID (format: CVE-2017-1000371) or a Bugzilla ID (format: 1463241). The CVE ID and Bugzilla ID can be used in the ApprovedPatches or RejectedPatches attribute in the patch baseline.

    updated

    Corresponds to ApproveAfterDays in the patch baseline. Denotes the released date (updated date) of the packages included in the update notice. A comparison between the current timestamp and the value of this attribute plus the ApproveAfterDays is used to determine if the patch is approved for deployment.

    Note

    For information about accepted formats for lists of approved patches and rejected patches, see About package name formats for approved and rejected patch lists.

  3. The product of the managed node is determined by SSM Agent. This attribute corresponds to the value of the Product key attribute in the patch baseline's PatchFilter data type.

  4. Packages are selected for the update according to the following guidelines.

    Security option Patch selection

    Pre-defined default patch baselines provided by AWS and custom patch baselines where the Approved patches include non-security updates check box is not selected

    For each update notice in updateinfo.xml, the patch baseline is used as a filter, allowing only the qualified packages to be included in the update. If multiple packages are applicable after applying the patch baseline definition, the latest version is used.

    For RHEL 7, the equivalent yum command for this workflow is:

    sudo yum update-minimal --sec-severity=Critical,Important --bugfix -y

    For RHEL 8, CentOS Stream, and Rocky Linux, the equivalent dnf commands for this workflow are:

    sudo dnf update-minimal --sec-severity=Critical --bugfix -y \ sudo dnf update-minimal --sec-severity=Important --bugfix -y

    Custom patch baselines where the Approved patches include non-security updates check box is selected

    In addition to applying the security updates that were selected from updateinfo.xml, Patch Manager applies nonsecurity updates that otherwise meet the patch filtering rules.

    For RHEL 7, the equivalent yum command for this workflow is:

    sudo yum update --security --bugfix

    For RHEL 8, CentOS Stream, and Rocky Linux, the equivalent dnf command for this workflow is:

    sudo dnf update --security --bugfix

For information about patch compliance status values, see Understanding patch compliance state values.

How patch baseline rules work on SUSE Linux Enterprise Server

On SLES, each patch includes the following attributes that denote the properties of the packages in the patch:

  • Category: Corresponds to the value of the Classification key attribute in the patch baseline's PatchFilter data type. Denotes the type of patch included in the update notice.

    You can view the list of supported values by using the AWS CLI command describe-patch-properties or the API operation DescribePatchProperties. You can also view the list in the Approval rules area of the Create patch baseline page or Edit patch baseline page in the Systems Manager console.

  • Severity: Corresponds to the value of the Severity key attribute in the patch baseline's PatchFilter data type. Denotes the severity of the patches.

    You can view the list of supported values by using the AWS CLI command describe-patch-properties or the API operation DescribePatchProperties. You can also view the list in the Approval rules area of the Create patch baseline page or Edit patch baseline page in the Systems Manager console.

The product of the managed node is determined by SSM Agent. This attribute corresponds to the value of the Product key attribute in the patch baseline's PatchFilter data type.

For each patch, the patch baseline is used as a filter, allowing only the qualified packages to be included in the update. If multiple packages are applicable after applying the patch baseline definition, the latest version is used.

Note

For information about accepted formats for lists of approved patches and rejected patches, see About package name formats for approved and rejected patch lists.

How patch baseline rules work on Ubuntu Server

On Ubuntu Server, the patch baseline service offers filtering on the Priority and Section fields. These fields are typically present for all Ubuntu Server packages. To determine whether a patch is selected by the patch baseline, Patch Manager does the following:

  1. On Ubuntu Server systems, the equivalent of sudo apt-get update is run to refresh the list of available packages. Repos aren't configured and the data is pulled from repos configured in a sources list.

  2. If an update is available for python3-apt (a Python library interface to libapt), it is upgraded to the latest version. (This nonsecurity package is upgraded even if you did not select the Include nonsecurity updates option.)

  3. Next, the GlobalFilters, ApprovalRules, ApprovedPatches and RejectedPatches lists are applied.

    Note

    Because it's not possible to reliably determine the release dates of update packages for Ubuntu Server, the auto-approval options aren't supported for this operating system.

    Approval rules, however, are also subject to whether the Include nonsecurity updates check box was selected when creating or last updating a patch baseline.

    If nonsecurity updates are excluded, an implicit rule is applied in order to select only packages with upgrades in security repos. For each package, the candidate version of the package (which is typically the latest version) must be part of a security repo. In this case, for Ubuntu Server, patch candidate versions are limited to patches included in the following repos:

    • Ubuntu Server 14.04 LTS: trusty-security

    • Ubuntu Server 16.04 LTS: xenial-security

    • Ubuntu Server 18.04 LTS: bionic-security

    • Ubuntu Server 20.04 LTS: focal-security

    • Ubuntu Server 20.10 STR: groovy-gorilla

    If nonsecurity updates are included, patches from other repositories are considered as well.

    Note

    For information about accepted formats for lists of approved patches and rejected patches, see About package name formats for approved and rejected patch lists.

To view the contents of the Priority and Section fields, run the following aptitude command:

Note

You might need to first install Aptitude on Ubuntu Server 16 systems.

aptitude search -F '%p %P %s %t %V#' '~U'

In the response to this command, all upgradable packages are reported in this format:

name, priority, section, archive, candidate version

For information about patch compliance status values, see Understanding patch compliance state values.