Linux Contentless Patching

Before V2024.1, all Linux patching in Security Controls was content-based. Engineers at Ivanti identified and curated the files required to fix a vulnerability, creating a content-based patch that could then be deployed. This method has two main disadvantages: there is a delay while the content package is being created, and not every vulnerability is covered by a content package.

From V2024.1, a new contentless method of Linux patching is being implemented. With this method, the repository for your Linux distribution is the direct source of all patch packages. This means that you have immediate access to all packages, giving you a more efficient and more complete patching mechanism, while maintaining the control and visibility of patching that Security Controls brings.


For a while, both methods will be available in Security Controls, but we recommend that you start planning and implementing your migration to contentless patching now, because the content-based method of patching Linux will be removed in a future release.

What has changed?

The main differences you will notice are:

  • The previous Linux patching is still available in Security Controls under the name Linux Patch (Content-Based), with its own content-based Linux icon.
  • There is no separate Patch Scan Configuration for the new contentless Linux patching. Whenever a Linux Patch Task runs, it runs a scan for all missing packages and advisories. You can then separately specify Deploy options as part of the Linux Patch Task.
  • A new column has been added to the grids on the Machine View that, for contentless Linux, shows the source repository of the package.
  • In V2024.2, the Deploy by patch group option for the new patch configuration supported only the patching of packages associated with an advisory. Adding individual packages to a patch group was supported from V2024.3, and Deploy by severity from V2024.4.
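To make the contentless model concrete, the following added example (not code from Ivanti or Security Controls) models what a contentless scan and the three deploy options described above work from: the advisory and package metadata published by the distribution repository itself. The input is a constructed sample written in the style of `dnf updateinfo list` output (advisory id, type/severity, package NEVRA); the advisory ids and package versions are invented, and the function names are this example's own.

```python
"""Model of contentless Linux patching: the distribution repository's advisory
metadata is the scan source, and a deploy selects packages from that scan by
severity, by patch group, or in full. Example code, not the product's own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Severity ordering used for "deploy by severity" (assumed ranking).
SEVERITY_RANK = {"Low": 1, "Moderate": 2, "Important": 3, "Critical": 4}

# Constructed sample in the style of `dnf updateinfo list` (advisory ids invented).
SAMPLE_UPDATEINFO = """\
Last metadata expiration check: 0:12:01 ago on Mon 01 Jan 2024 09:00:00 UTC.
RHSA-2024:0001 Important/Sec. openssl-1:3.0.7-24.el9.x86_64
RHSA-2024:0001 Important/Sec. openssl-libs-1:3.0.7-24.el9.x86_64
RHSA-2024:0002 Moderate/Sec.  curl-7.76.1-26.el9.x86_64
RHBA-2024:0003 bugfix         bash-5.1.8-6.el9.x86_64
RHEA-2024:0004 enhancement    vim-minimal-2:8.2.2637-20.el9.x86_64
"""


@dataclass(frozen=True)
class Finding:
    advisory: str            # e.g. RHSA-2024:0001
    kind: str                # "security", "bugfix" or "enhancement"
    severity: Optional[str]  # only set for security advisories
    package: str             # package name without version/arch
    nevra: str               # full name-[epoch:]version-release.arch string


LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def nevra_name(nevra: str) -> str:
    """Strip '.arch', then '-release' and '-[epoch:]version' to get the package name."""
    without_arch = nevra.rsplit(".", 1)[0]
    return without_arch.rsplit("-", 2)[0]


def parse_updateinfo(text: str) -> List[Finding]:
    """Turn updateinfo-style lines into Findings; header and blank lines are skipped."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Last metadata"):
            continue
        match = LINE_RE.match(line)
        if not match:
            continue  # tolerate unexpected lines rather than abort the scan
        advisory, kind_col, nevra = match.groups()
        if kind_col.endswith("/Sec."):
            severity, kind = kind_col.split("/", 1)[0], "security"
        else:
            severity, kind = None, kind_col
        findings.append(Finding(advisory, kind, severity, nevra_name(nevra), nevra))
    return findings


def summarize_by_advisory(findings: Sequence[Finding]) -> Dict[str, List[str]]:
    """Scan view: every missing advisory with the packages it delivers."""
    summary: Dict[str, List[str]] = {}
    for f in findings:
        summary.setdefault(f.advisory, []).append(f.nevra)
    return {adv: sorted(pkgs) for adv, pkgs in summary.items()}


def select_all(findings: Sequence[Finding]) -> List[str]:
    """Deploy everything the scan found."""
    return sorted({f.nevra for f in findings})


def select_by_severity(findings: Sequence[Finding], minimum: str) -> List[str]:
    """Deploy by severity: security advisories at or above the threshold."""
    floor = SEVERITY_RANK[minimum]
    return sorted({f.nevra for f in findings
                   if f.severity and SEVERITY_RANK[f.severity] >= floor})


def select_by_patch_group(findings: Sequence[Finding],
                          advisories: Sequence[str] = (),
                          packages: Sequence[str] = ()) -> List[str]:
    """Deploy by patch group: a group may name advisories, package names, or both."""
    return sorted({f.nevra for f in findings
                   if f.advisory in advisories or f.package in packages})


if __name__ == "__main__":
    found = parse_updateinfo(SAMPLE_UPDATEINFO)
    for adv, pkgs in summarize_by_advisory(found).items():
        print(adv, pkgs)
    print("Important+:", select_by_severity(found, "Important"))
    print("group:", select_by_patch_group(found, advisories=["RHSA-2024:0002"], packages=["bash"]))
```

Because every package the repository publishes is visible to the scan, the deploy options become filters over that complete list; this is why a contentless scan can list vulnerabilities that a content-based scan did not, and why a patch group can be expressed either as advisories or as package names.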

How do I migrate?

We recommend the following strategy to gain confidence in contentless patching so that you can move away from content-based patching for Linux:

  1. Scan your test Linux machines using a Linux Content-Based Patch Task configured to scan for All Patches, then examine the Health column in the Machine View.
  2. Deploy patches to your test machines using the existing content-based patch task, then re-examine the Health column in the Machine View.
  3. Create or update an agent policy that includes a Linux Patch Task with the Deployments option disabled.
    This creates a scan-all task that uses the new contentless functionality.
  4. Install the agent with the new policy on your test Linux machines.
    A scan runs automatically after the engine installation.
  5. After the scan has completed, check the Health column.
    Expect new vulnerabilities to be listed: the contentless scan covers every package in the distribution repository, not only those for which a content package exists.
  6. Enable the Deployments option in the new contentless patch task, and deploy patches again.
  7. Check the Health column again.
    The vulnerabilities have been remediated.