Nobody likes to spend the day hopping on and off computers to install patches, and a good patch management solution can turn a long-winded chore into a simple process.
Patch management tools that deploy updates to devices throughout your network remotely are one of the greatest time-saving solutions you have at your disposal.
Here is our list of the Top Ten Linux Patch Management tools:
- ManageEngine Patch Manager Plus EDITOR’S CHOICE Patch management solution for managing Linux, Windows, and Mac devices. The user can set deployment policies, schedule future patches, test patches, and generate reports. Download the 30-day free trial.
- Syxsense Manage (FREE TRIAL) A cloud-based endpoint management system that includes a patch manager and oversees devices running Linux, Windows, and macOS. Get started with a 14-day free trial.
- Ivanti Neurons for Patch Intelligence Web-based patch management tool for Linux, Unix, and Mac. It comes with automatic patch deployment, scheduling, and testing. It also includes a customizable reports system.
- GFI LanGuard Patch management software for Linux, Microsoft, and macOS devices. On Linux, the tool supports RedHat Enterprise Linux, CentOS, Ubuntu, Debian, SUSE Linux Enterprise, openSUSE, and Fedora 19.
- Automox Cloud-based patch manager for Linux, Windows, and macOS. Configure policies and automatically patch devices throughout your network or create custom scripts with Automox Worklets.
- Kace Systems Management Appliance Systems management solution with software deployment and patch management for Linux, Windows, and macOS. It also supports custom package installations.
- SanerNow Patch Management Cloud-based patch management tool that supports Linux, Windows, and macOS. Includes automated patch discovery, task scheduling, and reports.
- HCL Software BigFix Patch management tool compatible with Linux, UNIX, Windows, and macOS. Automatically discovers and distributes software to connected devices.
- Red Hat Satellite A software and system management package that automatically introduces patches for registered software.
- SysWard Patch management tool compatible with CentOS, Ubuntu, RedHat, Debian, OpenSUSE, SUSE, Fedora, Oracle Linux, and more. It includes a dashboard and an alerts system.
See also: Best Patch Management Tools
Best Patch Management Tools for Linux
What should you look for in a Linux patch management tool?
We reviewed the market for Linux patch managers and analyzed tools based on the following criteria:
- A software asset inventory
- Automated scans for updates
- Processes to queue available patches for installation
- A maintenance calendar that allows patches to be applied at unobtrusive times
- Completion reports and the option to rerun patches manually
- A free trial or a demo account for a cost-free assessment
- Value for money from a tool that will save technician time, sold at a fair price
With these selection criteria in mind, we investigated Linux patch management systems for Linux that provide automation to improve efficiency.
ManageEngine Patch Manager Plus is a patch management solution that can manage Linux, Windows, and Mac devices. The platform offers an agent for the following OS’s; Red Hat, SUSE Linux, Ubuntu, Debian, and CentOS. ManageEngine Patch Manager Plus scans online for missing patches and tests them before deploying them to your computer. The user can schedule patch scans to continually find new scans.
- Patches RHEL, SUSE, CentOS, Ubuntu, and Debian
- SaaS platform or installs on Windows Server
- Suitable for MSPs
- Patch sandboxing
- Multi-site version available
To ensure that you stay protected, ManageEngine Patch Manager Plus allows you to set deployment policies and prioritize searching for patches with the highest priority. For example, the software will install critical patches before focusing on low or moderate severity level updates.
With System Health Reports you can check how your computers are performing after the patch has been installed. Here you can view the patch status and verify that the vulnerability is secured.
- Multi-platform usage makes it ideal for businesses that support multiple operating systems like MSPs.
- Prioritizes patches by highest priority automatically
- Easy health reports provide an at-a-glance view of a machine’s patch status
- Flexible licensing makes ManageEngine Patch Manager Plus a great option for any size network
- Sandbox environment allows you to test patches before pushing them to production
- Plenty of features, can require investing some time into learning the platform
There are three On-Premises versions of ManageEngine Patch Manager Plus available: Free Edition, Professional, and Enterprise. The Free Edition supports up to 20 computers and five servers free of charge.
The Professional annual subscription costs $245 (£205) with third-party patch management and report scheduling. The Enterprise version costs $345 (£290) with automatic testing and approval. You can start the 30-day free trial.
ManageEngine Patch Manager Plus is our top choice! Makes it effortless to scan endpoints to detect patches that have been missed. You get a sandbox to test patches before deploying and you can use it to produce audits and reports with ease.
Start a 30-day Free Trial: manageengine.com/patch-management/
OS: Linux, Mac & Windows, On-premises or Cloud
Syxsense Manage is a cloud-based service that can identify and enroll all of your endpoints. It compiles an asset inventory of desktops and servers running Linux, macOS, and Windows.
- Software inventory
- Automated patch availability polling
- 50 GB of cloud storage
Once the service discovers a device, it scans it, recording its operating system version and logging all installed software. This is the beginning of the patch management process. Knowing what software is running on each device, the service then looks on the services of each vendor for updates and patches. When the system finds a patch available, it copies the installer over to its cloud storage – each account gets 50GB of server space on the Syxsense cloud system for this purpose and for storing logs.
You can set up a schedule of maintenance windows and the Syxsense patch manager will install available patches at the next available window. The service records all OS and software versions and also logs all of its patching actions. This information can be run off in a report in a format suitable for compliance reporting for PCI DSS, SOX, and HIPAA.
- Great user interface
- Multi-platform support for Linux, Mac, and Windows makes it great for diverse environments
- Based in the cloud, requires no hardware or on-boarding expenses
- Starting 50GB of server space of logs and patch installs will more than enough for most businesses
- The subscription model allows companies of all sizes to use the product and helps growing businesses scale their patching over time
- Compliance reporting tools are very detailed and require time to learn
Syxsense Manage is a subscription service and you can get it on a 14-day free trial.
Ivanti Neurons for Patch Intelligence is part of a cloud platform of system protection and compliance tools. The package includes a vulnerability scanner and a patch manager that acts on the results of the scans.
- Vulnerability patching
- Compliance reporting
- System hardening
The vulnerability scanner is tailored and constantly adapted to recent threat vectors that are listed in a threat intelligence feed. The vulnerability manager then uses AI processes to work out which services and applications will be vulnerable. As well as launching the patch manager, the package will implement configuration changes to close off weaknesses.
The software also has a reporting function, which shows how many devices haven’t been patched, with graphs and pie charts for greater visibility. Reports are customizable so you can choose how the patch data is displayed on the screen. These reports are very useful for regulatory compliance because they help to verify that your infrastructure is up to date.
Ivanti is a solution suitable for companies seeking to deploy patches in cross-platform environments. It’s easy to use and gives the user complete control over device security.
- Multi-platform support for Linux, Mac, and Unix gives the tool flexibility in diverse networks
- Patch scheduling works well out of the box
- Offers simple graphical reporting which is easy to setup
- Must contact company for exact pricing
To find out the pricing information for Ivanti, you will have to contact the company directly. You can get a 45-day free trial of the entire Ivanti Neurons platform.
GFI LanGuard is a piece of patch management software that can patch Linux, Microsoft, macOS, and other third-party applications including Apple QuickTime, Mozilla Firefox, Adobe Acrobat, Adobe Flash Player, Shockwave Player, Mozilla Thunderbird, Java Runtime, and more. For Linux, users, GFI LanGuard supports a range of distributions including RedHat Enterprise Linux, CentOS, Ubuntu, Debian, SUSE Linux Enterprise, openSUSE, and Fedora 19.
- Patches RHEL, SUSE, CentOS, Ubuntu, Fedora, and Debian
- Creates software inventory
- Automated patching
The tool comes with a quality GUI where you can manage patches across all of your connected devices. Scan your network manually or automatically to download new patches. Automatic patch downloading is great for reducing the manual administration you have to do to update devices.
There is also a vulnerability assessment feature, which can detect over 60,000 vulnerabilities. Vulnerability scans use a combination of OVALand SANS Top 20 to scan for vulnerabilities within your devices. If there is a problem then the software provides you with additional information about the status so you can resolve it.
- Multi-platform support for Microsoft, Linux, and Mac
- Includes support for patching other popular third-party applications like Adobe, Java, and Runtime
- Simple, yet effective interface
- Built-in vulnerabilities assessment uses patch information to help gauge risk for security teams
- Would like to see more features for scheduling patches
- Could use more up to date support for newer third party applications
GFI LanGuard is offered in three plans: Small, Medium, and Large. The Small plan covers 10 to 49 nodes and costs $26 (£21.80) per node per year. You can download the 30-day free trial.
Automox is a cloud-based patch management platform for Linux, Windows, and macOS. Automox can automatically patch vulnerable devices. The tool is easy to use and deploy with a lightweight agent that has a minimal impact on your system resources.
- Patches Linux, Windows, and macOS
- Patch only a specific group of devices
- Scripting language
Through the GUI the user can create policies and assign them to devices or groups. Grouping devices together makes it much easier to manage a high number of devices. For example, if a user creates a group of devices then they can edit policies and affect the entire group.
Grouped devices can also be supported by department, OS, or region, enabling simple navigation. If you need more control then you can use Automox Worklets to script custom tasks.
Automox is one of the most low maintenance patch management tools on this list with excellent configuration options.
- Multi-platform support for Microsoft, Linux, and Mac
- Run in the cloud, and doesn’t require an on-premise server installation
- Features a sleek highly visual interface
- Utilizes grouping to makes patching large numbers of devices easy to organize
- Could use better reporting features in terms of compliance (HIPAA, PCI, etc)
- Could use better support for third-party application patching
There are two versions of Automox available to purchase: Patch, and Patch & Manage. Prices start at $3 (£2.50) per device per month. You can start the 15-day free trial.
KACE Systems Management Appliance is a systems management solution with a patch management feature. On Linux, the software agent is compatible with Linux Red Hat Linux AS and ES, Ubuntu, SUSE Linux Enterprise Server, and Raspbian Linux.
- Patches RHEL, SUSE, Ubuntu, and Raspbian
- IT asset management
- Software license management
The software deploys automated updates to Linux, Mac and Windows computers or servers. The software also supports custom package installations, in .rpm, .zip., .bin, .tgz.m and tar.gz on Linux.
The GUI allows the user to monitor their entire asset inventory through the dashboard. On the dashboard, you can view devices and monitor performance. If you click through to the Patch Management screen you can view statistics and complete actions such as detecting missing patches, deploying available patches, and rolling back installed patches.
KACE Systems Management Appliance is one of the most complete patch management tools on the market. The tool is available as a virtual or hosted appliance.
- Supports a wide range of different Linux operating systems
- Can be used as both a virtual or hosted application, giving it additional flexibility upon install
- Supports automatic patch deployment
- Must contact company for pricing
- Reporting dashboards could use better filtering options
To receive a quote you will need to contact the company directly. You can download the 30-day free trial.
SanerNow Patch Management is a cloud-based patch management solution that automates patches to Linux, Windows, and macOS. SanerNow Patch Management can automatically discover new patches and apply them without manual intervention. If a patch causes problems then the software can roll them back.
- Associated with a vulnerability scanner
- Compliance reporting
- Patches OSs and 300+ applications
To use the tool, the user configures patch rules and then schedules tasks for the tool to complete. For example, you can configure a rule to automatically patch devices. You can also prioritize patches according to the level of severity.
To help you keep an eye on what devices have been patched, SanerNow Patch Management comes with a reporting feature. Reports show you which patches have been rolled out and what risks they’ve protected you against. Elements like patching impact analysis and historical tracking help to show what changes have been made to your network.
SanerNow Patch Management is one of the top patch management tools for those enterprises that want a basic asset management experience. The software supports Redhat Enterprise Linux, CentOS, Fedora, Oracle Linux, Amazon Linux, Ubuntu, and Debian on Linux.
- Cloud-based patch management, requiring no server installation or onboarding
- Has an easy to use patch ruleset feature that aids in patch scheduling
- Can track patch deployments over times and features impact analysis stats to correlate issues with patch deployments
- Interface can be confusing at times, especially with a large number of devices
- Must contact sales for pricing
For pricing information you will have to contact the sales team directly. You can try the free trial.
HCL Software BigFix is endpoint management and patch management software for Linux, UNIX, Windows, and macOS. HCL Software BigFix combines automated asset discovery with automatic software distribution to update devices efficiently with minimal user intervention. The tool is scalable and can monitor up to 250,000 different endpoints.
- Endpoint management
- Automated patching
- Compliance reporting
You can use the tool to monitor endpoint states in real-time. Real-time monitoring enables you to see patch levels and confirms whether a patch has been deployed successfully before updating the management server.
Confirming installations is useful for providing evidence of patching in a regulatory compliance scenario. There is also a reporting system that allows you to highlight entities that need updates.
HCL Software BigFix is worth investigating if you need to manage devices divided up between different operating systems. It also has the bandwidth to support everyone from SME’s to large companies.
- Features lightweight asset management tools alongside patch management
- Supports Linux, Windows, and Unix systems
- Can scale to over 250,000 endpoints
- Must contact sales for pricing
- Does not offer a free trial, only demo
To view the pricing information you will have to contact the company directly. You can schedule a demo.
RHEL owners can maintain their operating system, RHEL utility components, and any other software installed on the system with the RHEL Satellite service. This is a complete system management tool that will monitor all versions of software installed on your RHEL machine and the operating system, too.
- Specialized for RHEL patching
- Patches OS and applications
- Part of a suite of RHEL management tools
The Satellite software is a suite of tools. This is a substantial package and it takes 90 minutes to install. The nine components are:
- The Foreman: A provision and lifecycle management tool for both physical and virtual systems.
- Katello: Subscription and repository management.
- Candlepin: The subscription management part of Katello.
- Pulp: The content and repository management part of Katello.
- Hammer: A command-line interface for all Satellite functions.
- REST API: A RESTful API to enable the creation of integration modules.
- Apache Tomcat: The embedded server for the front end of the Satellite system.
- Puppet: A Puppet Master server.
- Hiera: a key-value database needed for Puppet.
The key element in all of this is Katello, which is where all the patch management functions lie.
- Contains a suite of tools that support patching, lifecycle management, and support for RHEL environments
- Focuses heavily on Linux environments, great for larger networks primarily running only Linux
- Ideal for Linux professionals
- Can be complicated to use, especially for new users
- Interface is barebones and can be difficult to find certain features
- Some features may be in different tools across the suite, adding complexity
- Long installation time
The Satellite system is able to manage the operating system and software of several hosts owned by an organization and it can also include remote and cloud servers. The system is free to use and is available from the Red Hat website.
SysWard is a patch management solution that supports a range of operating systems for Linux including CentOS, Ubuntu, RedHat, Debian, OpenSUSE, SUSE, Fedora, Oracle Linux, and more. Through the dashboard, you can view a view of updates broken down into Security Updates, Regular Updates, Dead Hosts, Job Failures, and more.
- Patches RHEL, SUSE, CentOS, Ubuntu, Fedora, Oracle, and Debian
- Creates an asset inventory
- Software vulnerability management
You can also view a list of Agents within your network. The Agents view shows you information including the OS, Hostname, Group, Updates, Memory, Version, and Last Checkin. The Agents view is good for managing your asset inventory and monitoring update statuses. If you need to, you can export this data in CSV format.
The platform also comes with an alerts system that produces a notification whenever a new patch is available for a package. Alerts are assigned a level of severity based on how important they are to your network. The alerts feature is useful because it keeps you updated on changes to your infrastructure.
- Supports multiple distribution types like Oracle, Debian, and Fedora
- Agent tracking shows their hardware resource utilization, making this a lightweight monitor agent as well as a patch manager
- Alerting works well out of the box
- Could benefit from better reporting features
- Would like to see more export formats
SysWard is a good choice for enterprises that want a simple patch management tool with a low price tag. The software is available for free for up to two agents. If you need more, you can purchase a paid plan starting at $2.50 (£2.10) per agent per month. You can download the program for free.
Choosing a patch management tool for Linux: Reporting is a Must!
Going from device to device searching for updates and installing them isn’t the most efficient way to patch dozens of devices. Linux Patch management tools take care of the tedious task of finding and installing patches so that you can focus on more pressing issues.
The less time you spend installing updates manually the more time you can spend on more important tasks. We’ve listed a variety of tools on this list to suit enterprises of all kinds. ManageEngine Patch Manager Plus is a great place to start if you’re looking for a basic and accessible solution.
When searching for a patch management solution it is a good idea to purchase one with reports. A good reporting feature will allow you to check up on what vulnerabilities have been patched and verify that your network is secure. They can also be extremely useful if you’re ever audited by a third party!
Linux Patch Management FAQs
How often should patch management be performed?
Perform a patch run at least once a week. That’s a good compromise cycle length but each business has different constraints. The typical non-committal advice given all over the internet is “that depends” because network managers are also constrained by service level agreements that sometimes require constant availability. Ensure that contract managers insert a once-a-week window in system availability agreements for patches that require the system to be bounced.
Why is patch management important for network security?
Patches are issued to close off security vulnerabilities that have been revealed by hacker attacks after the current version of the software was finalized and released. In most cases, new versions of software and operating systems have been extensively tested and analyzed for bugs before they are released. So, patches are not usually issued because the developers got something wrong in their original software versions. Patch management is an essential part of system security procedures and should be regarded as a priority task.
What is a kernel patch?
A kernel patch is an update to the operating system in Unix and Unix-like systems. This group of operating systems includes Mac OS, Linux, BSD, Android, Amazon Fire OS, and Raspberry Pi.