Setting up Patching for Ubuntu


Since there are some Linux systems in my environment which need regular updates, I built a little routine for that. If you would like to take over any parts of it, feel free.
I assume that you know how to set up KACE scripting, Custom Inventory Rules and labels, so I just provide the snippets.

It consists of a regularly running script which detects patches, deploys them, cleans out old downloaded patches and logs the results, so I can review errors.
In addition, it updates the search database so the newly installed versions can be found and used in internal scripts.


Prerequisites:

1. All Linux systems have the agent installed
2. A local mirror is set up (optional; if not done, the updates are taken from the official mirrors)
3. All Linux systems have an interactive root account

Setting up the script:

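#!/bin/sh
# Run each step and keep its exit code so it can be written to the log.
apt update; update=$?                  # detect
apt upgrade -y; upgrade=$?             # deploy
apt dist-upgrade -y; dist_upgrade=$?
apt autoremove -y; remove=$?           # housekeeping
apt autoclean -y; clean=$?
# Refresh the search database. The command is assumed to be updatedb
# (the locate database); the text describes this step but does not show it.
updatedb; search=$?
# Start a fresh log: it only ever holds the last run.
rm -f /root/upgrade.result
echo "last run: " >>/root/upgrade.result
date >>/root/upgrade.result
echo "Results:" >>/root/upgrade.result
echo "updating the patch list: " >>/root/upgrade.result
echo "$update" >>/root/upgrade.result
echo "run the patches: " >>/root/upgrade.result
echo "$upgrade" >>/root/upgrade.result
echo "distribution patches: " >>/root/upgrade.result
echo "$dist_upgrade" >>/root/upgrade.result
echo "Housekeeping: " >>/root/upgrade.result
echo "remove old updates: " >>/root/upgrade.result
echo "$remove" >>/root/upgrade.result
echo "clean the logs and results: " >>/root/upgrade.result
echo "$clean" >>/root/upgrade.result
echo "updating the database: " >>/root/upgrade.result
echo "$search" >>/root/upgrade.result
# The flag file only exists while a reboot is pending.
if [ -f /var/run/reboot-required ]; then
    cat /var/run/reboot-required >>/root/upgrade.result
fi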

If needed, the script can be split into multiple scripts: one for the detect step (apt update), one for the deploy step (apt upgrade and apt dist-upgrade) and one for the housekeeping steps (apt autoremove and apt autoclean).

Result handling and automatic reboot

To get the results directly into the SMA, only a small CIR was needed:

ShellCommandTextReturn( cat /root/upgrade.result )

The second CIR returns the info on which services need a reboot:

ShellCommandTextReturn( cat /var/run/reboot-required.pkgs )

The third CIR finds all systems which need to be rebooted:

FileExists (/var/run/reboot-required )

This one is linked to a smart label, which regularly reboots the systems out of hours.
Note: /var/run/reboot-required and /var/run/reboot-required.pkgs are automatically deleted after a reboot, so rebooted systems fall out of the labels.
Note: the log contains only the last run and passes the error codes from apt through directly. If you need more descriptive error messages, just add the translation to the script.
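
One way to add the translation mentioned in the last note, as an added example that is not part of the original post. The function names and the sample log are constructed; it assumes the log layout of a label line followed by a line holding only that step's exit code, and that apt returns the codes apt-get documents (0 on success, 100 on error).

```shell
#!/bin/sh
# Added example (not from the original post). Assumed log layout: a label
# line, then a line holding only the numeric exit code of that step.

# apt-get documents exit code 0 for success and 100 for an error; 127 is the
# shell's "command not found". Any other value is reported unchanged.
explain_code() {
    case "$1" in
        0)   echo "OK" ;;
        100) echo "FAILED (apt reported an error)" ;;
        127) echo "FAILED (command not found)" ;;
        *)   echo "FAILED (unexpected exit code $1)" ;;
    esac
}

# Read a result log on stdin and print "<label> -> <status>" per step.
# Returns 1 if any step failed, so the caller can alert on it.
translate_result() {
    label=""
    failed=0
    while IFS= read -r line; do
        case "$line" in
            ''|*[!0-9]*) label=${line% }; label=${label%:} ;;  # text: keep as label
            *)  echo "$label -> $(explain_code "$line")"       # bare number: a code
                [ "$line" -eq 0 ] || failed=1 ;;
        esac
    done
    return "$failed"
}

# Constructed sample log in the layout the patch script writes.
sample_log() {
    cat <<'EOF'
last run:
Mon Jan  1 02:00:00 UTC 2024
Results:
updating the patch list:
0
run the patches:
100
Housekeeping:
remove old updates:
0
*** System restart required ***
EOF
}

sample_log | translate_result || echo "at least one step failed"
```

On a patched system the call would be `translate_result </root/upgrade.result`, and its output could be returned by a CIR in place of the raw log.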


  • Thanks, this looks great! I'll give it a try. - quickwhips 4 years ago