[Feature Requests] Operating System Update Notifications / Automatic Security Patching

[micoolpaul]

Morning,

This idea I believe would be great for Veeam Backup for AWS/Azure/GCP but I don’t want to start spamming all sub-forums.

Requests
1. Provide an option to use SMTP notifications when Application/Operating System updates are available.
2. In addition to the existing options for installing/scheduling updates, include an option such as a checkbox to enable Veeam to automatically install security updates whilst jobs aren’t being processed.

Justification:
Veeam Backup for Microsoft Azure is a self contained package, meaning users don’t know what components are installed alongside this as well as what components will be used in the future. This makes it challenging to them to know if they’re impacted by new CVEs. Their only option at present is to sign into the web portal, for the SMBs and overstretched sysadmins in particular, this can be a challenge to ensure their environments are best protected, though I believe this would bring benefits to most.

By providing the option to opt-in to notifications, Veeam makes itself more proactive on attempting security remediations and reduces the risk of these systems being compromised and by extension, backup integrity.

Secondly the option to auto patch would take this a step further by managing the security patches. Realistically there is little increase to the risk of stability as it’s no different to a user manually installing a patch as it becomes available. By making it a checkbox for opt-in or out, those that would be worried about automatic patching can continue unchanged.

Other options could be allowing users to specify a minimum time the patch is available for before auto installing to avoid bad releases, but I don’t see that as a major need and would require the second option to be implemented first anyway.

Thanks!

[nielsengelen]

Hi Michael,

Thanks for the requests.

1. I would presume that you want this only for security-critical updates. Since there are quite often minor updates within operating system packages, this could become quite an overload on emails (which then would become a filtered rule).
2. While I somewhat understand the idea, wouldn't it be easier as a company to integrate the application with the existing cycle for installing security updates? How do you install security updates now on other appliances or Linux servers? Are you running this automatically (with a potential huge impact)?

[micoolpaul]

Hi Niels,

Thanks for replying.
1. Potentially an all/security option, but to avoid over complicating this, definitely anything security related.
2. Agreed that companies should integrate into their existing cycles, as a VASP & VCSP I've got a mixture of clients that are managed and deployment only. Especially for those I've only deployed to, it would be nice to give the system some sort of automatic lifecycle with installing security patches automatically, makes it easier to align application patching with the customer's patch cycles, whether monthly, quarterly etc.

The main increased risk are these backup appliances are publicly accessible normally, so prompt patching makes sense. I would suggest that patching would wait for Veeam to be idle when there's no backup jobs scheduled within the next 15/30 minutes as a good time window to patch. Assuming a customer doesn't meet this requirement they'd need to be disabling jobs for a maintenance window anyway and wouldn't benefit from automatic patching.

[Vitaliy S.]

Hi Michael,

Let me chime into the discussion.

While we can definitely have an option to install security updates to our product, I'm not sure how it would work for 3rd party packages or the Ubuntu image itself. Ideally, the component updates should be handled by native Ubuntu functionality like Windows machines. Anyway, thanks for the feedback, good food for thought.

Thanks!

[micoolpaul]

Hi Vitaliy,

Welcome to the discussion!

As this comes as part of the complete image, I believe that most users will be expected to not touch the underlying OS to avoid breaking it or ending up in unsupported territory. So if I can clarify something please, did you mean that Veeam could potentially look to leverage native Ubuntu functionality, or pass this onto us sysadmins to implement?

Thanks!

[nielsengelen]

This is what I was asking about and suggesting to potentially look into for future releases. To me, it makes more sense to integrate the appliance in the regular security update cycle compared to Veeam doing it automatically (and what if there is a faulty update and things go wrong in the worst way ). That is why I was wondering which systems you have in place now to maintain and install updates at your customers.

[micoolpaul]

Thanks for clarifying Niels!

Most of my customer install base is Windows so I'm sure others could have better insights, I've historically used unattended-upgrades (https://wiki.debian.org/UnattendedUpgra ... d_Upgrades) for self-maintaining systems combined and either monitoring configured on the device if it's a basic system or for production combined with an RMM platform that provides monitoring. I've heard of Ubuntu Livepatch achieving similar results, it's included in Ubuntu Pro & Ubuntu Advantage, so unless Veeam have some agreement with Ubuntu that would enable the use of this, that could be cost-prohibitive to implement.

Realistically if Veeam is backing itself up then that mitigates most risk, and then it's no different to a manual patch installation going wrong, sometimes these problems just happen! If someone is overly concerned they could opt-out of automatic patching.

[nielsengelen]

Thank you for the feedback! We will look into this idea for sure for our future plans.