Ubuntu Linux Hardened Repository - "Patching" best practices?

[ssafar]

Hello,
We recently deployed our first Linux Immutable Hardened Backup repository, with help from a certified Veeam partner. This box has been hardened / secured using a lot of tips or other information we found on Veeam forum posts & KB articles.

My question is, what are others doing (those who are also running or utilizing Linux Hardened Backup Repo's), as far as on-going patching / maintenance goes, to their Linux repository machines? We typically patch most of our critical systems on a quarterly basis, but with most other systems we have means of easily backing them up prior to doing so (i.e. - VM snapshots, etc...), in case one of the patches or updates that are installed causes a particular system to go south if you will. We were given the commands or instructions to use on our Linux Backup Repository ("sudo apt-get update" & "sudo apt-get upgrade") to perform updates on it, but I'm hesitant to do so given my overall knowledge and proficiency of working with or supporting Ubuntu Linux systems. Is it necessary to patch these Hardened Linux Repositories as often, given they're already "Hardened"? As previously mentioned, I'd be curious to know what others are doing as far as on-going patching or maintenance is concerned with their Hardened Linux Repositories.

Thanks in advance!!!

[Gostev]

Hello, you're very much unlikely to get into any sort of trouble from patching your hardened repository with "sudo apt-get update" & "sudo apt-get upgrade". Once hardened repository has been deployed, it runs very little of fairly basic code which is extremely unlikely to be affected by the OS updates in any way. Thank you

[mkretzer]

I find auto-updating such servers a must. You can never know which kernel bug might make a server a target even with very few to no open ports. But perhaps i am paranoid (we simply auto-update ALL our ~900 Linux servers with no issues at all in the last years). The main problem is to find the right time for auto-rebooting the hosts after upgrade by unattended-upgrades. But you can schedule times in which Veeam should not transfer anything, Linux auto-updates really reboot at the time you tell them to - not like windows auto-updates which sometimes seem to take the value as a "suggestion" .