How do OS security updates work

[sej7278]

Hi!

When I browse to a host e.g. Ubuntu 18/24, I can see:

Security Updates: Automatic updates are not configured

If I install and enable unattended-upgrades then reboot, that switches to this as expected:

Security Updates: Updates are downloaded an installed automatically

But the status always seems to be:

Pending Updates? No

If I run apt update I can see:

21 packages can be upgraded. Run 'apt list --upgradable' to see them.

So does "Pending Updates" not check that, what does it do? Maybe it filters by security?

How does it work on DNF-based distro's like AlmaLinux?

If I don't want to enable automatic updates (most people don't) can I deploy updates via OpenUEM somehow?

I've now disabled and uninstalled unattended-upgrades and rebooted, but the "Security Updates" status still seems to think I have them enabled. How do we force an agent to refresh/check-in with the server?

Looking at /var/log/openuem-agent/openuem-agent.log I see:

openuem-agent: 2025/08/05 14:48:23 [INFO]: new agent job has been scheduled every 60 minutes
openuem-agent: 2025/08/05 14:48:23 [INFO]: new pending ACK job has been scheduled every 5 minutes
openuem-agent: 2025/08/05 14:48:23 [INFO]: new check for Ansible profiles job has been scheduled every 30 minutes

So I guess it does an auto-checkin every 5/30/60 mins?

Update: I added an AlmaLinux 8.10 VM and its showing as "Pending Updates: Yes" which seems correct (just epel-release not a security patch) and I've installed that but it's still showing as pending.

[doncicuto]

Hi @sej7278, thanks for opening this discussion. I'll try to answer your questions

For debian based distributions, to check if security (pending) updates are available, this is used:

apt list --upgradable 2>/dev/null | grep "\-security" | wc -l

For debian based distributions, to check if unattended is used to download and install security updates, this is used:

grep unattended /var/log/apt/history.log | wc -l

For redhat based distributions, to check if security (pending) updates are available, this is used:

dnf check-update --refresh --security | wc -l

For redhat based distributions, to check if unattended is used to download and install security updates, this is used:

/etc/dnf/automatic.conf

If I don't want to enable automatic updates (most people don't) can I deploy updates via OpenUEM somehow?

Right now, no, but once I add the support for apt and dnf repositories you'll be able to trigger the update from OpenUEM's console, I've created an issue for those (#260 and #261)

How do we force an agent to refresh/check-in with the server?

If you want to force the agent to get a new report that will include the change to the unattended upgrade, you can go to the Agents view, click the three dots button for the agent and select Force Report

So I guess it does an auto-checkin every 5/30/60 mins?

Yes, two important timers are used:

• By default, every 60 minutes the agent will report info about the inventory and security state of the machine. You can change that agent frequency (https://openuem.eu/docs/Administration/general-settings) globally or set a different value for each tenant
• By default, every 30 minutes the agent contact with a worker to check if a configuration profile must be applied (with Ansible) to the endpoint. As before, you can change that frequency (https://openuem.eu/docs/Administration/general-settings) globally or set a different value for each tenant

While I've tested the agent for AlmaLinux I may have missed something so feel free to open an issue for that and I'll fix it

I hope that more or less I've answered your questions. If you have more, please don't hesitate to ask. OpenUEM is a WIP so the more feedback I get the better

[sej7278]

ok so you're filtering on security, I don't think i had any security updates pending (although epel-release on alma8 shouldn't be a security package). i'll make a reproducer and post an issue.

I might make a feature request to not have a massive dependency list on the agent e.g. is we have no use for vnc/rdp/flatpak/epel the agent shouldn't install xorg! also not sure why it installs ansible on the agent when it should only be needed on the server.

[doncicuto]

Thanks @sej7278,

Yes, I agree with your comment about dependencies, I'll create different packages with different dependencies as for those not using any remote assistance can see less packages installed.

Ansible. I'm afraid that this is a tricky situation. While you're totally true that Ansible is commonly used to run playbooks from a control machine, OpenUEM agent use Ansible to run playbooks locally (no SSH). The reason to this is that we cannot be sure that a direct connection is ready between the console, the workers and the agents, so in this case Ansible is a dependency. I'm sorry for this inconvenience but this is the current design that allow the agent to apply the playbooks that are sent from the agent worker to the agents

[sej7278]

Maybe make a headless agent variant like openjdk-headless?

Also installing agents from the mgmt server seems popular these days, so you don't need to connect to the internet, probably makes instructions easier too - you could even bundle the certs into a package (or script).

As for Ansible, ok that explains it, but maybe only ansible-core is needed, and again should probably be "install this if you want Ansible support" rather than a dependency for every agent?

[doncicuto]

Yes @sej7278, as OpenUEM is a WIP project, I'd like to thank you for these suggestions.

OpenUEM will have a Wazuh-like, install agent from the management server, but first I've an issue opened to define the storage solution that will be required

I'll check if ansible-core would be enough and of course I'll try to aim for different environments. OpenUEM first releases are aimed for environments with desktops and laptops, so that's why a headless version hasn't been created for agents. Again, the more people know the project the more features are requested to improve it, so thanks a bunch for your time