Unfortunately, how frequently Linux updates is not a straightforward question with a straightforward answer. Linux and related software get updates when the updates are ready. This can confuse security professionals who are used to companies like Microsoft and Adobe releasing updates on a predefined schedule.
The frequency of open source updates
This can be a tricky area for people unfamiliar with the open source community to navigate. The answer regarding their schedule is there is no schedule. Since this is software written by volunteers, getting them to adhere to a schedule is asking a bit much. When they find a bug, including a security bug, they release a fix when it’s ready. Then the vendor tests, backports if necessary, and releases an updated package.
So it’s not to say Linux systems don’t get updates. They get plenty of updates. The updates just don’t come out on the second Tuesday of every month the way they do from certain other vendors.
And while this makes planning more difficult in theory, in practice there isn’t much of a problem. According to a 2018 study by Kenna Security, when analyzing the vulnerability data provided by their customers, they found 17% of the open unresolved vulnerabilities in their data set was Microsoft related. No single Linux vendor was any higher than 2%. This was in spite of a comparable number of CVEs being disclosed every year for any given Linux vendor versus Microsoft Windows. In the years when fewer CVEs are disclosed for windows then for any given Linux vendor, Microsoft has been known to make a lot of noise about that.
What I recommend is deploying what’s ready when a remediation window is available. Then repeat next month. Yes, that means more lag time than Windows systems have, but in the grand scheme of things, the difference should be negligible unless something else is going on.
Why Linux can be tougher to update than other systems
So don’t worry too much about the frequency of Linux updates. The questions that you need to be asking are whether you see a significant difference in remediation time and other VM metrics between Linux systems and Windows systems, and then if you see a discrepancy, ask why. Do your Linux administrators have comparable tooling to what your windows administrators have? It’s not fair to compare Windows administrators who have SCCM against Linux administrators who have to log into every system and run a command at the console. That is like comparing the productivity of somebody with a power tool against the productivity of someone with hand tools. Granted, I don’t think any Linux administrator will regard SCCM as a high quality power tool, but even a low quality power tool increases productivity above hand tools.
But when both teams have comparable tools, Linux tends to be easier to update. That’s because it has less problem with file contention and fewer of their updates require reboots to take effect.
I run both rolling and static versions of openSUSE. I haven’t had issues with updates, with either, for quite some time. What I do like is that I can choose when I update. The various systems running the rolling version, Tumbleweed, are resilient enough that I can update as frequently or infrequently as necessary. Since most of the vulnerabilities that seem to be discovered are more related to when someone has physical access to the machine, I don’t worry much. I also want to state that I am a very lazy sysadmin and everything I do should be viewed with scrutiny. ?