Linux - Software - Apply Updates With Exceptions File

Apply selective Linux updates by excluding specified packages from installation

Worklet Details

What the update exceptions enforcer does

This Automox Worklet™ applies software updates to Linux endpoints while excluding specified packages defined in an exceptions file. The Worklet reads a list of package names from a payload file you provide, then applies all available updates except those listed.

The Worklet automatically detects whether the endpoint runs a Debian-based distribution (using apt) or a Red Hat-based distribution (using yum), then applies the appropriate update mechanism. The script works across major Linux distributions including Ubuntu, Debian, CentOS, AlmaLinux, Rocky Linux, Fedora, Amazon Linux, Oracle Linux, and CloudLinux.

Why exclude packages from updates

Some packages require careful change management and should not update automatically. Critical packages like kernels, databases, or custom configurations may need testing in staging environments before production deployment. Excluding these packages lets you maintain a comprehensive patch schedule while protecting mission-critical systems.

This approach reduces endpoint vulnerability exposure while giving your team control over when and how certain packages are updated. It balances security (the majority of patches apply automatically) against operational safety (critical packages stay at known-good versions).

How update exclusion works

  1. Evaluation phase: The Worklet detects the Linux distribution by reading /etc/os-release and determines whether to use apt or yum as the package manager.

  2. Remediation phase: The Worklet reads the exceptions file line-by-line to build a list of packages to exclude, then applies all available updates except those matching the exclusion patterns. For apt-based systems, it uses apt-mark hold to temporarily lock excluded packages during the upgrade, then removes those holds. For yum-based systems, it passes --exclude flags for each package.
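The two phases above, written out as an added example in POSIX shell; this is not the Worklet's own script. It assumes the same `FILE` and `MODE` variables the Worklet documents, with `MODE` defaulting to `test` here for safety, that `/etc/os-release` identifies the distribution through `ID` and `ID_LIKE`, and that the exceptions file holds one package name (or, for yum, one glob pattern) per line with optional `#` comments. An unreadable exceptions file makes the script refuse to update anything rather than falling back to updating everything, and apt holds are released even when the upgrade fails so they cannot leak into later runs.

```shell
#!/bin/sh
# Added example, not the Automox Worklet's own code: reads an exceptions file,
# picks apt or yum from /etc/os-release and updates everything not listed.
# MODE=test prints the plan; MODE=prod applies it (run as root).
set -u   # unset variables are bugs
set -f   # never glob-expand package patterns such as kernel*

MODE="${MODE:-test}"            # 'test' (dry run) or 'prod' (apply updates)
FILE="${FILE:-exclusions.txt}"  # assumed default path; one package per line

# Print the package names in an exceptions file, one per line. '#' comments,
# blank lines and surrounding whitespace are dropped; an unreadable file fails.
read_exceptions() {
    [ -r "$1" ] || return 1
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$' || true
}

# Classify the package manager from ID and ID_LIKE in an os-release file.
detect_pkg_manager() {
    osr="${1:-/etc/os-release}"
    [ -r "$osr" ] || { echo unknown; return 0; }
    ids=$(sed -n -e 's/^ID=//p' -e 's/^ID_LIKE=//p' "$osr" | tr -d '"' | tr '\n' ' ')
    case " $ids " in
        *debian*|*ubuntu*)               echo apt ;;
        *rhel*|*fedora*|*centos*|*amzn*) echo yum ;;
        *)                               echo unknown ;;
    esac
}

# yum takes one --exclude=<name-or-glob> per excluded package.
yum_exclude_args() {
    read_exceptions "$1" | sed 's/^/--exclude=/' | tr '\n' ' ' | sed 's/ $//'
}

# Apply (or, in test mode, describe) updates for everything not excluded.
# Returns non-zero when nothing was updated so the Worklet reports failure.
apply_updates() {
    mgr="$1"; file="$2"; mode="$3"
    # An unreadable exceptions file must never degrade into "update everything".
    pkgs=$(read_exceptions "$file") || { echo "cannot read exceptions file: $file" >&2; return 2; }
    list=$(printf '%s' "$pkgs" | tr '\n' ' ')
    echo "Excluded packages: $list"
    case "$mgr" in
        apt)
            if [ "$mode" = prod ]; then
                apt-get -q update || return $?
                # Hold first, upgrade, then unhold even if the upgrade failed, so
                # holds never leak into later runs and silently freeze packages.
                for p in $pkgs; do apt-mark hold "$p" >/dev/null; done
                DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
                rc=$?
                for p in $pkgs; do apt-mark unhold "$p" >/dev/null; done
                return $rc
            fi
            echo "[test] would run: apt-mark hold $list; apt-get -y upgrade; apt-mark unhold $list"
            # Simulated upgrade list with the exclusions filtered out (exact names only).
            command -v apt-get >/dev/null 2>&1 && apt-get -s upgrade 2>/dev/null |
                awk -v ex=" $list " '/^Inst / && index(ex, " " $2 " ") == 0 { print "[test] would update:", $2 }'
            return 0 ;;
        yum)
            excl=$(yum_exclude_args "$file")
            if [ "$mode" = prod ]; then
                yum -y update $excl   # $excl is intentionally word-split
                return $?
            fi
            echo "[test] would run: yum -y update $excl"
            command -v yum >/dev/null 2>&1 && yum -q check-update $excl 2>/dev/null || true
            return 0 ;;
        *)
            echo "unsupported distribution ($mgr); no updates applied" >&2
            return 3 ;;
    esac
}

# Entry point: real /etc/os-release, $FILE and $MODE taken from the environment.
apply_updates "$(detect_pkg_manager)" "$FILE" "$MODE"
```

Run it once with `MODE=test FILE=/path/to/exclusions.txt` and compare the "would update" lines against your exclusion list before switching to `MODE=prod`. Note that `apt-mark hold` only accepts exact package names, so glob patterns in the exceptions file are honoured by yum but not by apt.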

Update exceptions requirements

  • Supported distributions: Ubuntu, Debian, CentOS, AlmaLinux, Rocky Linux, Amazon Linux, Fedora, Oracle Linux, and CloudLinux

  • Payload file required: A text file containing package names or patterns to exclude, one per line

  • File path configuration: The Worklet looks for exclusions.txt in the current directory by default; you can modify the FILE variable to specify a different path

  • Root or sudo privileges: The endpoint must have permission to run package manager commands

  • Mode configuration: Set MODE to 'test' for a dry-run that displays which packages would update without applying changes, or 'prod' for live updates

Expected update behavior after remediation

When the Worklet runs, it outputs the list of excluded packages before applying updates. All available updates for packages not in the exclusions file install immediately. Excluded packages remain at their current versions regardless of available updates.

The endpoint completes the update process more quickly than a full update would, since fewer packages are installed. In test mode, the Worklet displays which updates would be applied without making any changes, allowing you to verify the exclusion list works as intended before enabling production updates.

How to validate apply updates with exceptions file changes

  1. Run this Worklet on a pilot Linux endpoint and review the evaluation output for the apply updates with exceptions file Worklet.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to the evaluation script's logic, such as its exit code.

  4. Validate the remediation effects of the script's operations (its functions and the test and prod modes), then rerun the evaluation to confirm compliance.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
