Linux - Software - Report Available Package Updates

What the Package Update Reporter does

This Automox Worklet™ scans Linux endpoints for available package updates and creates a detailed report. The Worklet identifies your package manager and queries for upgradeable packages, then formats the results into a structured CSV file stored at /var/log/amagent/available_package_updates.csv.

The report includes package names, new version numbers, and repository sources for each available update. This information also appears in the Automox Activity Log for centralized visibility. By default, the Worklet only reports updates without applying them, giving you full control over when upgrades occur.

You can optionally configure the Worklet to perform automatic upgrades by setting the complete_upgrade variable to 1, which triggers apt upgrade or yum update after generating the report.

Why track available package updates

Maintaining visibility into pending updates across your Linux infrastructure helps you plan maintenance windows and prioritize critical security patches. Without centralized reporting, administrators must connect to individual endpoints to check update status, creating blind spots in patch management.

This Worklet provides a consistent view of update availability across endpoints running different Linux distributions. The CSV output enables integration with other monitoring tools and reporting systems. You can schedule the Worklet to run regularly and generate update inventories without disrupting production systems.

The optional upgrade capability allows you to use the same Worklet for both reporting and patching scenarios, controlled by a single configuration variable.

How package update reporting works

1. Evaluation phase: The Worklet detects the package manager by checking for yum or apt-get commands. It then runs apt list --upgradable (for Debian/Ubuntu) or yum check-update (for RHEL/CentOS) to identify available updates. If any packages require updates, the endpoint is flagged for remediation.

2. Remediation phase: The Worklet queries for upgradeable packages and formats the output into a CSV file at /var/log/amagent/available_package_updates.csv with columns for Package, New-Version, and Repository. If complete_upgrade is set to 1, the Worklet executes apt upgrade -y or yum update -y to apply all available updates.

Package update reporting requirements

• Linux endpoint with apt (Debian/Ubuntu) or yum (RHEL/CentOS/Fedora) package manager

• Write access to /var/log/amagent/ directory for CSV output

• Root or sudo privileges

• Set complete_upgrade=1 in the remediation script to enable automatic updates (optional)

Expected output after package reporting

After successful remediation, a CSV file exists at /var/log/amagent/available_package_updates.csv containing all packages with available updates. You can verify successful execution by checking the CSV file at /var/log/amagent/available_package_updates.csv. The Automox Activity Log displays the same information for centralized visibility.

If you enabled automatic upgrades, the endpoint reflects the updated package versions and the Activity Log shows the upgrade results. You can verify the changes by running the package manager's upgrade check command again, which should show fewer or no available updates.

How to validate report available package updates changes

1. Run this Worklet on a pilot Linux endpoint and review evaluation output for report available package updates.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as function, return, elif.

4. Validate remediation effects from script operations such as function, return, elif, then rerun evaluation for compliance.