Hi everybody,

I have a question about patching Centos (7) servers. How do you decide which patches to apply to the machine? Is there some tool which can help you determine which updates are relevant? Also, there are servers which are e.g connected to the internet vs those which are behind a firewall and are not exposed to any untrusted networks. Is it ok not to patch, or to patch such "internal" servers just with security updates?
I have seen several threads with similar topics, but they all deal more with "how to perform an update" rather than "how to select which updates to apply"?
Of course, the strategy would be to test the updates on test servers first - but I doubt even there you should "update all"... We are using a "minimal" install of Centos and would like it to stay as "minimal" as possible...

What do you think?

By applying knowledge of the system requirements and looking at the nature of the patch.
You could consider filtering yum to only list updates that are marked as security updates and then Google the rest. Somewhere in my server build document I've notes on how to configure yum to get a daily e-mail of security updates.
Depending on your IT security and patching policies yes or no.
"update all" will only update packages that are already on your server (plus their dependencies), so it won't necessarily "grow" your minimal install.

TenTenths, thank you for your answer, it was helpful