LSUS — enterprise software update management (patch management) for Linux and Windows workstations and servers.
A single control point for mixed fleets: Astra Linux, RedOS, ALT, Debian, Ubuntu, AlmaLinux, CentOS Stream, and Windows — with flexible policies, pre-deployment testing, and air-gapped operation.
Testing updates before mass deployment, testing → stable channels, checklists and iterations — minimizing the risk of widespread failures.
From open networks to fully isolated (air-gapped) environments, including offline package import from ISO images.
Edge → Master → Site → clients: updates reach every machine without overloading links. Clients can connect to Master and Site simultaneously.
HTTPS at all levels, RBAC access model (8 roles), LDAP and Kerberos integration, audit log of all actions.
LSUS covers typical enterprise and public-sector landscapes: domestic distributions, popular DEB/RPM families, and Windows. Each OS family gets its own policies, repositories, sources options, and an agent with a native package manager.
Registry and import substitution
DEB and RPM ecosystems
Workstations and servers
The Linux client automatically detects the distribution and applies updates via APT, DNF/YUM, or APT-RPM. Policies, hold lists, schedules, and reports work the same across all OS families.
LSUS solves a key challenge: how to keep the entire fleet updated on time and securely without losing control. Instead of manually updating each server and workstation — a single management point with flexible policies, testing, and smart package delivery.
LSUS lets you create local repositories inside your organization and use them as trusted update sources. Supports direct package import from ISO images for fully isolated environments.
The platform optimizes update delivery to branch offices and protected network segments, reducing link load and speeding up package delivery to clients. Edge → Master → Site model; clients can work with Master and Site simultaneously.
LSUS solves a key organizational challenge: how to keep a mixed Linux and Windows fleet updated on time and securely without losing control. The platform is designed for any network conditions — from open networks to fully isolated (air-gapped) environments, with domestic and global distributions from a single console.
All updates, policies, repositories, and reports — in one web interface. Centralized control over the entire fleet without scattered tools.
Edge → Master → Site: flexible scaling from a single office to a distributed branch network. Clients can connect to Master and Site simultaneously for fault tolerance.
Full operation in closed and internet-isolated environments. Import updates from ISO images, offline deployment via Docker.
HTTPS at all levels, RBAC roles (viewer to admin), LDAP/Kerberos authentication, action audit log, and package signing.
testing/stable channels, testing iterations, checklists, and step-by-step verification. Minimizing the risk of widespread failures.
Only required repositories are replicated. Proxy caching speeds up repeat package delivery and saves bandwidth.
Multi-tier update delivery model: Edge (DMZ) downloads from the internet → Master manages policies → Site caches for branch offices → Clients receive updates. Clients can connect to Master and Site simultaneously.
Perimeter server for downloading updates from the internet and securely publishing them to clients without direct access to the internal network. Antivirus scanning, APT/DNF mirrors.
Control center: policies, repository catalog, OVAL sources, users, and RBAC. Administrator web interface, API, reports. Clients can connect directly.
Local update cache, proxy caching, and smart replication of required repositories for branch offices. Reduces load on Master and network links. Clients can work with Master and Site simultaneously.
Native agents for Linux (Astra, RedOS, ALT, Debian, Ubuntu, Kubuntu, AlmaLinux, CentOS Stream) and Windows. Each agent runs as a system service: registers the machine, receives policies, checks for updates, and applies them strictly on schedule.
System service (systemd + D-Bus). Auto-registration, policies, and installation via APT, DNF/YUM, or APT-RPM — depending on the distribution. Dry-run, LVM snapshots (Astra), hold lists.
Windows Service on .NET. Scanning via Windows Update API and wsusscn2.cab (offline), MSU package installation via WUSA. Pending reboot and agent auto-update support.
PyQt5 graphical shell. System tray icon, update scheduling window, notifications. Connects to the lsus-client service via D-Bus.
USB event monitoring service on Linux hosts. Tracks connections via udev, creates access rules, sends events to the Master server.
LSUS uses public security descriptions and helps match them against installed packages and available updates. Designed for analyzing package and update composition using open data.
OVAL data source for the ALT Linux ecosystem. Recommended for ALT-based infrastructures.
Public Debian Security OVAL descriptions for matching packages and security updates.
Official Red Hat OVAL data for RHEL-compatible package analysis and advisory scenarios.
Public Canonical OVAL metadata for Ubuntu and matching installed packages to advisories.
Open SUSE OVAL descriptions for working with package updates and package status.
Official Oracle Linux OVAL data for package analysis and available security updates.
Screenshots of Master, Site, and Edge web interfaces. Select a server, then a category. Click a card for full-screen view.
Brief answers for administrators and information security specialists
LSUS (Linux System Update Server) is a Russian patch management platform. It centralizes checking, testing, and installing updates across Linux and Windows fleets: instead of manually visiting servers and workstations, the administrator sets policies, repositories, and schedules from the Master web console.
Astra Linux, RedOS, ALT Linux, Debian, Ubuntu, Kubuntu, AlmaLinux, CentOS Stream, and Windows. The Linux agent works via APT, DNF/YUM, or APT-RPM; Windows uses a .NET agent with Windows Update API and offline KB catalog.
Yes. LSUS is built for On-Prem and closed environments: local repositories, ISO package import, Edge server in the DMZ, Site replication, offline wsusscn2.cab for Windows. Updates are delivered without direct client internet access.
Zoho Endpoint Central is a mature general-purpose UEM product (including macOS, mobile devices, and third-party app catalogs), focused on cloud and the international market. LSUS is a specialized patch management platform built for controlled updates in Russian enterprise and isolated environments.
| Criterion | Zoho ME Endpoint Central | LSUS |
|---|---|---|
| Focus | UEM + patch management | Centralized OS and package update management |
| Russian stack | No | Native support for Astra, Red OS, ALT Linux |
| Offline / critical infrastructure | Limited | Key scenario: local repos, ISO, wsusscn2.cab |
| Pre-production testing | Test & Approve, auto-approval | Testing module: areas, teams, checklists, testing → stable |
| Architecture | Central server + agents | Master / Site / Edge for branch offices and DMZ + agents |
| Deployment | On-prem and Cloud SaaS | On-prem only (Docker / packages), full control |
LSUS is stronger when the priority is controlled patch management in a Russian environment (mixed fleet, critical infrastructure, offline, distributed infrastructure, import substitution). In essence, LSUS is closer to WSUS/SCCM + local repositories + compliance, adapted for the Russian stack.
The platform uses HTTPS at all levels (agents, Site, Edge, Master). Console access is protected against brute-force (lockout after 5 attempts in 15 minutes); authentication via LDAP/LDAPS and Kerberos SSO is supported. A detailed role-based model (RBAC) and full action audit (log, REST API, export) are implemented. SIEM integration via API or external log forwarding (native syslog/CEF on the roadmap).
Fault tolerance is achieved through distributed architecture: when the Site server is unavailable, clients can automatically fail over to Master. Remote clients and NAC VLAN use an Edge server in the DMZ. If a client was disconnected, after connectivity returns the agent catches up on the update backlog in the next allowed installation window.
Yes. The computer program "LSUS (Linux System Update Server)" is registered with Rospatent, certificate No. 2026615730 dated 27.02.2026.
Contact us for demo access, deployment cost estimates, or technical consultation. We will run an online demo, answer your questions, and help choose a configuration for your needs.
We provide demo access to a test environment, help with pilot deployment, and recommend an optimal architecture for your organization's infrastructure.
LSUS