The issue you're experiencing is likely related to how Patch Manager handles patch approval for Ubuntu Server. For Ubuntu Server operating systems, auto-approval options are not supported because it's not possible to reliably determine the release dates of update packages. This is a known limitation specific to Ubuntu Server.
When you create a custom patch baseline for Ubuntu, you need to explicitly approve patches rather than relying on auto-approval rules. If your patch baseline doesn't have explicitly approved patches listed, Patch Manager won't report any patches as missing or approved for installation, even though apt detects upgradeable packages on your system.
To resolve this issue, you should:
- Remove any auto-approval rules from your custom Ubuntu patch baseline, as they won't function for Ubuntu Server
- Explicitly add the specific patches you want to approve in the approved patches list of your baseline
- Ensure that the patches you're approving match the packages that apt is detecting as upgradeable
Remember that a patch will only be installed on a managed node if it applies to the software on that node and has been explicitly approved in your patch baseline. The rejected list will override any approvals, so make sure you haven't inadvertently rejected the patches you're trying to install.
If you need to install specific packages, you must list them individually in the approved patches section of your custom patch baseline rather than relying on automatic approval mechanisms.
Sources
Creating a custom patch baseline for Linux - AWS Systems Manager
Predefined and custom patch baselines - AWS Systems Manager
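The comparison the answer describes, between what apt reports as upgradeable and what the baseline explicitly approves or rejects, as an added example that is not part of the original answer. The apt output and the baseline lists are constructed samples, the function names are hypothetical, and the lists are assumed to hold exact package names with no wildcards:

```python
import re

# Constructed sample of `apt list --upgradable` output (not from the original post).
SAMPLE_APT_OUTPUT = """\
Listing... Done
libssl3/jammy-updates,jammy-security 3.0.2-0ubuntu1.18 amd64 [upgradable from: 3.0.2-0ubuntu1.15]
openssl/jammy-updates,jammy-security 3.0.2-0ubuntu1.18 amd64 [upgradable from: 3.0.2-0ubuntu1.15]
curl/jammy-updates 7.81.0-1ubuntu1.20 amd64 [upgradable from: 7.81.0-1ubuntu1.16]
linux-image-generic/jammy-updates 5.15.0.130.128 amd64 [upgradable from: 5.15.0.119.119]
"""

# name/suite[,suite...] new-version arch [upgradable from: old-version]
LINE = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9+.\-]*)/(?P<suites>\S+) (?P<ver>\S+) \S+ "
    r"\[upgradable from: [^\]]+\]$"
)


def parse_upgradable(text):
    """Return {package_name: (suites, new_version)} for each upgradeable package."""
    pkgs = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # skips the "Listing... Done" header and blank lines
            pkgs[m["name"]] = (m["suites"].split(","), m["ver"])
    return pkgs


def plan_baseline(upgradable, approved, rejected):
    """Compare apt's view with the baseline's approved and rejected lists."""
    names, approved, rejected = set(upgradable), set(approved), set(rejected)
    return {
        # Upgradeable but not approved: Patch Manager will not install these.
        "add_to_approved": sorted(names - approved - rejected),
        # Rejected overrides approved, so these stay uninstalled either way.
        "blocked_by_rejected": sorted(names & rejected),
        # Approved entries that match nothing apt currently offers.
        "approved_not_upgradable": sorted(approved - names),
    }


if __name__ == "__main__":
    plan = plan_baseline(
        parse_upgradable(SAMPLE_APT_OUTPUT),
        approved=["openssl", "nginx"],        # constructed baseline contents
        rejected=["linux-image-generic"],
    )
    for key, value in plan.items():
        print(f"{key}: {value}")
```
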
