Lazy admin’s guide to automated updates (Part 1: Debian Linux)

This week's massive SSL security vulnerability showed how important regular security updates for all of our software are. Because – let's face it – today's world is largely powered by software. Software that is written by humans, who make mistakes when writing it. The rule should be: retire it or update it.

As a result of more frequent security vulnerabilities in literally every kind of software in use, most vendors now have much better update mechanisms in place. In this multi-part blog series, I'd like to look at each source of software I'm using and explain how I plan on keeping it updated with minimal effort. I hope this helps my readers to reduce the time they are vulnerable to newly discovered software flaws.

The first part will cover Debian Linux. The reasons why my servers' operating system should have the highest priority are:

  1. Keeping servers running is more important than keeping a single MacBook running.
  2. Debian already has great update mechanisms in place that will make our job easier.

Debian uses a package management tool called apt to distribute compiled versions of almost any software on earth. Only very rarely will you need to add a third-party repository to complement the huge core collection of 50,000+ packages. To get the latest package index, use this command:

[cc lang="bash" width="100%" tab_size="4" lines="40" noborder="1" theme="dawn"]
apt-get update
[/cc]

This will check for updates on Debian's repositories, but doesn't update anything yet. To actually install the latest version of all available packages, you need to run:

[cc lang="bash" width="100%" tab_size="4" lines="40" noborder="1" theme="dawn"]
apt-get -y upgrade
[/cc]

This will download the latest versions and, in most cases, restart the relevant service. As we don't want to keep running these commands manually, I strongly advise you to combine them in a cron job. Personally I run it every 3 hours. This keeps my system vulnerable for a maximum of 3 hours after Debian issues an updated version. For Heartbleed they were exceptionally quick. The full cron job could look like this:

[cc lang="bash" width="100%" tab_size="4" lines="40" noborder="1" theme="dawn"]
20 */3 * * * root apt-get update && apt-get -y upgrade
[/cc]

This covers many scenarios, but yesterday I discovered an issue with this setup: while all servers had the latest updates, they were still vulnerable because Apache and Nginx were still using old OpenSSL libraries. apt-get doesn't restart related services when updating. In interactive mode it will ask you, but in automatic mode this doesn't seem to happen. After some research I found a package called debian-goodies. It includes a script called checkrestart that will tell you which services need restarting, but won't do the actual restart. In his GitHub repo the author has another script named restart-services that takes care of it. You need to install it manually, but together with checkrestart it works.

So here is the full cron job that will also take care of restarts, if the 2 previous commands succeed without errors. I'm still testing the restart-services part, but the first 2 commands have never failed me in 5 or 6 years.

[cc lang="bash" width="100%" tab_size="4" lines="40" noborder="1" theme="dawn"]
20 */3 * * * root apt-get update && apt-get -y upgrade && restart-services
[/cc]
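As an added example (my own script, not code from the original post), here is the same update-then-restart chain packaged as a small wrapper that is a bit safer to run unattended from cron: it tells apt that nobody is there to answer prompts, keeps locally modified config files during the upgrade, only calls restart-services when that script is actually installed, and logs what happened so a failed run is visible in the cron mail. The APT_GET, RESTART_CMD and LOG variables are assumptions made so the functions can be exercised with stand-in commands; on a real host leave them at their defaults. restart-services is assumed to be on PATH after the manual install the post describes.

```shell
#!/bin/sh
# Added example, not the original post's code: unattended apt upgrade plus
# service restart, meant to be installed as /usr/local/sbin/auto-apt-upgrade
# and called from the system crontab as
#   20 */3 * * * root /usr/local/sbin/auto-apt-upgrade run
# APT_GET / RESTART_CMD / LOG are assumptions so the functions can be tested
# with stand-in commands; leave them at their defaults on a real host.

APT_GET="${APT_GET:-apt-get}"
RESTART_CMD="${RESTART_CMD:-restart-services}"   # the author's script, installed by hand
LOG="${LOG:-/var/log/auto-apt-upgrade.log}"

# Append one timestamped line to the log file.
log() {
    printf '%s %s\n' "$(date '+%F %T')" "$*" >>"$LOG"
}

# Refresh the package index and install every available upgrade.
# DEBIAN_FRONTEND=noninteractive stops dpkg from blocking on a question that
# nobody is there to answer; the two Dpkg options keep a locally modified
# config file and otherwise take the package default, so the run never hangs.
run_updates() {
    DEBIAN_FRONTEND=noninteractive "$APT_GET" -q update || return 1
    DEBIAN_FRONTEND=noninteractive "$APT_GET" -q -y \
        -o Dpkg::Options::=--force-confdef \
        -o Dpkg::Options::=--force-confold \
        upgrade || return 1
}

# Restart services that still have old libraries mapped (the Heartbleed case
# from the post: Apache and Nginx kept the old OpenSSL in memory after the
# package itself was upgraded). Returns 2 when the helper is missing so the
# gap shows up in the log instead of silently doing nothing.
restart_if_needed() {
    if command -v "$RESTART_CMD" >/dev/null 2>&1; then
        "$RESTART_CMD"
    else
        log "$RESTART_CMD not found; run checkrestart (debian-goodies) by hand"
        return 2
    fi
}

# Same ordering as the cron line in the post: restarts only happen after a
# successful update and upgrade.
main() {
    if ! run_updates; then
        log "apt-get update/upgrade failed; services not restarted"
        return 1
    fi
    log "upgrade finished"
    restart_if_needed && log "restart-services finished"
}

# Only act when invoked as 'auto-apt-upgrade run', so sourcing the file
# (for example in a test) does not touch the system.
case "${1:-}" in
    run) main ;;
esac
```

The cron entry then becomes a single command, and the exit code of the whole chain is what cron reports, which is the same behaviour as the one-liner above but with a log line saying which step failed.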

Please let me know how you keep your Debian packages up to date and whether there are better ways to restart services.

Next week's post will deal with Python update mechanisms.