Automated security updates in Debian
Subscribing to the security mailing lists is a must for every sysadmin, but who has the stamina and the determination to actually read them, and then analyze the impact of both the threat and the proposed fix?
A more casual user with no life-or-death-critical servers would happily settle for a solution that would download and install the security patches automatically. As always in Linux, there is more than one way of achieving this.
cron-apt works for me.
Most of this article is based on a wonderful post here.
Warning: many experienced sysadmins will warn you against installing anything automatically: things could go horribly wrong and you won’t be there to make a decision. The way I look at it is simple: assuming I am there, how likely am I to choose “no” and go investigate, as opposed to following the default suggestions and hoping that things will be fine?
Software updates (as opposed to security updates ) can be trickier, so I am writing about automating security updates only.
Here is what you do:
1. apt-get install cron-apt – cron-apt is the package that will get executed by cron on a regular basis (the default is 4:00 AM daily) and run apt with your pre-selected options
2. Edit /etc/apt/cron-apt/config and make the following changes:
# MAILTO="root"
to
MAILTO="myemailaddress@myisp.com"
Change
#MAILON="error"
to
MAILON="upgrade"
Now, this is the important part. Find this line
# OPTIONS="-q -o Dir::Etc::SourceList=/etc/apt/security.sources.list"
and change it to:
OPTIONS="-q -o Dir::Etc::SourceList=/etc/apt/security.sources.list"
3. The easiest way to create security.sources.list is to copy your existing sources.list
cp /etc/apt/sources.list /etc/apt/security.sources.list
and then delete or comment out everything but the security repositories. Now its contents are something like this:
deb http://security.debian.org/ etch/updates main
deb-src http://security.debian.org/ etch/updates main
4. Edit /etc/cron-apt/action.d/3-download so that cron-apt downloads and installs upgrades. Otherwise it'll just download the updates and you'll need to install them yourself. The default command is both too greedy (dist-upgrade is not intended for minor upgrades like security patches; it's for things like migrating from Etch to Lenny) and too tame (-d will download the upgrades but not install them). So, replace
dist-upgrade -d -y
with
upgrade -u -y
5. You are DONE. If everything went right, next time there is a security patch it will be applied automatically and you will receive an email notification. Oh, and do make sure it works before you let the complacency settle in 😉
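If you want steps 2 to 4 to be repeatable and checkable rather than hand-edited, here is an added example (my own shell helpers, not from the original post and not part of cron-apt): it derives security.sources.list from a sources.list by commenting out the non-security lines, rewrites the action file, and verifies the resulting config. The function names and the sample sources.list are constructed for illustration; point it at copies of your files before touching /etc.

```shell
#!/bin/sh
# Added example helpers for the cron-apt setup above (not from the post
# or from cron-apt). Paths are passed as arguments so the functions can
# be tried on copies; the sample sources.list at the bottom is constructed.

# Print a sources.list with every non-security repository line commented
# out. Comments and blank lines pass through; security.debian.org lines
# are kept as they are. Usage: filter_security_sources <sources.list>
filter_security_sources() {
    sed -e '/^[[:space:]]*#/b' -e '/^[[:space:]]*$/b' \
        -e '/security\.debian\.org/b' \
        -e 's/^/# /' "$1"
}

# Count active (uncommented) deb/deb-src lines. Usage: count_active <file>
count_active() {
    grep '^deb' "$1" | wc -l | tr -d ' '
}

# Print the action file with "dist-upgrade -d -y" (download only) replaced
# by "upgrade -u -y" (download and install). Usage: rewrite_action <file>
rewrite_action() {
    sed 's/^dist-upgrade -d -y/upgrade -u -y/' "$1"
}

# Return 0 only if the action file no longer dist-upgrades and does run
# "upgrade -u -y". Usage: check_action <file>
check_action() {
    if grep -q '^dist-upgrade' "$1"; then return 1; fi
    grep -q '^upgrade -u -y' "$1"
}

# Return 0 only if the cron-apt config mails on upgrade and points apt at
# security.sources.list. The file is shell syntax (cron-apt sources it),
# so it is sourced here in a subshell. Usage: check_config <file>
check_config() {
    ( . "$1" || exit 1
      [ "$MAILON" = "upgrade" ] || exit 1
      case "$OPTIONS" in
          *Dir::Etc::SourceList=/etc/apt/security.sources.list*) exit 0 ;;
      esac
      exit 1 )
}

# Constructed sample sources.list for an etch box (not a real host's file).
SAMPLE_SOURCES='deb http://ftp.debian.org/debian/ etch main
deb-src http://ftp.debian.org/debian/ etch main
deb http://security.debian.org/ etch/updates main
deb-src http://security.debian.org/ etch/updates main'
```

Running `filter_security_sources` on the sample leaves only the two security.debian.org lines active, which is what security.sources.list should look like.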