Automated security updates in Debian

Subscribing to the security mailing lists is a must for every sysadmin, but who has the stamina and the determination to actually read them, and then analyze the impact of both the threat and the proposed fix?

A more casual user with no life-or-death-critical servers would happily settle for a solution that would download and install the security patches automatically. As always in Linux, there is more than one way of achieving this.

cron-apt works for me.

Most of this article is based on a wonderful post here.

Warning: many experienced sysadmins will warn you against installing anything automatically: things could go horribly wrong and you won’t be there  to make a decision. The way I look at it is simple: assuming I am there, how likely am I to choose “no” and go investigate, as opposed to following the default suggestions and hoping that things will be fine?

Software updates (as opposed to security updates ) can be trickier, so I am writing about automating security updates only.

Here is what you do:

1. apt-get install cron-apt   – cron-apt is the package that will get executed by cron on a regular basis (the default is 4:00 AM daily) and run apt with your pre-selected options

2.  Edit /etc/apt/cron-apt/config    Make the following changes:

# MAILTO=”root”
to
MAILTO=”myemailaddress@myisp.com”

Change
#MAILON=”error”
to
MAILON=”upgrade”

Now, this is the important part. Find this line
# OPTIONS=”-q -o Dir::Etc::SourceList=/etc/apt/security.sources.list”
and change it to:

OPTIONS=”-q -o Dir::Etc::SourceList=/etc/apt/security.sources.list”

3.  The easiest way to create security.sources.list is to copy your existing sources.list

cp /etc/apt/sources.list /etc/apt/security.sources.list

and then delete or comment out everything but the security repositories. Now its contents are something like this:

deb http://security.debian.org/ etch/updates main
deb-src http://security.debian.org/ etch/updates main

4.  edit /etc/cron-apt/action.d/3-download so that cron-apt downloads & installs upgrades. Otherwise it’ll just download the updates and you’ll need to install them yourself. The default command is both too greedy (dist-upgrade is not intended for minor upgrades like security patches – it’s for things like migrating from Etch to Lenny) and to tame ( -d will download the upgrades but not install them). So, replace
dist-upgrade -d -y
with
upgrade -u -y

5.  You are DONE. If everything went right, next time there is a security patch it will be applied automatically and yu will receive an email notification. Oh, and do make sure it works before you let the complacency settle in 😉

Advertisements

About this entry