updates are a bless (fixes to problems, keep system secure from hackerz) but also a curse (it might break things)
on systems that follow the UNIX K.I.S.S principle, they should “just work”, to the extreme of (kernel) live patching (currently costs 500 bucks a year for ONE instance!)
timely updates for found security problems are critical.
semi-manual system update method:
there shall be a /script/update.sh which shall be run daily on times with little or no load to the system:
- incremental backup/snapshot before update
- perform the update
- perform a reboot (optional but probably wise to run the latest kernel)
- test “all” critical functionalities according to a pre-prepared list X-D
- does it boot -> no -> revert snapshot/restore backup
- is it possible to login -> no -> revert snapshot/restore backup
- does it still do task x -> no -> revert snapshot/restore backup
- …
crontab:
lsb_release -a; # tested Description: Debian GNU/Linux 11 (bullseye) su - root crontab -e; # will run the update process every night at 3:00 am 0 3 * * * /scripts/update.sh
update script:
vim /scripts/update.sh #!/bin/bash echo "=== attempting automatic daily update on $(date '+%Y-%m-%d-%H:%M:%S') ===" | tee -a /scripts/update.sh.log apt update 2>&1 | tee -a /scripts/update.sh.log apt -y upgrade 2>&1 | tee -a /scripts/update.sh.log echo "=== automatically removing un-needed packages (and old kernels) ===" # keeping too many old kernel versions might fill up boot partition apt -y autoremove | tee -a /scripts/update.sh.log echo "=== fine ===" | tee -a /scripts/update.sh.log echo "" | tee -a /scripts/update.sh.log
automatic updates?
CAN be also a good solution, if:
- the system is software wise very minimalistic (dedicated to one task only, again UNIX K.I.S.S principle)
- security of the update-servers need to be maximum strong (public internet facing server etc.)
- it is wise to auto-update only minor version of Debian distributions (10.8 -> 10.9)
- upgrade between major versions (Debian 10 -> 11) should be done manually by the administration (they often work, but in comparison to complete re-install are a very very risky business)
- thus: definitely BACKUP (OR BETTER SNAPSHOT) BEFORE MAJOR RELEASE UPGRADES! (DIST UPGRADE!)
- also dist upgrades usually will prompt the user to review and accept or discard changes to system config files manually, so a complete automation is not (yet?) possible there
if those requirements are not met, go with semi-manual method:
- backup
- update
- test
- restore or keep
Also: it is wise to a have a test-test-system (as identical as possible to production) and test things out there, before applying it to production.
plus a list of test-cases that the test-system needs to meet, after updates were applied, so the system is guranteed to be in an “quality tested” state and very likely meet the functional requirements of production.
“Debian takes security very seriously.”
- “We handle all security problems brought to our attention and ensure that they are corrected within a reasonable timeframe.”
- “Many advisories are coordinated with other free software vendors and are published the same day a vulnerability is made public”
- “and we also have a Security Audit team that reviews the archive looking for new or unfixed security bugs.”
- “Experience has shown that
security through obscurity
does not work.” - “Public disclosure allows for more rapid and better solutions to security problems.”
- “In that vein, this page addresses Debian’s status with respect to various known security holes, which could potentially affect Debian.”
- “Debian also participates in security standardization efforts:
- the Debian Security Advisories are CVE-Compatible (review the cross references)
- Debian is represented in the Board of the Open Vulnerability Assessment Language project.
src: https://www.debian.org/security/
Keeping your Debian system secure
“In order to receive the latest Debian security advisories, subscribe to the debian-security-announce mailing list.”
You can use apt to easily get the latest security updates. This requires a line such as
deb http://security.debian.org/debian-security buster/updates main contrib non-free
this is the default setting for /etc/apt/sources.list in
hostnamectl; # tested on
Operating System: Debian GNU/Linux 10 (buster)
Kernel: Linux 4.19.0-17-amd64
Architecture: x86-64
# how to update
su - root apt-get update && apt-get upgrade
to download and apply the pending updates. The security archive is signed with the normal Debian archive signing keys.
For more information about security issues in Debian, please refer to the Security Team FAQ and a manual called Securing Debian.
apt-transport-https obsolete as apt can do https
requirement: /etc/apt/sources.list http -> https
no need to install apt-transport-https manually anymore, as it is “a dummy transitional package – https support has been moved into the apt package in 1.5. It can be safely removed”
IF (!!!) https is used in /etc/apt/sources.list (src)
which can be search & replaced like this in vim:
su - root vim /etc/apt/sources.list :%s/http:/https:/g
apt show -a apt-transport-https Package: apt-transport-https Version: 1.8.2.3 Priority: optional Section: oldlibs Source: apt Maintainer: APT Development Team <deity@lists.debian.org> Installed-Size: 156 kB Depends: apt (>= 1.5~alpha4) Tag: role::shared-lib Download-Size: 149 kB APT-Manual-Installed: yes APT-Sources: http://ftp.halifax.rwth-aachen.de/debian buster/main amd64 Packages Description: transitional package for https support This is a dummy transitional package - https support has been moved into the apt package in 1.5. It can be safely removed. Package: apt-transport-https Version: 1.8.2.2 Priority: optional Section: admin Source: apt Maintainer: APT Development Team <deity ÄT lists DOTTTT debian DOTT org> Installed-Size: 156 kB Depends: apt (>= 1.5~alpha4) Download-Size: 149 kB APT-Sources: http://security.debian.org/debian-security buster/updates/main amd64 Packages Description: transitional package for https support This is a dummy transitional package - https support has been moved into the apt package in 1.5. It can be safely removed.
liked this article?
- only together we can create a truly free world
- plz support dwaves to keep it up & running!
- (yes the info on the internet is (mostly) free but beer is still not free (still have to work on that))
- really really hate advertisement
- contribute: whenever a solution was found, blog about it for others to find!
- talk about, recommend & link to this blog and articles
- thanks to all who contribute!
