timely updates for found security problems are critical.
semi-manual system update method:
there shall be a /script/update.sh which shall be run, by the admin every week or every month on a fixed date manually:
- incremental backup (or even better snapshot) before update
- perform the update
- perform a reboot (as this is usually needed to make changes such as new kernels active)
crontab:
lsb_release -a; # tested Description: Debian GNU/Linux 11 (bullseye) su - root crontab -e; # will run the update process every night at 3:00 am 0 3 * * * /scripts/update.sh
update script:
vim /scripts/update.sh #!/bin/bash echo "=== attempting automatic daily update on $(date '+%Y-%m-%d-%H:%M:%S') ===" | tee -a /scripts/update.sh.log apt update 2>&1 | tee -a /scripts/update.sh.log apt -y upgrade 2>&1 | tee -a /scripts/update.sh.log echo "=== automatically removing un-needed packages (and old kernels) ===" # keeping too many old kernel versions might fill up boot partition apt -y autoremove | tee -a /scripts/update.sh.log echo "=== fine ===" | tee -a /scripts/update.sh.log echo "" | tee -a /scripts/update.sh.log
automatic updates?
CAN be also a good solution, if:
- the system is software wise very minimalistic (dedicated to one task only)
- security of the update-servers need to be maximum strong
- it is probably wise to auto-update only do minor version of Debian distributions (10.8 -> 10.9)
- automatic upgrade between major versions (Debian 10 -> 11) will often work (thanks for that good work) but are risky
- thus: definitely BACKUP (OR BETTER SNAPSHOT) MAJOR RELEASE UPGRADES! (DIST UPGRADE!)
- also dist upgrades usually will prompt the user to review and accept or discard changes to system config files
if those requirements are not met, go with semi-manual method above.
Also: it is wise to a have a non-production test-system plus a list of test-cases that the test-system needs to meet, before applying updates to production-systems.
“Debian takes security very seriously.”
- “We handle all security problems brought to our attention and ensure that they are corrected within a reasonable timeframe.”
- “Many advisories are coordinated with other free software vendors and are published the same day a vulnerability is made public”
- “and we also have a Security Audit team that reviews the archive looking for new or unfixed security bugs.”
- “Experience has shown that
security through obscurity
does not work.” - “Public disclosure allows for more rapid and better solutions to security problems.”
- “In that vein, this page addresses Debian’s status with respect to various known security holes, which could potentially affect Debian.”
- “Debian also participates in security standardization efforts:
- the Debian Security Advisories are CVE-Compatible (review the cross references)
- Debian is represented in the Board of the Open Vulnerability Assessment Language project.
src: https://www.debian.org/security/
Keeping your Debian system secure
“In order to receive the latest Debian security advisories, subscribe to the debian-security-announce mailing list.”
You can use apt to easily get the latest security updates. This requires a line such as
deb http://security.debian.org/debian-security buster/updates main contrib non-free
this is the default setting for /etc/apt/sources.list in
hostnamectl; # tested on
Operating System: Debian GNU/Linux 10 (buster)
Kernel: Linux 4.19.0-17-amd64
Architecture: x86-64
# how to update
su - root apt-get update && apt-get upgrade
to download and apply the pending updates. The security archive is signed with the normal Debian archive signing keys.
For more information about security issues in Debian, please refer to the Security Team FAQ and a manual called Securing Debian.
apt-transport-https obsolete as apt can do https
requirement: /etc/apt/sources.list http -> https
no need to install apt-transport-https manually anymore, as it is “a dummy transitional package – https support has been moved into the apt package in 1.5. It can be safely removed”
IF (!!!) https is used in /etc/apt/sources.list (src)
which can be search & replaced like this in vim:
su - root vim /etc/apt/sources.list :%s/http:/https:/g
apt show -a apt-transport-https Package: apt-transport-https Version: 1.8.2.3 Priority: optional Section: oldlibs Source: apt Maintainer: APT Development Team <deity@lists.debian.org> Installed-Size: 156 kB Depends: apt (>= 1.5~alpha4) Tag: role::shared-lib Download-Size: 149 kB APT-Manual-Installed: yes APT-Sources: http://ftp.halifax.rwth-aachen.de/debian buster/main amd64 Packages Description: transitional package for https support This is a dummy transitional package - https support has been moved into the apt package in 1.5. It can be safely removed. Package: apt-transport-https Version: 1.8.2.2 Priority: optional Section: admin Source: apt Maintainer: APT Development Team <deity ÄT lists DOTTTT debian DOTT org> Installed-Size: 156 kB Depends: apt (>= 1.5~alpha4) Download-Size: 149 kB APT-Sources: http://security.debian.org/debian-security buster/updates/main amd64 Packages Description: transitional package for https support This is a dummy transitional package - https support has been moved into the apt package in 1.5. It can be safely removed.