-
Notifications
You must be signed in to change notification settings - Fork 9
/
debian-security-update
204 lines (171 loc) · 7.3 KB
/
debian-security-update
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
http://serverfault.com/questions/22324/should-i-have-to-enable-automatic-update-on-debian-lenny-stable
=============================
head -37 /etc/cron.daily/apt
# "APT::Periodic::Unattended-Upgrade"
# - Run the "unattended-upgrade" security upgrade script
# every n-days (0=disabled)
# Requires the package "unattended-upgrades" and will write
# a log in /var/log/unattended-upgrades
http://www.debian.org/doc/manuals/reference/ch02.en.html
sudo aptitude install unattended-upgrades
less /usr/share/doc/unattended-upgrades/README
cat >> /etc/apt/apt.conf
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
cat >> /etc/apt/apt.conf.d/50periodic
Unattended-Upgrade::Mail "[email protected]";
/var/log/unattended-upgrades/
This script can install security upgrades automatically and
unattended. It will not install packages that require dependencies
that can't be fetched from security and it will check for conffile
prompts before the install and holds back the package that creates
them.
=============================
http://www.steve.org.uk/Software/debian-updates/
--- cok eski calismiyor
"debian-updates" is a simple Perl script which is designed to warn you of any packages you have installed upon your Debian hosts which need upgrading after being featured in a Debian Security Advisory.
Since the script works by querying the remote Debian security advisories itrequires connection to the internet to be present while it executes.
It should run quite happily from a cronjob, sending an email to a defined user whenever a vulnerable package needs upgrading.
==================
http://www.debian.org/doc/developers-reference/pkgs.html#bug-security-building
When an update is made to the stable release, care must be taken to avoid changing system behavior or introducing new bugs. In order to do this, make as few changes as possible to fix the bug. Users and administrators rely on the exact behavior of a release once it is made, so any change that is made might break someone's system. This is especially true of libraries: make sure you never change the API or ABI, no matter how small the change.
This means that moving to a new upstream version is not a good solution. Instead, the relevant changes should be back-ported to the version present in the current stable Debian release. Generally, upstream maintainers are willing to help if needed. If not, the Debian security team may be able to help.
In some cases, it is not possible to back-port a security fix, for example when large amounts of source code need to be modified or rewritten. If this happens, it may be necessary to move to a new upstream version. However, this is only done in extreme situations, and you must always coordinate that with the security team beforehand.
==========================
dpkg-scanpackages, dpkg-scansources
http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s-security-update
=======================
http://forums.debian.net/viewtopic.php?f=16&t=4778
cp -f /etc/apt/sources.list.securityonly /etc/apt/sources.list
aptitude update
aptitude -y upgrade
cp -f /etc/apt/sources.list.full /etc/apt/sources.list
====================
https://wiki.ubuntu.com/AutomaticUpdates
The policy should include:
* don't prompt
* do the right thing if debconf is set to non-interactive
* no changed conffiles (if not *absolutely* required)
https://help.ubuntu.com/8.10/serverguide/C/automatic-updates.html
sudo apt-get install unattended-upgrades
vi /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
"Ubuntu intrepid-security";
// "Ubuntu intrepid-updates";
};
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
view /var/log/unattended-upgrades
Another useful package is apticron. apticron will configure a cron job to email an administrator information about any packages on the system that need updated as well as a summary of changes in each package.
sudo apt-get install apticron
vi /etc/apticron/apticron.conf
EMAIL="[email protected]"
https://help.ubuntu.com/community/AutomaticSecurityUpdates
-----------------------
Using apt.conf.d
vi /etc/apt/apt.conf.d/10periodic
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
vi /etc/apt/apt.conf.d/50unattended-upgrades
// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
"Ubuntu karmic-security";
};
// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. The package 'mailx'
// must be installed or anything that provides /usr/bin/mail.
//Unattended-Upgrade::Mail "root@localhost";
// Automatically reboot *WITHOUT CONFIRMATION* if a
// the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";
-----------------
Using cron
sudo vi /etc/cron.weekly/apt-security-updates
<---start
echo "**************" >> /var/log/apt-security-updates
date >> /var/log/apt-security-updates
aptitude update >> /var/log/apt-security-updates
aptitude safe-upgrade -o Aptitude::Delete-Unused=false --assume-yes --target-release `lsb_release -cs`-security >> /var/log/apt-security-updates
echo "Security updates (if any) installed"
-----> end
sudo chmod +x /etc/cron.weekly/apt-security-updates
sudo vi /etc/logrotate.d/apt-security-updates
<---start
/var/log/apt-security-updates {
rotate 2
weekly
size 250k
compress
notifempty
}
-----> end
-----------------
Using cron-apt to handle automatic updating
=======================
http://www.debian-administration.org/articles/162
apt-get install cron-apt
By default, cron-apt will only download updates -- it will not install them.
/etc/cron-apt/config
MAILON="always"
ve
---------------
/usr/local/sbin/my-cron-apt
#!/bin/bash
/usr/local/sbin/apt-fw start
test -x /usr/sbin/cron-apt && /usr/sbin/cron-apt
/usr/local/sbin/apt-fw stop
--------------
/usr/local/sbin/apt-fw.sh
#!/bin/bash
IPTABLES=/sbin/iptables
GREP=/bin/grep
AWK=/usr/bin/awk
TAIL=/usr/bin/tail
CHAIN="aptChain"
function d_start() {
$IPTABLES -N $CHAIN
$IPTABLES -A $CHAIN -p udp --dport 53 -j ACCEPT
$IPTABLES -A $CHAIN -p tcp -m multiport --dport 21,80 -j ACCEPT
$IPTABLES -A $CHAIN -j REJECT
for APT in `$GREP ^deb /etc/apt/sources.list | $AWK '{print $2}' | uniq`; do
APT=`echo $APT | $AWK '{sub (/[fht]*p:\/\//,"",$1); print}'`
APT=`echo $APT | $AWK '{sub (/\/[a-zA-Z0-9\-_/]*\/?/,"",$1); print}'`
$IPTABLES -A OUTPUT -d $APT -j $CHAIN
done
}
function d_stop() {
$IPTABLES -F $CHAIN
I=`$IPTABLES -L OUTPUT -n --line-number | $GREP $CHAIN | $TAIL -n 1 | $AWK '{print $1}'`
while [ "$I" != "" ]; do
$IPTABLES -D OUTPUT $I
I=`$IPTABLES -L OUTPUT -n --line-number | $GREP $CHAIN | $TAIL -n 1 | $AWK '{print $1}'`
done
$IPTABLES -X $CHAIN
}
case "$1" in
start)
d_start
;;
stop)
d_stop
;;
*)
echo "Usage: $0 {start|stop}" >&2
exit 1
;;
esac
exit 0