
Continuously update the system

In document Securing Debian Manual V3.16 (Page 182-185)

10.1 Keep your system secure

10.1.2 Continuously update the system

You should conduct security updates frequently. The vast majority of exploits result from known vulnerabilities that have not been patched in time, as this paper by Bill Arbaugh (http://www.cs.umd.edu/~waa/vulnerability.html) (presented at the 2001 IEEE Symposium on Security and Privacy) explains. Updates are described under ‘Execute a security update’ on page 48.

Manually checking which security updates are available

Debian does have a specific tool to check if a system needs to be updated but many users will just want to manually check if any security updates are available for their system.

If you have configured your system as described in ‘Execute a security update’ on page 48 you just need to do:

# apt-get update
# apt-get upgrade -s
[ ... review packages to be upgraded ... ]
# apt-get upgrade
# checkrestart
[ ... restart services that need to be restarted ... ]

And restart those services whose libraries have been updated if any. Note: Read ‘Execute a security update’ on page 48 for more information on library (and kernel) upgrades.

The first command downloads the list of packages available from your configured package sources. The -s option performs a simulation run, that is, it will not download or install the packages but rather tell you which ones would be downloaded/installed. From the output you can derive which packages have been fixed by Debian and are available as a security update.

Sample:

# apt-get upgrade -s
Reading Package Lists... Done
Building Dependency Tree... Done
2 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst cvs (1.11.1p1debian-8.1 Debian-Security:3.0/stable)
Inst libcupsys2 (1.1.14-4.4 Debian-Security:3.0/stable)
Conf cvs (1.11.1p1debian-8.1 Debian-Security:3.0/stable)
Conf libcupsys2 (1.1.14-4.4 Debian-Security:3.0/stable)

In this example, you can see that the system needs to be updated with new cvs and cupsys packages which are being retrieved from woody’s security update archive. If you want to understand why these packages are needed, you should go to http://security.debian.org and check which recent Debian Security Advisories have been published related to these packages. In this case, the related DSAs are DSA-233 (http://www.debian.org/security/2003/dsa-233) (for cvs) and DSA-232 (http://www.debian.org/security/2003/dsa-232) (for cupsys).

Notice that you will need to reboot your system if there has been a kernel upgrade.
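As an added example (not part of the Securing Debian Manual), the following POSIX shell script filters the simulation output of apt-get upgrade -s down to the packages that would be installed from a Debian-Security origin, which is the "derive which packages are security updates" step described above done mechanically. The embedded sample is the manual's own output plus one constructed non-security line to show the filter at work; the "Inst <pkg> (<version> <origin>)" line layout is assumed from that sample.

```shell
#!/bin/sh
# Added example, not code from the Securing Debian Manual.
# Lists the packages that "apt-get upgrade -s" would install from a
# Debian-Security origin, so pending security updates stand out from
# ordinary point-release upgrades.
#
# Assumption: simulation lines look like
#   Inst <package> (<version> <origin>)
# as in the manual's sample; $2 is therefore the package name.
set -eu

# Read apt-get upgrade -s output on stdin; print one package name per
# line for every "Inst" line whose origin mentions Debian-Security.
# "Conf" lines and packages from plain Debian origins are skipped.
security_updates_from_sim() {
    awk '$1 == "Inst" && $0 ~ /Debian-Security/ { print $2 }'
}

# Number of pending security updates on stdin (prints 0 when none).
count_security_updates() {
    security_updates_from_sim | grep -c . || true
}

# Live use on a real system, as root, after configuring security sources:
#   apt-get update && apt-get upgrade -s | security_updates_from_sim
live_check() {
    apt-get update >/dev/null
    apt-get upgrade -s | security_updates_from_sim
}

# Constructed sample: the manual's example output, plus one made-up
# "hello" package coming from the ordinary stable archive.
SAMPLE_SIM_OUTPUT='Reading Package Lists... Done
Building Dependency Tree... Done
3 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst cvs (1.11.1p1debian-8.1 Debian-Security:3.0/stable)
Inst libcupsys2 (1.1.14-4.4 Debian-Security:3.0/stable)
Inst hello (2.1.1-4 Debian:3.0/stable)
Conf cvs (1.11.1p1debian-8.1 Debian-Security:3.0/stable)
Conf libcupsys2 (1.1.14-4.4 Debian-Security:3.0/stable)
Conf hello (2.1.1-4 Debian:3.0/stable)'

# Offline demonstration on the constructed sample: prints cvs and
# libcupsys2, then the count 2.
printf '%s\n' "$SAMPLE_SIM_OUTPUT" | security_updates_from_sim
printf '%s\n' "$SAMPLE_SIM_OUTPUT" | count_security_updates
```

The filtered names can be cross-checked against the DSAs on http://security.debian.org before running the real apt-get upgrade.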

Checking for updates at the Desktop

Since Debian 4.0 lenny Debian provides update-notifier and installs it in a default installation. This is a GNOME application that starts when you enter your Desktop and can be used to keep track of updates available for your system and install them. It uses update-manager for this.

In a stable system updates are only available when a security patch is available or at point releases. Consequently, if the system is properly configured to receive security updates as described in ‘Execute a security update’ on page 48 and you have a cron task running to update the package information you will be notified through an icon in the desktop notification area.

The notification is not intrusive and users are not forced to install updates. From the notification icon a desktop user (with the administrator’s password) can access a simple GUI to show available updates and install them.

This application works by checking the package database and comparing the system with its contents. If the package database is updated periodically through a cron task then the contents of the database will be newer than the packages installed in the system and the application will notify you.

Apt installs such a task (/etc/cron.d/apt) which will run based on Apt’s configuration (more specifically APT::Periodic). In the GNOME environment this configuration value can be adjusted by going to System > Admin > Software origins > Updates, or running /usr/bin/software-properties.

If the system is set to download the packages list daily but not download the packages themselves your /etc/apt/apt.conf.d/10periodic should look like this:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "0";

You can use a different cron task, such as the one installed by cron-apt (see ‘Automatically checking for updates with cron-apt’ on this page). You can also just manually check for upgrades using this application.

Users of the KDE desktop environment will probably prefer to install adept and adept-notifier instead, which offer similar functionality but are not part of the standard installation.

Automatically checking for updates with cron-apt

Another method for automatic security updates is the use of cron-apt. This package provides a tool to update the system at regular intervals (using a cron job), and can also be configured to send mails to the system administrator using the local mail transport agent. It will just update the package list and download new packages by default but it can be configured to automatically install new updates.

Notice that you might want to check the distribution release, as described in ‘Per distribution release check’ on page 139, if you intend to automatically update your system (even if only downloading the packages). Otherwise, you cannot be sure that the downloaded packages really come from a trusted source.

More information is available at the Debian Administration site (http://www.debian-administration.org/articles/162).

Automatically checking for security issues with debsecan

The debsecan program evaluates the security status of the system by reporting both missing security updates and security vulnerabilities. Unlike cron-apt, which only provides information related to available security updates, this tool obtains information from the security vulnerability database maintained by the Debian Security Team, which also includes information on vulnerabilities that are not yet fixed through a security update. Consequently, it is more efficient at helping administrators track security vulnerabilities (as described in ‘Tracking security vulnerabilities’ on page 167).

Upon installing the Debian package debsecan, and if the administrator consents to it, it will generate a cron task that will make it run and send the output to a specific user whenever it finds a vulnerable package. It will also download the information from the Internet. The location of the security database is also one of the questions asked on installation and is later defined in /etc/default/debsecan; it can be easily adjusted for systems that do not have Internet access so that they all pull from a local mirror, so that there is a single point that accesses the vulnerability database.

Notice, however, that the Security Team tracks many vulnerabilities including low-risk issues which might not be fixed through a security update, and some vulnerabilities initially reported as affecting Debian might, later on, upon investigation, be dismissed. Debsecan will report on all the vulnerabilities, which makes it quite a bit more verbose than the other tools described above.

More information is available at the author’s site (http://www.enyo.de/fw/software/debsecan/).

Other methods for security updates

There is also apticron, which, similarly to cron-apt, will check for updates and send mails to the administrator. More information on apticron is available at the Debian Administration site (http://www.debian-administration.org/articles/491).

You might also want to take a look at secpack (http://clemens.endorphin.org/secpack/) which is an unofficial program to do security updates from security.debian.org with signature checking written by Fruhwirth Clemens. Or at the Nagios Plugin check_debian_updates.sh (http://www.unixdaemon.net/nagios_plugins.html#check_debian_packages) written by Dean Wilson.
