Patch security holes in a timely manner to prevent intrusions.
Updating and patching your systems in a timely manner is one of the most important things you can do to help protect them from the deluge of newly discovered security vulnerabilities. Unfortunately, this task often gets pushed to the wayside in favor of “more pressing” issues, such as performance tuning, hardware maintenance, and software debugging. In some circles, it’s viewed as a waste of time and overhead that doesn’t contribute to the primary function of a system. Coupled with management demands to maximize production, the task of keeping a system up-to-date is often pushed even further down on the to-do list.
Updating a system can be very repetitive and time-consuming if you’re not using scripting to automate it. Fortunately, most Linux distributions make their updated packages available for download from a standard online location, and you can monitor that location for changes and automatically detect and download the new updates when they’re made available. To demonstrate how to do this on an RPM-based distribution, we’ll use AutoRPM (http://www.autorpm.org).
AutoRPM is a powerful Perl script that allows you to monitor multiple FTP sites for changes. It will automatically download new or changed packages and either install them automatically or alert you so that you may do so. In addition to monitoring single FTP sites, you can also monitor a pool of mirror sites, to ensure that you still get your updates if the FTP server is busy. AutoRPM will monitor busy FTP servers and keep track of how many times connections to them have been attempted. Using this information, it assigns internal scores to each of the FTP sites configured within a given pool, with the outcome that the server in the pool that is available most often will be checked first.
To use AutoRPM, download the latest package and install it like this:
# rpm -ivh autorpm-3.3.3-1.noarch.rpm
Although a tarball is also available, installation is a little trickier than the typical make; make install, so it is recommended that you stick to installing from the RPM package.
By default AutoRPM is configured to monitor for updated packages for Red Hat’s Linux distribution, but you’ll probably want to change this to use Fedora or another RPM-based distribution. To do this, open the AutoRPM configuration file, /etc/autorpm.d/autorpm.conf, and find the following section:
######################## BEGIN Red Hat Linux #################################
# This automatically determines the version of Red Hat Linux
# You have... you can comment this out and define it yourself
# if you want to
Eval_Var("RHVersion", "sed 's/\(Red Hat Linux \)\?release \([^ ]*\) (.*)/\2/' /etc/redhat-release");
#Set_Var("RHVersion", "9.0");
# Look for official Red Hat updates
# (won't automatically install anything unless you edit the file)
Config_File("/etc/autorpm.d/redhat-updates.conf");
########################## END Red Hat Linux #################################
Comment out the Eval_Var, Set_Var, and Config_File lines. In the next section, uncomment the Eval_Var and Config_File lines to make it like this:
######################## BEGIN Fedora Linux #################################
# This automatically determines your version of Fedora Linux
Eval_Var("FedoraVersion", "rpm -q fedora-release | awk -F'-' {'print $3'}");
# Look for official Fedora updates
# (won't automatically install anything unless you edit the file)
Config_File("/etc/autorpm.d/fedora-updates.conf");
########################## END Fedora Linux #################################
After you’ve done that, you can add a crontab entry for /etc/autorpm.d/autorpm.cron to schedule AutoRPM to run at a regular interval. When it runs, it will automatically download any pending updates.
Another way to perform automatic updates is to use the yum program. By default, yum both downloads and installs updates, but you can change this behavior by installing the downloadonly plug-in (http://linux.duke.edu/projects/yum/download/yum-utils/), causing yum to skip the installation step. You can then use the following command to download any updates that are available:
# yum --downloadonly -y update
Put this command in a crontab entry so that it will run at a regular interval. Then, when you’ve reviewed the updates that you’ve downloaded, you can use the usual yum update command to install them.
You can achieve similar results on Debian-based systems with apt-get -d -y upgrade. This command downloads any pending updates to packages that you have installed. When you’ve decided to install them, you can do so by running apt-get upgrade.
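The yum and apt-get download-only commands above are meant to be run from cron, and the text leaves the wrapper to you. The following script is an added example, not code from the book or from the yum or AutoRPM projects: it picks the download-only command for whichever package manager is present, uses a lock directory so that two cron runs cannot overlap, and appends a timestamped record of each run to a log so that the review step actually has something to review. The log path, lock path and the --run flag are constructed for this example; the script assumes the yum downloadonly plug-in is installed on RPM systems.

```shell
#!/bin/sh
# Added example: cron wrapper that downloads pending updates without installing them.
# LOG and LOCK are constructed defaults for this example, override via the environment.
LOG=${LOG:-/var/log/pending-updates.log}
LOCK=${LOCK:-/var/run/pending-updates.lock}

# Report which package-manager family this host uses: rpm, deb or unknown.
detect_family() {
    if command -v yum >/dev/null 2>&1; then
        echo rpm
    elif command -v apt-get >/dev/null 2>&1; then
        echo deb
    else
        echo unknown
    fi
}

# Print the download-only command for a family; fail (status 1) for an unknown one.
download_cmd() {
    case "$1" in
        rpm) echo "yum --downloadonly -y update" ;;   # needs the downloadonly plug-in
        deb) echo "apt-get -d -y upgrade" ;;
        *)   return 1 ;;
    esac
}

# Run the download step once, under a lock, logging start, command and exit status.
run_download() {
    family=$(detect_family)
    cmd=$(download_cmd "$family") || { echo "no supported package manager found" >&2; return 2; }
    # mkdir is atomic, so it doubles as a lock against overlapping cron runs
    if ! mkdir "$LOCK" 2>/dev/null; then
        echo "another run is still in progress, skipping" >&2
        return 3
    fi
    trap 'rmdir "$LOCK"' EXIT
    {
        echo "=== $(date) start: $cmd"
        $cmd                                # unquoted on purpose: the string is split into words
        echo "=== $(date) finished with exit status $?"
    } >>"$LOG" 2>&1
}

# Only perform the download when invoked with --run, e.g. from a crontab line such as
#   0 3 * * * /usr/local/sbin/pending-updates.sh --run   (path constructed for this example)
case "${1:-}" in
    --run) run_download ;;
esac
```

Installing the downloaded packages remains a manual yum update or apt-get upgrade once you have looked over the log, which keeps the review step between download and installation that the text describes.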
As you can see, there are many ways that you can keep a system updated with the latest fixed packages. Whatever you decide to do, it’s important to stay current with operating system patches because of the security fixes they contain. If you fall behind, you’re a much easier target for an attacker.