Create a daily system-update script

How to create an automatic update task for various GNU/Linux distributions. This script should be run daily or weekly. If you use a restrictive iptables firewall, the script should open the necessary ports.

Article published on 17 June 2010
last modification on 29 May 2016

by Emeric Nasi


License: Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.

Introduction

Keeping your system up to date with the latest patches is a security basic. In this article I will show how to create an automatic update task for various GNU/Linux distributions.
This script should be run daily or weekly and, if the host runs a strict firewall, the script should open the necessary ports itself.

I Create the script

Let's call our script 'system_update'.
touch system_update
Edit system_update with your favorite editor.
If you have a Debian-based distribution:


If you have a RedHat-based distribution:


If you use an OpenSuse distribution:


If you use a Mandriva distribution:


II Advanced script, automatic firewall rules

If your system has a restrictive host firewall, you need to be sure to allow the Internet connections that the system update implies. These connections
are:

  • DNS requests to resolve the repositories' IP addresses. That means allowing connections to remote port 53, UDP and TCP
  • HTTP to fetch repository indexes and packages. That means allowing connections to remote port 80 TCP

If the iptables OUTPUT default policy is set to DROP, you need the following iptables rules:
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

If the iptables INPUT default policy is set to DROP, you need the following iptables rules:
iptables -A INPUT -p tcp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT

If we adapt the previous script, we get:

Note: outbound DNS and HTTP connections are allowed for the whole duration of the update. If you think this isn't secure enough, you can narrow these rules by specifying the destination/source IP addresses of the repositories.
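The following is a complete version of the section I update script combined with the section II firewall handling, written as an added example for this article; it is not the author's script (the original script bodies are not reproduced on this page). It assumes legacy iptables with the DROP default policies described above, plain-HTTP mirrors on port 80 as the article states, and a log file at /var/log/system_update.log (an assumed path). The zypper and urpmi command lines are taken from my reading of those tools' documentation and should be checked against your distribution.

```shell
#!/bin/sh
# system_update: refresh the package index and apply all available updates,
# opening the egress rules from section II only for the duration of the run.
# Added example for this article, not the author's script. Assumes legacy
# iptables with INPUT/OUTPUT default policy DROP, plain-HTTP mirrors (port 80)
# as described above, and a log at /var/log/system_update.log (assumed path).
set -eu
export DEBIAN_FRONTEND=noninteractive
LOG=/var/log/system_update.log

# Print the package-manager family found on this host: apt, yum, zypper,
# urpmi, or "unknown" when none of them is installed.
detect_pkg_manager() {
    for pm in apt-get yum zypper urpmi; do
        if command -v "$pm" >/dev/null 2>&1; then
            case "$pm" in apt-get) echo apt ;; *) echo "$pm" ;; esac
            return 0
        fi
    done
    echo unknown
}

# Print, one per line, the non-interactive commands that refresh the index
# and upgrade every installed package for the given family. The zypper and
# urpmi lines are assumed from their documentation; check them on your system.
update_commands() {
    case "$1" in
        apt)    printf '%s\n' 'apt-get -q update' 'apt-get -y -q upgrade' ;;
        yum)    printf '%s\n' 'yum -y update' ;;
        zypper) printf '%s\n' 'zypper --non-interactive refresh' \
                              'zypper --non-interactive update' ;;
        urpmi)  printf '%s\n' 'urpmi.update -a' 'urpmi --auto-select --auto' ;;
        *)      echo "unsupported package manager: $1" >&2; return 1 ;;
    esac
}

# The six rules from section II, kept as data so that exactly the same rule
# specification is inserted before the update and deleted afterwards.
# Fields: chain protocol port-option port conntrack-state
FW_RULES='OUTPUT tcp --dport 53 NEW
OUTPUT udp --dport 53 NEW
OUTPUT tcp --dport 80 NEW
INPUT tcp --sport 53 RELATED,ESTABLISHED
INPUT udp --sport 53 RELATED,ESTABLISHED
INPUT tcp --sport 80 RELATED,ESTABLISHED'

# Print one iptables command per rule. "-I" inserts at the head of the chain
# so an existing DROP rule cannot shadow it; "-D" deletes the identical rule.
firewall_commands() {
    printf '%s\n' "$FW_RULES" | while read -r chain proto opt port state; do
        echo "iptables $1 $chain -p $proto $opt $port -m state --state $state -j ACCEPT"
    done
}

run_update() {
    pm=$(detect_pkg_manager)
    [ "$pm" != unknown ] || { echo "no supported package manager found" >&2; return 1; }
    firewall_commands -I | sh -e
    # Remove the temporary rules again whether the update succeeds or fails.
    trap 'firewall_commands -D | sh' EXIT
    update_commands "$pm" | sh -e
}

main() {
    echo "=== system_update ($(detect_pkg_manager)) started $(date -u '+%Y-%m-%dT%H:%M:%SZ') ==="
    run_update
    echo "=== system_update finished ==="
}

# Run only when installed under the file name used in this article; sourcing
# or testing the file under another name just defines the functions above.
case "${0##*/}" in
    system_update) main >>"$LOG" 2>&1 ;;
esac
```

The rules are inserted with -I rather than the -A of the article so that they sit above any DROP rule already in the chain, and the EXIT trap deletes them even when a package manager aborts, which keeps the window mentioned in the note above as short as the update itself. To review what the script would do without running it, source the file under another name and call `firewall_commands -I` and `update_commands apt`. If your repositories are served over HTTPS you also need the corresponding rules for port 443, and if you want the narrower rules the note suggests, add `-d`/`-s` with the repository addresses to the FW_RULES lines.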

III Create the cron task

The best way to have a scheduled task is to create a cron script. Before you continue,
make sure that cron is enabled at boot: verify that /etc/init.d/cron exists and is linked from the correct rc folder.
If you use Ubuntu, verify that cron is enabled in /etc/init/cron.conf.
If you plan to run this script on a non-server box, you may also want to verify that anacron runs at boot (/etc/init.d/anacron, or
/etc/init/anacron.conf for Ubuntu upstart jobs).

Creating a cron task is really easy. If you want your system_update script to run daily, put the script in /etc/cron.daily; if you want it to run weekly,
put your script in /etc/cron.weekly.

cp system_update /etc/cron.daily/system_update
chown root:root /etc/cron.daily/system_update
chmod 700 /etc/cron.daily/system_update

You can verify that the script works by running it:
/bin/bash /etc/cron.daily/system_update
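Because a script in /etc/cron.daily runs as root, the ownership and mode set above matter: anyone else who can write the file gets root at the next run. The check below, an added example and not part of the article, verifies an installed script the way a reviewer would: the file name must be one that run-parts accepts (on Debian, run-parts skips names containing anything other than ASCII letters, digits, underscore and hyphen, so "system_update.sh" would never run), the file must be executable, owned by the expected user (root by default, passed as a second argument for testing), and not writable by group or others.

```shell
#!/bin/sh
# check_cron_script PATH [OWNER]: verify that a script dropped into
# /etc/cron.daily will be picked up by run-parts and cannot be modified by
# anyone other than OWNER (default root). Added example, not the article's code.
check_cron_script() {
    f=$1
    owner=${2:-root}
    name=${f##*/}

    # run-parts only executes files whose names match ^[A-Za-z0-9_-]+$.
    case "$name" in
        ''|*[!A-Za-z0-9_-]*)
            echo "$f: file name is not accepted by run-parts" >&2; return 1 ;;
    esac

    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    [ -x "$f" ] || { echo "$f: not executable" >&2; return 1; }

    # ls -ld prints e.g. "-rwx------ 1 root root ...": field 1 is the mode
    # string, field 3 the owner. Parsed with ls because stat(1) differs
    # between GNU and BSD systems.
    set -- $(ls -ld "$f")
    mode=$1
    file_owner=$3

    [ "$file_owner" = "$owner" ] || {
        echo "$f: owned by $file_owner, expected $owner" >&2; return 1; }

    # Position 6 is group write, position 9 is other write.
    case "$mode" in
        ?????w????|????????w?)
            echo "$f: writable by group or others ($mode)" >&2; return 1 ;;
    esac
    return 0
}

# Usage: check_cron_script /etc/cron.daily/system_update
if [ "$#" -gt 0 ]; then
    check_cron_script "$@"
fi
```

Run it after the cp/chown/chmod sequence above; a zero exit status means the script will run at the next daily cycle with the permissions the article prescribes.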