
Create a daily system-update script

Published 17 June 2010 at 08:53 by Emeric Nasi. 0 messages.




License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.

Introduction

Keeping your system up to date with the latest patches is a security basic. In this article I will show how to
create an automatic update task for various GNU Linux distributions.
The script should be run daily or weekly; if a restrictive host firewall is in place, the script must also open the ports the update needs.

I Create the script

Let's call our script 'system_update'.
touch system_update
Edit system_update with your favorite editor. The script must run as root, since it installs packages.
If you have a Debian-based distribution:

    #!/bin/bash
    # Update my system
    # Prevent debconf prompts from blocking the job when it runs from cron
    export DEBIAN_FRONTEND=noninteractive
    failure=0
    if apt-get -qq -y update
    then
        apt-get -qq -y dist-upgrade || failure=1
    else
        failure=1
    fi
    if [ "$failure" -ne 0 ]
    then
        echo "Could not update system." >&2
        exit 1
    fi
    echo "Update successful"
    exit 0


If you have a RedHat-based distribution:

    #!/bin/bash
    # Update my system
    failure=0
    if ! yum -q -y update
    then
        failure=1
    fi
    if [ "$failure" -ne 0 ]
    then
        echo "Could not update system." >&2
        exit 1
    fi
    echo "Update successful"
    exit 0


If you use an OpenSuse distribution:

    #!/bin/bash
    # Update my system
    failure=0
    if ! zypper --non-interactive update
    then
        failure=1
    fi
    if [ "$failure" -ne 0 ]
    then
        echo "Could not update system." >&2
        exit 1
    fi
    echo "Update successful"
    exit 0


If you use a Mandriva distribution:

    #!/bin/bash
    # Update my system
    failure=0
    if ! urpmi --force --quiet --auto-update
    then
        failure=1
    fi
    if [ "$failure" -ne 0 ]
    then
        echo "Could not update system." >&2
        exit 1
    fi
    echo "Update successful"
    exit 0


II Advanced script, automatic firewall rules

If your system has a restrictive host firewall, you need to be sure to allow the Internet connections implied by the system update. These connections
are:

  • DNS requests to resolve the repositories' IP addresses. That means allowing connections to remote port 53, UDP and TCP.
  • HTTP to fetch repository metadata and packages. That means allowing connections to remote port 80 TCP.

If the iptables OUTPUT default policy is set to DROP, you need the following iptables rules:
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

If the iptables INPUT default policy is set to DROP, you need the following iptables rules:
iptables -A INPUT -p tcp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT

Adapting the previous script, we get:

    #!/bin/bash
    # Open the firewall for the system update
    iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -m comment --comment "cron system_update : Accept connections to distant DNS (tcp)." -j ACCEPT
    iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -m comment --comment "cron system_update : Accept connections to distant DNS (udp)." -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -m comment --comment "cron system_update : Accept connections to distant HTTP." -j ACCEPT
    iptables -A INPUT -p tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "cron system_update : Accept connections from distant DNS (tcp)." -j ACCEPT
    iptables -A INPUT -p udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "cron system_update : Accept connections from distant DNS (udp)." -j ACCEPT
    iptables -A INPUT -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -m comment --comment "cron system_update : Accept connections from distant HTTP." -j ACCEPT
    # Update my system
    export DEBIAN_FRONTEND=noninteractive
    failure=0
    if apt-get -qq -y update
    then
        apt-get -qq -y dist-upgrade || failure=1
    else
        failure=1
    fi
    # Remove the firewall rules created above (same match as the -A lines, --delete instead of -A)
    iptables --delete OUTPUT -p tcp --dport 53 -m state --state NEW -m comment --comment "cron system_update : Accept connections to distant DNS (tcp)." -j ACCEPT
    iptables --delete OUTPUT -p udp --dport 53 -m state --state NEW -m comment --comment "cron system_update : Accept connections to distant DNS (udp)." -j ACCEPT
    iptables --delete OUTPUT -p tcp --dport 80 -m state --state NEW -m comment --comment "cron system_update : Accept connections to distant HTTP." -j ACCEPT
    iptables --delete INPUT -p tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "cron system_update : Accept connections from distant DNS (tcp)." -j ACCEPT
    iptables --delete INPUT -p udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "cron system_update : Accept connections from distant DNS (udp)." -j ACCEPT
    iptables --delete INPUT -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -m comment --comment "cron system_update : Accept connections from distant HTTP." -j ACCEPT
    # Exit script
    if [ "$failure" -ne 0 ]
    then
        echo "Could not update system." >&2
        exit 1
    fi
    echo "Update successful"
    exit 0

Note: outbound DNS and HTTP connections stay enabled for the whole duration of the update. If you think this isn't secure enough, you can narrow these rules by specifying the source/destination IP addresses of the repositories.
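The script above removes its rules only if it reaches its last lines: if the update is killed or the box reboots mid-way, the ACCEPT rules stay in place. The following is an added example, not the article's own script, that keeps the same open/update/close pattern (for the Debian script of section I) but adds and deletes the rules from one function, cleans up from an EXIT trap, and reports a distinct exit code when the firewall could not be opened. It assumes a Debian-based system and iptables with the "comment" match; port 443 is an assumption added for HTTPS mirrors, and IPT/APT are overridable for a dry run.

```shell
#!/bin/bash
# Added example (not the article's script): open the firewall only while the
# update runs and remove the rules again even if the update is interrupted.
# Assumes a Debian-based box and iptables with the "comment" match; 443 is an
# assumption for HTTPS mirrors. Override IPT="echo iptables" for a dry run.
set -u
IPT="${IPT:-iptables}"
APT="${APT:-apt-get}"
TAG="cron system_update"               # comment written into every rule we add
UPDATE_PORTS="${UPDATE_PORTS:-80 443}"
RULES_OPEN=0

# Add (-A) or delete (-D) the same rule set from one function, so the delete always matches the add.
apply_rules() {
    local action=$1 p rc=0
    for p in tcp udp; do
        $IPT "$action" OUTPUT -p "$p" --dport 53 -m state --state NEW \
            -m comment --comment "$TAG: DNS $p" -j ACCEPT || rc=1
        $IPT "$action" INPUT -p "$p" --sport 53 -m state --state RELATED,ESTABLISHED \
            -m comment --comment "$TAG: DNS $p" -j ACCEPT || rc=1
    done
    for p in $UPDATE_PORTS; do
        $IPT "$action" OUTPUT -p tcp --dport "$p" -m state --state NEW \
            -m comment --comment "$TAG: HTTP $p" -j ACCEPT || rc=1
        $IPT "$action" INPUT -p tcp --sport "$p" -m state --state RELATED,ESTABLISHED \
            -m comment --comment "$TAG: HTTP $p" -j ACCEPT || rc=1
    done
    return $rc
}

cleanup_rules() {                        # idempotent, also run by the EXIT trap
    if [ "$RULES_OPEN" -eq 1 ]; then
        RULES_OPEN=0
        apply_rules -D || echo "Warning: some firewall rules were not removed." >&2
    fi
}

run_update() {
    DEBIAN_FRONTEND=noninteractive $APT -qq -y update &&
        DEBIAN_FRONTEND=noninteractive $APT -qq -y dist-upgrade
}

# Returns 0 on success, 1 if the update failed, 2 if the firewall could not be opened.
system_update() {
    local rc=0
    trap cleanup_rules EXIT
    trap 'exit 1' INT TERM HUP           # a kill becomes a normal exit, so the EXIT trap runs
    RULES_OPEN=1
    if ! apply_rules -A; then cleanup_rules; echo "Could not open firewall." >&2; return 2; fi
    if run_update; then echo "Update successful"; else echo "Could not update system." >&2; rc=1; fi
    cleanup_rules
    return $rc
}

if [ "${1:-}" = run ]; then system_update; fi
```

Install it the same way as the plain script and invoke it with the `run` argument from cron; leftover rules can be spotted at any time with `iptables -S | grep "cron system_update"`.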

III Create the cron task

The best way to schedule the task is to create a cron script. Before you continue,
make sure that cron is enabled at boot. Verify that /etc/init.d/cron exists and is linked from the correct rc folder.
If you use Ubuntu, verify that cron is enabled in /etc/init/cron.conf.
If you plan to run this script on a non-server box (one that is not always on), you may also want to verify that anacron is running at boot (/etc/init.d/anacron, or
/etc/init.anacron.conf for Ubuntu upstart jobs).

Creating a cron task is really easy. If you want your system_update script to run daily, put the script in /etc/cron.daily; if you want it to run weekly,
put your script in /etc/cron.weekly.

cp system_update /etc/cron.daily/system_update
chown root:root /etc/cron.daily/system_update
chmod 700 /etc/cron.daily/system_update

You can verify that the script works by running it by hand as root:
/bin/bash /etc/cron.daily/system_update
