Create a daily system-update script
17 June 2010 08:53
License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
Introduction
Keeping your system up to date with the latest patches is a security basic. In this article I will show how to
create an automatic update task for various GNU/Linux distributions.
The script should be run daily or weekly, and if the host runs a strict firewall, the script itself should open the ports the update needs and close them again afterwards.
I Create the script
Let's call our script 'system_update'.
```bash
touch system_update
```
Edit system_update with your favorite editor.
If you have a Debian-based distribution:
```bash
#!/bin/bash
# Update my system
failure=
if apt-get -qq -y update
then
    # Refresh succeeded: upgrade, and remember if that step fails
    apt-get -qq -y dist-upgrade || { failure=1; }
else
    failure=1
fi
if [ $failure ]
then
    echo "Could not update system." >&2
    exit 1
fi
echo "Update successful"
exit 0
```
If you have a RedHat-based distribution:
```bash
#!/bin/bash
# Update my system
failure=
if ! yum -q -y update
then
    failure=1
fi
if [ $failure ]
then
    echo "Could not update system." >&2
    exit 1
fi
echo "Update successful"
exit 0
```
If you use an OpenSuse distribution:
```bash
#!/bin/bash
# Update my system
failure=
if ! zypper --non-interactive update
then
    failure=1
fi
if [ $failure ]
then
    echo "Could not update system." >&2
    exit 1
fi
echo "Update successful"
exit 0
```
If you use a Mandriva distribution:
```bash
#!/bin/bash
# Update my system
failure=
if ! urpmi --force --quiet --auto-update
then
    failure=1
fi
if [ $failure ]
then
    echo "Could not update system." >&2
    exit 1
fi
echo "Update successful"
exit 0
```
II Advanced script, automatic firewall rules
If your system has a restrictive host firewall, you need to make sure the Internet connections implied by the system update are allowed. These connections are:
- DNS requests to resolve the repositories' IP addresses. That means allowing connections to remote port 53, UDP and TCP.
- HTTP to fetch repository indexes and packages. That means allowing connections to remote port 80 TCP.
If the iptables OUTPUT default policy is set to DROP, you should have the following iptables rules:
```bash
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
```
If the iptables INPUT default policy is set to DROP, you should have the following iptables rules:
```bash
iptables -A INPUT -p tcp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
```
If we adapt the previous script we have:
```bash
#!/bin/bash
# Open firewall for system update
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -m comment --comment "cron system_update : Accept connections to distant DNS (tcp)." -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -m comment --comment "cron system_update : Accept connections to distant DNS (udp)." -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -m comment --comment "cron system_update : Accept connections to distant HTTP." -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "cron system_update : Accept connections from distant DNS (tcp)." -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "cron system_update : Accept connections from distant DNS (udp)." -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -m comment --comment "cron system_update : Accept connections from distant HTTP." -j ACCEPT

# Update my system
failure=
if apt-get -qq -y update
then
    apt-get -qq -y dist-upgrade || { failure=1; }
else
    failure=1
fi

# Destroy the previously created firewall rules
# (--delete only matches a rule that is identical, comment included)
iptables --delete OUTPUT -p tcp --dport 53 -m state --state NEW -m comment --comment "cron system_update : Accept connections to distant DNS (tcp)." -j ACCEPT
iptables --delete OUTPUT -p udp --dport 53 -m state --state NEW -m comment --comment "cron system_update : Accept connections to distant DNS (udp)." -j ACCEPT
iptables --delete OUTPUT -p tcp --dport 80 -m state --state NEW -m comment --comment "cron system_update : Accept connections to distant HTTP." -j ACCEPT
iptables --delete INPUT -p tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "cron system_update : Accept connections from distant DNS (tcp)." -j ACCEPT
iptables --delete INPUT -p udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "cron system_update : Accept connections from distant DNS (udp)." -j ACCEPT
iptables --delete INPUT -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -m comment --comment "cron system_update : Accept connections from distant HTTP." -j ACCEPT

# Exit script
if [ $failure ]
then
    echo "Could not update system." >&2
    exit 1
fi
echo "Update successful"
exit 0
```
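The script above leaves the holes open if apt-get is killed before the delete lines run, and each delete must match its rule exactly. As an added example (not the article's own script, and covering the four package managers of section I as well), the same flow with the temporary rules kept in two dedicated chains, whose names SYSUPDATE_OUT and SYSUPDATE_IN are my own choice, removed by an EXIT trap:

```bash
#!/bin/bash
# Added example, not the article's script: the open-update-close flow for the
# four distributions of section I, with the temporary firewall rules kept in
# two dedicated chains (hypothetical names) that a trap removes on any exit.
OUT_CHAIN=SYSUPDATE_OUT
IN_CHAIN=SYSUPDATE_IN

# Print the iptables commands that open what the update needs: DNS 53 (tcp/udp)
# and HTTP 80 (tcp) outbound, only the matching replies inbound. Printing rather
# than executing keeps the rule logic checkable without root.
fw_open_cmds() {
    echo "iptables -N $OUT_CHAIN"
    echo "iptables -N $IN_CHAIN"
    for rule in "tcp 53" "udp 53" "tcp 80"; do
        set -- $rule   # $1 = protocol, $2 = port
        echo "iptables -A $OUT_CHAIN -p $1 --dport $2 -m state --state NEW -j ACCEPT"
        echo "iptables -A $IN_CHAIN -p $1 --sport $2 -m state --state RELATED,ESTABLISHED -j ACCEPT"
    done
    # Jump at position 1 so an earlier DROP rule cannot shadow the hole.
    echo "iptables -I OUTPUT 1 -j $OUT_CHAIN"
    echo "iptables -I INPUT 1 -j $IN_CHAIN"
}
# Unhook the jumps, then flush and delete both chains: no exact-match deletes.
fw_close_cmds() {
    echo "iptables -D OUTPUT -j $OUT_CHAIN"
    echo "iptables -D INPUT -j $IN_CHAIN"
    for c in "$OUT_CHAIN" "$IN_CHAIN"; do echo "iptables -F $c"; echo "iptables -X $c"; done
}
# The article's update command for the package manager found on the box.
pkg_update_cmd() {
    case "$1" in
        apt-get) echo "apt-get -qq -y update && apt-get -qq -y dist-upgrade" ;;
        yum)     echo "yum -q -y update" ;;
        zypper)  echo "zypper --non-interactive update" ;;
        urpmi)   echo "urpmi --force --quiet --auto-update" ;;
        *)       return 1 ;;
    esac
}
run_update() {
    mgr=""
    for m in apt-get yum zypper urpmi; do command -v "$m" >/dev/null 2>&1 && { mgr=$m; break; }; done
    cmd=$(pkg_update_cmd "$mgr") || { echo "No supported package manager found" >&2; return 1; }
    fw_open_cmds | sh -e || return 1
    trap 'fw_close_cmds | sh' EXIT   # fires on normal and on error exit
    DEBIAN_FRONTEND=noninteractive sh -c "$cmd"   # keeps apt/debconf from prompting
}
# Only act when invoked as "system_update run"; sourcing just defines the functions.
if [ "${1:-}" = run ]; then
    run_update && echo "Update successful" || { echo "Could not update system." >&2; exit 1; }
fi
```

Because the rule generators only print commands, `fw_open_cmds` and `fw_close_cmds` can be reviewed with `sh -n` or eyeballed as an unprivileged user before the script is dropped into cron.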
III Create the cron task
The best way to have a scheduled task is to create a cron script. Before you continue,
make sure that cron is enabled at boot. Verify that /etc/init.d/cron exists and is linked from the correct rc folder.
If you use Ubuntu, verify that cron is enabled in /etc/init/cron.conf.
If you plan to run this script on a non-server box, you may also want to verify that anacron runs at boot (/etc/init.d/anacron, or
/etc/init/anacron.conf for Ubuntu upstart jobs), since anacron catches up on jobs missed while the machine was off.
Creating a cron task is really easy. If you want your system_update script to run daily, put the script in /etc/cron.daily; if you want it to run weekly,
put your script in /etc/cron.weekly.
```bash
cp system_update /etc/cron.daily/system_update
chown root:root /etc/cron.daily/system_update
chmod 700 /etc/cron.daily/system_update
```
You can verify that the script is working by running it by hand:
```bash
/bin/bash /etc/cron.daily/system_update
```