Automatic Updates and Auditing
Concepts
Why Automatic Updates?
Security patches are released frequently. If you don’t apply them promptly, your system is vulnerable to known exploits. Unattended upgrades automatically install security updates so you don’t have to remember.
unattended-upgrades
Both Ubuntu and Debian support automatic security updates via the unattended-upgrades package.
Install and Enable
# Install (pre-installed on Ubuntu, may need installing on Debian)
sudo apt install -y unattended-upgrades
# Enable
sudo dpkg-reconfigure -plow unattended-upgrades
# Select "Yes" to enable automatic updates
Configuration
# Main config
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Key settings:
// Which updates to install automatically
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security"; // security updates
// "${distro_id}:${distro_codename}-updates"; // uncomment for all updates
};
// Auto-remove unused dependencies
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Auto-reboot if needed (e.g., kernel update)
Unattended-Upgrade::Automatic-Reboot "false"; // set to "true" for servers
Unattended-Upgrade::Automatic-Reboot-Time "03:00"; // reboot at 3 AM
// Email notifications (requires mail setup)
// Unattended-Upgrade::Mail "admin@example.com";
// Blacklist packages that should NOT be auto-updated
Unattended-Upgrade::Package-Blacklist {
// "linux-image*"; // don't auto-update kernel
};
The update schedule is controlled by:
cat /etc/apt/apt.conf.d/20auto-upgrades
The file holds plain apt.conf settings; each value is an interval in days and "0" disables that step:
APT::Periodic::Update-Package-Lists "1";            // apt update daily
APT::Periodic::Unattended-Upgrade "1";              // run unattended-upgrades daily
APT::Periodic::Download-Upgradeable-Packages "1";   // pre-download upgradeable packages
APT::Periodic::AutocleanInterval "7";               // clean old packages weekly
Testing and Monitoring
# Dry run (see what would be upgraded)
sudo unattended-upgrades --dry-run --debug
# Force a run now
sudo unattended-upgrades --debug
# Check the log
cat /var/log/unattended-upgrades/unattended-upgrades.log
# Check what was installed
cat /var/log/unattended-upgrades/unattended-upgrades-dpkg.log 2>/dev/null
Ubuntu: unattended-upgrades is pre-configured to install security updates by default. Debian: after installing the package, run sudo dpkg-reconfigure -plow unattended-upgrades to enable it.
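As an added example (not part of the course page), here is a small POSIX shell check that reads `apt-config dump` output and confirms that the schedule and the security origin are actually in effect, rather than trusting the file on disk. The two dump snippets are constructed samples and the `apt_value` / `uu_config_check` names are my own.

```shell
#!/bin/sh
# Added example (not from the course page): verify from `apt-config dump`
# output that unattended-upgrades is scheduled and allowed to use the
# security origin. Live use on a host:  apt-config dump | uu_config_check

# Constructed samples. apt-config dump prints list members as  Name:: "value";
GOOD_DUMP='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
Unattended-Upgrade::Allowed-Origins "";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}-security";
Unattended-Upgrade::Automatic-Reboot "false";'
BAD_DUMP='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
Unattended-Upgrade::Allowed-Origins "";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}-updates";'

# Print the value of one apt option (quotes and ";" stripped) from dump text on stdin.
apt_value() {
    awk -v key="$1" '$1 == key { gsub(/[";]/, "", $2); print $2; exit }'
}

# Read dump text on stdin. Exit 0 when package lists are refreshed, the
# unattended run is enabled and at least one *-security origin is allowed;
# otherwise print every problem found and exit 1.
uu_config_check() {
    dump=$(cat)
    rc=0
    lists=$(printf '%s\n' "$dump" | apt_value 'APT::Periodic::Update-Package-Lists')
    run=$(printf '%s\n' "$dump" | apt_value 'APT::Periodic::Unattended-Upgrade')
    sec=$(printf '%s\n' "$dump" |
          awk '$1 == "Unattended-Upgrade::Allowed-Origins::" && $2 ~ /-security";$/' | wc -l)
    [ "${lists:-0}" != 0 ] || { echo "PROBLEM: package lists are never refreshed (Update-Package-Lists)"; rc=1; }
    [ "${run:-0}" != 0 ]   || { echo "PROBLEM: unattended-upgrade run is disabled"; rc=1; }
    [ "$sec" -gt 0 ]       || { echo "PROBLEM: no *-security entry in Allowed-Origins"; rc=1; }
    return $rc
}
```

On a real host, compare the result with `systemctl list-timers apt-daily*` as well, since the timers do the actual scheduling.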
apt-listchanges
apt-listchanges shows you changelogs before packages are installed — useful for understanding what’s changing:
sudo apt install -y apt-listchanges
# Configure
sudo dpkg-reconfigure apt-listchanges
# Choose: display method (pager, text, mail), confirm changes
needrestart
After updates, some services need restarting to use the new code. needrestart detects this:
sudo apt install -y needrestart
# Check what needs restarting
sudo needrestart
# It runs automatically after apt upgrades and prompts you
Security Auditing
Auditing means checking your system for vulnerabilities, misconfigurations, and suspicious activity.
Checking Open Ports
# What's listening?
sudo ss -tlnp
# External scan of your machine (from another machine)
# nmap -sV target_ip
# What services are exposed?
sudo ss -tlnp | grep -v -e "127.0.0" -e "\[::1\]"
# ^ shows services listening on non-loopback addresses (0.0.0.0, *, [::] or an interface IP),
#   i.e. reachable from other hosts unless the firewall blocks them
Every open port is a potential attack surface. Close ports you don’t need:
# Find the service using a port
sudo ss -tlnp | grep ":8080"
# Stop and disable it
sudo systemctl stop service-name
sudo systemctl disable service-name
# Or block it with the firewall
sudo ufw deny 8080
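The loopback filter above is easy to get wrong (the IPv6 loopback `[::1]` and the wildcard forms all need handling). As an added example that is not from the course page, this shell function classifies `ss -tlnp` output by its bound address instead of by a substring; the sample `ss` lines are constructed and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the course page): classify `ss -tlnp` listeners
# by bound address. A plain `grep -v 127.0.0` misses the IPv6 loopback [::1],
# while the wildcard forms 0.0.0.0, * and [::] all mean "every interface".
# Live use:  sudo ss -tlnp | exposed_listeners

# Constructed sample of `ss -tlnp` output (process names and pids are made up).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=640,fd=7))
LISTEN 0      511    *:80                *:*               users:(("nginx",pid=1203,fd=6))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      4096   [::1]:631           [::]:*            users:(("cupsd",pid=640,fd=6))
LISTEN 0      128    192.168.1.10:5432   0.0.0.0:*         users:(("postgres",pid=900,fd=5))'

# Read ss output on stdin; print "PORT ADDRESS PROCESS" for each socket that
# is reachable from beyond the host, i.e. not bound to a loopback address.
exposed_listeners() {
    awk '
        $1 != "LISTEN" { next }                  # skip the header line
        {
            addr = $4; port = $4
            sub(/:[^:]*$/, "", addr)             # drop ":PORT" after the last colon
            sub(/.*:/, "", port)                 # keep only the port number
            proc = "-"
            if (match($0, /\("[^"]+"/))          # users:(("sshd",pid=...)) -> sshd
                proc = substr($0, RSTART + 2, RLENGTH - 3)
            loopback = (addr ~ /^127\./ || addr == "[::1]" || addr == "localhost")
            if (!loopback) print port, addr, proc
        }'
}

# Run the classifier over the constructed sample (no root needed).
demo_exposed() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
}
```

Add `-u` to the `ss` invocation to audit UDP listeners the same way.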
Lynis — Security Auditing Tool
Lynis is an open-source security auditing tool that scans your system and suggests hardening steps:
# Install
sudo apt install -y lynis
# Run a full audit
sudo lynis audit system
# The output includes:
# - Warnings (things to fix)
# - Suggestions (improvements)
# - Hardening index (score)
# - Detailed test results
Lynis checks:
- Boot and services
- Kernel hardening
- Memory and processes
- Users and authentication
- Shells and permissions
- File permissions
- Firewalls
- SSH configuration
- Software integrity
- And much more
# View just warnings
sudo lynis audit system 2>/dev/null | grep -A 1 "Warning"
# View suggestions
sudo lynis audit system 2>/dev/null | grep -A 1 "Suggestion"
# Save report
sudo lynis audit system --report-file /tmp/lynis-report.txt
rkhunter — Rootkit Detection
rkhunter scans for rootkits, backdoors, and suspicious files:
# Install
sudo apt install -y rkhunter
# Update the database
sudo rkhunter --update
# Set baseline properties
sudo rkhunter --propupd
# Run a scan
sudo rkhunter --check
# Skip prompts (for cron)
sudo rkhunter --check --skip-keypress
# View the log
sudo grep -i warning /var/log/rkhunter.log
Automate rkhunter
# Add to root's crontab
sudo crontab -e
# Add:
# 0 4 * * * /usr/bin/rkhunter --check --skip-keypress --report-warnings-only >> /var/log/rkhunter-cron.log 2>&1
Other Security Checks
Check for SUID/SGID Files
SUID/SGID files run with elevated privileges — unexpected ones could be backdoors:
# Find all SUID files
find / -perm -4000 -type f 2>/dev/null
# Find all SGID files
find / -perm -2000 -type f 2>/dev/null
# Compare against a known-good list periodically
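As an added example of the baseline comparison suggested above (not from the course page), these shell functions snapshot the SUID/SGID files and diff the snapshot against a saved list, reporting what appeared and what vanished. The baseline path and the function names are assumptions, and the two sample lists are constructed.

```shell
#!/bin/sh
# Added example (not from the course page): keep a baseline of SUID/SGID
# files and report drift against it. Live use as root, after sourcing this
# file (the baseline path is an assumption):
#   suid_snapshot > /var/lib/suid-baseline.txt              # once, on a known-good host
#   suid_snapshot | suid_drift /var/lib/suid-baseline.txt   # periodically, e.g. from cron

# Sorted list of all SUID or SGID regular files on this host.
suid_snapshot() {
    find / \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null | sort -u
}

# Compare the current list (stdin) with the baseline file $1.
# Prints "+ path" for new entries and "- path" for vanished ones;
# returns 1 if anything changed, 0 if the lists are identical.
suid_drift() {
    cur=$(mktemp) base=$(mktemp)
    sort -u > "$cur"
    sort -u "$1" > "$base"
    added=$(comm -13 "$base" "$cur")      # only in current
    removed=$(comm -23 "$base" "$cur")    # only in baseline
    rm -f "$cur" "$base"
    [ -n "$added" ]   && printf '%s\n' "$added"   | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    [ -z "$added$removed" ] && return 0
    return 1
}

# Constructed sample: a new SUID binary under /tmp appeared and chsh disappeared.
SAMPLE_BASELINE='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/chsh'
SAMPLE_CURRENT='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/tmp/.x/rootshell'

# Run suid_drift on the constructed sample (no root needed); same exit code.
demo_drift() {
    b=$(mktemp)
    printf '%s\n' "$SAMPLE_BASELINE" > "$b"
    if printf '%s\n' "$SAMPLE_CURRENT" | suid_drift "$b"; then rc=0; else rc=1; fi
    rm -f "$b"
    return $rc
}
```

Store the baseline somewhere an attacker who gains root cannot quietly rewrite it, for example on a separate host or in your configuration management repository.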
Check Installed Packages for Vulnerabilities
# Debian/Ubuntu: check which packages have security updates available
apt list --upgradable 2>/dev/null | grep -i security
# Check if a specific package has known CVEs (requires debsecan)
sudo apt install -y debsecan
debsecan
Review User Accounts
# Users with login shells
grep -v "nologin\|false" /etc/passwd
# Users with UID 0 (root-equivalent) — should only be root
awk -F: '$3 == 0 {print $1}' /etc/passwd
# Recently modified accounts
ls -lt /etc/passwd /etc/shadow /etc/group
# Users with empty passwords
sudo awk -F: '$2 == "" {print $1}' /etc/shadow
Review Cron Jobs
# All user crontabs
for user in $(cut -f1 -d: /etc/passwd); do
crontab -l -u "$user" 2>/dev/null | grep -v "^#" | grep -v "^$" && echo " (user: $user)"
done
# System cron
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
Lab
Exercise 1: Check Automatic Updates
# Is unattended-upgrades installed?
dpkg -l | grep unattended-upgrades
# View configuration
cat /etc/apt/apt.conf.d/20auto-upgrades 2>/dev/null
cat /etc/apt/apt.conf.d/50unattended-upgrades 2>/dev/null | head -20
# Check logs
ls /var/log/unattended-upgrades/ 2>/dev/null
Exercise 2: Audit Open Ports
# What's listening?
sudo ss -tlnp
# Which of these are accessible from outside? (exclude both IPv4 and IPv6 loopback)
sudo ss -tlnp | grep -v -e "127.0.0" -e "\[::1\]"
Exercise 3: Run Lynis
sudo apt install -y lynis
sudo lynis audit system 2>&1 | tail -30
Exercise 4: Security Checks
# SUID files
find / -perm -4000 -type f 2>/dev/null | head -15
# Users with login shells
grep -v "nologin\|false" /etc/passwd
# Root-equivalent users
awk -F: '$3 == 0 {print $1}' /etc/passwd
# Available security updates
apt list --upgradable 2>/dev/null
Review
1. What does unattended-upgrades do?
Automatically downloads and installs security updates (and optionally all updates). It runs daily and keeps your system patched without manual intervention.
2. Where is unattended-upgrades configured?
/etc/apt/apt.conf.d/50unattended-upgrades (what to upgrade, reboot policy, blacklist) and /etc/apt/apt.conf.d/20auto-upgrades (schedule and frequency).
3. What does Lynis do?
Lynis is a security auditing tool that scans your system for vulnerabilities, misconfigurations, and hardening opportunities. It checks services, permissions, firewalls, SSH, kernel settings, and more, then provides warnings, suggestions, and a hardening score.
4. Why should you monitor open ports?
Every open port is a potential entry point for attackers. Services you don’t need should be stopped and disabled, or blocked by the firewall. Regular port audits (ss -tlnp) ensure nothing unexpected is exposed.
5. Why should you check for unexpected SUID files?
SUID files run with the file owner’s privileges (often root). An attacker who installs a SUID root binary has a persistent backdoor for privilege escalation. Regular checks against a known-good baseline can detect unauthorized changes.