Posted by Nickj on Sat 12 Feb 2005 at 05:55
I'm looking for a way to automatically install security updates on a webserver running Debian stable, but with a twist: that the installation should be delayed a few days from when the updated package is released.
My reasoning for wanting this is based on these fairly straightforward assumptions:
- The Internet is an extremely hostile network.
- New security flaws are always going to be found.
- Initial security fixes may (despite the best efforts of the Debian Developers) be found to be buggy, introduce new vulnerabilities, or not fix the problem completely.
- Finding and fixing these problems in updated packages takes time.
- Updates can be revised multiple times.
- I may not always be available to hand-install updates - I may get sick, be on holidays, the office's network might be down, etc.
- Anything that makes administration more automated, and less prone to human error, is generally a good thing.
What I have currently is automatic downloading and notification of updated packages, via a simple cron job that calls apt. I can easily add something to this to install packages as soon as they are downloaded, but based on the above reasons I'm not comfortable doing that. What I do currently is hand-install updates after a suitable delay, but this leaves the machine vulnerable if I'm not available to do this, plus the criteria I'm following are quite strict and straightforward, so it feels like an administrative task that could be automated.
My basic idea of how this could work is something like how packages migrate from unstable to testing (i.e. a package must go for 10 days without changes before it makes the transition, and all of its dependencies must be satisfied). Basically I want something that applies the same logic as that, to downloaded security updates for Debian.
So using 2003's OpenSSH updates as an example, with a 10 day delay, the hypothetical timeline would be like so:
- Prior to 17-Sept-2003, previous version of SSH installed
- On 17-Sept-2003, SSH updates released (DSA-382-1)
- Later on during 17-Sept-2003, revised SSH updates released (DSA-382-2)
- 18-Sept-2003 as part of cron.daily: Updated DSA-382-2 packages automatically downloaded
- 18-Sept-2003 as part of cron.daily: Delayed installer does not install SSH updates as only 0 days old
- 19-Sept-2003 as part of cron.daily: Delayed installer does not install SSH updates as only 1 day old
- 20-Sept-2003 as part of cron.daily: Delayed installer does not install SSH updates as only 2 days old
- 21-Sept-2003 as part of cron.daily: Delayed installer does not install SSH updates as only 3 days old
- On 22-Sept-2003, revised SSH updates released (DSA-382-3)
- 22-Sept-2003 as part of cron.daily: Updated DSA-382-3 packages automatically downloaded
- 22-Sept-2003 as part of cron.daily: Delayed installer does not install SSH updates as only 0 days old (note: restarts the counter on the age of the updates)
- 23-Sept-2003 as part of cron.daily: Delayed installer does not install SSH updates as only 1 day old
- ... skip forward a bit ...
- 1-Oct-2003 as part of cron.daily: Delayed installer does not install SSH updates as only 9 days old
- 2-Oct-2003 as part of cron.daily: Delayed installer installs SSH updates as they are now 10 days old
My blue-sky-dreaming ideal is to have a system whereby I could have variable delays for different packages (my main responsibility is administering a dedicated webserver, so local vulnerabilities are far less critical from my perspective than remote vulns). So for example:
- Network visible things (Apache, OpenSSL, SSH) install updates after 10 days of no changes.
- PHP updates after 15 days (have some apps in PHP, need more time to test these).
- Everything else updates after 30 days (as this is a dedicated webserver, non-network visible vulnerabilities are less of an immediate threat).
Note that these figures are appropriate for me based on my experiences and configuration, plus the "Timing the Application of Security Patches for Optimal Uptime" paper (visible at: http://www.homeport.org/~adam/time-to-patch-usenix-lisa02.pdf - basically this paper suggests applying updates either after 10 days or after 30 days). However, different delays would probably be appropriate for other system administrators.
I've searched all the obvious places I can think of to see if there's a way to do this, but I haven't been able to find anything. Any help is most appreciated.
Kind Regards,
Nick.
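The delayed-install logic described in the DSA-382 timeline and the per-package delays listed above, as an added example (not the poster's cron job): a package's age counts from the day its currently available version was first seen, a revised version restarts the counter, and the glob-to-days policy table is an assumed encoding of the 10/15/30 day classes. Candidate versions would normally be fed in from apt; here they are constructed.

```python
"""Delayed-install policy for Debian security updates (added example).
Candidate versions are constructed stand-ins for what apt would report;
the version strings are labels, not real Debian version numbers."""
from datetime import date, timedelta
import fnmatch

# (glob, days without changes before installing); first match wins, "*" is the default.
POLICY = [
    ("apache*", 10), ("openssl*", 10), ("libssl*", 10), ("ssh", 10), ("openssh-*", 10),
    ("php*", 15),
    ("*", 30),
]

def delay_for(pkg):
    """Days of no changes a package must survive before it is installed."""
    for pattern, days in POLICY:
        if fnmatch.fnmatch(pkg, pattern):
            return days
    return 30

def plan(candidates, state, today):
    """One cron.daily run. candidates: {pkg: version available}; state:
    {pkg: (version, first_seen)} from earlier runs. Returns (to_install, new_state)."""
    new_state, install = {}, []
    for pkg, version in candidates.items():
        prev = state.get(pkg)
        # Same version as last run: keep its first-seen date; a revision restarts it.
        first_seen = prev[1] if prev and prev[0] == version else today
        new_state[pkg] = (version, first_seen)
        if (today - first_seen).days >= delay_for(pkg):
            install.append(pkg)
    return sorted(install), new_state

def run_timeline(first_day, last_day, releases):
    """Replay daily runs. releases: {date: {pkg: version}} newly offered by the
    archive on that date. Returns {date: [packages installed that day]}."""
    candidates, state, installed = {}, {}, {}
    day = first_day
    while day <= last_day:
        candidates.update(releases.get(day, {}))
        todo, state = plan(candidates, state, day)
        for pkg in todo:  # an installed package is no longer a pending upgrade
            candidates.pop(pkg)
            state.pop(pkg)
        if todo:
            installed[day] = todo
        day += timedelta(days=1)
    return installed
```

Replaying the post's dates (first candidate seen 18-Sept, revised 22-Sept) with `run_timeline` yields a single install of `ssh` on 2-Oct, matching the hand-worked timeline.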
This article is copyright 2005 Nickj - please ask for permission to republish or translate.