Updates: why they are important and what are the risks

Updates are an essential part of any secure system. They prevent incidents and ensure the smooth operation of IT systems and services. This article compares the benefits and risks of manual and automatic updates, primarily in Linux distributions. To complement this, it provides an example of automatic updates for the current LTS versions of Ubuntu 24.04 and 22.04.

7 Aug 2024 IT Admins

No software is flawless; some bugs affect functionality, while others pose security risks, which we refer to as vulnerabilities. Timely fixing of vulnerabilities minimizes the risk of exploitation and consequences such as leakage of sensitive information, malware infection or disruption of service availability.

This is even more true today, when exploiting vulnerabilities no longer requires advanced technical knowledge. For many vulnerabilities, ready-made scripts and tools exist that anyone with basic IT skills can use; examples are the Metasploit framework and the Nuclei vulnerability scanner.

Regular and timely software updates are an effective protection against exploitable vulnerabilities. In a university environment, it should be emphasized that software that is not kept up to date poses a significant risk not only to the device on which it is installed, but can also compromise the security of the entire university network.

A quick look at the security updates for the Debian Linux distribution reveals dozens of patched vulnerabilities per month.

Regular updates are required in the university environment according to MU Directive no. 9/2017.

As vulnerabilities increasingly appear in critical software, purely manual updates are no longer sufficient. The situation must be approached systematically and automated. In what follows we therefore focus on software that can be installed using the package managers of Linux distributions, such as the Advanced Packaging Tool (APT) or Dandified YUM (DNF).

Operating systems and application libraries

Operating systems and application libraries are the basic building blocks of any system, so ensuring they are regularly updated is essential. They often contain critical dependencies that affect the functionality and security of the entire IT environment, making their maintenance crucial.

Manual updates

For systems that require high service availability, manual updates are recommended. We recommend the following procedure for smooth manual updates:

1. Set up notifications to check for updates on a regular basis.

2. Make updates when the system is least used to allow room for corrections in case of failure.

3. For critical systems, it is desirable to verify the update on a test instance and apply it to the production system after verification.

4. Restart the updated services to allow the updates to take effect.

5. Check the system state after the updates have been applied.


Note: Simply updating the system package is not enough. Running services must be restarted for the updated version to replace the one in use. If the services are not restarted, the files on disk are updated, but the old versions of the software are still running in memory. In the case of kernel or library updates, it may be necessary to reboot the entire system. If you want to receive email notifications of new updates available for your server, you can set them up, for example, by following the instructions in the article Get Notified of Ubuntu Box Security Updates.
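A check for the situation the note describes (new files on disk, old library still in memory), added here as an example and not part of the original article. It assumes the Linux /proc/<pid>/maps layout, and the sample maps content is constructed.

```python
"""List running processes that still map shared libraries replaced on disk.
Added example, not code from the original article: after a package upgrade the new
files are on disk, but a process started before the upgrade keeps the old, now
unlinked, library mapped; the kernel marks such mappings "(deleted)" in
/proc/<pid>/maps, the same signal that needrestart uses."""
import os
import re

# Constructed sample of /proc/<pid>/maps for a daemon started before an openssl upgrade.
SAMPLE_MAPS = """\
55e1c4a00000-55e1c4a20000 r-xp 00000000 fd:01 1311204                    /usr/sbin/nginx
7f3c4a2b1000-7f3c4a2d3000 r--p 00000000 fd:01 1835009                    /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f3c4a2d3000-7f3c4a2e0000 r-xp 00000000 fd:01 1835010                    /usr/lib/x86_64-linux-gnu/libc.so.6
7f3c4a000000-7f3c4a001000 rw-s 00000000 00:01 42                         /dev/shm/sem.worker (deleted)
7ffd1c2e0000-7ffd1c301000 rw-p 00000000 00:00 0                          [stack]
"""
# Fields: address perms offset dev inode [pathname]; replaced files end in " (deleted)".
_MAPS_RE = re.compile(r"^\S+ \S+ \S+ \S+ \d+\s+(?P<path>/.*?)(?P<deleted> \(deleted\))?$")

def stale_libraries(maps_text):
    """Return the sorted deleted shared-object paths found in one process's maps text."""
    stale = set()
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if m and m.group("deleted") and ".so" in os.path.basename(m.group("path")):
            stale.add(m.group("path"))      # skip deleted non-library files such as shm segments
    return sorted(stale)

def scan_processes(proc_root="/proc"):
    """Map pid -> stale libraries for every readable process; run as root for full coverage."""
    result = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_libraries(fh.read())
        except OSError:                     # process exited, or maps not readable by this user
            continue
        if stale:
            result[int(entry)] = stale
    return result

if __name__ == "__main__":
    for pid, libs in sorted(scan_processes().items()):
        print(f"pid {pid} still maps: {', '.join(libs)}")
```

Any process listed here is a candidate for a service restart; a deleted mapping of the kernel's own modules will not show up this way, which is why kernel updates need a reboot.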

Automatic updates

Systems where availability is not a critical factor can benefit from automatic updates to system packages and libraries. However, there are risks to enabling automatic updates. A failed update can lead to unavailability of service or the need to restore the system to a previous state. It is not only for these reasons that monitoring, logging and backups are necessary. Therefore, at least the following issues should be considered before enabling automatic updates:

1. When is the system least used by users?

2. When do I have enough time to solve any problems with the update?

3. Do I monitor the system regularly and will I be informed of availability limitations caused by the update?

4. Do I have processes (DRP) in place for disaster recovery (e.g., tested backups, system configuration versioning, available staff for repairs)?


Note: Many Linux distributions such as Debian, Ubuntu, AlmaLinux and others offer the option to schedule automatic updates for a specific day and time! In addition, they allow you to limit updates to only those that fix security vulnerabilities. Furthermore, exceptions can be defined for those packages that should not be updated.

Automatic updates on Ubuntu 22.04 and 24.04 Linux distributions

Automatic updates are provided through the package unattended-upgrades. Its configuration can be found in the files /etc/apt/apt.conf.d/50unattended-upgrades and /etc/apt/apt.conf.d/20auto-upgrades, and its logs in /var/log/unattended-upgrades/. Automatic updates are triggered by the systemd timer apt-daily-upgrade.timer.

In the default settings of Ubuntu 22.04 and 24.04, automatic updates are enabled, while automatic restarting of services and automatic reboots are not. In the default settings, even updates without security impact are applied.

  • 1. Package installation

    Make sure the unattended-upgrades package is installed: sudo apt install unattended-upgrades

  • 2. Configuration of systemd timer

    Copy the systemd timer that triggers the update so that its values can be modified: sudo cp /usr/lib/systemd/system/apt-daily-upgrade.timer /etc/systemd/system/ -> the copy can then be edited in a text editor. The OnCalendar value defines when the timer fires. The following example triggers an update every Tuesday at 6 am. The timer can also be set to other values, which are listed on the manual page systemd.time(7).

    [Unit]
    Description=Daily apt upgrade and clean activities
    After=apt-daily.timer

    [Timer]
    OnCalendar=Tue 6:00
    RandomizedDelaySec=60m
    Persistent=true

    [Install]
    WantedBy=timers.target

  • 3. Automatic update configuration

    Automatic updates can be turned off or on by editing the file /etc/apt/apt.conf.d/20auto-upgrades -> they are turned on by default with the following two lines:

    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Unattended-Upgrade "1";

    The automatic updates themselves are configured in the file /etc/apt/apt.conf.d/50unattended-upgrades -> similarly to the timer settings, copy the file and modify its values: sudo cp /etc/apt/apt.conf.d/50unattended-upgrades /etc/apt/apt.conf.d/51unattended-upgrades

    The following configuration file restricts automatic updates to security updates. Among other things, it also enables an automatic reboot at 8 am after the update; the reboot takes place only if the system requires it, for example after a kernel update. Consult the default configuration file for all possible configuration options.

    // discard the origin list inherited from 50unattended-upgrades and define it anew
    #clear Unattended-Upgrade::Allowed-Origins;
    Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
    };

    // automatic reboot if necessary (e.g. after a kernel update)
    Unattended-Upgrade::Automatic-Reboot "true";

    // do not reboot automatically while users are logged in
    Unattended-Upgrade::Automatic-Reboot-WithUsers "false";

    // perform the reboot at a fixed time instead of immediately after the update
    Unattended-Upgrade::Automatic-Reboot-Time "08:00";

  • 4. Restarting services after an update

    After the update, you need to restart the services that are still running from the old packages. Restarting is handled by the needrestart package: sudo apt install needrestart -> next, create a file /etc/needrestart/conf.d/config.conf, in which you set all services to restart automatically if they have been updated, except for qubes-gui-agent and qubes-core-agent-linux.

    # restart mode: 'a' = automatic; 'l' would only list affected services, 'i' asks interactively
    $nrconf{restart} = 'a';
    # services matching these patterns are never restarted automatically
    $nrconf{override_rc}->{q(^qubes-core-agent-linux)} = 0;
    $nrconf{override_rc}->{q(^qubes-gui-agent)} = 0;

  • 5. Loading a new configuration

    Finally, reload the systemd configuration so that the modified timer takes effect: sudo systemctl daemon-reload -> the system now has automatic updates configured as intended.
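A way to verify the result of steps 1 to 5, added here as an example and not part of the original article: because APT merges every file in /etc/apt/apt.conf.d/ in order, the effective policy is best read from apt-config dump rather than from a single file. The script below parses that output and checks it against the settings described above; the sample dump is constructed, and the script name audit_uu.py is an assumption.

```python
"""Audit the effective unattended-upgrades policy from `apt-config dump` output.
Added example, not code from the original article; checks the merged APT configuration."""
import re
import sys
# Constructed sample of `apt-config dump` output, reduced to the keys the article sets.
SAMPLE_DUMP = """\
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Allowed-Origins "";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}-security";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}ESMApps:${distro_codename}-apps-security";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}ESM:${distro_codename}-infra-security";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
Unattended-Upgrade::Automatic-Reboot-Time "08:00";
"""
# Every dump line has the form  Key "value";  list members carry a trailing "::".
_LINE_RE = re.compile(r'^(?P<key>\S+)\s+"(?P<value>.*)";$')

def parse_apt_config(dump_text):
    """Return {key: value} for scalars and {key: [values]} for list entries."""
    cfg = {}
    for line in dump_text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key.endswith("::"):          # list element, e.g. Allowed-Origins:: "..."
            cfg.setdefault(key[:-2], []).append(value)
        elif value != "":               # "" only marks a container node
            cfg[key] = value
    return cfg

def audit_policy(cfg):
    """Return findings that deviate from the article's security-only, 08:00-reboot policy."""
    findings = []
    if cfg.get("APT::Periodic::Unattended-Upgrade", "0") != "1":
        findings.append("automatic upgrades disabled (APT::Periodic::Unattended-Upgrade)")
    origins = cfg.get("Unattended-Upgrade::Allowed-Origins", [])
    if not any(o.endswith("-security") for o in origins):
        findings.append("no security origin in Allowed-Origins")
    broad = [o for o in origins if not o.endswith("-security")]
    if broad:
        findings.append("non-security origins also auto-updated: " + ", ".join(broad))
    if cfg.get("Unattended-Upgrade::Automatic-Reboot") == "true" and not re.fullmatch(
            r"\d\d:\d\d", cfg.get("Unattended-Upgrade::Automatic-Reboot-Time", "")):
        findings.append("Automatic-Reboot is on but no fixed Automatic-Reboot-Time is set")
    return findings

if __name__ == "__main__":   # usage on a host:  apt-config dump | python3 audit_uu.py
    print("\n".join(audit_policy(parse_apt_config(sys.stdin.read())) or ["policy OK"]))
```

If the 51unattended-upgrades copy were written without the #clear line, the base origin from 50unattended-upgrades would survive the merge and this audit would report it as a non-security origin.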

Closing recommendations

Regular updates are crucial, but they alone are not enough to ensure the security of your servers. Equally important is proper network segmentation, which can significantly reduce the risk of vulnerabilities and limit the spread of potential attacks.

In the article Recommendations for securing devices on the MUNI network, we discuss measures such as firewalls, network traffic monitoring, and regular checks of systems and services in addition to network segmentation. All of these are essential to securing the services you manage.

If you run your own servers, you will need to set up and manage updates, backups and logging separately.

If you want to use a currently available IT solution, we recommend ICS services.

If you have identified inconsistencies in the services offered by the ICS, need advice, or have suggestions for more specific topics, please contact us at csirt@muni.cz.
