SECURITY UPDATES OF DEBIAN PACKAGES ON MACHINES WITHOUT A CONNECTION

How to update the packages that have had security problems. To be done periodically (whenever you feel like it). Method adapted from: http://jedrm.wordpress.com/2006/09/12/howto-updateinstallupgrade-a-debian-box-with-no-internet/

1º. MACHINE WITH A CONNECTION:

- Using a browser, find the Debian mirror from which the security updates are downloaded: http://security.debian.org (the dirs I have in /etc/apt/sources.list are: 'etch/updates main contrib non-free'). It can be reached from http://security.debian.org/dists/etch/updates

- Copy the files "Release" and "Release.gpg" that sit right in that root dir. Rename the files as:
    - security.debian.org_dists_etch_updates_Release
    - security.debian.org_dists_etch_updates_Release.gpg
  This part may not need to be done every time; doing it the first time a security update is made should be enough, since afterwards these files would not change. But anyway, just in case... it costs nothing...

- Go into the dirs "contrib/binary-i386", "main/binary-i386" and "non-free/binary-i386" and copy the Packages.gz files. Uncompress them with gunzip and rename the resulting file as (respectively):
    - security.debian.org_dists_etch_updates_contrib_binary-i386_Packages
    - security.debian.org_dists_etch_updates_main_binary-i386_Packages
    - security.debian.org_dists_etch_updates_non-free_binary-i386_Packages
  After uncompressing, a file may end up with 0 bytes. This is because there is no security update in that branch. Take it to the machine without a connection anyway.

- In the case of an update that also involves improvements to the stable version of Debian (for example going from 4.0 to 4.0r1; both are Etch, but the second is an update), packages are also updated from the main repository, which in our case is ftp.fr.debian.org. Then go into http://ftp.fr.debian.org/debian/dists/stable/ and also into the subdirs "contrib/binary-i386", "main/binary-i386" and "non-free/binary-i386", and copy the same files as in the previous case, gunzipping/renaming them as:
    - ftp.fr.debian.org_debian_dists_etch_Release
    - ftp.fr.debian.org_debian_dists_etch_Release.gpg
    - ftp.fr.debian.org_debian_dists_etch_contrib_binary-i386_Packages
    - ftp.fr.debian.org_debian_dists_etch_main_binary-i386_Packages
    - ftp.fr.debian.org_debian_dists_etch_non-free_binary-i386_Packages

- Take all those files to the machine without a connection.

2º. MACHINE WITHOUT A CONNECTION:

- Put the following line in /etc/apt/sources.list (if it is not there already):
    deb http://security.debian.org etch/updates main contrib non-free

- Check that the files are correctly renamed, comparing the names of the ones that exist on the machine with the ones we bring. Copy all the grabbed files into /var/lib/apt/lists/ on the machine without a connection (replacing the ones that may already be there and have become obsolete).

- Run 'apt-get check' to update the package cache. Run 'apt-get update' so that apt notices it has new package listings (I think it is not necessary, and it also gives an error, but better to do it just in case).

- Run an apt-get upgrade (to try to update the packages that have changed for security reasons), but without letting it try to install anything: it should only tell us the URLs from which to download the needed packages, which we save in a text file:
    apt-get -qq --print-uris upgrade | cut -f 2 -d \' > garraxiaux-upgrade.txt

- Take the text file 'garraxiaux-upgrade.txt' to the machine with a connection. Check first that it has content; if it had nothing, no package installed on the machine without a connection required a security update. Also check that all the packages would be fetched from http://security.debian.org/.
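The following is an added example, written for these notes rather than taken from them or from Debian's own tools, covering step 1 (naming the downloaded index files the way apt expects under /var/lib/apt/lists/, and checking an uncompressed Packages file against the checksum that Release lists for it, since the notes copy Release and Release.gpg but never use them) and step 2 (extracting the URLs from the apt-get --print-uris output while separating out any that do not come from the expected security mirror). It assumes a POSIX sh with awk, sed and sha256sum, and that the Release file carries a SHA256 section; the function names and the sample data are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original notes: helpers for steps 1 and 2 of the
# offline update procedure. Assumes POSIX sh plus awk, sed and sha256sum.
# Function names and all sample data are constructed for this example.

# Step 1: apt stores each index under /var/lib/apt/lists/ with a name derived
# from its URL: the scheme is dropped and every '/' becomes '_'.
#   $1 = suite base URL   (e.g. http://security.debian.org/dists/etch/updates)
#   $2 = path inside it   (e.g. main/binary-i386/Packages, or Release)
apt_list_name() {
    printf '%s/%s\n' "$1" "$2" | sed -e 's#^[a-z]*://##' -e 's#/#_#g'
}

# Step 1, integrity check: Release lists a checksum for every index it covers,
# and Release.gpg signs Release (check that on the online machine with
# "gpg --verify Release.gpg Release" against the Debian archive key). Verify an
# uncompressed Packages file against the SHA256 entry in Release before renaming
# it; prints "ok" (exit 0) or "MISMATCH" (exit 1).
#   $1 = Release file, $2 = Packages file, $3 = its path as listed in Release
verify_packages_file() {
    expected=$(awk -v want="$3" '
        /^SHA256:/           { in_sha = 1; next }   # start of the SHA256 section
        /^[A-Za-z]/          { in_sha = 0 }         # any other header ends it
        in_sha && $3 == want { print $1 }           # checksum lines: hash size path
    ' "$1")
    actual=$(sha256sum "$2" | awk '{ print $1 }')
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo ok
        return 0
    fi
    echo MISMATCH
    return 1
}

# Step 2: "apt-get -qq --print-uris upgrade" prints one line per package:
#   'URL' filename size MD5Sum:hash
# Keep only URLs whose host is the expected security mirror ($1); reads stdin.
filter_uris() {
    awk -F"'" -v host="$1" '
        $2 != "" { split($2, p, "/"); if (p[3] == host) print $2 }'
}

# Companion to filter_uris: the URLs that did NOT come from the expected host,
# i.e. the ones the notes say to look at before putting them in the download list.
foreign_uris() {
    awk -F"'" -v host="$1" '
        $2 != "" { split($2, p, "/"); if (p[3] != host) print $2 }'
}

# Constructed sample of --print-uris output (not real package data): one line
# from the security mirror and one from the plain mirror.
SAMPLE_URIS="'http://security.debian.org/pool/updates/main/f/foo/foo_1.0-1etch1_i386.deb' foo_1.0-1etch1_i386.deb 1234 MD5Sum:0123456789abcdef0123456789abcdef
'http://ftp.fr.debian.org/debian/pool/main/b/bar/bar_2.0-3_i386.deb' bar_2.0-3_i386.deb 5678 MD5Sum:fedcba9876543210fedcba9876543210"

# Usage on the offline machine (as root), equivalent to the notes' pipeline but
# with the source check built in:
#   apt-get -qq --print-uris upgrade | filter_uris security.debian.org > garraxiaux-upgrade.txt
#   apt-get -qq --print-uris upgrade | foreign_uris security.debian.org   # review these first
```

The source check replaces the plain cut in the notes' pipeline: the kept list goes straight into garraxiaux-upgrade.txt, and whatever foreign_uris reports is exactly the set of packages the notes say to look at before deciding whether to download them. Checking each Packages file against Release, and Release against Release.gpg with gpg on the online machine, is what keeps a tampered index from being carried across on the USB stick.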
  If some of them come from other sources, look at it carefully, because it may be better to remove them from the text file. This can happen because we have packages installed from other sources (for example from testing) and/or that were compiled by me, or for other reasons (look at it carefully first). If the security update is done for several machines at once, compare the resulting files from each of them and try to put all the packages to download in a single one, since most likely the same packages will be updated on all the machines, with few differences.

3º. MACHINE WITH A CONNECTION:

- Create a temporary dir, put the text file 'garraxiaux-upgrade.txt' in it and run 'wget -c -i garraxiaux-upgrade.txt'. This downloads all the needed Debian packages into that temporary dir.

- Put the temporary dir on the USB stick and take it to the machine without a connection.

4º. MACHINE WITHOUT A CONNECTION:

- Copy the downloaded deb packages into /var/cache/apt/archives on the machine without a connection (leave them among the ones already there; the existing ones do not "get in the way", unless we are short of space).

- Run the "real" 'apt-get upgrade'. Look at the errors that come out, since we may have left some packages it needed to upgrade undownloaded. If errors of that kind appear (because it cannot find packages), use 'apt-get --fix-missing upgrade'. What this does is forget about the files we have not downloaded.

- Afterwards it is advisable to reboot the computer (above all if we have upgraded the kernel), or at least restart some services (daemons), for example using the "checkrestart" program (available in the debian-goodies package) to find out which ones need restarting. See below (taken from: http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s-security-update).

- If many updates of this kind are done, the directory that stores the downloaded packages easily ends up filling up.
  To remove the packages that are already obsolete because they have been replaced by a new one, run:
    $ apt-get autoclean
  (To delete all the packages it would be: $ apt-get clean).

---------------------------------------------------------------------------------

4.2 Execute a security update

As soon as new security bugs are detected in packages, Debian maintainers and upstream authors generally patch them within days or even hours. After the bug is fixed, a new package is provided on http://security.debian.org.

If you are installing a Debian release you must take into account that since the release was made there might have been security updates after it has been determined that a given package is vulnerable. Also, there might have been minor releases (there have been four for the Debian 3.0 sarge release) which include these package updates.

You need to note down the date the removable media (if you are using it) was made and check the security site in order to see if there are security updates. If there are and you cannot download the packages from the security site on another system (you are not connected to the Internet yet? are you?) before connecting to the network you could consider (if not protected by a firewall for example) adding firewall rules so that your system could only connect to security.debian.org and then run the update. A sample configuration is shown in Security update protected by a firewall, Appendix F.

Note: Since Debian woody 3.0, after installation you are given the opportunity to add security updates to the system. If you say 'yes' to this, the installation system will take the appropriate steps to add the source for security updates to your package sources and your system, if you have an Internet connection, will download and install any security updates that might have been produced after your media was created.
If you are upgrading a previous version of Debian, or you asked the installation system not to do this, you should take the steps described here.

To manually update the system, put the following line in your sources.list and you will get security updates automatically, whenever you update your system.

  deb http://security.debian.org/ stable/updates main contrib non-free

Note: If you are using the testing branch use the security testing mirror sources as described in Security support for the testing branch, Section 10.1.4.

Once you've done this you can use multiple tools to upgrade your system. If you are running a desktop system you will have[8] an application called update-notifier that will alert you that new updates are available; by selecting it you can make a system upgrade from the desktop (using update-manager). In desktop environments you can also use synaptic, kpackage or adept for more advanced interfaces. If you are running a text-only terminal you can use aptitude, apt or dselect (deprecated) to upgrade:

  * If you want to use aptitude's text interface you just have to press u (update) followed by g (to upgrade). Or just do the following from the command line (as root):

      # aptitude update
      # aptitude upgrade

  * If you want to use apt do just like with aptitude but substitute the aptitude lines above with apt-get.

  * If you want to use dselect then first [U]pdate, then [I]nstall and finally, [C]onfigure the installed/upgraded packages.

If you like, you can add the deb-src lines to /etc/apt/sources.list as well. See apt(8) for further details.

Note: You do not need to add the following line:

  deb http://security.debian.org/debian-non-US stable/non-US main contrib non-free

This is because security.debian.org is hosted in a non-US location and doesn't have a separate non-US archive.
----------------------------------------------------------------------

4.2.1 Security update of libraries

Once you have executed a security update you might need to restart some of the system services. If you do not do this, some services might still be vulnerable after a security upgrade. The reason for this is that daemons that are running before an upgrade might still be using the old libraries before the upgrade [9]. In order to detect which daemons might need to be restarted you can use the checkrestart program (available in the debian-goodies package) or use this one liner[10] (as root):

  # lsof | grep <the_upgraded_library> | awk '{print $1, $9}' | uniq | sort +0

Some packages (like libc6) will do this check in the postinst phase for a limited set of services, especially since an upgrade of essential libraries might break some applications (until restarted)[11].

Bringing the system to run level 1 (single user) and then back to run level 3 (multi user) should take care of the restart of most (if not all) system services. But this is not an option if you are executing the security upgrade from a remote connection (like ssh) since it will be severed.

Exercise caution when dealing with security upgrades if you are doing them over a remote connection like ssh. A suggested procedure for a security upgrade that involves a service restart is to restart the SSH daemon and then, immediately, attempt a new ssh connection without breaking the previous one. If the connection fails, revert the upgrade and investigate the issue.

----------------------------------------------------------------------

4.2.2 Security update of the kernel

First, make sure your kernel is being managed through the packaging system. If you have installed using the installation system from Debian 3.0 or previous releases, your kernel is not integrated into the packaging system and might be out of date.
You can easily confirm this by running:

  $ dpkg -S `readlink -f /vmlinuz`
  kernel-image-2.4.27-2-686: /boot/vmlinuz-2.4.27-2-686

If your kernel is not being managed you will see a message saying that the package manager did not find the file associated to any package instead of the message above, which says that the file associated to the current running kernel is being provided by the kernel-image-2.4.27-2-686. So first, you will need to manually install a kernel image package. The exact kernel image you need to install depends on your architecture and your preferred kernel version. Once this is done, you will be able to manage the security updates of the kernel just like those of any other package.

In any case, notice that the kernel updates will only be done for kernel updates of the same kernel version you are using, that is, apt will not automatically upgrade your kernel from the 2.4 release to the 2.6 release (or from the 2.4.26 release to the 2.4.27 release[12]).

The installation system of the Debian 3.1 release will handle the selected kernel (either 2.4 or 2.6) as part of the package system. You can review which kernels you have installed by running:

  $ COLUMNS=150 dpkg -l 'kernel-image*' | awk '$1 ~ /ii/ { print $0 }'

To see if your kernel needs to be updated run:

  $ kernfile=`readlink -f /vmlinuz`
  $ kernel=`dpkg -S $kernfile | awk -F : '{print $1}'`
  $ apt-cache policy $kernel
  kernel-image-2.4.27-2-686:
    Installed: 2.4.27-9
    Candidate: 2.4.27-9
    Version Table:
   *** 2.4.27-9 0
  (...)

If you are doing a security update which includes the kernel image you need to reboot the system in order for the security update to be useful. Otherwise, you will still be running the old (and vulnerable) kernel image.

If you need to do a system reboot (because of a kernel upgrade) you should make sure that the kernel will boot up correctly and network connectivity will be restored, especially if the security upgrade is done over a remote connection like ssh.
For the former you can configure your boot loader to reboot to the original kernel in the event of a failure (for more detailed information read Remotely rebooting Debian GNU/Linux machines). For the latter you have to introduce a network connectivity test script that will check if the kernel has started up the network subsystem properly and reboot the system if it did not[13]. This should prevent nasty surprises like updating the kernel and then realizing, after a reboot, that it did not detect or configure the network hardware properly and you need to travel a long distance to bring the system up again. Of course, having the system serial console [14] in the system connected to a console or terminal server should also help debug reboot issues remotely.
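As an added example for sections 4.2.1 and 4.2.2 above (not from the Securing Debian Howto, and not the checkrestart program), the following script turns the two manual checks into functions: one parses lsof output for processes that still map a shared library whose file on disk was replaced (lsof marks it "(deleted)"), which is more general than grepping for a single library name, and one parses apt-cache policy output for the running kernel package to report whether a newer kernel image is waiting to be installed. It assumes POSIX sh with awk and sort; lsof has to be run as root to see every process. The function names and the sample lsof and apt-cache excerpts are constructed.

```shell
#!/bin/sh
# Added example, not from the Securing Debian Howto: two post-upgrade checks in
# script form. Assumes POSIX sh, awk and sort; lsof needs root for real use.
# Function names and the sample lsof / apt-cache output below are constructed.

# 4.2.1: instead of grepping lsof for one named library, list every process
# that still has a mapped shared library whose file was replaced by the upgrade
# (lsof appends "(deleted)" to such names). Reads lsof output on stdin and
# prints "command pid library", sorted and de-duplicated.
stale_library_users() {
    awk '
        $NF == "(deleted)" && $(NF-1) ~ /\.so(\.[0-9.]*)?$/ { print $1, $2, $(NF-1) }
    ' | sort -u
}

# The distinct daemon names from stale_library_users, i.e. the restart
# candidates (compare with what checkrestart reports).
services_to_restart() {
    stale_library_users | awk '{ print $1 }' | sort -u
}

# 4.2.2: parse "apt-cache policy <kernel-image-package>" output (stdin) and
# report whether a newer kernel image is waiting to be installed.
# Exit status: 0 = update pending (reboot needed once installed),
#              1 = installed version is already the candidate,
#              2 = package not installed (kernel not managed by dpkg).
policy_update_pending() {
    awk '
        /^ *Installed:/ { inst = $2 }
        /^ *Candidate:/ { cand = $2 }
        END {
            printf "installed=%s candidate=%s\n", inst, cand
            if (inst == "" || inst == "(none)") exit 2
            if (inst == cand) exit 1
            exit 0
        }
    '
}

# Real-world wrapper (not exercised offline): find the package providing the
# running kernel, as the Howto does, and feed its policy to the parser.
check_running_kernel() {
    kernfile=$(readlink -f /vmlinuz)
    kernel=$(dpkg -S "$kernfile" | awk -F : '{ print $1 }')
    apt-cache policy "$kernel" | policy_update_pending
}

# Constructed lsof excerpt: sshd and two apache2 workers still map the old libc;
# bash maps a current file and vim holds a deleted file that is not a library.
SAMPLE_LSOF="COMMAND   PID USER     FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1234 root     mem   REG    8,1  1249904 4567 /lib/libc-2.3.6.so (deleted)
sshd     1234 root     mem   REG    8,1    87480 4568 /lib/libz.so.1.2.3
apache2  2345 www-data mem   REG    8,1  1249904 4567 /lib/libc-2.3.6.so (deleted)
apache2  2346 www-data mem   REG    8,1  1249904 4567 /lib/libc-2.3.6.so (deleted)
bash     3456 root     txt   REG    8,1   670372 8910 /bin/bash
vim      4567 root       4r  REG    8,1     1024 9999 /tmp/notes.txt (deleted)"

# Constructed apt-cache policy excerpts in the format quoted in the Howto.
SAMPLE_POLICY_CURRENT="kernel-image-2.4.27-2-686:
  Installed: 2.4.27-9
  Candidate: 2.4.27-9
  Version Table:
 *** 2.4.27-9 0"
SAMPLE_POLICY_PENDING="kernel-image-2.4.27-2-686:
  Installed: 2.4.27-9
  Candidate: 2.4.27-10
  Version Table:
     2.4.27-10 0
 *** 2.4.27-9 0"

# Usage after a library upgrade (as root):  lsof | services_to_restart
# Usage after a kernel upgrade:             check_running_kernel && echo "reboot needed"
```

Over a remote ssh session the order matters: run stale_library_users first, restart everything it names except sshd, then restart sshd last and open a second connection before closing the first, exactly as section 4.2.1 advises.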