Automated delayed installation of security updates - Any thoughts on how to do?
I'm looking for a way to automatically install security updates on a webserver, but with a twist - that the installation should be delayed a few days.
My reasoning for wanting this is based on these assumptions:
* The Internet is an extremely hostile network.
* New security flaws are always going to be found.
* Initial security fixes may be found to be buggy, introduce new vulnerabilities, or not fix the problem completely.
* Finding and fixing these problems in updates takes time.
* Updates can be revised multiple times.
* I may not always be available to hand-install updates - I may get sick, be on holidays, etc.
What I have currently is automatic downloading and notification of updated packages (using the script from here: http://www.cryptio.net/~ferlatte/config/cron.daily.apt ). I can add something to this to install packages as soon as they are downloaded, but based on the above reasons I'm not comfortable doing that. What I do currently is hand-install updates after a suitable delay, but this leaves the machine vulnerable if I'm not available to do this, plus the criteria I'm following are quite strict and straightforward, so it feels like something that could be automated.
My basic idea of how this could work is something like how packages move from unstable --> testing (a package must go for 10 days without changes before it makes the transition). So using the recent OpenSSH updates as an example, with a 10 day delay, the timeline would be like so:
* Prior to 17-Sept-2003, previous version of SSH installed
* On 17-Sept-2003, SSH updates released (DSA-382-1)
* Later on during 17-Sept-2003, revised SSH updates released (DSA-382-2)
* 18-Sept-2003 as part of cron.daily: Updated DSA-382-2 packages automatically downloaded
* 18-Sept-2003 as part of cron.daily: Delayed installer does not install SSH updates as only 0 days old
* 19-Sept-2003 as part of cron.daily: Delayed installer does not install SSH updates as only 1 day old
* 20-Sept-2003 as part of cron.daily: Delayed installer does not install SSH updates as only 2 days old
* 21-Sept-2003 as part of cron.daily: Delayed installer does not install SSH updates as only 3 days old
* On 22-Sept-2003, revised SSH updates released (DSA-382-3)
* 22-Sept-2003 as part of cron.daily: Updated DSA-382-3 packages automatically downloaded
* 22-Sept-2003 as part of cron.daily: Delayed installer does not install SSH updates as only 0 days old (note: restarts the counter on the age of the updates)
* 23-Sept-2003 as part of cron.daily: Delayed installer does not install SSH updates as only 1 day old
... skip forward a bit ...
* 1-Oct-2003 as part of cron.daily: Delayed installer does not install SSH updates as only 9 days old
* 2-Oct-2003 as part of cron.daily: Delayed installer installs SSH updates as they are now 10 days old
My blue-sky-dreaming ideal is to have a system whereby I could have variable delays for different packages, namely:
* Network visible things (Apache, OpenSSL, SSH) install updates after 10 days of no changes.
* PHP updates after 15 days (have some apps in PHP, need more time to test these).
* Everything else updates after 30 days (this is a dedicated webserver, so non-network visible vulnerabilities are less of an immediate threat).
Note that these figures are appropriate for me based on my experiences and configuration, plus the "Timing the Application of Security Patches for Optimal Uptime" paper (visible at: http://www.homeport.org/~adam/time-to-patch-usenix-lisa02.pdf ) - but different delays would probably be appropriate for other system administrators.
Here's where I've looked at so far:
* apt-cache search delay
* apt-cache search auto | grep -i install
* apt-cache show auto-apt
* apt-cache show auto-install
* apt-cache show fai
* apt howto - http://www.debian.org/doc/manuals/apt-howto/index.en.html
* man apt-get
* man dpkg
* Searched google and google groups for "delayed package installation debian" (first 50 hits)
Have I missed something, or is there an obvious way to do this, or a pre-existing solution? I think it's very rare to be the first person ever to face a problem, so I'm suspecting that someone else has had this problem previously, and if I'm very lucky maybe even found a solution to it. If so, please let me know what you found or ended up doing, or if you have any thoughts on how to accomplish this please let me know.
Thanks for your consideration.
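The timeline and per-package delays described above can be expressed as a small decision script that a cron.daily job could run after the existing download step. The following is an added example, not part of the original post or of any Debian tool: it keeps a state file recording when each (package, version) pair was first seen in the download cache, restarts the counter whenever the candidate version changes (as with DSA-382-2 being superseded by DSA-382-3), and prints the packages whose age has reached their policy delay. The state file path, the `delay_for` package patterns and the candidate list format are assumptions for the example; the candidate list would in practice be produced from the cached .deb files.

```shell
#!/bin/sh
# Delayed installer decision logic (added example, not the post's script).
# A separate cron.daily job is assumed to have already downloaded the
# updated packages; this script only decides which ones are old enough.
#
# State file format, one line per package:
#   <pkg> <version> <first_seen_epoch_seconds>
STATE_FILE="${STATE_FILE:-/var/lib/delayed-apt/state}"   # hypothetical path

# Per-package delay policy in days, using the figures from the post.
# Package name patterns are assumptions for the example.
delay_for() {
    case "$1" in
        apache*|openssl*|libssl*|openssh*|ssh*) echo 10 ;;
        php*)                                    echo 15 ;;
        *)                                       echo 30 ;;
    esac
}

# ready_to_install TODAY_EPOCH STATE_FILE CANDIDATES_FILE
# CANDIDATES_FILE holds lines "<pkg> <version>" for every pending update.
# Rewrites STATE_FILE from the current candidates (so a revised version
# gets a fresh first-seen date) and prints the names of packages whose
# candidate version has been unchanged for at least delay_for days.
ready_to_install() {
    today=$1; state=$2; candidates=$3
    [ -f "$state" ] || : > "$state"
    newstate=$(mktemp)
    while read -r pkg ver; do
        [ -n "$pkg" ] || continue
        # First-seen date for exactly this package AND version, if any.
        first=$(awk -v p="$pkg" -v v="$ver" '$1==p && $2==v {print $3}' "$state")
        if [ -z "$first" ]; then
            first=$today        # new or revised version: counter restarts at 0 days
        fi
        printf '%s %s %s\n' "$pkg" "$ver" "$first" >> "$newstate"
        age=$(( (today - first) / 86400 ))
        if [ "$age" -ge "$(delay_for "$pkg")" ]; then
            echo "$pkg"
        fi
    done < "$candidates"
    mv "$newstate" "$state"
}

# Intended cron.daily use (not executed here), with CANDIDATES built from
# the cached .debs, e.g. via "dpkg-deb -f <file> Package Version":
#   ready_to_install "$(date +%s)" "$STATE_FILE" "$CANDIDATES" \
#       | xargs -r apt-get -y install
```

Because the state is rebuilt from the candidate list on every run, a package that disappears from the cache (for example, installed by hand) drops out of the state automatically, and a revised version is treated as a brand-new update rather than inheriting the age of the version it replaced.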