A special note should be mentioned regarding kernel upgrades. Every time you upgrade a kernel, a new version of the kernel gets installed. Over a period of time, these kernels can accumulate on the system and consume significant disk space. Whenever a new kernel gets installed as part of the upgrade, you can clean up the old ones. As a best practice you can keep three kernels, the current active one plus two old ones — so that you can fall back to the old one if needed.
You can learn more here. To see all the kernels installed on the system, check using:. To see the list of currently active kernel. And set it up for automatic upgrade using these options:. Using the "unattended-upgrades" package you can set up the system for automatic upgrades including optional reboot, email notification etc. You can check for details here. Again, the above works when you have a few systems to manage.
When you are talking about hundreds of systems with live running applications that cannot be afforded to be disrupted, you have to come up with a more organized custom approach with regression testing and scheduled downtimes built into your automation scripts.
As more organizations move towards microservices and containerization of their applications, the adoption of Ubuntu based base images for running the microservices and other containers can become a common practice. Here too, updating the OS vulnerabilities periodically becomes imperative. The easiest way to handle this is to have a line of code, that does the upgrades, in the Dockerfile of your service. This way every time your Docker image gets built; it is automatically up to date with the latest OS packages.
Sometimes, you can run into situations when the packages do not get upgraded through any of these usual methods and yet your system is left vulnerable. This can only get caught when you run vulnerability scans against the system.
In such a case, you have to upgrade to the latest OS version and if you need to buy time, another option would be to manually remove that package and install an alternative, if required. A typical application environment, whether a cloud or on-prem model, contains s or even s of systems that need to be kept up to date with respect to operating system patches.
Self-aware organizations should ensure that their security policies mandate timely application of patches that get released periodically from vendors.
Keeping OS packages upgraded not only improves your security posture but will also improve the stability and performance of the system. And finally, that makes your customers happy! Mrudula Madiraju's technical career spans across multiple technologies, domains, customers, services and products.
Whenever time permits, she loves to learn and share tidbits of epiphanies through sessions and writings. Connect with her on LinkedIn.
He is an avid problem solver, and is skilled in Python, Unix scripting, Jenkins andTekton. Chetan is great at handling crisis situations, and never has to repeat a job more than once. Connect with Chetan on LinkedIn. What Are You Looking For? Popular Tags ransomware must-read.
This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available. After this point release, Debian's Security and Release Teams will no longer be producing updates for Debian 9. Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included.
There is no need to throw away old stretch media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror. Those who frequently install updates from security.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. In order to receive the latest Debian security advisories, subscribe to the debian-security-announce mailing list. You can use apt to easily get the latest security updates. This requires a line such as. The security archive is signed with the normal Debian archive signing keys. These web pages include a condensed archive of security advisories posted to the debian-security-announce list.
The latest Debian security advisories are also available in RDF format. We also offer a second file that includes the first paragraph of the corresponding advisory so you can see in it what the advisory is about.
0コメント