Welcome to part two of our TTY series! In our first blog, we explored how to navigate the Linux file system using the terminal. Now that you can find your way around, let's focus on one of the most fundamental aspects of system security: keeping your software updated.
Unlike Windows or macOS, where updates usually come from a single source, Linux uses a package management system that helps you install, update, and remove software safely. Understanding this system is crucial for maintaining security, as outdated software is one of the most common entry points for attackers.
Why Updates Matter for Security
Before diving into commands, let's understand why updates are so important:
- Security Patches: Developers regularly fix vulnerabilities in their software. Without updates, a system remains vulnerable to known exploits.
- Bug Fixes: Updates often fix stability issues that might cause system crashes.
- Feature Improvements: Updates can add new capabilities or improve existing ones.
- Dependency Management: Linux software often relies on shared libraries and components. Updates ensure everything works together.
A real-world analogy: if you drive a car (or ride in one), without regular oil changes and tune-ups, it won’t run efficiently or safely. Similarly, updates keep the software on your system running smoothly and securely.
Understanding Linux Package Management
Unlike manually downloading programs from websites (as is common in Windows), Linux uses centralized software repositories: trusted collections of software managed by your distribution's maintainers.
This approach provides several security benefits:
- Verified Sources: Official repositories are checked for malware and backdoors.
- Digital Signatures: Package hashes are cryptographically signed, and the package manager verifies them.
- Dependency Resolution: The package manager automatically installs other required components.
- Centralized Updates: One command can update all installed software.
Different Linux distributions use different package managers. The most common are:
- `apt` and `dpkg`: Debian-based distributions (Ubuntu and Linux Mint)
- `dnf`, `yum`, and/or `rpm`: Fedora, Red Hat, CentOS, Alma, Rocky
- `pacman`: Arch-based distributions
- `zypper` and `rpm`: openSUSE
- `apk`: Alpine
Since Ubuntu and its derivatives are the most popular for beginners, we'll focus on the `apt` package manager, but the concepts apply to all distributions.
Checking for Updates
The first step in maintaining your system is checking for available updates. In Ubuntu/Debian systems, this involves two commands:
$ sudo apt update
Hit:1 http://us.archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:3 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:4 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
This command doesn't install anything; it just updates your system's information about available packages. Think of it like refreshing a web page to check for new inventory before shopping.
The `sudo` prefix gives the command temporary administrative privileges required for system-wide changes. You'll be prompted for the password of the account executing the `sudo` command.
After updating the package information, you can see what packages need updating:
$ apt list --upgradable
Listing... Done
firefox/focal-updates 89.0+build2-0ubuntu0.20.04.1 amd64 [upgradable from: 88.0+build2-0ubuntu0.20.04.1]
libssl1.1/focal-updates 1.1.1f-1ubuntu2.4 amd64 [upgradable from: 1.1.1f-1ubuntu2.3]
Installing Updates
Once you know what updates are available, you can install them:
$ sudo apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
firefox libssl1.1
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 79.8 MB of archives.
After this operation, 6,144 B of additional disk space will be used.
Do you want to continue? [Y/n]
The system shows what will be upgraded and asks for confirmation. Press 'Y' and ENTER to proceed.
For a more thorough upgrade that can also remove obsolete packages or install new dependencies, use:
$ sudo apt full-upgrade
This is particularly important for major system upgrades.
Combining Update Commands
To make things more efficient, you can combine the update and upgrade command steps in a single line:
$ sudo apt update && sudo apt upgrade
The `&&` means "run the second command only if the first one succeeds."
Installing New Software
When you need to install new software, always use the package manager rather than downloading from websites:
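# Search package names and descriptions for a keyword
$ apt search firewall
# Show details about a package before installing it
$ apt show ufw
# Install the package
$ sudo apt install ufw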
Let's install the Uncomplicated Firewall (ufw) as an example, which we’ll explore in a future post:
$ sudo apt install ufw
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
ufw
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 144 kB of archives.
After this operation, 768 kB of additional disk space will be used.
Do you want to continue? [Y/n]
Press 'Y' and Enter to install.
Removing Software Safely
Removing unused software reduces the attack surface and the number of potential vulnerability points in a system:
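# Remove a package but keep its system-wide configuration files
$ sudo apt remove package_name
# Remove a package together with its system-wide configuration files
$ sudo apt purge package_name
# Remove dependencies that were installed automatically and are no longer needed
$ sudo apt autoremove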
For example, if you installed a game but don't play it anymore:
$ sudo apt remove supertuxkart
$ sudo apt autoremove
The `autoremove` command is particularly useful as it cleans up dependencies that were installed automatically but are no longer needed.
Understanding Software Sources
Package managers use "sources" or "repositories" to know where to get software. These are configured in files like `/etc/apt/sources.list`.
By default, your distribution includes official repositories that are maintained and vetted for security. These typically include:
- Main/Core Repositories: Essential software maintained by the distribution maintainer
- Updates Repositories: Regular updates to packages
- Security Repositories: Critical security patches
There are also third-party repositories called Personal Package Archives (PPAs) in Ubuntu or similar concepts in other distributions. While these can provide newer software versions, they come with security considerations:
- They may not be as thoroughly vetted.
- They might not maintain the same security standards.
- They could potentially distribute malicious software.
* Security Best Practice: Be selective about adding, configuring, or using third-party repositories. Only use those that have a good reputation and come from trusted sources.
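To see which configured repositories fall outside your distribution's own domains, the following added example (not part of the original post) scans one-line-style `.list` files and prints every enabled entry whose host is not under an allowed domain. The `OFFICIAL_DOMAINS` value, the function name and the sample entries are assumptions, and deb822 `.sources` files are not parsed.

```sh
#!/bin/sh
# Added example: flag enabled APT sources whose host is outside an allowlist.
# OFFICIAL_DOMAINS is an assumption; adjust it for your distribution and mirrors.
OFFICIAL_DOMAINS=${OFFICIAL_DOMAINS:-"ubuntu.com debian.org"}

# list_third_party FILE...  -> prints "file: uri" for each non-allowlisted entry
list_third_party() {
    awk -v allow="$OFFICIAL_DOMAINS" '
        BEGIN { n = split(allow, dom, " ") }
        $1 == "deb" || $1 == "deb-src" {          # commented-out lines never match
            i = 2
            # Skip an options block such as [arch=amd64 signed-by=/path/key.gpg]
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            uri = $i
            host = tolower(uri)
            sub(/^[a-z+]+:\/\//, "", host)        # scheme
            sub(/\/.*$/, "", host)                # path
            sub(/^.*@/, "", host)                 # userinfo
            sub(/:[0-9]+$/, "", host)             # port
            ok = 0
            for (k = 1; k <= n; k++) {
                # Match the domain itself or a true subdomain, so that
                # ubuntu.com.mirror.example.net is NOT treated as official.
                suffix = "." dom[k]
                tail = substr(host, length(host) - length(suffix) + 1)
                if (host == dom[k] || (length(host) > length(suffix) && tail == suffix)) ok = 1
            }
            if (!ok) print FILENAME ": " uri
        }' "$@"
}

# Constructed sample entries (not taken from a real system)
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb http://us.archive.ubuntu.com/ubuntu focal main restricted
deb http://security.ubuntu.com/ubuntu focal-security main
# deb http://old.example.org/repo focal main
deb [arch=amd64 signed-by=/usr/share/keyrings/vendor.gpg] https://packages.example.com/apt stable main
deb https://ppa.launchpadcontent.net/someuser/someppa/ubuntu focal main
deb http://ubuntu.com.mirror.example.net/ubuntu focal main
EOF
list_third_party "$sample"
rm -f "$sample"
```

On a real system, pass `/etc/apt/sources.list` and the `.list` files under `/etc/apt/sources.list.d/` as arguments; each line printed is a repository whose maintainer you should be able to name.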
Automatic Security Updates
For critical security updates, it's a good idea to set up automatic updates. In Ubuntu/Debian:
$ sudo apt install unattended-upgrades
$ sudo dpkg-reconfigure unattended-upgrades
You'll be asked if you want to automatically download and install updates. For a desktop system, this is generally a good idea.
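To confirm the setting took effect, the added example below (not from the original post) reads APT configuration fragments in the order given and reports whether periodic list refresh and unattended upgrades are both switched on. It assumes the flat `APT::Periodic::Key "value";` syntax that `dpkg-reconfigure` writes to `/etc/apt/apt.conf.d/20auto-upgrades`; the function name and the sample files are constructed.

```sh
#!/bin/sh
# Added example: check that automatic updates are enabled in APT config fragments.
# Assumes flat lines of the form APT::Periodic::<Key> "<value>"; nested { } syntax is not parsed.

# auto_updates_enabled FILE...
# Pass files in the order APT reads them (sorted by name); a later file overrides
# an earlier one. Returns 0 only if both settings end up non-zero.
auto_updates_enabled() {
    awk '
        function on(x) { return x != "" && x != "0" }
        { sub(/\/\/.*$/, "") }                      # drop // comments
        match($0, /APT::Periodic::[A-Za-z-]+[ \t]+"[^"]*"/) {
            s = substr($0, RSTART, RLENGTH)
            key = s; sub(/^APT::Periodic::/, "", key); sub(/[ \t].*$/, "", key)
            val = s; sub(/^[^"]*"/, "", val); sub(/"$/, "", val)
            seen[key] = val                         # last assignment wins
        }
        END {
            exit !(on(seen["Update-Package-Lists"]) && on(seen["Unattended-Upgrade"]))
        }' "$@"
}

# Constructed sample: the file dpkg-reconfigure writes, plus a later override
dir=$(mktemp -d)
cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
cat > "$dir/99local" <<'EOF'
// constructed override that silently turns upgrades back off
APT::Periodic::Unattended-Upgrade "0";
EOF

if auto_updates_enabled "$dir/20auto-upgrades"; then
    echo "20auto-upgrades alone: enabled"
fi
if ! auto_updates_enabled "$dir/20auto-upgrades" "$dir/99local"; then
    echo "with 99local: DISABLED by a later fragment"
fi
rm -rf "$dir"
```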
Verifying Package Integrity
When you install software through official repositories, the package manager automatically verifies digital signatures and/or hashes. However, if you download packages manually (with the `.deb` extension for Debian/Ubuntu), you should verify them:
$ dpkg-deb --info downloaded-package.deb
$ md5sum downloaded-package.deb
$ sha256sum downloaded-package.deb
Always compare the hash output from the appropriate command and ensure it matches the one provided by the official source.
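The comparison is easy to get wrong by eye, so here is an added example (not from the original post) that looks up a downloaded file in a published checksum list and compares digests exactly. It uses SHA-256 because MD5 collisions are practical to produce; the function name, the `digest  filename` list format and the file names are assumptions.

```sh
#!/bin/sh
# Added example: verify a manually downloaded package against a published
# SHA-256 list ("<digest>  <filename>" per line). File names are constructed.

# verify_deb PACKAGE SUMS_FILE
# Returns 0 on match, 1 on mismatch, 2 if no trustworthy comparison was possible.
verify_deb() {
    pkg=$1
    sums=$2
    if [ ! -f "$pkg" ] || [ ! -f "$sums" ]; then
        echo "missing input file" >&2
        return 2
    fi
    name=$(basename "$pkg")
    # Exact filename match; a leading "*" marks binary mode in checksum lists.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$sums")
    # An absent entry or a non-SHA-256 value (an MD5 has 32 hex digits) is a
    # failed check, never a pass.
    case $expected in
        ''|*[!0-9a-f]*) echo "no usable digest for $name" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "digest for $name is not SHA-256" >&2; return 2; }
    # Hash via stdin so the file name cannot alter the output format.
    actual=$(sha256sum < "$pkg" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (do not install)" >&2
    return 1
}

# Constructed demo: a stand-in file containing "abc" and its known SHA-256
demo=$(mktemp -d)
printf 'abc' > "$demo/example_1.0_amd64.deb"
echo "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example_1.0_amd64.deb" > "$demo/SHA256SUMS"
verify_deb "$demo/example_1.0_amd64.deb" "$demo/SHA256SUMS"
rm -rf "$demo"
```

The check is only as trustworthy as the checksum list, so fetch that list from the official source over HTTPS rather than from the same place as the package.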
Managing Package Vulnerabilities
As your security knowledge grows, you might want to check for known vulnerabilities in installed packages. Tools like `debsecan` can help:
$ sudo apt install debsecan
$ debsecan
This will list packages with known vulnerabilities that need updating, along with their associated Common Vulnerabilities and Exposures (CVE) identifiers.
Practical Example: Securing a New System
Let's walk through a practical example of updating a freshly installed system:
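# Refresh package lists and install available updates
$ sudo apt update
$ sudo apt upgrade
# Install and configure automatic updates
$ sudo apt install unattended-upgrades
$ sudo dpkg-reconfigure -plow unattended-upgrades
# Remove dependencies that are no longer needed
$ sudo apt autoremove
# Install a firewall and fail2ban
$ sudo apt install ufw fail2ban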
These steps form a basic security baseline for any new Linux system.
Special Case: Kernel Updates
The kernel is the core of the Linux operating system, and kernel updates are particularly important for security. In Ubuntu, kernel updates come through the regular update process and sometimes require a reboot:
# Check if a reboot is needed after updates
$ ls -l /var/run/reboot-required*
# If the file exists, you should reboot:
$ sudo reboot
Unlike Windows, Linux typically only requires a reboot after a kernel update.
Distribution Upgrades: Moving to a New Version
Periodically, distributions release new major versions (like Ubuntu 22.04 to 24.04). These involve more significant changes:
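# Upgrade to the next supported release (desktop or server)
$ sudo do-release-upgrade
# Upgrade to the current development release instead (not for production systems)
$ sudo do-release-upgrade -d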
Before performing major upgrades:
- Always back up your data.
- Read the release notes for compatibility issues.
- Make sure you have time to troubleshoot if needed.
While skipping versions might seem tempting, it's generally safest to upgrade in order (20.04 to 22.04 then to 24.04).
Package Management Best Practices
Here are some best practices to keep your system secure:
- Update regularly: Set a schedule (weekly is good for most users)
- Use official repositories when possible
- Be selective about PPAs and third-party sources
- Remove software you don't use
- Check for needed reboots after kernel updates
- Stick with long-term support (LTS) versions for better stability, security, and support
Security Tips for Software Installation
Beyond the basic package management, consider these security tips:
1. Never run scripts directly from the internet without reviewing what the script will do on your system:
# Risky practice to avoid (NOT RECOMMENDED):
$ curl https://example.com/script.sh | bash
2. Check software requirements before installing:
$ apt show package_name
3. Use virtual machines or containers to test unknown software before installing it on your main system.
4. Be cautious with snap packages (a newer packaging system):
# List installed snap packages
$ snap list
Snaps have different security properties than traditional packages.
Troubleshooting Common Update Issues
Sometimes you might encounter issues during updates. Here are some common problems and solutions.
#### Locked Package Database
E: Could not get lock /var/lib/dpkg/lock-frontend
This usually means another package management process is running. It's generally a good idea to wait for it to finish.
This is not typically recommended, but if you are certain that no other package management process is running, you could try:
$ sudo killall apt apt-get
$ sudo rm /var/lib/apt/lists/lock
$ sudo rm /var/cache/apt/archives/lock
$ sudo rm /var/lib/dpkg/lock*
$ sudo apt update
#### Failed Updates Due to Disk Space
E: You don't have enough free space
Clear package cache and remove unnecessary files:
$ sudo apt clean
$ sudo apt autoremove
#### Package Dependency Issues
E: Unable to correct problems, you have held broken packages.
Try fixing with:
$ sudo apt --fix-broken install
If that doesn't work, more advanced troubleshooting might be needed.
Creating a Simple Update Script
To simplify the update process, you can create a simple script:
# Make sure the scripts directory exists
$ mkdir -p ~/scripts
# Create a new file
$ nano ~/scripts/update-system.sh
Add this content to the file:
#!/bin/bash
# Stop at the first failed step so later steps never run on stale package lists
set -e
echo "Updating package lists..."
sudo apt update
echo "Installing available updates..."
sudo apt upgrade -y
echo "Removing unnecessary packages..."
sudo apt autoremove -y
echo "Cleaning package cache..."
sudo apt clean
echo "Checking if reboot is needed..."
if [ -f /var/run/reboot-required ]; then
    echo "*** System reboot required ***"
else
    echo "No reboot needed"
fi
echo "Update completed!"
NOTE: Up to this point, we have covered `apt`, but you might come across examples of scripts that use `apt-get`, which is also supported. However, there may be slight differences in syntax between the two commands.
Save the file (in nano, press CTRL+O, ENTER, then CTRL+X).
Make it executable:
$ chmod u+x ~/scripts/update-system.sh
Now you can run your update script:
$ ~/scripts/update-system.sh
Understanding Update Frequency
How often should you update? It depends on your security needs, the risk profile of the system, threat intelligence, and potentially many other factors. These are only examples, and my best suggestion for you is to get with your security team and follow their patch cycle.
If this is on your personal system, you own that risk and are responsible for making these decisions:
- Security Updates: Install immediately (or set up automatic updates)
- Regular Updates: Weekly for desktop users and potentially daily, weekly, or monthly for stable servers
- Distribution Upgrades: Follow the distribution maintainer's support timeline
For Ubuntu LTS releases, you typically have multiple years of support, giving you plenty of time to plan major version upgrades.
Updates are Your Security Foundation
Keeping your system updated is one of the most effective security practices. With the commands and concepts we've covered, you now have the tools to:
- Keep your software up-to-date with the latest security patches
- Install new software from trusted sources
- Remove unnecessary software to reduce your attack surface (and save disk space)
- Automate security updates
- Troubleshoot common update problems
Remember, security is a continuous process, not a one-time setup. Regular updates are your first line of defense against known and emerging threats.
Practice Questions
To reinforce your understanding, answer these questions:
- What command updates your system's package lists without installing anything?
- How can you check if your system needs a reboot after updates?
- What command removes unnecessary packages installed as dependencies?
- What's the difference between `apt remove` and `apt purge`?
- Why is it generally safer to install software using the package manager?