On 2012-12-12 02:24, Asif Iqbal wrote:
> We manage lots of ubuntu LTS 64 bit servers Lucid and Precise.
>
> We are using unattended-upgrades and only have the following
> line uncommented in /etc/apt/apt.conf.d/50unattended-upgrades file
>
> "${distro_id}:${distro_codename}-security";
>
> I am looking for a best practice to keep the system secure with
> less number of reboots. Should that be sufficient?

Short answer: yes.

Long answer: you can apply "${distro_codename}" and "${distro_codename}-updates" if you want. I do. But it does mean *services* will restart more often.

You don't have to reboot at all. With any of these updates applied you'll get new kernels periodically, and it's best to reboot when they come in. But you don't have to, unless you think the reason for the update is a security problem you have to address.

For example, on servers with no local users (including the web server), I'm less concerned about local user privilege escalation. On servers without IPX, I don't care about updates to the IPX network stack. Etc. So I don't reboot unless I see the update matters to me.

Here is my recommended best practice:

1. Keep ${distro_codename}-security updated automatically.
2. Periodically (say, monthly), update ${distro_codename} and ${distro_codename}-updates. Use clusterssh/puppet/whatever to do this.
3. Subscribe to ubuntu-security-annou...@lists.ubuntu.com and read it daily. If you see an update that pertains to you, apply it immediately and reboot if needed. If not, you can ignore new kernels.

Regards,
Tyler

-- 
"... my partner and I became exhibit A in a process that I have been warning Americans about since 2007: first they come for the 'other' – the 'terrorist', the brown person, the Muslim, the outsider; then they come for you – while you are standing on a sidewalk in evening dress, obeying the law."
-- Naomi Wolf, "How I was arrested at Occupy Wall Street", 2011-10-19
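
Added example, not part of the original message: a small shell helper for the "reboot if needed" decision in the reply, reporting whether a host has a pending reboot and which packages asked for it. It assumes the `/var/run/reboot-required` and `/var/run/reboot-required.pkgs` files that Ubuntu's package hooks write; the function names and the kernel package-name pattern are choices made for this example.

```shell
#!/bin/sh
# Added example: triage a pending reboot after unattended-upgrades has run.
# FLAG and PKGS default to the files Ubuntu's package hooks create; both can
# be overridden from the environment (useful for testing).
FLAG=${FLAG:-/var/run/reboot-required}
PKGS=${PKGS:-/var/run/reboot-required.pkgs}

# Print the de-duplicated list of packages that requested a reboot.
# Prints nothing if the package list is missing or unreadable.
pending_packages() {
    [ -r "$PKGS" ] && sort -u "$PKGS"
    return 0
}

# Classify the host:
#   none   - no reboot has been requested
#   kernel - a kernel package requested it (assumed naming: linux-image-*,
#            linux-headers-*, linux-base)
#   other  - something else requested it (for example libc6 or dbus)
reboot_class() {
    [ -e "$FLAG" ] || { echo none; return 0; }
    if pending_packages | grep -Eq '^linux-(image|headers|base)'; then
        echo kernel
    else
        echo other
    fi
}

# One line per host, convenient when run across a fleet with clusterssh
# or a similar tool and compared against the day's security notices.
report() {
    printf '%s reboot=%s packages=%s\n' \
        "$(hostname)" "$(reboot_class)" "$(pending_packages | tr '\n' ' ')"
}

# Run as: sh reboot-triage.sh --report   (script name is hypothetical)
case "${1:-}" in
    --report) report ;;
esac
```

A `kernel` result only says a new kernel is installed and not yet running; whether it warrants a reboot still depends on the advisory behind it.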