On 2012-12-12 02:24, Asif Iqbal wrote:
> We manage lots of ubuntu LTS 64 bit servers Lucid and Precise.
> 
> We are using unattended-upgrades and only have the following 
> line uncommented in /etc/apt/apt.conf.d/50unattended-upgrades file
> 
>  "${distro_id}:${distro_codename}-security";
> 
> I am looking for a best practice to keep the system secure with
> fewer reboots. Should that be sufficient?

Short answer: yes.

Long answer: you can apply "${distro_codename}" and
"${distro_codename}-updates" if you want. I do. But it does mean *services*
will restart more often.

You don't have to reboot at all. With any of these updates applied you'll
get new kernels periodically, and it's best to reboot when they come in.
But you don't have to, unless you think the reason for the update is a
security problem you have to address. For example, on servers with no local
users (including the web server), I'm less concerned about local user
privilege escalation. On servers without IPX, I don't care about updates to
the IPX network stack. Etc. So I don't reboot unless I see the update
matters to me.

Here is my recommended best practice:

1. Keep ${distro_codename}-security updated automatically.

2. Periodically (say, monthly), update ${distro_codename} and
${distro_codename}-updates. Use clusterssh/puppet/whatever to do this.

3. Subscribe to ubuntu-security-annou...@lists.ubuntu.com and read it
daily. If you see an update that pertains to you, apply it immediately and
reboot if needed. If not, you can ignore new kernels.
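An added helper for step 3 (not code from the thread): it reads the list of packages that asked for a reboot, which Ubuntu's update-notifier-common writes to /var/run/reboot-required.pkgs, and tells you whether a kernel newer than the running one is among them, so you can look up that kernel's advisory before deciding. Path and running kernel are parameters; the version comparison in awk is a stand-in for `dpkg --compare-versions`.

```shell
#!/bin/sh
# Added example, not from the thread: a helper for the rule of rebooting
# only when the pending kernel update matters. Reads the file that Ubuntu's
# update-notifier-common writes when a package requests a reboot
# (/var/run/reboot-required.pkgs, one package name per line).

# pending_reboot_pkgs FILE: unique package names from FILE, nothing if absent.
pending_reboot_pkgs() {
    [ -r "$1" ] || return 0
    sort -u "$1"
}

# version_gt A B: exit 0 if A is newer than B, comparing numeric fields of
# strings like 3.2.0-35-generic split on '.' and '-' (non-numeric fields
# count as 0). Where dpkg exists, "dpkg --compare-versions" is the real thing.
version_gt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xa = (x[i] ~ /^[0-9]+$/) ? x[i] + 0 : 0
            ya = (y[i] ~ /^[0-9]+$/) ? y[i] + 0 : 0
            if (xa != ya) exit !(xa > ya)
        }
        exit 1
    }'
}

# newer_kernel_pending FILE RUNNING: exit 0 if FILE lists a versioned
# linux-image-<version> package newer than RUNNING (output of uname -r).
newer_kernel_pending() {
    for ver in $(pending_reboot_pkgs "$1" | sed -n 's/^linux-image-\([0-9][^ ]*\)$/\1/p'); do
        version_gt "$ver" "$2" && return 0
    done
    return 1
}

# report FILE RUNNING: list the requesters; exit 0 when a newer kernel is
# waiting (read its USN, then decide), 1 when nothing or only other packages.
report() {
    pkgs=$(pending_reboot_pkgs "$1")
    [ -n "$pkgs" ] || { echo "no package has requested a reboot"; return 1; }
    echo "packages requesting a reboot:"; echo "$pkgs" | sed 's/^/  /'
    if newer_kernel_pending "$1" "$2"; then
        echo "kernel newer than $2 installed: check its advisory, then reboot"; return 0
    fi
    echo "no newer kernel pending; only non-kernel packages asked"; return 1
}
```

On a live machine, source the file and run `report /var/run/reboot-required.pkgs "$(uname -r)"`.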

Regards,
Tyler
