Automating Security Updates… Cautiously

Broken padlock

Effraction by Sébastien Launay on Flickr. Licensed under CC-BY 2.0.

My attention has turned recently to how to automate the installation of security updates on various Linux distributions.

As Van Patten Media runs more servers, the effort and time needed to apply critical security updates promptly grows. Waiting several days to get security fixes just isn’t acceptable in a post-Shellshock era, yet there is always a risk of a completely automated update breaking important functionality.

One of the projects I will be investigating over the next few weeks is how we might build an automated test environment that applies the day's updates to a test VM, runs a test suite to verify that none of our critical client functionality breaks, and only then pushes those updates to the live servers.

There are various solutions for truly automatic updates; I focus on Debian’s unattended-upgrades package here. What seems to be more difficult, however, is being able to push a list of ‘approved’ packages to the servers and have them install just those when we are ready.

My current train of thought on how to proceed on this is as follows:

  • Test box installs the day’s upgrades
  • Runs the test suite automatically
  • If the test suite passes, it determines which packages were most recently installed
  • Pushes that/those package names to the unattended-upgrades whitelist on the clients
  • Clients, on next unattended-upgrades run, will install those upgrades
  • Upon successful upgrade, we reset the whitelist

I am in the very early stages of looking at this, so that is a very rough sketch of where my thoughts are currently. There are missing pieces, but I was looking at Watir for the browser test suite component.
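The middle of the sketch above (work out what the test box just upgraded, turn that into a whitelist for the clients), as an added example that is not code from the original post. It is a POSIX shell script that reads dpkg's log to find the packages upgraded on a given day and renders them as an `Unattended-Upgrade::Package-Whitelist` fragment. The log lines are constructed sample data, the destination file name is an assumption, and the `Package-Whitelist` and `Package-Whitelist-Strict` options are those of current unattended-upgrades releases (they may not exist in the version a given server carries, so check `/usr/share/doc/unattended-upgrades/` before relying on them).

```shell
#!/bin/sh
# Added example, not code from the original post: after the test suite passes on
# the test box, work out which packages it upgraded today and turn that list into
# an unattended-upgrades whitelist fragment for the client servers.

# Constructed sample of /var/log/dpkg.log lines
# (real format: "DATE TIME action pkg:arch old-version new-version").
SAMPLE_DPKG_LOG='2014-09-25 10:02:11 upgrade bash:amd64 4.2+dfsg-0.1 4.2+dfsg-0.1+deb7u1
2014-09-25 10:02:12 status installed bash:amd64 4.2+dfsg-0.1+deb7u1
2014-09-25 10:02:40 upgrade libssl1.0.0:amd64 1.0.1e-2+deb7u12 1.0.1e-2+deb7u13
2014-09-25 10:02:41 upgrade openssl:amd64 1.0.1e-2+deb7u12 1.0.1e-2+deb7u13
2014-09-25 10:05:00 install htop:amd64 <none> 1.0.1-1
2014-09-24 03:00:09 upgrade curl:amd64 7.26.0-1+wheezy9 7.26.0-1+wheezy10'

# upgraded_on DAY: read dpkg.log lines on stdin and print the names (architecture
# suffix stripped, duplicates removed) of packages *upgraded* on DAY.
# Fresh installs ("install") and "status" lines are deliberately ignored: only
# upgrades of packages the clients already run are candidates for approval.
upgraded_on() {
    awk -v day="$1" '$1 == day && $3 == "upgrade" { sub(/:.*/, "", $4); print $4 }' | sort -u
}

# render_whitelist: read package names on stdin and print an apt.conf fragment
# that restricts unattended-upgrades to exactly those packages.
render_whitelist() {
    echo '// Generated on the test box after its suite passed. Clients upgrade only these.'
    echo 'Unattended-Upgrade::Package-Whitelist {'
    while IFS= read -r pkg; do
        if [ -n "$pkg" ]; then
            printf '    "%s";\n' "$pkg"
        fi
    done
    echo '};'
    # Strict: do not pull in dependencies that were not on the approved list.
    echo 'Unattended-Upgrade::Package-Whitelist-Strict "true";'
}

# approved_snippet DAY: both steps combined, reading the constructed log above.
approved_snippet() {
    printf '%s\n' "$SAMPLE_DPKG_LOG" | upgraded_on "$1" | render_whitelist
}

# Demo. On a real test box you would read /var/log/dpkg.log instead of the
# sample and ship the output to the clients as, for example,
# /etc/apt/apt.conf.d/51approved-upgrades (an assumed path).
approved_snippet 2014-09-25
```

One caveat for the final "reset the whitelist" step: unattended-upgrades treats an empty `Package-Whitelist` as no whitelist at all, so clearing the list re-opens the clients to every upgrade from the configured origins. If the intent is that clients install nothing until the next approval, the reset has to leave a list that matches no real package rather than an empty one, or remove the fragment and rely on a deliberately conservative `Origins-Pattern`.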

I would be interested to hear from anyone who has looked at this before, or if anyone knows of any interesting similar projects I haven’t found!

Automatic Update Script for Flash Player for Mac

Since version 10.3 of Flash Player for the Mac, there has been an automatic update feature for the plugin, as part of a System Preferences pane. Unfortunately, I have not had much luck with it actually doing updates automatically!

I have, then, found it necessary to either check for updates manually, or devise a custom script to do an automatic check for updates.

Based on this MacOSXHints post, here is the script I am using to keep Flash Player on Mac OS X up-to-date. Combined with an OS X LaunchAgent to check every two hours, this is an automatic update solution that actually is automatic!

Download Flash Player Automatic Update Script
Download Flash Checker Script

Installation

  • Copy the ‘Flash Checker’ folder into /Library/Application Support.
  • Make sure the execute permissions are set on /Library/Application Support/Flash Checker/flash_checker.
    (From Terminal, run: sudo chmod +x "/Library/Application Support/Flash Checker/flash_checker" — the spaces in both folder names must be quoted or escaped.)
  • Copy the ‘uk.org.upfold.FlashChecker.plist’ file into ~/Library/LaunchAgents.
  • Optionally, edit the RunAtLoad directive in the plist to true to check for updates each time you log on, or edit the StartInterval to check more or less frequently than the default of two hours.

Disable without Uninstalling

  • Set the Disabled directive to true in the ~/Library/LaunchAgents/uk.org.upfold.FlashChecker.plist.

Uninstallation

  • Remove the ‘uk.org.upfold.FlashChecker.plist’ file from ~/Library/LaunchAgents.
  • Delete the folder /Library/Application Support/Flash Checker.