Check for required reboot on Debian, Ubuntu and others

Users of Debian-based systems know they have to reboot their systems, just like users of any other Linux distribution. But why is the reboot needed? And can we monitor which systems actually need one?

Required reboot

Tracking which servers need a reboot is important to limit exposure to vulnerabilities. Weaknesses in the kernel or in important components (e.g. OpenSSL) in particular should be resolved as soon as possible. Patching them is a great first step; checking for a required reboot is the next.

If the file /var/run/reboot-required.pkgs exists, a reboot is usually required. If the file has any contents, it lists the related packages. Normally the file is removed after rebooting.

root@system:/root# cat /var/run/reboot-required.pkgs
libssl1.0.0

In this example we see that the file exists and contains an update to the SSL library used by the Linux kernel. Since not all libraries can be reloaded that easily, the system requires a reboot.

Automation

Lynis will check for the presence of /var/run/reboot-required.pkgs and list which packages are inside the file. Since a kernel reboot is important, it will create a warning event and display this in the report. Monitoring which servers now need a reboot has become much easier. Another possibility is to add it to your network and system monitoring tools as well. With some basic scripting, the check can be implemented easily.
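
One way to script this check for a monitoring agent, as an added example (it is not Lynis code and not from the original post). The function names, the optional directory argument, the --check switch and the 0/1 return codes (Nagios plugin convention for OK/WARNING) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: report whether a Debian/Ubuntu host has a pending reboot,
# based on the reboot-required.pkgs file described above.

# reboot_packages [DIR]
# Print the unique package names listed in DIR/reboot-required.pkgs.
# DIR defaults to /var/run; it is a parameter only so the check can be
# exercised against a constructed directory.
reboot_packages() {
    pkgs_file="${1:-/var/run}/reboot-required.pkgs"
    [ -r "$pkgs_file" ] || return 0
    # Drop blank lines and duplicates; a package can be listed more than once.
    grep -v '^[[:space:]]*$' "$pkgs_file" | sort -u
}

# check_reboot_required [DIR]
# Print one status line. Returns 0 when no reboot is pending, 1 when the
# file exists (with or without package names in it).
check_reboot_required() {
    dir="${1:-/var/run}"
    if [ ! -e "$dir/reboot-required.pkgs" ]; then
        echo "OK: no reboot-required.pkgs in $dir"
        return 0
    fi
    pkgs=$(reboot_packages "$dir" | tr '\n' ' ')
    if [ -n "$pkgs" ]; then
        echo "WARNING: reboot required by: ${pkgs% }"
    else
        # The file exists but is empty: still treat it as a pending reboot.
        echo "WARNING: reboot required (no packages listed)"
    fi
    return 1
}

# Run the check directly when the script is started with --check.
[ "${1:-}" != "--check" ] || { check_reboot_required; exit $?; }
```

The status line and return code can be fed to any monitoring system that accepts plugin-style checks.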

Automatic reboot

People who really love automation (and love some risk) could schedule the reboot automatically. If the file is found, create a one-time event to reboot the system with your favorite configuration management tool (like CFEngine, Chef or Puppet).

This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.
