Check for required reboot on Debian, Ubuntu and others

Check for required reboot on Debian, Ubuntu and others

Users of Debian-based systems know they have to reboot their systems, just like any other Linux distribution. However, why is the reboot needed? Could we monitor for which systems need an actual reboot?

Screenshot of a system restart required needed on Ubuntu system

Required reboot

Tracking which servers need a required reboot is important to limit any vulnerabilities. Especially weaknesses in the kernel or related to important components (e.g. OpenSSL), should be solved as soon as possible. Therefore patching them is a great first step, checking for a required reboot is next.

If the file /var/run/reboot-required.pkgs exists, a reboot is usually required. If the file has any contents, it will list the related packages. Normally the file is being removed after rebooting.

root@system:/root# cat /var/run/reboot-required.pkgs

In this example we see the file exists and contains an update to the SSL library used by the Linux kernel. Since not all libraries can be reloaded that easily, the system has a reboot required.

Screenshot of /var/run/reboot-required.pkgs


Lynis will check for the presence of /var/run/reboot-required.pkgs and list which packages are inside the file. Since a kernel reboot is important, it will create a warning event and display this in the report. Monitoring which servers now need a reboot has become much easier. Another possibility is to add it to your network and system monitoring tools as well. With some basic scripting, the check can be implemented easily.

Automatic reboot

For people who really love automation (and love some risk), they could automatically schedule a reboot event. If the file has been found, create a one-time event to reboot the system with your favorite configuration management tool (like Cfengine, Chef or Puppet).

Automate security audits and know your risks
Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series to get Linux and Unix-based systems more secure.

Is system hardening taking a lot of time for you? Don't know where to start? We solved that problem: Lynis Enterprise.

Leave a Reply

Your email address will not be published. Required fields are marked *