Check for a required reboot on Debian and Ubuntu systems

Administrators of Debian-based systems know they have to reboot their systems, just like on any other Linux distribution. But why is a reboot needed, and could we monitor which systems actually need one?

Restart required?

[Screenshot: this Ubuntu system needs a restart]

Required reboot

Software can contain issues, which we call bugs. Most bugs are merely annoying when you encounter them and can be fixed by upgrading to a newer version of the software. Other bugs are special in that they may leak sensitive data or allow unauthorized access to the software or system. This type of bug is called a vulnerability.

Tracking which servers require a reboot is important to properly resolve vulnerabilities. Installing a software update is a good first step, but sometimes more is needed. For most software, restarting the related processes is sufficient. For others, a system reboot is needed, especially for weaknesses in the kernel or in global components (e.g. glibc, OpenSSL).

Fortunately, we can check if a reboot is needed. If the file /var/run/reboot-required.pkgs exists, then one or more processes require a full reboot. The file won’t show process names, but the related packages.

# cat /var/run/reboot-required.pkgs
libssl1.0.0

In this example the file exists and lists an update to the SSL library used by the Linux kernel. Since not all libraries can be reloaded that easily, the system requires a reboot.

[Screenshot: the /var/run/reboot-required.pkgs file]

Both files, /var/run/reboot-required and /var/run/reboot-required.pkgs, are deleted automatically by the system after a reboot.

Automation

Most system administrators love to automate everything, and this monitoring can be automated as well. Tools like Lynis check for the presence of /var/run/reboot-required.pkgs and list which packages are inside the file. Since a pending reboot is important to act on, Lynis creates a warning event and displays it in the report. Monitoring which servers currently need a reboot becomes much easier.

Another possibility is to add this check to your network and system monitoring tools. With some basic scripting, the check can be implemented easily.
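One way to script the check for a monitoring tool, as an added example that is not part of the original article or of Lynis: the function reads the two marker files, reports the packages, and escalates to CRITICAL when a kernel or core-library package (the cases the article singles out) is among them. The state directory is a parameter so the check can be run against a constructed directory; the package name pattern is an assumption for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article or from Lynis.
# Monitoring-style check for the reboot-required marker files that the
# Debian/Ubuntu package hooks create. Exit codes follow the Nagios/Icinga
# convention: 0 OK, 1 WARNING, 2 CRITICAL. The state directory is a
# parameter (default /var/run) so the function can be tested offline.

# Assumed pattern for packages whose update is only fully applied after a
# reboot: kernel images, glibc and OpenSSL (the article's own examples).
CRITICAL_PATTERN='^(linux-image|linux-generic|libc6|libssl)'

check_reboot_required() {
    statedir="${1:-/var/run}"
    flag="$statedir/reboot-required"
    pkgs="$statedir/reboot-required.pkgs"

    # Neither marker present: the system does not need a reboot.
    if [ ! -e "$flag" ] && [ ! -e "$pkgs" ]; then
        echo "OK - no reboot required"
        return 0
    fi

    # The flag file alone already means "reboot"; the .pkgs file, when
    # present, names the packages that triggered it.
    if [ -r "$pkgs" ]; then
        pkglist=$(sort -u "$pkgs" | paste -sd ' ' -)
    else
        pkglist="(package list unavailable)"
    fi

    # Escalate when a kernel or core-library package is among them.
    if [ -r "$pkgs" ] && grep -Eq "$CRITICAL_PATTERN" "$pkgs"; then
        echo "CRITICAL - reboot required (kernel/core library): $pkglist"
        return 2
    fi
    echo "WARNING - reboot required: $pkglist"
    return 1
}

# Check the real system when CHECK_REBOOT_RUN is set, e.g. from a cron job
# or a monitoring agent; otherwise the file can be sourced as a library.
if [ -n "${CHECK_REBOOT_RUN:-}" ]; then
    check_reboot_required
    exit $?
fi
```

Run it with `CHECK_REBOOT_RUN=1 sh check_reboot.sh` on a host, or source the file and call `check_reboot_required` from a larger monitoring script.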

Automatic reboot

For those who really want the next level of automation (and accept some risk), a reboot can be scheduled automatically: if the file is found, create a one-time reboot event with your favorite configuration management tool (such as CFEngine, Chef or Puppet).

Feedback


This article has been written by our Linux security expert Michael Boelen. With a focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!
