Check for a required reboot on Debian and Ubuntu systems

Required restart required?

Administrators of Debian-based systems know they have to reboot their systems, just like any other Linux distribution. However, why is the reboot needed? Could we monitor for which systems need an actual reboot?

Screenshot of a system restart required needed on Ubuntu system

Required reboot

Software can contain issues, which we call bugs. Most bugs are just annoying if you encounter them and can be fixed by upgrading to a newer version of the software. Other bugs are special in the way that they may leak sensitive data or allow unauthorized access to the software or system. These type of bugs are called vulnerabilities.

Tracking which servers need a required reboot is important to properly solve vulnerabilities. Installing a software update is a first good step, but sometimes more is needed. For most software the restart of the related software processes is sufficient. For others, a system reboot is needed. Especially with weaknesses in the kernel or related to global components (e.g. Glibc, OpenSSL).

Fortunately, we can check if a reboot is needed. If the file /var/run/reboot-required.pkgs exists, then one or more processes require a full reboot. The file won’t show process names, but the related packages.

root@system:/root# cat /var/run/reboot-required.pkgs
libssl1.0.0

In this example we see the file exists and contains an update to the SSL library used by the Linux kernel. Since not all libraries can be reloaded that easily, the system has a reboot required.

Screenshot of /var/run/reboot-required.pkgs

Both files will be automatically deleted by the system after a reboot.

Automation

Most system administrators love to automate everything. This process of monitoring can be automated as well. Tools like Lynis will check for the presence of /var/run/reboot-required.pkgs and list which packages are inside the file. Since a kernel reboot is important, it will create a warning event and display this in the report. Monitoring which servers now need a reboot has become much easier.

Another possibility is to add this check to your network and system monitoring tools as well. With some basic scripting, the check can be implemented easily.

Automatic reboot

For people who really love the next level of automation (and love some risk), they could automatically schedule a reboot event. If the file has been found, create a one-time event to reboot the system with your favorite configuration management tool (like Cfengine, Chef or Puppet).

Automate security audits with Lynis and Lynis Enterprise
Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series to get Linux (and Unix-based) systems more secure.

Daily security checks

Want to go to the next level of security scanning and system hardening? Start with automated security scans for Linux: Lynis and Lynis Enterprise.


Automate Scanning »

Leave a Reply

Your email address will not be published. Required fields are marked *