Check for a required reboot on Debian and Ubuntu systems
Required restart required?
Administrators of Debian-based systems know they have to reboot their systems, just like any other Linux distribution. However, why is the reboot needed? Could we monitor for which systems need an actual reboot?
Software can contain issues, which we call bugs. Most bugs are just annoying if you encounter them and can be fixed by upgrading to a newer version of the software. Other bugs are special in the way that they may leak sensitive data or allow unauthorized access to the software or system. These type of bugs are called vulnerabilities.
Tracking which servers need a required reboot is important to properly solve vulnerabilities. Installing a software update is a first good step, but sometimes more is needed. For most software the restart of the related software processes is sufficient. For others, a system reboot is needed. Especially with weaknesses in the kernel or related to global components (e.g. Glibc, OpenSSL).
Fortunately, we can check if a reboot is needed. If the file /var/run/reboot-required.pkgs exists, then one or more processes require a full reboot. The file won’t show process names, but the related packages.
root@system:/root# cat /var/run/reboot-required.pkgs
In this example we see the file exists and contains an update to the SSL library used by the Linux kernel. Since not all libraries can be reloaded that easily, the system has a reboot required.
Both files will be automatically deleted by the system after a reboot.
Most system administrators love to automate everything. This process of monitoring can be automated as well. Tools like Lynis will check for the presence of /var/run/reboot-required.pkgs and list which packages are inside the file. Since a kernel reboot is important, it will create a warning event and display this in the report. Monitoring which servers now need a reboot has become much easier.
Another possibility is to add this check to your network and system monitoring tools as well. With some basic scripting, the check can be implemented easily.
For people who really love the next level of automation (and love some risk), they could automatically schedule a reboot event. If the file has been found, create a one-time event to reboot the system with your favorite configuration management tool (like Cfengine, Chef or Puppet).