Friday, September 1, 2017
2 - Linux Security: secure update of package sources and repositories
SECURE UPDATE OF PACKAGE SOURCES AND REPOSITORIES
- In this exercise a Linux Debian server is used:
1 - Package sources and repositories
- From the security perspective it is very important to keep all pakckages updated to its most recent versions in order to reduce vulnerabilities.
- The sources.list file included in the folder /etc/apt/ lists the sources from where Linux (Debian in this case) updated packages can be obtained.
- The format for the entries in the file sources.list is as follows:
a) archive type: the first word on each line, deb or deb-src, indicates the type of archive. Deb indicates that the archive contains binary packages (deb), the pre-compiled packages that we normally use. Deb-src indicates source packages, which are the original program sources plus the Debian control file (.dsc) and the diff.gz containing the changes needed for packaging the program.
b) repository URL: the next entry on the line is a URL to the repository where to download the packages from. A Debian repository is a set of Debian binary or source packages organized in a special directory tree and with various infrastructure files - checksums, indices, signatures, descriptions translations, ... - added. Client computers can connect to the repository to download and install the packages using an Apt-based package management tool. The main list of Debian repository mirrors is here:
c) distribution: the 'distribution' can be either the release code name / alias (jessie, stretch, buster, sid) or the release class (oldstable, stable, testing, unstable) respectively. If you mean to be tracking a release class then use the class name, if you want to track a Debian point release, use the code name. For example, if you have a system running Debian 9.1 "stretch" and don't want to upgrade when Debian buster releases, use 'stretch' instead of 'stable' for the distribution. If you always want to help test the testing release, use 'testing'. If you are tracking buster and want to stay with it from testing to end of life, use 'buster'.
d) Component: there are three types of components:
i) main: All free software that follows the DFSG (Debian Free Software Guidelines). These are the only packages considered part of the Debian distribution.
ii) contrib: Free software that follows DFSG but depends on non-free software.
iii) non-free: All kinds of non-free software that doesn't follow the DFSG.
- For further information:
2 - Updating sources.list
- Now, let's add a trustful source just editing a line of /etc/apt/sources.list:
- It is important not to add packages from dubious or unreliable sources to the sources.list file because some malware could be included.
- As seen before, the sources included in the official website deb http://security.debian.org are completely safe, like the line included before.
- Finally, using apt-get and aptitude to update recent changes to the repository:
- apt-get and aptitude are quite similar command line interfaces. The main difference is that aptitude provides a terminal menu interface whereas apt-get does not. Also, aptitude actually performs the functions of not just apt-get, but also some of its companion tools, such as apt-cache and apt-mark.