Apr 30, 2024 5 min read

Installing Security Updates ONLY in Linux

Sometimes you don't want to install every update to your Linux system. Instead, you might desire only the security updates—these are the most important ones.

The following is one of the videos from the upcoming Linux Security - Basics and Beyond video course. It shows how to install security updates only in Fedora and Debian. The corresponding lab document is included below.

The video course includes 10 hours of content, 32 labs, and tons of fun! Check it out!

Lab 13 - Installing Security Updates Only ⚙️

Let's show how to install just the security updates in Fedora-based systems and Debian-based systems. In this lab we will:

  • Show the dnf update --security option in Fedora.
  • Demonstrate how to install individual security advisories in Fedora.
  • Show how to install individual updates in Debian.
  • Demonstrate how to install security updates only in Debian with the apt-get command.
  • Show how to work with Unattended Upgrades in Debian.

Fedora-based Systems

Note: When I say "Fedora-based systems" I mean the entire tree of Fedora including Fedora Server and Workstation, CentOS Stream, Red Hat Enterprise Linux (RHEL), and all of the RHEL binary copies (Rocky Linux, AlmaLinux, Oracle Linux, etc.).

It's fairly simple to install security updates only, and disregard the rest of the application updates. To do so, add the --security option to your dnf command.

For example, to check for security updates only:

sudo dnf check-update --security

To install the security updates:

sudo dnf update --security

Try those on your system now...

Note: Remember, if you do not add the --security option to the end of the command, the operating system will automatically install all updates including patches, application updates, bug fixes, and so on.

Easy enough right? But what if you want to install a single security update?

First of all, you have to become aware of them. I recommend subscribing to the security announcement lists for the Linux distributions you support. For example:

https://access.redhat.com/security/security-updates/

If you find that there is a specific security update that you need to get (and only that update) you can install it in the following manner:

sudo dnf update --advisory=<Update_ID>

For example:

sudo dnf update --advisory=RHSA-2024:0773

This is an "important", or high-severity, fix for the squid server running on Red Hat. The year it was released was 2024 and the actual ID is "0773".

Of course, you could install individual updates with the basic dnf install <package_name> command as well, but that is designed more for applications and less critical files as opposed to actual security updates.

Debian-based Systems

In Debian (as of the writing of this lab) there is no simple option that you can use to install security updates only (as is the case with Fedora). But we do have some alternatives.

Install Single Packages

For example, if we only wanted to upgrade Apache, we could issue a command such as this:

sudo apt install apache2 (accepted method)

or

sudo apt install --only-upgrade apache2

This will upgrade the Apache web server only, and avoid causing any issues with other applications or portions of Linux.

Note: Something I see often in the field is when a technician simply issues the command: sudo apt update && apt upgrade -y. Scary, because this downloads and installs all available updates. This can be problematic (at best) because it could cause conflicts, the breaking of packages, and so on, especially on a server system. Be very careful with this command!

As always, you should keep abreast of the latest security vulnerabilities and updates for your distro of Linux. For example, check out this Debian link:

https://www.debian.org/security/#DSAS

This shows the latest security advisories. For example, on Feb. 9th, 2024, there was a security update for the libgit2 package.

If need be, you could update a single package such as this one in the following manner:

sudo apt install libgit2

Note: We use the install option even when upgrading in Debian/Ubuntu.

IMPORTANT! Knowledge is power, right? Keep on top of those security updates!

Search for and Install all Security Updates with apt-get

Note: Now, we're going to get into a little bit of the "beyond" for this course!

List all available security updates (only) from the command line:

sudo apt-get -s dist-upgrade | grep "^Inst" | grep -i security

In Debian, this will show all available security updates that come from the "stable-security" repository. You could then install individual updates from the list as shown earlier, or install them all with something similar to:

apt-get -s dist-upgrade | grep "^Inst" | grep -i security | awk '{print $2}' | xargs apt-get install

Note: You will have to do this as root in a Debian system.

This should install the security updates only. Fantastic! But what happened here? Well, the -s option simulated a dist-upgrade, which lists what would be installed without changing anything. We then used grep to keep only the "Inst" lines that mention security, and awk to pull out the second field of each line (the name of the package to be updated). Finally, xargs passed those package names to apt-get install to actually install them.

Note: We are using apt-get here instead of apt. This is one of those times when it is recommended to do so because apt is considered less stable within scripts (though it can work).
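The filter in the lab's pipeline matches the word "security" anywhere in the line, so it also picks up a package whose name happens to contain that word. The added example below (not from the original lab) runs the lab's filter beside a stricter one that checks the origin field instead, against a constructed sample of apt-get -s dist-upgrade output; the package versions are made up and the line format is the one Debian 12 prints.

```shell
#!/bin/sh
# Constructed sample of "apt-get -s dist-upgrade" output (made up for this example,
# not captured from a real host); only the "Inst" lines matter to the filters.
SAMPLE='Reading package lists...
Building dependency tree...
Inst libssl3 [3.0.11-1~deb12u2] (3.0.13-1~deb12u1 Debian-Security:12/stable-security [amd64])
Inst libapache2-mod-security2 [2.9.7-1] (2.9.7-1+deb12u1 Debian:12.5/stable [amd64])
Inst curl [7.88.1-10+deb12u5] (7.88.1-10+deb12u6 Debian-Security:12/stable-security [amd64])
Conf libssl3 (3.0.13-1~deb12u1 Debian-Security:12/stable-security [amd64])
Inst bash [5.2.15-2] (5.2.15-2+b2 Debian:12.5/stable [amd64])'

# The lab's filter: any "Inst" line that contains "security" anywhere.
# It also catches packages whose *name* contains the word; libapache2-mod-security2
# here comes from plain "stable", not from the security archive.
naive_security_pkgs() {
  grep '^Inst' | grep -i security | awk '{print $2}'
}

# Stricter filter: keep an "Inst" line only when its origin/suite field names
# the security archive (Debian-Security:... or .../stable-security).
security_pkgs() {
  awk '$1 == "Inst" && $0 ~ /Debian-Security:|\/stable-security/ {print $2}'
}

# Stand-alone demo: compare the two filters on the sample.
echo "naive:  $(printf '%s\n' "$SAMPLE" | naive_security_pkgs | tr '\n' ' ')"
echo "strict: $(printf '%s\n' "$SAMPLE" | security_pkgs | tr '\n' ' ')"
```

On a real Debian system, pipe the output of apt-get -s dist-upgrade into security_pkgs and preview the result with xargs -r apt-get -s install before installing for real.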

Use the unattended upgrades Program

The unattended-upgrades program can be used to automatically update the system. It can also be used to simplify the above process of installing security updates only.

  • First, check if it is already loaded on the system. (It is not installed by default with Debian but might be available on Ubuntu.)

  • Then, if necessary, install it:

    sudo apt install unattended-upgrades

  • Now, configure it:

    sudo dpkg-reconfigure unattended-upgrades

    Select "Yes" to configure unattended upgrades so that it will automatically update the system.

    Warning! This will now automatically update the system. In many cases, this is not desired in a professional work environment.

    Warning: Installing Unattended Upgrades will start a service of the same name (unattended-upgrades.service) which will run automatically and uses at least 13 MB of RAM. This may be unacceptable for many server installations.

  • Now, modify Unattended Upgrades so that it will install security updates only.

    • Open /etc/apt/apt.conf.d/50unattended-upgrades
    • Locate the "origin..." line items.
    • Comment out (//) all origins except for the security-based ones. If the main "Debian" origin is not commented out, the program will attempt to install all updates, which is not desired, and will be time consuming.
    • Open /etc/apt/apt.conf.d/10periodic and modify the periodic updates as you see fit.
  • Run the program as a dry run to see if it works:

    sudo unattended-upgrade --dry-run -d

  • Then, run it for real by removing the --dry-run option.
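The risky part of the procedure above is leaving a non-security origin uncommented in 50unattended-upgrades. The added example below (not part of the original lab) checks a constructed excerpt of that file and reports which Origins-Pattern entries are still active; the entry text follows Debian 12's default file, but check the exact lines on your own system.

```shell
#!/bin/sh
# Constructed excerpt of /etc/apt/apt.conf.d/50unattended-upgrades after editing
# (Debian 12 style entries, assumed here; only the security origins are left active).
CONF='Unattended-Upgrade::Origins-Pattern {
//      "origin=Debian,codename=${distro_codename}-updates";
//      "origin=Debian,codename=${distro_codename}-proposed-updates";
//      "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};
Unattended-Upgrade::Package-Blacklist {
};'

# Print the origin patterns inside the Origins-Pattern block that are still
# active, i.e. not commented out with a leading "//".
active_origins() {
  awk '/Origins-Pattern/ {inblk=1; next}
       inblk && /^[[:space:]]*}/ {inblk=0}
       inblk && $0 !~ /^[[:space:]]*\/\// && /"/ {
         sub(/^[[:space:]]*"/, ""); sub(/";.*$/, ""); print }'
}

# Succeed (exit 0) only when every active origin is a security origin.
security_only() {
  ! active_origins | grep -v -i security | grep -q .
}

# Stand-alone demo on the sample config.
printf '%s\n' "$CONF" | active_origins
if printf '%s\n' "$CONF" | security_only; then
  echo "OK: only security origins are active"
else
  echo "WARNING: non-security origins are active"
fi
```

Run it against the real file with active_origins < /etc/apt/apt.conf.d/50unattended-upgrades before the dry run, so the dry run only confirms what the config already says.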

👍 Fantastic work!! You Rule! 👍


Note: You might also be interested in using Bash, Cron, Ansible, or a third-party program called Debsecan to configure the installation of security updates to your liking. Personally, I prefer the apt-get method above. But to each their own!


Dave Prowse
I'm Dave, a tech and a teacher. My focus is on sysadmin/devops work including Linux, IaC, Bash, automation tools, networking, and security. Enjoy this site!