System Updates and Package Management: Keeping Your System Safe - Part 2 of 5 of the Terminal Techniques for You (TTY): Making Linux Security Accessible Blog Series

Welcome to part two our TTY series! In our first blog, we explored how to navigate the Linux file system using the terminal. Now that you can find your way around, let's focus on one of the most fundamental aspects of system security: keeping your software updated.

Unlike Windows or macOS, where updates usually come from a single source, Linux uses a package management system that helps you install, update, and remove software safely. Understanding this system is crucial for maintaining security, as outdated software is one of the most common entry points for attackers.

Why Updates Matter for Security

Before diving into commands, let's understand why updates are so important:

1. Security Patches: Developers regularly fix vulnerabilities in their software. Without updates, a system remains vulnerable to known exploits.
2. Bug Fixes: Updates often fix stability issues that might cause system crashes.
3. Feature Improvements: Updates can add new capabilities or improve existing ones.
4. Dependency Management: Linux software often relies on shared libraries and components. Updates ensure everything works together.

A real-world analogy: if you drive a car (or ride in one), without regular oil changes and tune-ups, it won’t run efficiently or safely. Similarly, updates keep the software on your system running smoothly and securely.

Understanding Linux Package Management

Unlike manually downloading programs from websites (as is common in Windows), Linux uses centralized software repositories; trusted collections of software managed by your distribution's maintainers.

This approach provides several security benefits:

1. Verified Sources: Official repositories are checked for malware and backdoors.
2. Digital Signatures: Package hashes are cryptographically signed, and the package manager verifies them.
3. Dependency Resolution: The package manager automatically installs other required components.
4. Centralized Updates: One command can update all installed software.

Different Linux distributions use different package managers. The most common are:

• `apt` and `dpkg`: Debian-based distributions (Ubuntu and Linux Mint)
• `dnf`, `yum`, and/or `rpm`: Fedora, Red Hat, CentOS, Alma, Rocky
• `pacman`: Arch-based distributions
• `zypper` and `rpm`: openSUSE
• `apk`: Alpine

Since Ubuntu and its derivatives are the most popular for beginners, we'll focus on the `apt` package manager, but the concepts apply to all distributions.

Checking for Updates

The first step in maintaining your system is checking for available updates. In Ubuntu/Debian systems, this involves two commands:

$ sudo apt update

Hit:1 http://us.archive.ubuntu.com/ubuntu focal InRelease

Hit:2 http://security.ubuntu.com/ubuntu focal-security InRelease

Hit:3 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease

Hit:4 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease

Reading package lists... Done

Building dependency tree... Done

Reading state information... Done

All packages are up to date.

This command doesn't install anything, it just updates your system's information about available packages. Think of it like refreshing a web page to check for new inventory before shopping.

The `sudo` prefix gives the command temporary administrative privileges required for system-wide changes. You'll be prompted for the password of the account executing the `sudo` command.

After updating the package information, you can see what packages need updating:

$ apt list --upgradable

Listing... Done

firefox/focal-updates 89.0+build2-0ubuntu0.20.04.1 amd64 [upgradable from: 88.0+build2-0ubuntu0.20.04.1]

libssl1.1/focal-updates 1.1.1f-1ubuntu2.4 amd64 [upgradable from: 1.1.1f-1ubuntu2.3]

Installing Updates

Once you know what updates are available, you can install them:

$ sudo apt upgrade

Reading package lists... Done

Building dependency tree... Done

Reading state information... Done

Calculating upgrade... Done

The following packages will be upgraded:

firefox libssl1.1

2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Need to get 79.8 MB of archives.

After this operation, 6,144 B of additional disk space will be used.

Do you want to continue? [Y/n]

The system shows what will be upgraded and asks for confirmation. Press 'Y' and ENTER to proceed.

For a more thorough upgrade that can also remove obsolete packages or install new dependencies, use:

$ sudo apt full-upgrade

This is particularly important for major system upgrades.

Combining Update Commands

To make things more efficient, you can combine the update and upgrade command steps in a single line:

$ sudo apt update && sudo apt upgrade

The `&&` means "run the second command only if the first one succeeds."

Installing New Software

When you need to install new software, always use the package manager rather than downloading from websites:

$ apt search firewall

$ apt show ufw

$ sudo apt install ufw

Let's install the Uncomplicated Firewall (ufw) as an example, which we’ll explore in a futute post:

$ sudo apt install ufw

Reading package lists... Done

Building dependency tree... Done

Reading state information... Done

The following NEW packages will be installed:

ufw

0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.

Need to get 144 kB of archives.

After this operation, 768 kB of additional disk space will be used.

Do you want to continue? [Y/n]

Press 'Y' and Enter to install.

Removing Software Safely

Removing unused software reduces the attack surface and the number of potential vulnerability points in a system:

$ sudo apt remove package_name

$ sudo apt purge package_name

$ sudo apt autoremove

For example, if you installed a game but don't play it anymore:

$ sudo apt remove supertuxkart

$ sudo apt autoremove

The `autoremove` command is particularly useful as it cleans up dependencies that were installed automatically but are no longer needed.

Understanding Software Sources

Package managers use "sources" or "repositories" to know where to get software. These are configured in files like `/etc/apt/sources.list`.

By default, your distribution includes official repositories that are maintained and vetted for security. These typically include:

• Main/Core Repositories: Essential software maintained by the distribution maintainer
• Updates Repositories: Regular updates to packages
• Security Repositories: Critical security patches

There are also third-party repositories called Personal Package Archives (PPAs) in Ubuntu or similar concepts in other distributions. While these can provide newer software versions, they come with security considerations:

1. They may not be as thoroughly vetted.
2. They might not maintain the same security standards.
3. They could potentially distribute malicious software.

* Security Best Practice: Be selective about adding configuring or using third-party repositories. Only use those with a good reputation and come from trusted sources.

Automatic Security Updates

For critical security updates, it's a good idea to set up automatic updates. In Ubuntu/Debian:

$ sudo apt install unattended-upgrades

$ sudo dpkg-reconfigure unattended-upgrades

You'll be asked if you want to automatically download and install updates. For a desktop system, this is generally a good idea.

Verifying Package Integrity

When you install software through official repositories, the package manager automatically verifies digital signatures and/or hashes. However, if you download packages manually (with the `.deb` extension for Debian/Ubuntu), you should verify them:

$ dpkg-deb --info downloaded-package.deb

$ md5sum downloaded-package.deb

$ sha256sum downloaded-package.deb

Always compare the hash output from the appropriate command and ensure it matches the one provided by the official source.

Managing Package Vulnerabilities

Understanding Update Frequency

How often should you update? It depends on your security needs, the risk profile of the system, threat intelligence, and potentially many other factors. These are only examples, and my best suggestion for you is to get with your security team and follow their patch cycle.

If this is on your personal system, you own that risk and responsible for making these decisions:

• Security Updates: Install immediately (or set up automatic updates)
• Regular Updates: Weekly for desktop users and potentially daily, weekly, or monthly for stable servers
• Distribution Upgrades: Follow the distribution maintainer's support timeline

For Ubuntu LTS releases, you typically have multiple years of support, giving you plenty of time to plan major version upgrades.

Updates are Your Security Foundation

Keeping your system updated is one of the most effective security practices. With the commands and concepts we've covered, you now have the tools to:

• Keep your software up-to-date with the latest security patches
• Install new software from trusted sources
• Remove unnecessary software to reduce your attack surface (and save disk space)
• Automate security updates
• Troubleshoot common update problems

Remember, security is a continuous process, not a one-time setup. Regular updates are your first line of defense against known and emerging threats.

Practice Questions

To reinforce your understanding, answer these questions:

1. What command updates your system's package lists without installing anything?
2. How can you check if your system needs a reboot after updates?
3. What command removes unnecessary packages installed as dependencies?
4. What's the difference between `apt remove` and `apt purge`?
5. Why is it generally safer to install software using the package manager?

Header for two images

From the figures below you can see that we've conquered the world!

Package Management Best Practices

Here are some best practices to keep your system secure:

1. Update regularly: Set a schedule (weekly is good for most users)
2. Use official repositories when possible
3. Be selective about PPAs and third-party sources
4. Remove software you don't use
5. Check for needed reboots after kernel updates
6. Stick with long-term support (LTS) versions for better stability, security, and support

Security Tips for Software Installation

Beyond the basic package management, consider these security tips:

1. Never run scripts directly from the internet without reviewing what the script will do on your system:

# Risky practice to avoid (NOT RECOMMENDED):

$ curl https://example.com/script.sh | bash

2. Check software requirements before installing:

$ apt show package_name

3. Use virtual machines or containers to test unknown software before installing it on your main system.

4. Be cautious with snap packages (a newer packaging system):

# List installed snap packages

$ snap list

Snaps have different security properties than traditional packages.

Troubleshooting Common Update Issues

Sometimes you might encounter issues during updates. Here are some common problems and solutions.

#### Locked Package Database

E: Could not get lock /var/lib/dpkg/lock-frontend

This usually means another package management process is running. It's generally a good idea to wait for it to finish.

While not typically recommended. Sometimes things happen and you know there is no other package management process running, then you could try:

$ sudo killall apt apt-get

$ sudo rm /var/lib/apt/lists/lock

$ sudo rm /var/cache/apt/archives/lock

$ sudo rm /var/lib/dpkg/lock*

$ sudo apt update

#### Failed Updates Due to Disk Space

E: You don't have enough free space

Clear package cache and remove unnecessary files:

$ sudo apt clean

$ sudo apt autoremove

#### Package Dependency Issues

E: Unable to correct problems, you have held broken packages.

Try fixing with:

$ sudo apt --fix-broken install

If that doesn't work, more advanced troubleshooting might be needed.