Important: Use checkrestart on Debian after installing security updates

By | 2014/08/13

Run checkrestart after installing security updates on Debian: it finds processes that are still using old versions of files the update replaced. Incorporate this into your maintenance and security tasks right away!


1. Install the package debian-goodies

$ sudo apt-get install debian-goodies

2. Run sudo checkrestart

$ sudo checkrestart

The example below is from a Debian Wheezy system that is completely up to date via apt-get. Most admins would assume all is well, when in fact the system is still running unpatched code and services. Eek.

For processes that have no init or other script to restart them, checkrestart lists the PID so you can investigate how best to restart that process.

$ sudo checkrestart
Found 84 processes using old versions of upgraded files
(23 distinct programs)
(15 distinct packages)

Of these, 13 seem to contain init scripts which can be used to restart them:
The following packages seem to have init scripts that could be used
to restart them:
newrelic-sysmond:
        1777    /usr/sbin/nrsysmond
        18114   /usr/sbin/nrsysmond
nslcd:
        1754    /usr/sbin/nslcd
postfix:
        2028    /usr/lib/postfix/qmgr
        3806    /usr/lib/postfix/tlsmgr
        2009    /usr/lib/postfix/master
openntpd:
        1870    /usr/sbin/ntpd
        1869    /usr/sbin/ntpd
udev:
        289     /sbin/udevd
php5-fpm:
        15985   /usr/sbin/php5-fpm
        31018   /usr/sbin/php5-fpm
        31406   /usr/sbin/php5-fpm
        26885   /usr/sbin/php5-fpm
cron:
        1844    /usr/sbin/cron
openssh-server:
        5265    /usr/sbin/sshd
        32166   /usr/sbin/sshd
        32164   /usr/sbin/sshd
        32203   /usr/sbin/sshd
        32201   /usr/sbin/sshd
nginx-full:
        7860    /usr/sbin/nginx
        7856    /usr/sbin/nginx
        7857    /usr/sbin/nginx
        7858    /usr/sbin/nginx
        7859    /usr/sbin/nginx
rsyslog:
        1698    /usr/sbin/rsyslogd
redis-server:
        1895    /usr/bin/redis-server
memcached:
        1826    /usr/bin/memcached
dbus:
        1781    /usr/bin/dbus-daemon

These are the init scripts:
service newrelic-sysmond restart
service nslcd restart
service postfix restart
service openntpd restart
service udev-mtab restart
service udev restart
service php5-fpm restart
service cron restart
service ssh restart
service nginx restart
service rsyslog restart
service redis-server restart
service memcached restart
service dbus restart

These processes do not seem to have an associated init script to restart them:
python2.7-minimal:
        7739    /usr/bin/python2.7
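
To fold this into routine maintenance, the report can be summarised by a small script. The following is an added example, not part of the original post or of debian-goodies; the function names are hypothetical and the parsing assumes the report layout shown above.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a checkrestart report
# for cron or monitoring. Parsing assumes the report layout shown in this post.
# Number of processes still using old files (first line of the report).
stale_count() {
    awk '/^Found [0-9]+ processes using old versions/ { print $2; found = 1 }
         END { if (!found) print 0 }'
}

# The "service <name> restart" lines that checkrestart suggests.
restart_commands() {
    awk '/^service [^ ]+ restart$/'
}

# PIDs listed under "do not seem to have an associated init script".
unmanaged_pids() {
    awk '/^These processes do not seem to have an associated init script/ { on = 1; next }
         on && $1 ~ /^[0-9]+$/ && $2 ~ /^\// { print $1 }'
}

# One-line summary; returns 1 when anything still runs old code.
check_report() {
    report=$(cat)
    n=$(printf '%s\n' "$report" | stale_count)
    if [ "$n" -eq 0 ]; then
        echo "OK: no processes using old files"
        return 0
    fi
    cmds=$(printf '%s\n' "$report" | restart_commands | wc -l | tr -d ' ')
    pids=$(printf '%s\n' "$report" | unmanaged_pids | tr '\n' ' ')
    pids=${pids% }
    echo "STALE: $n processes, $cmds restart commands, manual PIDs: ${pids:-none}"
    return 1
}

# Sample report, shortened from the output shown in this post.
SAMPLE_REPORT='Found 84 processes using old versions of upgraded files
(23 distinct programs)
(15 distinct packages)

These are the init scripts:
service postfix restart
service ssh restart

These processes do not seem to have an associated init script to restart them:
python2.7-minimal:
        7739    /usr/bin/python2.7'
# On a real host: sudo checkrestart | check_report
```

The non-zero return status lets a cron wrapper or monitoring check raise an alert while processes are still running old code after an upgrade.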

Stay safe,
