Last active
February 2, 2017 13:23
Gist: perpetual-hydrofoil/af55838ff36584c13a69
Upgrade and force a reboot if the kernel changed, as an hourly cron job, for security-sensitive requirements.
```bash
cat << 'EOF' > /etc/cron.hourly/local-system-upgrade
#! /bin/bash
#
# hourly server upgrade
logger -t local-system-upgrade Upgrading server.
# record the checksum of the current kernel image before upgrading
sha1sum /vmlinuz > /vmlinuz.sha1sum
apt-get update
apt-get -qy dist-upgrade
apt-get -qy autoclean
# reboot when kernel upgraded (the recorded checksum no longer matches)
sha1sum -c /vmlinuz.sha1sum || (
    # alternatively, pipe the message to: sendmail root
    echo "Kernel updated; rebooting now." | logger -t local-system-upgrade
    /sbin/reboot
)
EOF
# run-parts only executes files in cron.hourly that are executable
chmod 0755 /etc/cron.hourly/local-system-upgrade
```
Just a quick script that we use on all servers. The last line will occasionally and semi-randomly reboot your server. This is aggressive protection against zero-day attacks in your distro for when you prioritize security over utility, but you could cron it once a day or once a week (same script in cron.daily or cron.weekly) or a more convenient time if desired, or you could move just that sha1sum -c reboot portion to a separate script, or front-end it with a load-balancer to smooth out any missing servers.
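The reboot decision split out as the comment above suggests, as an added example that is not part of the gist: the gist's checksum check as a function, plus a stricter check that compares the running kernel version (uname -r in production) against the newest installed /boot/vmlinuz-<version>. The state file, image path, boot directory and running version are parameters (assumed for this illustration) so the logic can be exercised without root or a reboot; it assumes a Debian-style /boot layout and GNU coreutils (sha1sum, sort -V).

```bash
#!/bin/bash
# Added example (not from the gist): reboot checks that slot in after the
# gist's "apt-get dist-upgrade". Assumes Debian-style /boot/vmlinuz-<version>
# images and GNU coreutils; all paths/versions are parameters for testability.

# kernel_image_changed STATEFILE IMAGE
#   The gist's check: true (0) when IMAGE's sha1 differs from the sum recorded
#   by the previous run. Always records the current sum; the first run only
#   seeds the state and reports "unchanged".
kernel_image_changed() {
    local statefile=$1 image=$2 current previous
    current=$(sha1sum "$image" 2>/dev/null | cut -d' ' -f1)
    [ -n "$current" ] || return 1
    previous=$(cut -d' ' -f1 "$statefile" 2>/dev/null || true)
    printf '%s  %s\n' "$current" "$image" > "$statefile"
    [ -n "$previous" ] && [ "$current" != "$previous" ]
}

# newest_installed_kernel BOOTDIR
#   Prints the highest version among BOOTDIR/vmlinuz-* (version sort, so
#   4.9.0-10 ranks above 4.9.0-2); prints nothing if no images exist.
newest_installed_kernel() {
    local f
    for f in "$1"/vmlinuz-*; do
        [ -e "$f" ] && printf '%s\n' "${f##*/vmlinuz-}"
    done | sort -V | tail -n1
}

# running_kernel_outdated BOOTDIR RUNNING_VERSION
#   Stricter check: true when the running kernel (uname -r in production) is
#   not the newest installed one; catches an upgrade whose reboot was missed.
running_kernel_outdated() {
    local newest
    newest=$(newest_installed_kernel "$1")
    [ -n "$newest" ] && [ "$newest" != "$2" ]
}

# decide_reboot STATEFILE IMAGE BOOTDIR RUNNING_VERSION
#   Prints the reason a reboot is warranted and returns 0; returns 1 if none.
#   The cron job would then run: logger -t local-system-upgrade ... && /sbin/reboot
decide_reboot() {
    local statefile=$1 image=$2 bootdir=$3 running=$4
    if kernel_image_changed "$statefile" "$image"; then
        echo "kernel image $image changed since last run"
    elif running_kernel_outdated "$bootdir" "$running"; then
        echo "running kernel $running differs from newest installed $(newest_installed_kernel "$bootdir")"
    else
        return 1
    fi
}
```

In production the call would be `decide_reboot /vmlinuz.sha1sum /vmlinuz /boot "$(uname -r)"`, with the printed reason sent to logger before rebooting.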