diff --git a/docs/admin.rst b/docs/admin.rst index 32e24e834..37290effb 100644 --- a/docs/admin.rst +++ b/docs/admin.rst @@ -413,16 +413,10 @@ for how to enable error logging for the *Source Interface*. Immediately Apply a SecureDrop Update ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -SecureDrop will update and reboot once per day. However, if after a SecureDrop -update `is announced`_ you wish to fetch the update immediately, you can SSH -into each server (via ``ssh app`` and ``ssh mon``) and run: - -.. code:: sh - - sudo cron-apt -i -s - -Depending on the nature of the update (e.g., if the ``tor`` package is upgraded -and you are using SSH-over-Tor), your SSH connection may be interrupted, and you +SecureDrop will update and reboot once per day. However, once a SecureDrop +update `is announced`_ , you can opt to fetch the update immediately. Depending +on the nature of the update (e.g., if the ``tor`` package is upgraded and you are +using SSH-over-Tor), your SSH connection may be interrupted, and you may have to reconnect to see the full output. .. important:: @@ -430,6 +424,31 @@ may have to reconnect to see the full output. Except where otherwise indicated, make sure to update both your *Application Server* and your *Monitor Server*. + +To update your servers immediately, you can SSH +into each server (via ``ssh app`` and ``ssh mon``) and run the following command, +noting the value of ``VERSION_CODENAME``: + +.. code:: sh + + cat /etc/os-release + +VERSION_CODENAME is "Focal" +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. code:: sh + + sudo unattended-upgrades + + +VERSION_CODENAME is "Xenial" +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. code:: sh + + sudo cron-apt -i -s + + .. _`is announced`: https://securedrop.org/news diff --git a/docs/servers.rst b/docs/servers.rst index 8cf122768..a8a1d8737 100644 --- a/docs/servers.rst +++ b/docs/servers.rst 
@@ -236,9 +236,8 @@ Disk Encryption If the servers are ever powered down, FDE will ensure all of the information on them stays private in case they are seized or stolen. -.. warning:: The Ansible playbooks for SecureDrop will enable nightly reboots - after the ``cron-apt`` task runs for automatic updates. Using FDE - would therefore require manual intervention every morning. +.. warning:: The Ansible playbooks for SecureDrop will enable nightly reboots. + Using FDE would therefore require manual intervention every morning. Consequently **we strongly discourage the use of FDE.** While FDE can be useful in some cases, we currently do not recommend @@ -282,8 +281,8 @@ subsequent SecureDrop installation will include a task that handles regular software updates. .. note:: The Ansible playbooks for SecureDrop will configure automatic - updates via ``cron-apt``. As part of the automatic update process, - the servers will reboot nightly. See the + updates via ``unattended-upgrades``. As part of the automatic update + process, the servers will reboot nightly. See the :ref:`OSSEC guide ` for example notifications generated by the reboots.
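Review bot: in the first docs/admin.rst hunk (@@ -413,16 +413,10 @@), the rewritten paragraph warns that "your SSH connection may be interrupted" before the reader has been told to SSH in, because the ``ssh app`` / ``ssh mon`` step now sits below the ``.. important::`` block in the following hunk. Consider moving the interruption caveat after the commands, or keeping the SSH step in this paragraph so the warning has something to refer to. Separately, "`is announced`_ , you can" has a stray space before the comma that will render as "is announced , you can".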
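Review bot: in the second docs/admin.rst hunk (@@ -430,6 +424,31 @@), the new headings quote the values as "Focal" and "Xenial", but ``/etc/os-release`` reports ``VERSION_CODENAME`` in lowercase (``focal``, ``xenial``), so an admin matching the output against the headings will not find an exact match. Suggest writing the headings with the literal lowercase values in double backticks. Since only one field matters, ``grep VERSION_CODENAME /etc/os-release`` would be easier to read than ``cat /etc/os-release``, which prints the whole file. The doubled blank lines before "VERSION_CODENAME is "Xenial"" and before the ``.. _`is announced`:`` target can also be collapsed to one.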
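Review bot: in the first docs/servers.rst hunk (@@ -236,9 +236,8 @@), dropping "after the ``cron-apt`` task runs for automatic updates" leaves the warning with no reason for the nightly reboots, which makes the FDE advice harder to follow. A tool-neutral wording such as "will enable nightly reboots as part of automatic updates" keeps the rationale without naming either updater.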
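Review bot: in the second docs/servers.rst hunk (@@ -282,8 +281,8 @@), the note now says automatic updates are configured "via ``unattended-upgrades``" unconditionally, while the docs/admin.rst change in this same patch still documents ``sudo cron-apt -i -s`` for servers where ``VERSION_CODENAME`` is Xenial. If Xenial installs are still supported by these docs, the note should say which updater applies to which release; if they are not, the Xenial subsection in admin.rst should be dropped so the two pages agree.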