unattended-upgrades, making security a priority


One of the little white lies that we tell ourselves is that ‘security is a priority’. It’s not. If it were, we would spend more time on it. Because what is the single most important thing that we can do to secure our systems? Keep them up to date. Not only the patches marked as security updates, but all of them, rebooting the system when necessary.

For me personally this is a bit of a pain. I have a lot of systems, and I don’t want to have to log into each one to update them. I want to automate this. Not by launching an ansible playbook (or similar), but by having the system do it itself.

This is where unattended-upgrades comes in. It’s a package that you can install on your system that will automatically install updates for you. It’s not perfect, but it’s a good start. Fetch, install, and reboot. That’s it.

In this post I will show you how to install and configure unattended-upgrades on your system. I will also show you how to test it, and how to check if it’s working.

Installing unattended-upgrades

The first thing that you need to do is install the package. You can do this with the following command:

sudo apt-get install unattended-upgrades

Configuring unattended-upgrades

/etc/apt/apt.conf.d/50unattended-upgrades

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
    // -proposed holds updates that are still being tested and -backports carries newer
    // versions rebuilt for this release; keep them only where that extra risk is acceptable
    "${distro_id}:${distro_codename}-proposed";
    "${distro_id}:${distro_codename}-backports";
};

// Automatically reboot *WITHOUT* confirmation if a restart is required
Unattended-Upgrade::Automatic-Reboot "true";

// Automatically reboot even if users are logged in
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

// Reboot at this local time (here 02:00) rather than as soon as the upgrade finishes,
// so the restart lands in a maintenance window
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

/etc/apt/apt.conf.d/20auto-upgrades

// Run apt-get update (refresh the list of available packages) every N days; "1" means daily.
APT::Periodic::Update-Package-Lists "1";

// Download, but do not install, the available package upgrades every N days; "1" means daily.
APT::Periodic::Download-Upgradeable-Packages "1";

// Run apt-get autoclean every N days to drop cached .deb files that can no longer be downloaded; "7" means weekly.
APT::Periodic::AutocleanInterval "7";

// Run unattended-upgrade to install the downloaded upgrades every N days; "1" means daily. "0" disables a step.
APT::Periodic::Unattended-Upgrade "1";
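The two files above, rendered by a script so the same configuration can be pushed to every host instead of edited by hand. This is an added example and not code from the original post: it assumes Debian/Ubuntu paths, writes only the -security and -updates origins by default (pass -proposed and -backports as extra arguments to reproduce the list above), and the file name apply-uu.sh is arbitrary.

```shell
#!/bin/sh
# Added example (not from the original post): render the two
# unattended-upgrades configuration files under a chosen root, sanity-check
# them, and apply them to the live system when run as
#   sudo sh apply-uu.sh apply
# Assumes Debian/Ubuntu paths; apply-uu.sh is an arbitrary name.
set -eu

# write_unattended_conf ROOT SUITE...   renders 50unattended-upgrades.
# Each SUITE is the suffix appended to ${distro_codename}, e.g. -security.
write_unattended_conf() {
    root="$1"; shift
    dir="$root/etc/apt/apt.conf.d"
    mkdir -p "$dir"
    {
        echo 'Unattended-Upgrade::Allowed-Origins {'
        for suite in "$@"; do
            # ${distro_id}/${distro_codename} are expanded by apt, not by the shell
            printf '    "${distro_id}:${distro_codename}%s";\n' "$suite"
        done
        echo '};'
        echo '// Reboot without confirmation when a package asks for it, even with users'
        echo '// logged in, but only at the given local time, not right after the upgrade.'
        echo 'Unattended-Upgrade::Automatic-Reboot "true";'
        echo 'Unattended-Upgrade::Automatic-Reboot-WithUsers "true";'
        echo 'Unattended-Upgrade::Automatic-Reboot-Time "02:00";'
    } > "$dir/50unattended-upgrades"
}

# write_auto_upgrades ROOT   renders 20auto-upgrades (intervals are in days).
write_auto_upgrades() {
    mkdir -p "$1/etc/apt/apt.conf.d"
    cat > "$1/etc/apt/apt.conf.d/20auto-upgrades" <<'EOF'
// Intervals in days; "0" disables the step.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# check_conf ROOT   returns 1 if a key the setup relies on is missing, and
# warns when -proposed is enabled because it ships packages still under test.
check_conf() {
    root="$1"
    uu="$root/etc/apt/apt.conf.d/50unattended-upgrades"
    au="$root/etc/apt/apt.conf.d/20auto-upgrades"
    for key in 'Unattended-Upgrade::Allowed-Origins' \
               'Unattended-Upgrade::Automatic-Reboot "true"' \
               'Unattended-Upgrade::Automatic-Reboot-Time'; do
        grep -Fq "$key" "$uu" || { echo "missing $key in $uu" >&2; return 1; }
    done
    for key in 'APT::Periodic::Update-Package-Lists "1"' \
               'APT::Periodic::Unattended-Upgrade "1"'; do
        grep -Fq "$key" "$au" || { echo "missing $key in $au" >&2; return 1; }
    done
    if grep -Fq -- '-proposed' "$uu"; then
        echo "warning: -proposed is enabled; it carries packages still under test" >&2
    fi
    return 0
}

# Apply to the running system only when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    write_unattended_conf / -security -updates
    write_auto_upgrades /
    check_conf /
    # Confirm apt itself parses the files, then rehearse a run without changing anything.
    apt-config dump | grep -F 'Unattended-Upgrade::Automatic-Reboot'
    unattended-upgrade --dry-run --debug
fi
```

The apply branch ends with apt-config dump so that a syntax slip in either file (a missing semicolon is the usual one) is caught before the next scheduled run silently fails.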

Testing unattended-upgrades

On systemd hosts the daily runs are driven by two timers, apt-daily.timer (update and download) and apt-daily-upgrade.timer (install), not by the unattended-upgrades service, which only exists to finish an interrupted run at shutdown. Check that both timers are active and when they fire next:

systemctl list-timers 'apt-daily*'

The service itself should show as loaded, typically in the "active (exited)" state:

sudo systemctl status unattended-upgrades

Manually trigger an unattended upgrade to test it. --dry-run resolves the upgrade and logs what would be installed without changing the system, and --debug prints the matched origins and the package list to the terminal:

sudo unattended-upgrade --dry-run --debug

Logs for unattended upgrades can be found in the /var/log/unattended-upgrades directory: unattended-upgrades.log records each run and the decisions it made, and unattended-upgrades-dpkg.log holds the dpkg output for the packages it installed.

sudo tail -n 50 /var/log/unattended-upgrades/unattended-upgrades.log
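Reading the log by hand does not scale to many hosts, so here is a small check that summarises the last run recorded in unattended-upgrades.log and reports whether a reboot is still pending. It is an added example, not code from the original post; the log lines it ships with are constructed in the format the daemon writes, the check-uu.sh name is arbitrary, and it relies on /var/run/reboot-required being the flag unattended-upgrades consults before rebooting.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the most recent run in
# unattended-upgrades.log and report whether a reboot is pending.
# Run on a real host as:  sh check-uu.sh check   (check-uu.sh is an arbitrary name)
set -eu

# uu_last_run LOGFILE
# Prints one line for the most recent run: "ok <packages>", "nothing-to-do",
# "error", "incomplete" (started but never finished) or "no-runs".
uu_last_run() {
    awk '
        # Each run starts with this line; reset state so only the last run counts.
        /Starting unattended upgrades script/ { status = "incomplete"; pkgs = "" }
        /Packages that will be upgraded:/ {
            sub(/.*Packages that will be upgraded: */, ""); pkgs = $0
        }
        /All upgrades installed/                              { status = "ok" }
        /No packages found that can be upgraded unattended/   { status = "nothing-to-do" }
        / ERROR /                                             { status = "error" }
        END {
            if (status == "")         print "no-runs"
            else if (status == "ok")  print "ok " pkgs
            else                      print status
        }
    ' "$1"
}

# reboot_pending ROOT
# Returns 0 and lists the packages that requested a reboot when
# ROOT/var/run/reboot-required exists (the flag unattended-upgrades checks
# before rebooting at Automatic-Reboot-Time); returns 1 otherwise.
reboot_pending() {
    flag="$1/var/run/reboot-required"
    [ -e "$flag" ] || return 1
    [ -r "$flag.pkgs" ] && cat "$flag.pkgs"
    return 0
}

# Constructed sample log (not a real capture) in the format the daemon writes,
# used to exercise uu_last_run offline.
sample_log() {
    cat <<'EOF'
2024-05-01 06:32:11,123 INFO Starting unattended upgrades script
2024-05-01 06:32:11,456 INFO Allowed origins are: o=Ubuntu,a=jammy-security, o=Ubuntu,a=jammy-updates
2024-05-01 06:32:12,000 INFO Initial blacklist:
2024-05-01 06:32:20,001 INFO Packages that will be upgraded: libssl3 openssl
2024-05-01 06:32:20,002 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
2024-05-01 06:32:45,002 INFO All upgrades installed
EOF
}

# Only touch the live system when explicitly asked to.
if [ "${1:-}" = "check" ]; then
    uu_last_run /var/log/unattended-upgrades/unattended-upgrades.log
    if reboot_pending /; then echo "reboot pending"; else echo "no reboot pending"; fi
fi
```

An "incomplete" result after the timer has fired is the case worth alerting on: it means the run started and died (a full disk or a dpkg prompt are common causes), so the host is not actually being patched even though the service looks healthy.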
