May 20, 2015

Automatic Security Updates

On Debian/Ubuntu servers, we can enable the automatic download and installation of security updates. Let's see how to protect our servers by enabling unattended upgrades!

You can enable unattended upgrades, but choose only security updates instead of all software updates.

To do so, install the following on Debian/Ubuntu:

sudo apt-get install -y unattended-upgrades

Then update /etc/apt/apt.conf.d/50unattended-upgrades. Ensure the Allowed-Origins block looks similar to this:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
//  "${distro_id}:${distro_codename}-backports";
};

Note that every origin except the security one is commented out.

Some updates can trigger a server reboot; you should decide whether you want upgrades to be able to do so. Uncomment the following line and set it to true if you want your server to reboot automatically.

Unattended-Upgrade::Automatic-Reboot "true";

Finally, create or edit the /etc/apt/apt.conf.d/02periodic file to set the upgrade action to occur once per day. Ensure these lines are present:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

Once that's complete, you're all set!

This runs at set intervals: "Periodic" items are run once per day by the daily cron job. If you're curious, you can find that configured in the /etc/cron.daily/apt file.

Upgrade information is logged within the /var/log/unattended-upgrades directory.
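As an added check (this script is not part of the original post), the following audits the two files described above: it lists which Allowed-Origins are actually active, confirms that only the security origin is enabled, and reads back the APT::Periodic values. The sample files it builds are constructed here so it runs offline; point the functions at /etc/apt/apt.conf.d/50unattended-upgrades and 02periodic to audit a real host.

```shell
#!/bin/sh
# Added example (not from the original post): audit an unattended-upgrades
# configuration to confirm that only the security origin is active and that
# the APT::Periodic keys are set. File paths are parameters, so the functions
# can be pointed at /etc/apt/apt.conf.d/50unattended-upgrades and 02periodic.

# Print the origins inside the Allowed-Origins block that are NOT commented out.
active_origins() {
    sed -n '/Unattended-Upgrade::Allowed-Origins/,/^};/p' "$1" \
        | grep -v '^[[:space:]]*//' \
        | grep -o '"[^"]*"' \
        | tr -d '"'
}

# Succeed only when the security origin is the sole active origin.
security_only() {
    [ "$(active_origins "$1")" = '${distro_id}:${distro_codename}-security' ]
}

# Print the value of an APT::Periodic key ($2) from file $1 (empty if absent).
periodic_value() {
    sed -n "s/^$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$1"
}

# Constructed sample files: the post's recommended config, plus a weaker
# variant that also pulls in the -updates pocket.
GOOD=$(mktemp); WEAK=$(mktemp); PERIODIC=$(mktemp)
cat > "$GOOD" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-backports";
};
EOF
sed 's|^// *"\(.*-updates\)"|    "\1"|' "$GOOD" > "$WEAK"
cat > "$PERIODIC" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF

security_only "$GOOD" && echo "GOOD: security origin only"
security_only "$WEAK" || echo "WEAK: extra origins active: $(active_origins "$WEAK" | tr '\n' ' ')"
echo "Unattended-Upgrade runs daily: $(periodic_value "$PERIODIC" APT::Periodic::Unattended-Upgrade)"
```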
