Enabling Automatic Unattended Security Updates on Ubuntu and Debian

Mohammad Tomaraei (themreza). Originally published at tomaraei.com

Staying up to date with the latest security patches is a crucial step to avoid getting hacked.

Google recently published an article showcasing a proof-of-concept attack based on the famous Spectre vulnerability, just to emphasize the possible consequences of leaving affected systems unpatched.

There is a constant flow of new vulnerabilities being discovered and, as a result, new security updates are getting published almost every day.

Luckily, this process has been made simple for Linux users running Debian-based distributions like Ubuntu. The unattended-upgrades package does exactly what its name suggests, providing automatic unattended security updates.

Install the unattended upgrade utility:

sudo apt install unattended-upgrades apt-listchanges

Reconfigure the package to ensure it will automatically perform updates (Choose <YES>):

sudo dpkg-reconfigure -plow unattended-upgrades

Check /etc/apt/apt.conf.d/20auto-upgrades and make sure it has the following content:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";

For more information regarding these variables take a look at this guide.

Check /etc/apt/apt.conf.d/50unattended-upgrades and make sure only lines corresponding to security packages are uncommented:

"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";

If you would like to exclude certain packages from being updated, list them in the same file under:

Unattended-Upgrade::Package-Blacklist {
  "docker";
  "nginx";
};

To get a list of security packages that are ready to be upgraded:

apt-get upgrade -s | grep -i security

To see what unattended-upgrade will do when it runs:

sudo unattended-upgrades --dry-run --debug

To manually update the packages:

sudo unattended-upgrade

To get the overall number of packages with available updates:

/usr/lib/update-notifier/apt-check --human-readable
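
The two file checks above can be scripted so that configuration drift is caught later. The following is an added example, not part of the original post: it confirms that both APT::Periodic switches are on and reports any active origin other than the four listed in this guide. It assumes the origins sit in an Unattended-Upgrade::Allowed-Origins { ... } block, as in Ubuntu's stock file; the function names and the --live flag are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post; function names are its own.

# Print the last value set for an APT::Periodic key. $1=file $2=key
periodic_value() {
    sed -n "s|^[[:space:]]*APT::Periodic::$2[[:space:]]*\"\([^\"]*\)\";.*|\1|p" "$1" | tail -n 1
}

# Succeed only if list refresh and unattended upgrades are both switched on.
periodic_enabled() {  # $1=file
    for key in Update-Package-Lists Unattended-Upgrade; do
        val=$(periodic_value "$1" "$key")
        case "$val" in
            ''|0) echo "DISABLED: APT::Periodic::$key='$val'"; return 1 ;;
        esac
    done
}

# Print uncommented origins in the Allowed-Origins block (assumed Ubuntu layout).
active_origins() {  # $1=file
    awk '
        /^[ \t]*\/\// { next }                                    # skip commented lines
        /Unattended-Upgrade::Allowed-Origins/ { inblk = 1; next } # block opens
        inblk && /^[ \t]*[}];/ { inblk = 0 }                      # block closes
        inblk && match($0, /"[^"]*"/) { print substr($0, RSTART + 1, RLENGTH - 2) }
    ' "$1"
}

# Print active origins other than the four this guide lists.
unexpected_origins() {  # $1=file
    active_origins "$1" | grep -vxF \
        -e '${distro_id}:${distro_codename}' \
        -e '${distro_id}:${distro_codename}-security' \
        -e '${distro_id}ESMApps:${distro_codename}-apps-security' \
        -e '${distro_id}ESM:${distro_codename}-infra-security'
}

# Return 0 only when both files match the guide. $1=20auto-upgrades $2=50unattended-upgrades
audit() {
    rc=0
    periodic_enabled "$1" || rc=1
    extra=$(unexpected_origins "$2") || true
    if [ -n "$extra" ]; then echo "UNEXPECTED ORIGINS:"; echo "$extra"; rc=1; fi
    return $rc
}

# Check the live files only when asked: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit /etc/apt/apt.conf.d/20auto-upgrades /etc/apt/apt.conf.d/50unattended-upgrades
fi
```

A non-zero exit status means either a periodic switch is off or an extra origin is enabled, which makes the script usable from cron or a configuration-management check.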

This post was originally published on my blog where I write all about tech.
