Staying up to date with the latest security patches is a crucial step to avoid getting hacked.
Google recently published an article showcasing a proof-of-concept attack based on the famous Spectre vulnerability, just to emphasize the possible consequences of leaving affected systems unpatched.
There is a constant flow of new vulnerabilities being discovered and, as a result, new security updates are getting published almost every day.
Luckily, this process has been made simple for Linux users running Debian-based distributions like Ubuntu. The unattended-upgrades package does exactly what its name suggests, providing automatic unattended security updates.
Install the unattended upgrade utility:
sudo apt install unattended-upgrades apt-listchanges
Reconfigure the package to ensure it will automatically perform updates (choose <YES>):
sudo dpkg-reconfigure -plow unattended-upgrades
Check /etc/apt/apt.conf.d/20auto-upgrades and make sure it has the following content:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
For more information regarding these variables take a look at this guide.
Check /etc/apt/apt.conf.d/50unattended-upgrades and make sure only lines corresponding to security packages are uncommented:
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
};
If you would like to exclude certain packages from being updated, list them in the same file under:
Unattended-Upgrade::Package-Blacklist {
"docker";
"nginx";
};
To get a list of security packages that are ready to be upgraded:
apt-get upgrade -s | grep -i security
To see what unattended-upgrade will do when it runs:
sudo unattended-upgrades --dry-run --debug
To manually update the packages:
sudo unattended-upgrade
To get the overall number of packages with available updates:
/usr/lib/update-notifier/apt-check --human-readable
This post was originally published on my blog where I write all about tech.