How To Setup Automatic Security Updates on Ubuntu
We explain in detail how to configure automatic security updates in Ubuntu.
Step 1: Install Unattended Upgrades
The first step is to update the packages installed in the system by executing the following command:
sudo apt update
Once the package lists are updated, we install the unattended-upgrades package with apt:
sudo apt install unattended-upgrades
Step 2: Edit Config Directory
After installation, it will be necessary to edit the configuration in the /etc/apt/apt.conf.d configuration directory.
The unattended-upgrades configuration lives in that directory, so we edit it to define which type of updates are applied, which packages are blacklisted, and any additional settings the process needs.
For this we will go to the /etc/apt/apt.conf.d directory and edit the 50unattended-upgrades configuration file using the nano editor:
cd /etc/apt/apt.conf.d/
sudo nano 50unattended-upgrades
The file looks like this:
Step 3: Define Type of Updates
It will be necessary to define a type of update and upgrade to the operating system.
The unattended-upgrades package can apply different sets of automatic updates, for example all available package updates or only security updates. In this case, we will enable only security updates for Ubuntu 17.10.
In the first block of the configuration, "Allowed-Origins", we comment out all the lines and leave only the security line, as follows:
Step 4: Configure Blacklist Packages
The second block is the package blacklist configuration.
There we can define which packages are allowed for an update and which are not.
This is useful when we do not want specific packages to be updated within the operating system.
In this section, just as an example, we will not allow 'vim', 'mysql-server' and 'mysql-client' to be updated; in this case, our blacklist configuration should look like the following:
Additional Configuration
It will then be possible to add and enable some features provided by unattended updates. For example, we can set up an email notification for each update, allow automatic removal of unused packages (apt autoremove automatically) and enable automatic restart if necessary.
For email notifications, remove the comment from the following line:
Unattended-Upgrade::Mail "root";
If we choose to receive notifications by email, we must ensure that the mailx or Sendmail packages are installed in the operating system. These can be installed using the following command:
sudo apt install -y sendmail
To enable automatic removal of unused packages, we will remove the comment from the next line and change its value to true:
Unattended-Upgrade::Remove-Unused-Dependencies "true";
And if we want an automatic restart after the update when one is required, we uncomment the Automatic-Reboot line and change its value to 'true':
Unattended-Upgrade::Automatic-Reboot "true";
With this setting, the server restarts automatically as soon as all update packages have been installed. We can instead schedule the restart by uncommenting the corresponding line and setting the desired time, as follows:
Unattended-Upgrade::Automatic-Reboot-Time "00:00";
Save the changes using the following key combination Ctrl + O and exit the editor using Ctrl + X.
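As an added example that is not part of the original guide, the following shell script checks a 50unattended-upgrades file for the settings configured in Steps 3 and 4 and in the additional configuration above. It runs against a constructed sample written to a temporary file; the function names and the sample content are ours.

```shell
# Added example, not from the original guide: parse a 50unattended-upgrades
# file and verify only the security origin is active, which packages are
# blacklisted, and the reboot settings. Runs on a constructed sample; point
# the functions at /etc/apt/apt.conf.d/50unattended-upgrades on a real host.
SAMPLE_CONF='Unattended-Upgrade::Allowed-Origins {
//      "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
};
Unattended-Upgrade::Package-Blacklist {
        "vim";
        "mysql-server";
        "mysql-client";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "00:00";
'
CONF=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$CONF"

# active_entries FILE BLOCK: print the quoted entries of the list
# "Unattended-Upgrade::BLOCK { ... };" that are not commented out with //.
active_entries() {
    awk -v block="Unattended-Upgrade::$2" '
        $0 ~ ("^" block "[ \t]*[{]") { inblock = 1; next }
        inblock && /^[}]/            { inblock = 0 }
        inblock && !/^[ \t]*\/\//    {
            if (match($0, /"[^"]*"/)) print substr($0, RSTART + 1, RLENGTH - 2)
        }' "$1"
}

# scalar_value FILE KEY: print the value of an uncommented Unattended-Upgrade::KEY "value"; line.
scalar_value() {
    sed -n "s/^Unattended-Upgrade::$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$1"
}

# check_security_only FILE: succeed only when the security origin is the sole
# active Allowed-Origins entry (no -updates or -proposed line left uncommented).
check_security_only() {
    origins=$(active_entries "$1" Allowed-Origins)
    [ "$(printf '%s\n' "$origins" | grep -c .)" -eq 1 ] &&
        printf '%s\n' "$origins" | grep -q -- '-security$'
}

if check_security_only "$CONF"; then echo "only security updates enabled"; fi
echo "blacklist: $(active_entries "$CONF" Package-Blacklist | tr '\n' ' ')"
echo "reboot at: $(scalar_value "$CONF" Automatic-Reboot-Time)"
```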
Step 5: Enable Automatic Updates
To enable automatic updates of packages in Ubuntu 17.10, we must edit the configuration of automated updates by accessing the following directory:
cd /etc/apt/apt.conf.d/
Once we access, we will use an editor to access the following file:
sudo nano 20auto-upgrades
In the opened file, we add the following:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "3";
APT::Periodic::Unattended-Upgrade "1";
Save the changes.
Check Logs of Unattended Updates
To identify all updated packages, we check the unattended-upgrades logs located in the /var/log/unattended-upgrades directory.
We can go to the /var/log/unattended-upgrades directory and list the available logs:
cd /var/log/unattended-upgrades
ls -lah
There we can see three logs:
With these options, we can configure automatic updates to match the organization's current needs.