Ubuntu Enable & Set up Automatic Unattended Security Updates


I have a minimal Ubuntu Linux 18.04 LTS server set up in the cloud. I read that one can configure Ubuntu Linux to automatically download and install security updates when they are released. How can I set up automatic security updates on an Ubuntu Linux 18.04 or 16.04 LTS system?

Linux server security is indeed an essential task for sysadmins. One of the most fundamental ways to keep a server or desktop secure is to install security updates on time to patch vulnerabilities. One can use the apt-get command or apt command to install security updates. This page shows you how to configure an Ubuntu Linux system to install security updates automatically when they are released by the Ubuntu security team.

You may be wondering why you need an unattended way to install security updates. Applying updates on a frequent basis is an important part of keeping systems secure. By default, updates need to be applied manually using package management tools. However, you can choose to have Ubuntu automatically download and install important security updates.

Step 1. Install unattended-upgrades package

Warning: Some security risks associated with running unattended software upgrades without supervision do exist, but there are also benefits. Use your judgment when in doubt.

Type the following apt-get command or apt command to install the unattended-upgrades package:

$ sudo apt install unattended-upgrades apt-listchanges bsd-mailx



Step 2. Ubuntu enable unattended security updates

Run the following command:

$ sudo dpkg-reconfigure -plow unattended-upgrades



Step 3. Configuration file

You should see the /etc/apt/apt.conf.d/20auto-upgrades file, created by the above command. You can view it with the cat command:

$ cat /etc/apt/apt.conf.d/20auto-upgrades

Sample outputs (make sure it is as follows; if NOT, update it manually):

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";

Next, edit the file named /etc/apt/apt.conf.d/50unattended-upgrades using a text editor such as vim or nano:

$ sudo vi /etc/apt/apt.conf.d/50unattended-upgrades

Make sure config is as follows:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESM:${distro_codename}";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

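Optionally, list packages that should be skipped. Packages listed here, such as the kernel (linux-image) in this example, will not receive automatic security updates and must be patched manually: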

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
        "linux-image";
        "vim";
        "nginx";
};

Set up alert email ID

Configure an email address to receive mail when there is a problem or when packages are upgraded. Of course, you must have a working email setup for this to work:

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "notify@server1.cyberciti.biz";

Automatically reboot WITHOUT CONFIRMATION

With the following setting, the box reboots automatically if the file /var/run/reboot-required is found after the upgrade, for example after a kernel update:

Unattended-Upgrade::Automatic-Reboot "true";

Related: How to find out if my Ubuntu/Debian Linux server needs a reboot

Save and close the file. Finally, edit the file named /etc/apt/listchanges.conf using a text editor such as vim or nano:

$ sudo vi /etc/apt/listchanges.conf

Set email address from:

email_address=root

To:

email_address=notify@server1.cyberciti.biz

Save and close the file.

Ubuntu automatic updates email alert

The unattended-upgrades package on Ubuntu sent an update report via email as follows:



How to view unattended upgrades logs on Ubuntu Linux

Now that you have set up automatic updates on Ubuntu Server 18.04 LTS, it is time to look at the logs. Use the grep command, cat command, more command, or tail command:

sudo grep 'linux-image' /var/log/unattended-upgrades/unattended-upgrades.log

sudo cat /var/log/unattended-upgrades/unattended-upgrades.log

sudo tail -f /var/log/unattended-upgrades/unattended-upgrades.log

sudo tail -f /var/log/unattended-upgrades/unattended-upgrades-dpkg.log



Conclusion

You learned how to install and configure the unattended-upgrades package, which automatically installs updated packages and can be configured to update all packages or install only security updates. For more info see this page.



This entry is 3 of 3 in the Applying Debian/Ubuntu Linux Security Updates/Patches series. Keep reading the rest of the series:

1. How to apply Debian security patches
2. How to keep Debian Linux patched with latest security updates automatically
3. Ubuntu Enable & Setup Automatic Unattended Security Updates