Computer security is an issue of paramount importance, even more so when we are running services exposed to the internet, and more still when those services hold sensitive data.

The first piece of advice you will always get is “keep your system up to date with the latest security patches”, and my favourite way of keeping my Debian systems safe is through the unattended-upgrades package.

Automatic security updates are handy when we are managing a considerable number of servers, but we want to be careful because things can break for users or coworkers, so choosing the right configuration and having a predefined procedure can save us some headaches.

This is included in the latest release of NextCloudPi.

Installation

Generic Installer

You can easily install and configure it on your running server through the generic installer

git clone https://github.com/nextcloud/nextcloudpi.git
cd nextcloudpi
./installer.sh unattended-upgrades.sh <server_IP>

Raspbian offline

Alternatively, you can install it offline into a Raspbian SD card using QEMU.

Take the SD card out of the Raspberry Pi, plug it into your computer and copy the image (adjust sdx).

sudo dd if=/dev/sdx of=my_rpi.img bs=4M

Then,

./installer.sh unattended-upgrades.sh 192.168.0.130 my_rpi.img

Once done, you can copy it back (adjust sdx).

sudo dd if=my_rpi.img of=/dev/sdx bs=4M

Manual

If you want to do it step by step, install with

sudo apt-get install unattended-upgrades

Easy configuration

If you are using the generic installer, or run nextcloudpi-config in NextCloudPi, it comes down to two simple settings

ACTIVE: type yes to enable automatic updates

AUTOREBOOT: type yes to allow automatic reboots when needed.

In this setup, automatic reboots will only be run when needed, and will be run at 4:00 am.

Also, some settings will be configured for you: .deb packages will be cached for 2 weeks, and a periodic apt-get autoclean will be run every week to prevent the autoupdate setup from taking up too much storage.

See the code below for details. If you have different needs, continue reading.

Detailed Configuration

If you want to go in more detail, issue

sudo dpkg-reconfigure --priority=low unattended-upgrades

This will create /etc/apt/apt.conf.d/20auto-upgrades with the following simple configuration

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

which updates the package lists and performs security updates daily (the value "1" means every day).

You can check all options in /etc/apt/apt.conf.d/50unattended-upgrades

Your updates will be run from /etc/cron.daily/apt. That file is also worth a read if you like tweaking things, for instance a scheduled apt-get autoremove.
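Because apt reads every fragment in /etc/apt/apt.conf.d in lexical order and a later assignment overrides an earlier one, a forgotten 99-file can silently switch the automatic updates back off. The following added example (not code from the post or from the NextCloudPi project) resolves the effective value of each setting across a directory of fragments and flags the states a defender cares about. The fragments it creates are constructed for the demonstration: the 20... file mirrors the settings described above, and 99local is a hypothetical leftover override. It only understands the one-directive-per-line form `Key "Value";`, not the nested brace syntax; on a real system `apt-config dump` is the authoritative view.

```sh
#!/bin/sh
# Added example: audit the effective unattended-upgrades settings across
# apt.conf.d fragments. Not part of NextCloudPi. Constructed input below.

CONF_DIR=$(mktemp -d)
trap 'rm -rf "$CONF_DIR"' EXIT

# Constructed fragments: the first mirrors what the NextCloudPi script writes,
# the second is a hypothetical override someone left behind while debugging.
cat > "$CONF_DIR/20nextcloudpi-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::MaxAge "14";
APT::Periodic::AutocleanInterval "7";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
EOF
cat > "$CONF_DIR/99local" <<'EOF'
// disabled while debugging a broken upgrade, never removed
APT::Periodic::Unattended-Upgrade "0";
EOF

# apt_conf_get DIR KEY -> effective value of KEY (last assignment wins),
# empty output when the key is not set in any fragment.
apt_conf_get() {
  cat "$1"/* 2>/dev/null |
    awk -v key="$2" '
      /^[[:space:]]*(\/\/|#)/ { next }            # skip comment lines
      $1 == key {
        v = $0
        sub(/^[^"]*"/, "", v); sub(/".*$/, "", v)  # keep text between the quotes
        val = v
      }
      END { print val }'
}

# audit_upgrades DIR -> one finding per line, or "OK" when nothing is wrong
audit_upgrades() {
  n=0
  if [ "$(apt_conf_get "$1" APT::Periodic::Update-Package-Lists)" != "1" ]; then
    echo "package lists are not refreshed daily"; n=$((n + 1))
  fi
  if [ "$(apt_conf_get "$1" APT::Periodic::Unattended-Upgrade)" != "1" ]; then
    echo "unattended upgrades are disabled"; n=$((n + 1))
  fi
  # Automatic-Reboot-Time defaults to "now": with Automatic-Reboot on and no
  # time set, the machine reboots as soon as the upgrade run finishes.
  if [ "$(apt_conf_get "$1" Unattended-Upgrade::Automatic-Reboot)" = "true" ] &&
     [ -z "$(apt_conf_get "$1" Unattended-Upgrade::Automatic-Reboot-Time)" ]; then
    echo "automatic reboot enabled with no Automatic-Reboot-Time"; n=$((n + 1))
  fi
  [ "$n" -eq 0 ] && echo OK
  return 0
}

echo "effective Unattended-Upgrade: $(apt_conf_get "$CONF_DIR" APT::Periodic::Unattended-Upgrade)"
audit_upgrades "$CONF_DIR"
```

Run against the constructed directory it reports that unattended upgrades are disabled, even though the NextCloudPi fragment enables them, because 99local sorts last. Removing that file makes the audit report OK; pointing CONF_DIR at /etc/apt/apt.conf.d checks a real host.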

More on usage

You can run it yourself with

sudo unattended-upgrades -d

If you have mail set up, use this option

Unattended-Upgrade::Mail "root";

The operations are written to

/var/log/unattended-upgrades
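Checking that the nightly run actually happened, and what it did, is the part most people skip. As an added example (not from the post or the NextCloudPi project), this POSIX shell script summarises a log in the style of /var/log/unattended-upgrades/unattended-upgrades.log: how many runs there were, which packages were scheduled, whether a reboot was triggered, and the state of the most recent run. The log lines are constructed for the demonstration; the exact wording varies between unattended-upgrades versions, so the patterns may need adjusting against a real log.

```sh
#!/bin/sh
# Added example: summarise an unattended-upgrades log. Not NextCloudPi code.
# The sample log below is constructed; wording may differ on your version.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2017-03-10 04:00:12,101 INFO Starting unattended upgrades script
2017-03-10 04:00:12,102 INFO Allowed origins are: ['origin=Debian,codename=jessie,label=Debian-Security']
2017-03-10 04:00:31,540 INFO Packages that will be upgraded: libssl1.0.0 openssl
2017-03-10 04:00:59,880 INFO All upgrades installed
2017-03-10 04:01:00,003 WARNING Found /var/run/reboot-required, rebooting
2017-03-11 04:00:11,720 INFO Starting unattended upgrades script
2017-03-11 04:00:30,115 INFO No packages found that can be upgraded unattended
2017-03-12 04:00:13,002 INFO Starting unattended upgrades script
2017-03-12 04:00:44,291 INFO Packages that will be upgraded: curl libcurl3
2017-03-12 04:00:58,704 ERROR Installing the upgrades failed!
EOF

# ua_count PATTERN LOG -> number of lines matching the extended regex PATTERN
ua_count() {
  awk -v pat="$1" '$0 ~ pat { n++ } END { print n + 0 }' "$2"
}
ua_runs()     { ua_count 'Starting unattended upgrades script' "$1"; }
ua_failures() { ua_count ' ERROR ' "$1"; }
ua_reboots()  { ua_count 'reboot-required, rebooting' "$1"; }

# ua_packages LOG -> space-separated list of every package scheduled for upgrade
ua_packages() {
  awk -F 'Packages that will be upgraded: ' \
      'NF > 1 { printf "%s%s", sep, $2; sep = " " } END { print "" }' "$1"
}

# ua_last_success LOG -> date of the latest run that installed everything, or "none"
ua_last_success() {
  awk '/All upgrades installed/ { d = $1 } END { print (d ? d : "none") }' "$1"
}

# ua_health LOG -> state of the most recent run: OK, FAILED, INCOMPLETE or UNKNOWN.
# Each "Starting" line resets the state; the lines that follow it decide the outcome.
ua_health() {
  awk '/Starting unattended upgrades script/ { s = "INCOMPLETE" }
       /All upgrades installed|No packages found that can be upgraded/ { s = "OK" }
       / ERROR / { s = "FAILED" }
       END { print (s ? s : "UNKNOWN") }' "$1"
}

# ua_report LOG -> human-readable summary, one field per line
ua_report() {
  echo "runs:         $(ua_runs "$1")"
  echo "failures:     $(ua_failures "$1")"
  echo "reboots:      $(ua_reboots "$1")"
  echo "packages:     $(ua_packages "$1")"
  echo "last success: $(ua_last_success "$1")"
  echo "health:       $(ua_health "$1")"
}

ua_report "$SAMPLE_LOG"
```

On the constructed log the report shows three runs, one failure, one reboot and a health of FAILED, since the last run ended with an ERROR line. A health other than OK, or a last-success date older than a few days, is what a monitoring check should alert on; the same functions work on the real log by passing its path instead of SAMPLE_LOG.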

Raspbian

[update] Raspbian does not support the Raspbian-Security label. For Raspbian, it is either update nothing or everything, security or not. See this forum thread.

Code

#!/bin/bash

# Unattended upgrades installation on Raspbian
# Tested with 2017-03-02-raspbian-jessie-lite.img
#
# Copyleft 2017 by Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com>
# GPL licensed (see end of file) * Use at your own risk!
#
# Usage:
#
#   ./installer.sh unattended-upgrades.sh <IP> (<img>)
#
# See installer.sh instructions for details
#

ACTIVE_=yes
AUTOREBOOT_=yes

DESCRIPTION="unattended upgrades: automatically install security updates. Keep your cloud safe"

install()
{
  apt-get update
  apt install -y --no-install-recommends unattended-upgrades
}

configure()
{
  [[ $ACTIVE_     == "yes" ]] && local AUTOUPGRADE=1   || local AUTOUPGRADE=0
  [[ $AUTOREBOOT_ == "yes" ]] && local AUTOREBOOT=true || local AUTOREBOOT=false

  cat > /etc/apt/apt.conf.d/20nextcloudpi-upgrades <<EOF
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "$AUTOUPGRADE";
APT::Periodic::MaxAge "14";
APT::Periodic::AutocleanInterval "7";
Unattended-Upgrade::Automatic-Reboot "$AUTOREBOOT";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
EOF
}

cleanup()
{
  apt-get autoremove -y
  apt-get clean
  rm /var/lib/apt/lists/* -r
  rm -f /home/pi/.bash_history
  systemctl disable ssh
}

# License
#
# This script is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This script is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this script; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330,
# Boston, MA 02111-1307 USA

github

References

https://help.ubuntu.com/community/AutomaticSecurityUpdates