This tutorial is going to show you how to set up automatic security updates, aka unattended upgrades, on Ubuntu. If you are not living under a rock, then you probably know about the massive Equifax data breach. 143 million Equifax customers’ information, including names, social security numbers, dates of birth, driver’s licenses, and 200k credit card numbers, was stolen between May and July 2017.
In March 2017, a critical vulnerability in Apache Struts was found, and the Apache Foundation released a fix for it when they announced the existence of the vulnerability. However, Equifax didn’t patch the vulnerability for two months, resulting in the massive data breach. Corporations running complex applications may need to do extensive testing before installing updates, but if you have a simple Linux server for personal use, you can turn on automatic security updates to patch vulnerabilities ASAP.
First, install the unattended-upgrades package.
sudo apt update
sudo apt install unattended-upgrades
You need to install the update-notifier-common package in order to set up automatic reboot.
sudo apt install update-notifier-common
Then edit the 50unattended-upgrades file.
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
In this file, you can configure which packages should be automatically updated. By default, only security updates are installed automatically, as indicated by the following lines, so there’s no need to change this section.
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    // Extended Security Maintenance; doesn't necessarily exist for
    // every release and this system may not have it installed, but if
    // available, the policy for updates is such that unattended-upgrades
    // should also install from here by default.
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
//  "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
//  "${distro_id}:${distro_codename}-backports";
};
"${distro_id}:${distro_codename}" is necessary because security updates may pull in new dependencies from non-security sources. This origin does not itself provide software updates; it is only the base release pocket.