Set up Automatic Security Update (Unattended Upgrades) on Ubuntu

This tutorial is going to show you how to set up automatic security updates, aka unattended upgrades, on Ubuntu. If you are not living under a rock, then you probably know about the massive Equifax data breach. The information of 143 million Equifax customers, including names, social security numbers, dates of birth, driver’s license numbers and 200k credit card numbers, was stolen between May and July 2017.

In March 2017, a critical vulnerability in Apache Struts was found, and the Apache Foundation released a fix for it when they announced the existence of the vulnerability. However, Equifax didn’t patch the vulnerability for two months, which resulted in the massive data breach. Corporations running complex applications may need to do extensive testing before installing updates, but if you have a simple Linux server for personal use, you can turn on automatic security updates to patch vulnerabilities ASAP.

Configure Automatic Security Update (Unattended Upgrades) on Ubuntu Server

First, install the unattended-upgrades package.

sudo apt update

sudo apt install unattended-upgrades

You also need to install the update-notifier-common package if you want to set up automatic reboots after updates.

sudo apt install update-notifier-common

Then edit the 50unattended-upgrades file.

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

In this file, you can configure which packages should be automatically updated. By default, only security updates are installed automatically, as indicated by the following lines, so there’s no need to change this section.

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
  • The first origin "${distro_id}:${distro_codename}" is necessary because security updates may pull in new dependencies from non-security sources. This origin holds the release’s original packages and does not itself provide updates.
  • The second origin is for regular security updates.
  • The third and fourth origins (ESMApps and ESM) are for Extended Security Maintenance, i.e. for those who run an Ubuntu release that has reached end-of-life. You can leave them as they are.
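To check which of these origins are actually active on a machine, here is a small audit script written for this tutorial (it is not part of unattended-upgrades). It parses the Allowed-Origins block, expands the ${distro_id}/${distro_codename} variables, and separates active origins from commented-out ones; the sample block and the Ubuntu/jammy values are constructed for the demonstration.

```python
import re

# Constructed sample mirroring the Allowed-Origins block shown above.
SAMPLE_CONF = """
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
"""

BLOCK_RE = re.compile(r"Unattended-Upgrade::Allowed-Origins\s*\{(.*?)\};", re.S)
ORIGIN_RE = re.compile(r'"([^"]+)"\s*;')


def parse_allowed_origins(text, distro_id="Ubuntu", codename="jammy"):
    """Return (active, commented) origin lists with apt variables expanded.

    A line whose first non-blank characters are '//' is a comment in
    apt.conf syntax, so any origin on it is reported as commented out.
    """
    block = BLOCK_RE.search(text)
    if not block:
        raise ValueError("no Allowed-Origins block found")
    active, commented = [], []
    for line in block.group(1).splitlines():
        stripped = line.strip()
        match = ORIGIN_RE.search(stripped)
        if not match:
            continue  # pure comment or empty line
        origin = (match.group(1)
                  .replace("${distro_id}", distro_id)
                  .replace("${distro_codename}", codename))
        (commented if stripped.startswith("//") else active).append(origin)
    return active, commented


def security_origin_enabled(text, distro_id="Ubuntu", codename="jammy"):
    """True when the plain -security pocket is an active origin."""
    active, _ = parse_allowed_origins(text, distro_id, codename)
    return f"{distro_id}:{codename}-security" in active


if __name__ == "__main__":
    # Read the real file when run on an Ubuntu box, else fall back to the sample.
    try:
        with open("/etc/apt/apt.conf.d/50unattended-upgrades") as f:
            conf = f.read()
    except OSError:
        conf = SAMPLE_CONF
    enabled, disabled = parse_allowed_origins(conf)
    print("active:", enabled)
    print("commented out:", disabled)
```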
