Staying up to date with the latest security patches is a crucial step to avoid getting hacked.
Google recently published an article showcasing a proof-of-concept attack based on the famous Spectre vulnerability, just to emphasize the possible consequences of leaving affected systems unpatched.
There is a constant flow of new vulnerabilities being discovered and, as a result, new security updates are getting published almost every day.
Luckily, this process has been made simple for Linux users running Debian-based distributions like Ubuntu. The unattended-upgrades package does exactly what its name suggests: it installs security updates automatically, without anyone having to log in.
Install the unattended-upgrades utility (apt-listchanges is included so that changelogs of applied updates are reported):
sudo apt install unattended-upgrades apt-listchanges
Reconfigure the package to ensure it will automatically perform updates (choose <Yes> when prompted):
sudo dpkg-reconfigure -plow unattended-upgrades
Check /etc/apt/apt.conf.d/20auto-upgrades and make sure it has the following content:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
For more information regarding these variables, take a look at https://debian-handbook.info/browse/stable/sect.regular-upgrades.html
Check /etc/apt/apt.conf.d/50unattended-upgrades and make sure only the lines corresponding to security packages are uncommented:
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
If you would like to exclude certain packages from being updated automatically, list them in the same file under:
Unattended-Upgrade::Package-Blacklist {
"docker";
"nginx";
};
To get a list of security packages that are ready to be upgraded (a simulation; nothing is installed):
apt-get upgrade -s | grep -i security
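The two checks above can be scripted for a fleet audit. The following is an added example, not code from the original article: it verifies that a 20auto-upgrades-style file enables both the package-list refresh and the unattended upgrade, and counts how many pending upgrades in `apt-get -s upgrade` output come from a -security pocket. The function names and the sample files are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example: pre-flight checks for the unattended-upgrades setup.
# Sample config files and apt output below are constructed, not captured.

# Returns 0 if both Update-Package-Lists and Unattended-Upgrade are "1"
# in the given apt.conf.d-style file, 1 otherwise.
auto_upgrades_enabled() {
    grep -Eq '^[[:space:]]*APT::Periodic::Update-Package-Lists[[:space:]]+"1";' "$1" || return 1
    grep -Eq '^[[:space:]]*APT::Periodic::Unattended-Upgrade[[:space:]]+"1";' "$1" || return 1
}

# Prints the number of "Inst" lines whose origin is a -security pocket.
# Only Inst lines are counted, so the matching Conf lines are not double counted
# (a plain `grep -i security` would count both).
count_security_upgrades() {
    grep -c '^Inst .*-security ' "$1" || true
}

WORK=$(mktemp -d)
GOOD_CONF="$WORK/20auto-upgrades.good"
BAD_CONF="$WORK/20auto-upgrades.bad"
SIM_OUT="$WORK/apt-get-upgrade-s.txt"

cat > "$GOOD_CONF" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF
# Same layout, but unattended upgrades switched off.
cat > "$BAD_CONF" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
EOF
# Constructed `apt-get -s upgrade` output in apt's own line format.
cat > "$SIM_OUT" <<'EOF'
Inst openssl [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security [amd64])
Inst libssl3 [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security [amd64])
Inst vim [2:8.2.3995-1ubuntu2.9] (2:8.2.3995-1ubuntu2.10 Ubuntu:22.04/jammy-updates [amd64])
Conf openssl (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security [amd64])
Conf libssl3 (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security [amd64])
EOF

if auto_upgrades_enabled "$GOOD_CONF"; then echo "good config: unattended upgrades enabled"; fi
if ! auto_upgrades_enabled "$BAD_CONF"; then echo "bad config: unattended upgrades NOT enabled"; fi
echo "pending security upgrades: $(count_security_upgrades "$SIM_OUT")"
```

On a real host, point auto_upgrades_enabled at /etc/apt/apt.conf.d/20auto-upgrades and feed count_security_upgrades the saved output of `apt-get -s upgrade`.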
To see what unattended-upgrade will do when it runs, without applying anything:
sudo unattended-upgrades --dry-run --debug
To run the upgrade manually instead of waiting for the timer:
sudo unattended-upgrade
To get the overall number of packages with available updates (security updates are reported separately):
/usr/lib/update-notifier/apt-check --human-readable