Keeping Ubuntu Secure with Unattended-Upgrades

Keeping your operating system up-to-date is crucial for maintaining security and stability. For Ubuntu/Debian users, the unattended-upgrades package offers a solution to automate this essential task.

Unattended-upgrades is a package for Ubuntu and other Debian-based Linux distributions that automates the process of keeping your system up-to-date. Its primary purpose is to automatically install security updates without requiring manual intervention from the system administrator.

To install unattended-upgrades, run

sudo apt install unattended-upgrades

To configure it, edit the file

sudo vi /etc/apt/apt.conf.d/50unattended-upgrades

Uncomment the line

//      "${distro_id}:${distro_codename}-updates";

so that the block looks like this

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

Uncomment the following line. It helps if you need a quick reboot while an upgrade is running, which is good for desktops/workstations.

//Unattended-Upgrade::MinimalSteps "true";

Another configuration file is /etc/apt/apt.conf.d/20auto-upgrades. The default values are fine for this one.

sudo vi /etc/apt/apt.conf.d/20auto-upgrades

To debug unattended-upgrades, run

sudo unattended-upgrade --dry-run --debug
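To confirm the Allowed-Origins edit took effect, the following added example (not part of the original post or of the unattended-upgrades package) lists the origins that are actually uncommented. The function names and the embedded sample file are constructed for illustration; pass the real path as the first argument to check your own system.

```shell
#!/bin/sh
# Added example: report which origins are active in Allowed-Origins.

# Constructed sample: the Allowed-Origins block as edited on this page.
write_sample() {
    cat > "$1" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
EOF
}

# Print each uncommented origin pattern inside the Allowed-Origins block.
active_origins() {
    awk '
        /^[ \t]*Unattended-Upgrade::Allowed-Origins[ \t]*[{]/ { inblock = 1; next }
        inblock && /^[ \t]*[}];/ { inblock = 0 }
        inblock && /^[ \t]*"/ {
            line = $0
            sub(/^[^"]*"/, "", line)   # drop leading whitespace and opening quote
            sub(/".*$/, "", line)      # drop closing quote and trailing text
            print line
        }
    ' "$1"
}

# Succeed if an active origin ends with "}SUFFIX", e.g. "-updates".
origin_enabled() {
    active_origins "$1" | grep -q -- "}$2\$"
}

# Print enabled/disabled for the pockets discussed on this page.
report() {
    for suffix in -security -updates -proposed -backports; do
        if origin_enabled "$1" "$suffix"; then state=enabled; else state=disabled; fi
        printf '%-12s %s\n' "$suffix" "$state"
    done
}

sample=$(mktemp)
write_sample "$sample"
report "${1:-$sample}"   # default to the constructed sample when no path is given
rm -f "$sample"
```

With the configuration shown on this page, -security and -updates report as enabled, while -proposed and -backports stay disabled.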
