Keeping Ubuntu Secure with Unattended-Upgrades
Keeping your operating system up-to-date is crucial for maintaining security and stability. For Ubuntu/Debian users, the unattended-upgrades package offers a solution to automate this essential task.
Unattended-upgrades is a package for Ubuntu and other Debian-based Linux distributions that automates the process of keeping your system up-to-date. Its primary purpose is to automatically install security updates without requiring manual intervention from the system administrator.
To install unattended-upgrades, run:
sudo apt install unattended-upgrades
To configure it, edit the file:
sudo vi /etc/apt/apt.conf.d/50unattended-upgrades
Uncomment the line
// "${distro_id}:${distro_codename}-updates";
so that the block looks like this:
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
Uncomment the following line. This helps if you need a quick reboot while an upgrade is running, and is good for desktops/workstations.
//Unattended-Upgrade::MinimalSteps "true";
Another configuration file is /etc/apt/apt.conf.d/20auto-upgrades; the default values are fine for this.
sudo vi /etc/apt/apt.conf.d/20auto-upgrades
To debug unattended-upgrades, run:
sudo unattended-upgrade --dry-run --debug
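A read-only check of the two files edited above, added here as an example and not part of the original page: it lists the active Allowed-Origins entries and confirms that the APT::Periodic switches are on. The function names and the sample files are constructed for illustration; the two APT::Periodic keys are what a stock 20auto-upgrades contains, which the page does not show.

```shell
#!/bin/sh
# Added example: audit unattended-upgrades settings without changing anything.

# Print the active (uncommented) entries of the Allowed-Origins block, one per line.
active_origins() {
    awk '
        /^[ \t]*Unattended-Upgrade::Allowed-Origins[ \t]*[{]/ { blk = 1; next }
        blk && /^[ \t]*[}];/ { blk = 0 }
        blk && /^[ \t]*"/ { sub(/^[ \t]*"/, ""); sub(/".*$/, ""); print }
    ' "$1"
}

# Print the value of APT::Periodic::<key> in a file (empty if unset or commented out).
periodic_value() {
    awk -v key="APT::Periodic::$2" '$1 == key { v = $2; gsub(/[";]/, "", v) } END { print v }' "$1"
}

# audit <50unattended-upgrades> <20auto-upgrades>: print findings, return 1 on any FAIL.
audit() {
    rc=0
    for key in Update-Package-Lists Unattended-Upgrade; do
        v=$(periodic_value "$2" "$key")
        case "$v" in
            ""|0) echo "FAIL: APT::Periodic::$key is '${v:-unset}'"; rc=1 ;;
            *)    echo "ok:   APT::Periodic::$key = $v" ;;
        esac
    done
    origins=$(active_origins "$1")
    echo "$origins" | grep -q -- '-security$' || { echo "FAIL: no -security origin active"; rc=1; }
    if echo "$origins" | grep -Eq -- '-(proposed|backports)$'; then
        echo "WARN: -proposed or -backports origin is active"
    fi
    return "$rc"
}

# Constructed sample input, written to a temp dir so the demo runs on any machine.
demo_dir=$(mktemp -d)
cat > "$demo_dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
};
EOF
printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
              'APT::Periodic::Unattended-Upgrade "1";' > "$demo_dir/20auto-upgrades"
audit "$demo_dir/50unattended-upgrades" "$demo_dir/20auto-upgrades"
```

On a real host, call audit with /etc/apt/apt.conf.d/50unattended-upgrades and /etc/apt/apt.conf.d/20auto-upgrades as its two arguments.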