
If you use/administer a Debian/Ubuntu system, you can automate the security update process by using the program unattended-upgrades. This tool provides a simple way to manage this task.
To install it:
apt-get install unattended-upgrades
dpkg-reconfigure unattended-upgrades
After selecting “Yes”, a configuration file is created (/etc/apt/apt.conf.d/20auto-upgrades) with this content:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
The first line of this file runs an “apt-get update” command. The “1” at the end of the line indicates that it is enabled (0 disables it).
The second line runs the “unattended-upgrade” security upgrade script.
The schedule is managed by:
- the location of the apt script file. The default is /etc/cron.daily/apt
- the time configured in the file /etc/crontab. For the daily setting, the line is:
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
You can update the configuration file /etc/apt/apt.conf.d/50unattended-upgrades to:
- allow other update types (updates, proposed, backports)
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
    "${distro_id}:${distro_codename}-proposed";
    "${distro_id}:${distro_codename}-backports";
};
- exclude some packages (regular expressions are supported)
Unattended-Upgrade::Package-Blacklist {
    "vim";
    "libc6";
    "libc6-dev";
    "libc6-i686";
};
- configure an automatic reboot
Unattended-Upgrade::Automatic-Reboot "false";
- schedule a reboot
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
- receive an email
Unattended-Upgrade::Mail "youremail@local.domain";
- limit the download bandwidth
Acquire::http::Dl-Limit "70";
More options can be configured. It is well-documented.
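To check that a host really has the two periodic jobs enabled and has not left the pre-release -proposed pocket open to unattended installs, here is an added audit script (not part of the original post). The function names, the 99local override file mentioned in the comments, and the sample directory are assumptions made for this example, and only the flat `Key "value";` syntax shown above is parsed.

```shell
#!/bin/sh
# Added example (not from the original post): audit an apt.conf.d directory
# for the settings discussed above. Nested "APT::Periodic { ... }" blocks
# are not parsed; function names are hypothetical.

# Print the last uncommented value of APT::Periodic::<key> found under <dir>.
# Files are read in glob (lexical) order, so e.g. 99local overrides 20auto-upgrades.
periodic_value() {
    sed -n -e '/^[[:space:]]*\/\//d' \
        -e "s/.*APT::Periodic::$2[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
        "$1"/* 2>/dev/null | tail -n 1
}

# Succeed if an uncommented line under <dir> enables the given pocket suffix.
origin_enabled() {
    sed -e '/^[[:space:]]*\/\//d' "$1"/* 2>/dev/null |
        grep -q -- "codename}-$2\""
}

# Return 0 when both periodic jobs are on and -proposed is not an allowed origin.
audit_unattended() {
    dir=$1 rc=0
    for key in Update-Package-Lists Unattended-Upgrade; do
        val=$(periodic_value "$dir" "$key")
        case $val in
            ''|0) echo "FAIL: APT::Periodic::$key is disabled or unset"; rc=1 ;;
            *)    echo "ok:   APT::Periodic::$key = \"$val\"" ;;
        esac
    done
    if origin_enabled "$dir" proposed; then
        echo "FAIL: -proposed (pre-release packages) is an allowed origin"; rc=1
    fi
    return "$rc"
}

# Constructed sample directory mirroring the files described in the post.
demo=$(mktemp -d)
cat > "$demo/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
cat > "$demo/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-proposed";
};
EOF
audit_unattended "$demo" || echo "audit failed"
```

On a live system, call `audit_unattended /etc/apt/apt.conf.d`; `apt-config dump` shows the merged values apt actually uses and is the authoritative cross-check.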