How to Setup Automatic Security Updates on Ubuntu 16.04

Security updates are an integral part of the IT world. Linux is often regarded as one of the most secure operating systems, but that does not change the fact that it too has vulnerabilities that must be fixed through timely security updates. A common patching baseline is to apply Linux security updates within 30 days of release, and sooner for vulnerabilities that are known to be exploited.

We've already discussed how to set up automatic security updates on CentOS. In this tutorial, we will show you step by step how to configure an Ubuntu 16.04 server for automatic security updates, so that when a security update is published for an installed package, the system downloads and applies it without manual intervention.

What we will do

  1. Install unattended-upgrades on Ubuntu 16.04
  2. Configure unattended-upgrades
  3. Enable automatic updates
  4. Check updated packages

Prerequisites

  • Ubuntu 16.04 Server
  • Root privileges

Step 1 - Install unattended-upgrades on Ubuntu 16.04

The first thing to do is install the 'unattended-upgrades' package. It is available in the Ubuntu repositories and can be installed with the apt command. On Ubuntu Server it is usually installed already; running the command again is harmless.

Log in to your server over SSH.

ssh root@hakase-labs

Update the package lists and install 'unattended-upgrades' using the apt commands below.

sudo apt update
sudo apt install unattended-upgrades

After the installation, we need to edit the configuration files in the '/etc/apt/apt.conf.d' directory.

Step 2 - Configure unattended-upgrades

The unattended-upgrades configuration lives in the '/etc/apt/apt.conf.d' directory. We need to edit it to define which updates are applied automatically, which packages are excluded (blacklisted), and a few additional options.

Go to the '/etc/apt/apt.conf.d' directory and edit the configuration file '50unattended-upgrades' using the vim editor.

cd /etc/apt/apt.conf.d/
vim 50unattended-upgrades

Define upgrade type

We need to define which kinds of updates the system applies automatically. unattended-upgrades selects packages by the APT origin (pocket) they come from: the release pocket, the security pocket, and optionally -updates, -proposed and -backports. For this guide, we only want security updates on the Ubuntu 16.04 system.

In the first block, 'Allowed-Origins', comment out every line (lines starting with '//' are comments) and leave only the security line, as shown below. Commenting out the plain '${distro_id}:${distro_codename}' entry is harmless: that is the original release archive, which does not change after the release.

Unattended-Upgrade::Allowed-Origins {
//      "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
//      "${distro_id}ESM:${distro_codename}";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};


Blacklist Packages

The second block is the package blacklist. It defines which packages unattended-upgrades must never upgrade, for example because an unplanned upgrade or service restart would be disruptive. Keep in mind that a blacklisted package no longer receives security fixes automatically, so it needs its own manual patching process.

In this section, we just want to give an example of a blacklist configuration. Suppose we do not want 'vim', 'mysql-server' and 'mysql-client' to be upgraded; in that case, our blacklist should look like the one shown below. Note that unattended-upgrades treats each entry as a regular expression matched against the start of the package name, so "vim" also excludes vim-common and vim-runtime, and "mysql-server" also excludes mysql-server-5.7. Use an anchored pattern such as "vim$" if you want an exact match.

Unattended-Upgrade::Package-Blacklist {
        "vim";
        "mysql-server";
        "mysql-client";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};

Additional Configuration

Next, we enable some additional features provided by unattended-upgrades: an email report for every run, automatic removal of dependencies that are no longer needed (the equivalent of 'apt autoremove'), and an automatic reboot when an upgraded package requires one.

For email notification, uncomment the following line (any address a local MTA can deliver to will do). If you only want mail when something goes wrong, also set 'Unattended-Upgrade::MailOnlyOnError' to "true".

Unattended-Upgrade::Mail "root";

Note:

The version of unattended-upgrades shipped with Ubuntu 16.04 sends the report with the 'mail' command, so a package that provides mailx (for example 'bsd-mailx' or 'mailutils') plus a working MTA must be installed. Installing only the 'sendmail' package is not enough, because it does not provide /usr/bin/mail. The command below installs bsd-mailx, which pulls in postfix as the default MTA.

sudo apt install -y bsd-mailx

To remove dependencies that are no longer needed after an upgrade, uncomment the following line and change the value to 'true'.

Unattended-Upgrade::Remove-Unused-Dependencies "true";

For an automatic reboot after an upgrade that requires one, uncomment the 'Automatic-Reboot' line and change the value to 'true'.

Unattended-Upgrade::Automatic-Reboot "true";

With 'Automatic-Reboot' enabled, the server reboots only when an upgraded package (typically the kernel or libc) has requested it by creating /var/run/reboot-required. By default the reboot happens right after the run; to schedule it for a quieter time instead, uncomment the corresponding line and set the time. If the file also contains an 'Automatic-Reboot-WithUsers' line, setting it to "false" prevents a reboot while someone is logged in. Here is my configuration.

Unattended-Upgrade::Automatic-Reboot-Time "00:00";

Save and exit.

The unattended-upgrades package is now installed and configured.

Step 3 - Enable automatic updates

Configuring 50unattended-upgrades only describes what may be upgraded; the daily jobs that run it are controlled by the APT::Periodic settings in the auto-upgrades configuration, which we edit next. (The file can also be generated with 'dpkg-reconfigure -plow unattended-upgrades'.)

Go to the '/etc/apt/apt.conf.d' directory and edit the configuration file '20auto-upgrades' using vim.

cd /etc/apt/apt.conf.d/
vim 20auto-upgrades

Make the configuration look like the one below.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "3";
APT::Periodic::Unattended-Upgrade "1";

Save and exit.

Note:

  • Update-Package-Lists: refresh the package lists (apt update) every N days; "1" means daily, "0" disables it.
  • Download-Upgradeable-Packages: download upgradeable packages every N days; "1" means daily, "0" disables it.
  • AutocleanInterval: run 'apt autoclean' (remove obsolete .deb files from the cache) every N days; "3" means every 3 days.
  • Unattended-Upgrade: run unattended-upgrade every N days; "1" means daily, "0" disables it.

The values are intervals in days, not booleans. On Ubuntu 16.04 the jobs are triggered by the apt-daily systemd timers, so 'systemctl list-timers' shows when the next run is due.

At this stage, security updates are downloaded and installed automatically on the daily schedule.
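Before trusting the schedule, it is worth checking that the two files actually say what Steps 2 and 3 intended. The script below is an added example, not code from the original tutorial: it reads the active (uncommented) entries of a list block in 50unattended-upgrades, reproduces the anchored-regex rule used for the blacklist so a pattern can be tested before relying on it, and verifies the APT::Periodic values. CONF_DIR is an assumed knob that defaults to the real directory and can be pointed at a scratch copy.

```shell
#!/bin/sh
# Added example for this tutorial, not part of the original page: audit the
# configuration produced in Steps 2 and 3 without editing anything.
# CONF_DIR is an assumed knob; it defaults to the real apt.conf.d and can be
# pointed at a scratch directory holding copies of the two files.
CONF_DIR="${CONF_DIR:-/etc/apt/apt.conf.d}"

# Print the entries of one list block in 50unattended-upgrades that are
# actually active, i.e. not commented out with //. $1 is the key name
# after "Unattended-Upgrade::", e.g. Allowed-Origins or Package-Blacklist.
config_list() {
    awk -v key="Unattended-Upgrade::$1" '
        index($0, key) == 1          { inblock = 1; next }
        inblock && /^};/             { inblock = 0 }
        inblock && /^[[:space:]]*"/  { gsub(/[";[:space:]]/, ""); print }
    ' "$CONF_DIR/50unattended-upgrades"
}

active_origins() { config_list Allowed-Origins; }

# unattended-upgrades matches each Package-Blacklist entry as a regular
# expression anchored at the start of the package name, so "vim" also
# covers vim-common. grep -E reproduces that rule closely enough to test
# a pattern before relying on it. Returns 0 when package $2 would be skipped.
blacklisted() {
    printf '%s\n' "$2" | grep -Eq "^($1)"
}

# Read one APT::Periodic value from 20auto-upgrades (empty if unset).
periodic_value() {
    sed -n "s/^APT::Periodic::$1 \"\([0-9]*\)\";.*/\1/p" "$CONF_DIR/20auto-upgrades"
}

# Overall check for the policy this tutorial sets up: only the security
# pocket is enabled, and package lists and upgrades are refreshed daily.
check_config() {
    origins=$(active_origins)
    if [ "$origins" != '${distro_id}:${distro_codename}-security' ]; then
        echo "unexpected Allowed-Origins: $origins"
        return 1
    fi
    if [ "$(periodic_value Update-Package-Lists)" != 1 ] ||
       [ "$(periodic_value Unattended-Upgrade)" != 1 ]; then
        echo "APT::Periodic does not run update and unattended-upgrade daily"
        return 1
    fi
    echo "configuration OK"
}

# Run the audit against the live system when invoked with --check.
if [ "${1:-}" = "--check" ]; then
    check_config
fi
```

Run it as 'sh audit.sh --check' on the server. For a final end-to-end check, 'sudo unattended-upgrade --dry-run --debug' evaluates the real configuration against the current package state and prints what would be upgraded without installing anything.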

Step 4 - Check updated packages

Checking unattended-upgrades logs

To identify which packages were updated, check the unattended-upgrades logs in the '/var/log/unattended-upgrades' directory.

Go to the '/var/log/unattended-upgrades' directory and check available logs.

cd /var/log/unattended-upgrades
ls -lah


You will find three log files.

  1. unattended-upgrades-dpkg.log - dpkg output for the packages unattended-upgrades installed, upgraded or removed.
  2. unattended-upgrades.log - the main log: the allowed origins and blacklist in force, the packages upgraded on each run, packages held back (for example because they would need a conffile prompt), and any error messages.
  3. unattended-upgrades-shutdown.log - the log of the shutdown hook that waits for a running upgrade to finish before the system shuts down or reboots.
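Reading unattended-upgrades.log by hand gets tedious once it spans months, and the most important lines are easy to miss: the WARNING lines for packages held back because dpkg would have asked a conffile question, since those packages stay unpatched until someone upgrades them manually. The script below is an added example, not part of the original tutorial. It extracts the upgraded packages, the held-back packages and the blacklist from the log, and ships with a constructed sample excerpt in the line format written by the 16.04 package; dates, package names and the 'manual' entry in that sample are made up for illustration, and a real log will differ.

```shell
#!/bin/sh
# Added example for this tutorial, not part of the original page: summarise
# what unattended-upgrades did from its own log instead of reading it by hand.
# Every function takes the log path as $1. The sample written by
# write_sample_log is constructed for illustration; real logs will differ.

# Write the constructed sample log to $1.
write_sample_log() {
    cat > "$1" <<'EOF'
2017-06-20 06:25:02,117 INFO Initial blacklisted packages: vim mysql-server mysql-client
2017-06-20 06:25:02,118 INFO Initial whitelisted packages:
2017-06-20 06:25:02,118 INFO Starting unattended upgrades script
2017-06-20 06:25:02,118 INFO Allowed origins are: ['o=Ubuntu,a=xenial-security']
2017-06-20 06:25:09,430 INFO Packages that will be upgraded: libssl1.0.0 openssl
2017-06-20 06:25:09,431 INFO Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log'
2017-06-20 06:25:31,902 INFO All upgrades installed
2017-06-21 06:25:03,004 INFO Initial blacklisted packages: vim mysql-server mysql-client
2017-06-21 06:25:03,004 INFO Starting unattended upgrades script
2017-06-21 06:25:03,005 INFO Allowed origins are: ['o=Ubuntu,a=xenial-security']
2017-06-21 06:25:08,771 WARNING Package sudo has conffile prompt and needs to be upgraded manually
2017-06-21 06:25:08,790 INFO Packages that will be upgraded: libc6 openssl
2017-06-21 06:25:40,115 INFO All upgrades installed
2017-06-22 06:25:02,500 INFO Starting unattended upgrades script
2017-06-22 06:25:07,010 INFO No packages found that can be upgraded unattended and no pending auto-removals
EOF
}

# Every package unattended-upgrades upgraded, across all runs in the log.
upgraded_packages() {
    sed -n 's/.*INFO Packages that will be upgraded: //p' "$1" | tr ' ' '\n' | awk 'NF' | sort -u
}

# Packages it refused to upgrade because dpkg would have asked a conffile
# question: these stay unpatched until someone upgrades them by hand.
conffile_prompts() {
    sed -n 's/.*WARNING Package \([^ ]*\) has conffile prompt and needs to be upgraded manually.*/\1/p' "$1" | sort -u
}

# The blacklist that was in force during the most recent run.
current_blacklist() {
    sed -n 's/.*INFO Initial blacklisted packages: //p' "$1" | tail -n 1
}

# Runs that installed something versus runs that found nothing to do.
# grep -c exits 1 on zero matches, so || true keeps the count usable.
run_summary() {
    installed=$(grep -c 'All upgrades installed' "$1" || true)
    idle=$(grep -c 'No packages found that can be upgraded unattended' "$1" || true)
    echo "runs_with_upgrades=$installed runs_idle=$idle"
}

# Stand-alone: report on the real log, or on the sample with --sample.
LOG="${LOG:-/var/log/unattended-upgrades/unattended-upgrades.log}"
if [ "${1:-}" = "--sample" ]; then
    LOG=$(mktemp)
    write_sample_log "$LOG"
fi
if [ -r "$LOG" ]; then
    echo "blacklist: $(current_blacklist "$LOG")"
    echo "upgraded:  $(upgraded_packages "$LOG" | tr '\n' ' ')"
    echo "manual:    $(conffile_prompts "$LOG" | tr '\n' ' ')"
    run_summary "$LOG"
fi
```

Anything printed under 'manual' deserves a ticket: unattended-upgrades will keep skipping that package on every run until it is upgraded interactively with apt.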

Update Notification

Another way to identify updated packages is the update notification shown in the message of the day on SSH login.

The following screenshot shows server notification before security updates are applied.

Update notification

And when all security packages get updated, the following message is displayed.

Security package update notification

Email Notification

For email notifications, we've set up delivery to the local root mailbox.

Go to the '/var/mail' directory and check the root email file.

cd /var/mail/
cat root

Email notification

We can identify things like blacklisted packages, updated packages, and removed packages.

Reboot check

To confirm that the automatic reboot took place, use the following command. While a reboot is still pending, the file /var/run/reboot-required exists and /var/run/reboot-required.pkgs lists the packages that requested it.

last reboot

Following is the result before all security packages are upgraded.

Pending security updates

And here's the result after upgrades.

Upgrade result

The unattended-upgrades package has been installed and configured for automatic security updates, with automatic reboot and email notification enabled.
