Configure Automatic Software Updates on Ubuntu Linux

It is recommended that a patch management system is maintained and configured.

Verify that the system’s package repositories are configured.

sudo apt-cache policy

Sample Output:

tux@freelinux:~$ sudo apt-cache policy
[sudo] password for tux:
Package files:
100 /var/lib/dpkg/status
release a=now
500 http://security.ubuntu.com/ubuntu xenial-security/multiverse i386 Packages
release v=16.04,o=Ubuntu,a=xenial-security,n=xenial,l=Ubuntu,c=multiverse,b=i386
origin security.ubuntu.com
500 http://security.ubuntu.com/ubuntu xenial-security/multiverse amd64 Packages
release v=16.04,o=Ubuntu,a=xenial-security,n=xenial,l=Ubuntu,c=multiverse,b=amd64
origin security.ubuntu.com

Use GPG key signing to verify the integrity of packages during installation. This ensures that they are obtained from a valid source.

Verify if package manager’s GPG keys are correctly configured.

sudo apt-key list

Sample Output:

tux@freelinux:~$ sudo apt-key list
/etc/apt/trusted.gpg
--------------------
pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub 2048g/79164387 2004-09-12
pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>
pub 4096R/EFE21092 2012-05-11
uid Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
pub 1024D/3E5C1192 2010-09-20
uid Ubuntu Extras Archive Automatic Signing Key <ftpmaster@ubuntu.com>
pub 4096R/991BC93C 2018-09-17
uid Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>

Setting up Automatic Updates:

1. Install the “unattended-upgrades” package

sudo apt install unattended-upgrades

2. Edit the configuration file /etc/apt/apt.conf.d/50unattended-upgrades. Remove the double slash (//) in front of an origin to enable it.
Before:
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};

After:
"${distro_id}:${distro_codename}-updates";

Additional Options:
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Mail "admin@freelinuxtutorials.com";
Unattended-Upgrade::MailOnlyOnError "true";

3. Configure /etc/apt/apt.conf.d/20auto-upgrades to enable automatic updates

sudo vi /etc/apt/apt.conf.d/20auto-upgrades

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "30";
APT::Periodic::Unattended-Upgrade "1";

where: each interval value is in days

Testing:

sudo unattended-upgrades --dry-run --debug

Verifying logs:

/var/log/unattended-upgrades/unattended-upgrades.log
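
As an added example (not part of the original tutorial), the shell function below audits a 20auto-upgrades file: it fails if the package-list update or unattended-upgrade interval is missing or set to "0", or if the file contains typographic quotes picked up by copy and paste. The function name check_auto_upgrades and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit a 20auto-upgrades file.
# check_auto_upgrades is a hypothetical helper name.
check_auto_upgrades() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 1; }

    # Curly quotes (UTF-8 E2 80 9C / E2 80 9D) come from copying configs off
    # web pages; apt.conf values need plain ASCII double quotes.
    lq=$(printf '\342\200\234')
    rq=$(printf '\342\200\235')
    if LC_ALL=C grep -qF -e "$lq" -e "$rq" "$file"; then
        echo "FAIL: typographic quotes in $file"
        rc=1
    fi

    # These two keys must be set to a non-zero day interval; "0" disables.
    # Lines commented out with // do not match; the last assignment wins.
    for key in Update-Package-Lists Unattended-Upgrade; do
        val=$(sed -n "s/^[[:space:]]*APT::Periodic::$key[[:space:]][[:space:]]*\"\([0-9][0-9]*\)\";.*/\1/p" "$file" | tail -n 1)
        if [ -z "$val" ]; then
            echo "FAIL: APT::Periodic::$key is not set"
            rc=1
        elif [ "$val" -eq 0 ]; then
            echo "FAIL: APT::Periodic::$key is 0 (disabled)"
            rc=1
        else
            echo "ok: APT::Periodic::$key runs every $val day(s)"
        fi
    done
    return $rc
}

# Constructed sample files, so the check runs without touching /etc/apt.
demo=$(mktemp -d)
printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
    'APT::Periodic::Unattended-Upgrade "1";' > "$demo/good"
printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
    'APT::Periodic::Unattended-Upgrade "0";' > "$demo/disabled"
printf 'APT::Periodic::Unattended-Upgrade \342\200\2341\342\200\235;\n' > "$demo/curly"

for f in good disabled curly; do
    echo "== $f"
    check_auto_upgrades "$demo/$f" || echo "-> $f rejected"
done
```

On a live system, call it as check_auto_upgrades /etc/apt/apt.conf.d/20auto-upgrades; sudo apt-config dump | grep Periodic shows the values apt actually parsed.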

About the author

Free Linux
