It is recommended that a patch management system is maintained and configured.
Verify that the system’s package repositories are configured.
sudo apt-cache policy
Sample Output:
tux@freelinux:~$ sudo apt-cache policy
[sudo] password for tux:
Package files:
100 /var/lib/dpkg/status
release a=now
500 http://security.ubuntu.com/ubuntu xenial-security/multiverse i386 Packages
release v=16.04,o=Ubuntu,a=xenial-security,n=xenial,l=Ubuntu,c=multiverse,b=i386
origin security.ubuntu.com
500 http://security.ubuntu.com/ubuntu xenial-security/multiverse amd64 Packages
release v=16.04,o=Ubuntu,a=xenial-security,n=xenial,l=Ubuntu,c=multiverse,b=amd64
origin security.ubuntu.com
Implement GPG keys signing to verify integrity of the packages during installation. This is make sure that it is obtained from valid source(s).
Verify if package manager’s GPG keys are correctly configured.
sudo apt-key list
Sample Output:
tux@freelinux:~$ sudo apt-key list
/etc/apt/trusted.gpg
——————–
pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub 2048g/79164387 2004-09-12
pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>
pub 4096R/EFE21092 2012-05-11
uid Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
pub 1024D/3E5C1192 2010-09-20
uid Ubuntu Extras Archive Automatic Signing Key <ftpmaster@ubuntu.com>
pub 4096R/991BC93C 2018-09-17
uid Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>
Setting up Automatic Updates:
1.Install the “unattended-upgrades”package
sudo apt install unattended-upgrades
2. Edit the configuration /etc/apt/apt.conf.d/50unattended-upgrades. Remove the double slash (//) to enable
Before:
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
“${distro_id}:${distro_codename}”;
“${distro_id}:${distro_codename}-security”;
// Extended Security Maintenance; doesn’t necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
“${distro_id}ESMApps:${distro_codename}-apps-security”;
“${distro_id}ESM:${distro_codename}-infra-security”;
// “${distro_id}:${distro_codename}-updates”;
// “${distro_id}:${distro_codename}-proposed”;
// “${distro_id}:${distro_codename}-backports”;
};
After:
“${distro_id}:${distro_codename}-updates”;
Additional Options:
Unattended-Upgrade::Remove-Unused-Dependencies “true”;
Unattended-Upgrade::Mail “admin@freelinuxtutorials.com”;
Unattended-Upgrade::MailOnlyOnError “true”;
3. Configure /etc/apt/apt.conf.d/20auto-upgrades to enable
sudo vi /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists “1”;
APT::Periodic::Download-Upgradeable-Packages “1”;
APT::Periodic::AutocleanInterval “30”;
APT::Periodic::Unattended-Upgrade “1”;
where: Interval = days
Testing:
sudo unattended-upgrades –dry-run –debug
Verifying logs:
/var/log/unattended-upgrades/unattended-upgrades.log
