Automatic Installation Of Security Updates On Ubuntu

A new OpenSSL vulnerability called heartbleed has been found and patched. Information on the vulnerability is available on the CVE Website and there is even a dedicated site for the issue.

While most of us keep our system regularly update our systems using apt or yum, it is best advised have an automatic update process in place. This is to ensure that systems don’t get missed out in the update process and that the updates are applied as soon as possible.

To this effect, Debian and Ubuntu users can use the unattended-upgrades package to simplify and automate the OS patching process. The instructions for installation and configuration of automatic updates is at https://help.ubuntu.com/community/AutomaticSecurityUpdates.

# /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Once you have automatic updates enabled, check /var/log/unattended-upgrades/unattended-upgrades.log regularly for security patches that have been applied. Below is a snippet from a Ubuntu 12.04 LTS server which has automatic updates enabled.

2014-04-04 06:49:03,029 INFO All upgrades installed
2014-04-05 06:36:17,186 INFO Initial blacklisted packages: 
2014-04-05 06:36:17,187 INFO Starting unattended upgrades script
2014-04-05 06:36:17,187 INFO Allowed origins are: ['o=Ubuntu,a=precise-security']
2014-04-05 06:36:56,725 INFO No packages found that can be upgraded unattended
2014-04-06 07:01:53,398 INFO Initial blacklisted packages: 
2014-04-06 07:01:53,509 INFO Starting unattended upgrades script
2014-04-06 07:01:53,509 INFO Allowed origins are: ['o=Ubuntu,a=precise-security']
2014-04-06 07:02:55,255 INFO No packages found that can be upgraded unattended
2014-04-07 06:41:37,420 INFO Initial blacklisted packages: 
2014-04-07 06:41:37,430 INFO Starting unattended upgrades script
2014-04-07 06:41:37,430 INFO Allowed origins are: ['o=Ubuntu,a=precise-security']
2014-04-07 06:42:18,562 INFO No packages found that can be upgraded unattended
2014-04-08 06:47:36,358 INFO Initial blacklisted packages: 
2014-04-08 06:47:36,368 INFO Starting unattended upgrades script
2014-04-08 06:47:36,368 INFO Allowed origins are: ['o=Ubuntu,a=precise-security']
2014-04-08 06:49:43,352 INFO Packages that are upgraded: file libmagic1 libssl1.0.0 openssh-client openssh-server openssl ssh
2014-04-08 06:49:43,463 INFO Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg_2014-04-08_06:49:43.461914.log'
2014-04-08 06:53:44,507 INFO All upgrades installed
2014-04-09 06:57:29,432 INFO Initial blacklisted packages: 
2014-04-09 06:57:29,458 INFO Starting unattended upgrades script
2014-04-09 06:57:29,458 INFO Allowed origins are: ['o=Ubuntu,a=precise-security']
2014-04-09 06:58:12,098 INFO No packages found that can be upgraded unattended
2014-04-10 06:58:45,807 INFO Initial blacklisted packages: 
2014-04-10 06:58:45,824 INFO Starting unattended upgrades script
2014-04-10 06:58:45,824 INFO Allowed origins are: ['o=Ubuntu,a=precise-security']
2014-04-10 06:59:26,615 INFO No packages found that can be upgraded unattended

As you can see, the unattended-upgrades process runs every day around 7AM and on 2014-04-08, it has found and applied patches for the packages named “file“, “libmagic1“, “libssl1.0.0“, “openssh-client“, “openssh-server“, “openssl” and the “ssh“.

Please do keep in mind that for most security patches that affect core libraries (like SSL), a service restart or a system reboot will be needed. unattended-upgrades does not restart services or reboot systems by default. You would require to take follow-up actions manually.

Unattended-upgrades can trigger reboots without confirmation (caution) if the below is set to true.

Unattended-Upgrade::Automatic-Reboot "true";

Shanker Balan

Shanker Balan is a devops and infrastructure freelancer with over 14 years of industry experience in large scale Internet systems. He is available for both short term and long term projects on contract. Please use the Contact Form for any enquiry.

More Posts - Website

Follow Me:
TwitterLinkedIn

Published by

Shanker Balan

Shanker Balan is a devops and infrastructure freelancer with over 14 years of industry experience in large scale Internet systems. He is available for both short term and long term projects on contract. Please use the Contact Form for any enquiry.

Leave a Reply