Automatic security updates on Debian-based server

Step-by-Step descriptions of how to do things.
^rooker
Site Admin
Posts: 1481
Joined: Fri Aug 29, 2003 8:39 pm

Automatic security updates on Debian-based server

Post by ^rooker »

Here's a small link collection, regarding how to perform automatic updates of packages with security-relevant changes.
My current favorite is the "unattended-upgrades" package approach.
Although these tutorials are written for Ubuntu, they should apply to Debian pretty much without big changes.

In a nutshell, it should work like this:

1) Install the "unattended-upgrades" package:

$ sudo apt-get install unattended-upgrades
Then open the "/etc/apt/apt.conf.d/50unattended-upgrades" config file in your favorite text editor.

2) Only security updates:
I want only security packages to be installed (no updates of other packages, even if considered "stable"):
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
In my setup (Ubuntu Server 12.04.1), that was already the default.

3) Mail notification:
Tell it where to send mails to:
Unattended-Upgrade::Mail "your_address@example.org";
This is very useful (=necessary) for you to keep aware of what's happening (or causing trouble) on your system.

4) Enable automatic updates:

$ sudo dpkg-reconfigure -plow unattended-upgrades
This will create "/etc/apt/apt.conf.d/20auto-upgrades" with the following contents:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Some sources suggest putting this manually in "/etc/apt/apt.conf.d/10periodic", but I think it's cleaner to use the dpkg-reconfigure function.

5) Set update interval:
You will find short notes about the "APT::Periodic::Unattended-Upgrade" option (and others) in "/etc/cron.daily/apt".
There it says:
# APT::Periodic::Unattended-Upgrade "0";
# - Run the "unattended-upgrade" security upgrade script
# every n-days (0=disabled)
# Requires the package "unattended-upgrades" and will write
# a log in /var/log/unattended-upgrades
This means that, by default, unattended-upgrades runs once every day, but if you increase the value above to, for example, "3", it will only run every 3 days.

6) Verify your configuration:
You can manually execute unattended-upgrades with the argument "--dry-run", to see if everything "would" be the way you want it:

$ sudo unattended-upgrade -d --dry-run
That includes very verbose debug output. You can omit the "-d" switch, if you find this too "loud" ;)
Output will be stored in "/var/log/unattended-upgrades/unattended-upgrades.log".


Enjoy your new, auto-security-updated system! :)
Jumping out of an airplane is not a basic instinct. Neither is breathing underwater. But put the two together and you're traveling through space!
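The following script is an added example and is not part of the original post or of the unattended-upgrades project. It reproduces steps 2 to 4 as shell functions that write the two apt.conf.d fragments into a directory of your choice, and then checks the result the way you would before trusting a server to it: only the "-security" origin is active, a mail address is set, and the periodic run is enabled. Assumptions: CONF_DIR is a scratch directory (it defaults to a temporary one, so the script runs without root and without touching apt), and "ops@example.org" is a placeholder address.

```shell
#!/bin/sh
# Added example (not from the original post): write the apt.conf.d fragments
# from steps 2-4 into a directory and verify them. CONF_DIR and the address
# "ops@example.org" are assumptions; on a real server the target directory
# would be /etc/apt/apt.conf.d.

write_unattended_conf() {
    # $1 = target directory, $2 = notification address
    dir="$1"; mail="$2"

    # 50unattended-upgrades: only the -security pocket is active; the
    # other origins stay present but commented out, as in the post.
    cat > "$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
EOF
    printf 'Unattended-Upgrade::Mail "%s";\n' "$mail" >> "$dir/50unattended-upgrades"

    # 20auto-upgrades: what "dpkg-reconfigure -plow unattended-upgrades"
    # writes (package lists refreshed and upgrades run once a day).
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Succeeds only if the single active Allowed-Origins entry is -security.
# "//" comments are stripped first, so a commented-out -updates line does
# not count as active.
check_origins() {
    active=$(sed 's#//.*##' "$1" | grep -c 'distro_codename}-' || true)
    security=$(sed 's#//.*##' "$1" | grep -c 'distro_codename}-security' || true)
    [ "$active" -eq 1 ] && [ "$security" -eq 1 ]
}

# Succeeds if a non-empty mail address is configured (step 3).
check_mail() {
    grep -Eq '^Unattended-Upgrade::Mail "[^"@]+@[^"]+";' "$1"
}

# Succeeds if the periodic run is enabled with an interval of n >= 1 days
# (a value of "0" means disabled, as /etc/cron.daily/apt explains).
check_periodic() {
    grep -Eq '^APT::Periodic::Unattended-Upgrade "[1-9][0-9]*";' "$1"
}

# Stand-alone demo: write into a scratch directory and report each check.
CONF_DIR="${CONF_DIR:-$(mktemp -d)}"
write_unattended_conf "$CONF_DIR" "ops@example.org"
for check in check_origins check_mail; do
    if "$check" "$CONF_DIR/50unattended-upgrades"; then
        echo "$check: ok"
    else
        echo "$check: FAIL"
    fi
done
if check_periodic "$CONF_DIR/20auto-upgrades"; then
    echo "check_periodic: ok"
else
    echo "check_periodic: FAIL"
fi
```

The checks are deliberately strict about the origins list: a second uncommented origin (for example "-updates") makes check_origins fail, which is exactly the misconfiguration the post's step 2 is guarding against. Run the checks against the real files after editing them and before the first cron run, and keep "--dry-run" from step 6 as the final confirmation.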