Security patches for libraries and tools come out quite frequently. Just subscribe to any Linux distribution security list, and you’ll find that security updates are released with astounding frequency, sometimes even daily. Even kernel security updates are fairly common, with two security patches being released for the kernel used by Ubuntu 12.04 LTS in June. To keep current with security fixes, I often find it useful to configure servers to perform automatic security updates. If properly configured, automatic updates can mitigate risk and keep any service interruptions to a minimum.
## Are Automatic Upgrades a Good Choice?
Most servers I work with are good candidates for automatic security updates; they aren’t running applications sensitive to the minor changes introduced by security updates. Additionally, quick service interruptions at off-hours aren’t an issue. For example, a quick restart of Apache or MySQL at 2am will not be a problem. If a server is particularly sensitive, I will only set up notification of security updates, so that I can control the what and when of any update installation.
## Installing the Unattended Upgrades Package
The easiest way to get started with automatic updates is with the `unattended-upgrades` package. It can be installed with `apt-get install unattended-upgrades`.
After installation, you’ll need to run `dpkg-reconfigure unattended-upgrades` and select ‘yes’, or manually place a configuration file at `/etc/apt/apt.conf.d/20auto-upgrades` with the contents:
This allows the system to run the `unattended-upgrades` utility regularly. The actual timing is normally determined by `cron`, which has a daily cron file for doing `apt` maintenance located at `/etc/cron.daily/apt`.
## Configuring the Unattended Upgrades Package
After installation, you get to configure what operations the `unattended-upgrade` utility will actually perform. By default, it will simply install updates tagged as ‘security’, but will not automatically reboot the system if any updates require a reboot.
The typical configuration file, located at `/etc/apt/apt.conf.d/50unattended-upgrades`, is well documented and can be edited to suit your needs.
Here are some configuration highlights:
### Allowed-Origins / Origins-Pattern
Depending on whether your distro is Debian or Ubuntu, the method of filtering origins may differ. On Debian, the section is `Unattended-Upgrade::Origins-Pattern`, and on Ubuntu, the section is `Unattended-Upgrade::Allowed-Origins`. This section allows you to determine which origins `unattended-upgrades` will consult when installing updates. By default, only security updates are allowed. If you’d like to add other updates, uncomment or add the appropriate origins.
This option excludes specific packages from consideration when installing updates. For example, you may wish to avoid automatically installing any updates for MySQL server to prevent it from being automatically restarted. Add appropriate package names as desired.
This option specifies the e-mail address that `unattended-upgrades` will send a message to when updates are being installed, or if problems are encountered. A valid `mail` command will need to be operational on the system for this to work (a simple `apt-get install bsd-mailx` will provide this).
By default, `unattended-upgrades` will send an e-mail when any updates are installed. If you only want to receive a message if there is a problem, you can set this to true.
By default, `unattended-upgrades` will _not_ automatically reboot the system if a reboot is required to complete the update (kernel updates, for instance). This could be potentially disruptive, but could be enabled if desired.
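As an added example (not code from the original post or from the unattended-upgrades project), the following POSIX shell script ties together the enabling step from the installation section and the configuration highlights above: it writes the `20auto-upgrades` switch file that `dpkg-reconfigure unattended-upgrades` would create, writes a conservative `50unattended-upgrades` policy (security origin only, `mysql-server` blacklisted, mail only on error, no automatic reboot), and then reads the settings back to verify them. The configuration key names and the Ubuntu `${distro_id}:${distro_codename}-security` origin form are the ones from the package's shipped configuration; the helper function names (`write_auto_upgrades`, `write_policy`, `conf_value`, `periodic_enabled`, `is_blacklisted`), the `mysql-server` package choice and the `root` mail recipient are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: enable unattended-upgrades,
# write a conservative policy and read the settings back to verify them.
# Usage (as root):  sh unattended-setup.sh /etc/apt/apt.conf.d
# Review first:     sh unattended-setup.sh /tmp/apt-review
set -eu

# 20auto-upgrades: the two switches that dpkg-reconfigure sets when you answer
# 'yes'. Both are run counts per day for the /etc/cron.daily/apt job.
write_auto_upgrades() {
    cat > "$1/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# 50unattended-upgrades policy (Ubuntu-style Allowed-Origins; on Debian use
# Origins-Pattern instead). Only the security origin is allowed, mysql-server
# is blacklisted so it is never restarted unattended (assumed package choice),
# mail goes out only when a run fails, and the machine is never rebooted
# automatically.
write_policy() {
    cat > "$1/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Package-Blacklist {
    "mysql-server";
};
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailOnlyOnError "true";
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}

# conf_value FILE KEY: print the unquoted value of a scalar apt.conf entry
# of the form  KEY "value";  (prints nothing if the key is absent).
conf_value() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*"\([^"]*\)";.*/\1/p' "$1" | tail -n 1
}

# periodic_enabled DIR: succeed only if both periodic switches are "1".
periodic_enabled() {
    [ "$(conf_value "$1/20auto-upgrades" APT::Periodic::Update-Package-Lists)" = 1 ] &&
    [ "$(conf_value "$1/20auto-upgrades" APT::Periodic::Unattended-Upgrade)" = 1 ]
}

# is_blacklisted DIR PACKAGE: succeed if PACKAGE appears inside the
# Package-Blacklist block of the policy file.
is_blacklisted() {
    sed -n '/^Unattended-Upgrade::Package-Blacklist/,/^};/p' "$1/50unattended-upgrades" |
        grep -q '^[[:space:]]*"'"$2"'";'
}

# Only act when a target directory is given, so sourcing the file is harmless.
if [ "$#" -gt 0 ]; then
    mkdir -p "$1"
    write_auto_upgrades "$1"
    write_policy "$1"
    periodic_enabled "$1" || { echo "periodic apt runs are not enabled" >&2; exit 1; }
    is_blacklisted "$1" mysql-server || { echo "blacklist entry missing" >&2; exit 1; }
    echo "automatic reboot: $(conf_value "$1/50unattended-upgrades" Unattended-Upgrade::Automatic-Reboot)"
    # On the live system, show apt's merged view of the settings and rehearse
    # a run without changing anything.
    if [ "$1" = /etc/apt/apt.conf.d ] && command -v unattended-upgrade >/dev/null 2>&1; then
        apt-config dump | grep -i periodic
        unattended-upgrade --dry-run
    fi
fi
```

Writing to a scratch directory first lets you inspect both files before they land in `/etc/apt/apt.conf.d`; the `--dry-run` at the end shows which packages the policy would actually pull in (and which the blacklist holds back) before the cron job ever runs unattended.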
## Only Notifications
If automatic security updates aren’t a good candidate for your system, you’ll still probably want to be notified when updates are available. `apticron` is a good package for this. After installing with `apt-get install apticron`, configure the mailing address in `/etc/apticron/apticron.conf`. Whenever updates are available for packages on your system, you will receive an e-mail with details.
Keeping servers patched with the latest security updates can be a bit of a hassle. However, in many cases, making use of automatic security updates can save time and mitigate the risk associated with having systems which aren’t patched on a regular basis. If nothing else, notifications of available updates should keep you apprised of any actions that you need to take in keeping your systems secure.