
Debian and Ubuntu Automatic Security Updates

Security patches for libraries and tools come out quite frequently. Just subscribe to any Linux distribution security list, and you’ll find that security updates are released with astounding frequency, sometimes even daily. Even kernel security updates are fairly common, with two security patches being released for the kernel used by Ubuntu 12.04 LTS in June. To keep current with security fixes, I often find it useful to configure servers to perform automatic security updates. If properly configured, automatic updates can mitigate risk and keep any service interruptions to a minimum.

Are Automatic Upgrades a Good Choice?

Most servers I work with are good candidates for automatic security updates; they aren’t running applications sensitive to the minor changes introduced by security updates. Additionally, quick service interruptions at off-hours aren’t an issue. For example, a quick restart of Apache or MySQL at 2am will not be a problem. If a server is particularly sensitive, I will only set up notification of security updates, so that I can control the what and when of any update installation.

Installing the Unattended Upgrades Package

The easiest way to get started with automatic updates is with the unattended-upgrades package. It can be installed with apt-get install unattended-upgrades.

After installation, you’ll need to run dpkg-reconfigure unattended-upgrades and select ‘yes’, or manually place a configuration file at /etc/apt/apt.conf.d/20auto-upgrades with the contents:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

This allows the system to run the unattended-upgrades utility regularly. The actual timing is normally determined by cron, which has a daily cron file for doing apt maintenance located at /etc/cron.daily/apt.
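The steps above (writing 20auto-upgrades and relying on apt to pick it up) are shown here as an added example that is not part of the original post. It takes a directory argument so it can be exercised against a scratch copy; on a real host the directory is /etc/apt/apt.conf.d. The parser only handles the flat `APT::Periodic::Key "value";` form, which is an assumption of this example; on a live system `apt-config dump | grep APT::Periodic` is the authoritative way to see the effective values.

```shell
#!/bin/sh
# Added example: enable the periodic apt jobs as described above and
# verify the value apt will actually use. Not the post's own code.
# The directory argument exists so this runs against a scratch copy;
# on a real host it is /etc/apt/apt.conf.d.

# Write 20auto-upgrades with the two settings from the post.
write_auto_upgrades() {
    dir=$1
    printf '%s\n' \
        'APT::Periodic::Update-Package-Lists "1";' \
        'APT::Periodic::Unattended-Upgrade "1";' > "$dir/20auto-upgrades"
}

# Effective value of an APT::Periodic::<key> setting. apt reads apt.conf.d
# in lexical order and the last definition wins, so 20auto-upgrades
# overrides a value set earlier by 10periodic. Only the flat
# 'APT::Periodic::Key "v";' form is parsed (assumption for this example;
# nested APT::Periodic { ... } blocks are not handled).
periodic_setting() {
    dir=$1 key=$2 val=''
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^APT::Periodic::'"$key"'[[:space:]]*"\([^"]*\)";.*/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then val=$v; fi
    done
    printf '%s\n' "$val"
}

# Returns 0 when both periodic jobs are enabled, 1 otherwise.
auto_upgrades_enabled() {
    dir=$1
    [ "$(periodic_setting "$dir" Update-Package-Lists)" = 1 ] &&
    [ "$(periodic_setting "$dir" Unattended-Upgrade)" = 1 ]
}
```

Running `write_auto_upgrades /etc/apt/apt.conf.d` as root reproduces what `dpkg-reconfigure unattended-upgrades` writes; `auto_upgrades_enabled /etc/apt/apt.conf.d` is a cheap check to run from a configuration audit so that a host which silently lost the setting is noticed.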

Configuring the Unattended Upgrades Package

After installation, you get to configure what operations the unattended-upgrades utility will actually perform. By default, it will simply install updates tagged as ‘security’, but will not automatically reboot the system if any updates require a reboot.

The typical configuration file, located at /etc/apt/apt.conf.d/50unattended-upgrades, is well documented and can be edited to suit your needs.

Here are some configuration highlights:

Allowed-Origins / Origins-Pattern:

Depending on whether your distro is Debian or Ubuntu, the method of filtering origins may differ. On Debian, the section is Unattended-Upgrade::Origins-Pattern, and on Ubuntu, the section is Unattended-Upgrade::Allowed-Origins. This section allows you to determine which origins unattended-upgrades will consult when installing updates. By default, only security updates are allowed. If you’d like to add other updates, uncomment or add the appropriate origins.

Package-Blacklist

This filters specific packages from being considered when installing updates. For example, you may wish to avoid automatically installing any updates for MySQL server to prevent it from being automatically restarted. Add appropriate package names as desired.

Mail

This specifies the e-mail address that unattended-upgrades will send a message to when updates are being installed, or if problems are encountered. A valid mail command will need to be operational on the system for this to work (a simple apt-get install bsd-mailx will provide this).

MailOnlyOnError

By default, unattended-upgrades will send an e-mail when any updates are installed. If you only want to receive a message if there is a problem, you can set this to true.

Automatic-Reboot

By default, unattended-upgrades will not automatically reboot the system if a reboot is required to complete the update (kernel updates, for instance). This could be potentially disruptive, but could be enabled if desired.
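The configuration highlights above, collected into one file and read back for auditing, as an added example that is not part of the original post. It writes a 50unattended-upgrades file using Ubuntu's Allowed-Origins syntax (on Debian the Origins-Pattern block applies instead), blacklists mysql-server as the text suggests, sets Mail, MailOnlyOnError and Automatic-Reboot, and then extracts those settings again. The path argument is there so it can run against a scratch file; the real file is /etc/apt/apt.conf.d/50unattended-upgrades. The helper names and the summary format are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): write a 50unattended-upgrades
# file reflecting the settings discussed above, then read them back so the
# result can be audited. Path argument is a scratch file here; the real
# file is /etc/apt/apt.conf.d/50unattended-upgrades.

write_unattended_conf() {
    cat > "$1" <<'EOF'
// Only the security pocket is allowed; the -updates line stays commented.
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
};
// Keep unattended-upgrades from restarting the database server.
Unattended-Upgrade::Package-Blacklist {
    "mysql-server";
};
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailOnlyOnError "true";
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}

# Value of a scalar Unattended-Upgrade::<name> option. Lines commented out
# with // never match because the pattern is anchored at column 1.
ua_option() {
    sed -n 's/^Unattended-Upgrade::'"$2"'[[:space:]]*"\([^"]*\)";.*/\1/p' "$1" | tail -n 1
}

# Entries of a list-valued block such as Package-Blacklist or
# Allowed-Origins, one per line, skipping // comments inside the block.
ua_list() {
    awk -v blk="Unattended-Upgrade::$2" '
        $1 == blk && $2 == "{"        { inblk = 1; next }
        inblk && /^};/                { inblk = 0 }
        inblk && !/^[[:space:]]*\/\// { print }
    ' "$1" | sed -n 's/^[[:space:]]*"\([^"]*\)";.*/\1/p'
}

# One-line summary for comparing hosts: allowed origins, blacklist size,
# mail target, and whether a reboot can happen without an operator.
ua_summary() {
    f=$1
    printf 'origins=%s blacklist=%s mail=%s reboot=%s\n' \
        "$(ua_list "$f" Allowed-Origins | paste -sd, -)" \
        "$(ua_list "$f" Package-Blacklist | wc -l | tr -d ' ')" \
        "$(ua_option "$f" Mail)" \
        "$(ua_option "$f" Automatic-Reboot)"
}
```

`ua_summary /etc/apt/apt.conf.d/50unattended-upgrades` gives a single line per host that is easy to collect and diff, which makes a server whose Automatic-Reboot was flipped to true, or whose blacklist was emptied, stand out immediately.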

Only Notifications

If automatic security updates aren’t a good candidate for your system, you’ll still probably want to be notified when updates are available. apticron is a good package for this. After installing with apt-get install apticron, configure the mailing address in /etc/apticron/apticron.conf. Whenever updates are available for packages on your system, you will receive an e-mail with details.

Conclusion

Keeping servers patched with the latest security updates can be a bit of a hassle. However, in many cases, making use of automatic security updates can save time and mitigate the risk associated with having systems which aren’t patched on a regular basis. If nothing else, notifications of available updates should keep you apprised of any actions that you need to take in keeping your systems secure.