Whether you are able to check your server on a daily basis or not to see if there are any security updates to install, it could be a good idea to put some automatic process in place. Doing so depends on the system, so let's have a quick look at the most popular ones:
CentOS, RHEL and Fedora (v21 or earlier)The package of choice here is "yum-cron". First install it with "yum -y install yum-cron", then check '/etc/yum/yum-cron.conf' file. Make sure that at least the following lines are present:
update_cmd = security update_messages = yes download_updates = yes apply_updates = yes
If you want to run the update only when critical issues are to be patched, then use "update_cmd = security-severity:Critical". You might also want to configure how the notifications about the updates are sent. To do so, set "emit_via" parameter to "stdio", "email" or "none". If set to "stdio", messages will be put into '/var/log/cron' and cron might also send them. If set to "email", then yum-cron will attempt to send an email by itself, using the values you set for "email_from", "email_to" and "email_host". Finally start the service with "service yum-cron start" or "systemctl start yum-cron.service".
First install "dnf-automatic" with "dnf -y install dnf-automatic". Then check '/etc/dnf/automatic.conf' file. Make sure that at least the following lines are present:
upgrade_type = security download_updates = yes apply_updates = yes
As you can see, the syntax is very similar to that of yum-cron and you can also configure notifications in a similar manner. For more details, see DNF Automatic documentation. Once you have finished with the configuration, enable and start the service:
systemctl enable dnf-automatic.timer && systemctl start dnf-automatic.timer
Debian and Ubuntu
In this case we will be using "unattended-upgrades" package. First install it with "apt-get install -y unattended-upgrades". Then run:
That will bring you an interface with just one question, to which you should answer "Yes". As a result, the '/etc/apt/apt.conf.d/20auto-upgrades' file will be created. Check it and make sure the following lines are there:
APT::Periodic::Enable "1"; APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Unattended-Upgrade "1";
You can also add
APT::Periodic::Verbose "2"; to have more details logged into logs under '/var/log/unattended-upgrades/'.
Finally edit '/etc/apt/apt.conf.d/50unattended-upgrades'. The file is rather well-commented, and normally you would want to just make sure that mail notifications are enabled (look for "Unattended-Upgrade::Mail" line) and reboot is disabled (unless you're really into allowing your system to reboot without anyone monitoring the process).