Improve the security of your server with unattended updates

Whether or not you are able to check your server every day for security updates to install, it is a good idea to put an automatic process in place. How to do so depends on the system, so let's have a quick look at the most popular ones:

CentOS, RHEL and Fedora (v21 or earlier)

The package of choice here is "yum-cron". First install it with "yum -y install yum-cron", then check the '/etc/yum/yum-cron.conf' file. Make sure that at least the following lines are present:

update_cmd = security
update_messages = yes
download_updates = yes
apply_updates = yes

If you want to apply updates only when critical issues are to be patched, use "update_cmd = security-severity:Critical" instead. You might also want to configure how notifications about the updates are sent. To do so, set the "emit_via" parameter to "stdio", "email" or "none". If set to "stdio", messages are written to '/var/log/cron' and cron might also mail them. If set to "email", yum-cron will attempt to send an email by itself, using the values you set for "email_from", "email_to" and "email_host". Finally, start the service with "service yum-cron start" or "systemctl start yum-cron.service".

Fedora v22+

First install "dnf-automatic" with "dnf -y install dnf-automatic". Then check the '/etc/dnf/automatic.conf' file. Make sure that at least the following lines are present:

upgrade_type = security
download_updates = yes
apply_updates = yes

As you can see, the syntax is very similar to that of yum-cron, and notifications are configured in a similar manner. For more details, see the DNF Automatic documentation. Once you have finished with the configuration, enable and start the timer:

systemctl enable dnf-automatic.timer && systemctl start dnf-automatic.timer

Debian and Ubuntu

In this case we will be using the "unattended-upgrades" package. First install it with "apt-get install -y unattended-upgrades". Then run:

dpkg-reconfigure unattended-upgrades

That will bring up an interface with just one question, to which you should answer "Yes". As a result, the '/etc/apt/apt.conf.d/20auto-upgrades' file will be created. Check it and make sure the following lines are there:

APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

You can also add the line APT::Periodic::Verbose "2"; to have more detail written to the logs under '/var/log/unattended-upgrades/'.

Finally, edit '/etc/apt/apt.conf.d/50unattended-upgrades'. The file is well commented; normally you only need to make sure that mail notifications are enabled (look for the "Unattended-Upgrade::Mail" line) and that automatic reboot is disabled (unless you are really comfortable with your system rebooting while nobody is monitoring the process).
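As an added example (not code from the original post), here is a small Python audit script that checks the configuration files from all three sections above for the settings this post recommends. It assumes that yum-cron.conf and automatic.conf keep these keys in their [commands] section, as those files normally do, and the sample file contents at the bottom are constructed.

```python
import configparser
import re
# Required keys (and accepted values) in the [commands] section of yum-cron.conf / automatic.conf.
INI_REQUIRED = {
    "yum-cron": {"update_cmd": {"security", "security-severity:Critical"},
                 "download_updates": {"yes"}, "apply_updates": {"yes"}},
    "dnf-automatic": {"upgrade_type": {"security"},
                      "download_updates": {"yes"}, "apply_updates": {"yes"}},
}
# One apt.conf assignment, e.g.  APT::Periodic::Enable "1";  ("//" comment lines do not match).
APT_LINE = re.compile(r'^\s*([A-Za-z0-9:_-]+)\s+"([^"]*)"\s*;')

def audit_ini(text, flavour):
    """Findings for yum-cron.conf or dnf automatic.conf content; an empty list means OK."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    commands = cp["commands"] if cp.has_section("commands") else {}
    findings = []
    for key, allowed in INI_REQUIRED[flavour].items():
        value = commands.get(key)  # None when the key is missing
        if value not in allowed:
            findings.append(f"{key} = {value!r}, expected one of {sorted(allowed)}")
    return findings

def audit_apt(*texts):
    """Findings for the contents of 20auto-upgrades and 50unattended-upgrades."""
    settings = {}
    for text in texts:
        for line in text.splitlines():
            m = APT_LINE.match(line)
            if m:
                settings[m.group(1)] = m.group(2)
    findings = []
    for key in ("APT::Periodic::Enable", "APT::Periodic::Update-Package-Lists",
                "APT::Periodic::Unattended-Upgrade"):
        if settings.get(key) != "1":
            findings.append(f'{key} should be "1"')
    if not settings.get("Unattended-Upgrade::Mail"):
        findings.append("Unattended-Upgrade::Mail not set, so nobody is notified")
    if settings.get("Unattended-Upgrade::Automatic-Reboot", "false").lower() == "true":
        findings.append("Unattended-Upgrade::Automatic-Reboot is enabled")
    return findings
# Constructed samples: dnf-automatic at its defaults, and an apt setup that reboots silently.
SAMPLE_DNF = "[commands]\nupgrade_type = default\ndownload_updates = yes\napply_updates = no\n"
SAMPLE_APT = ('APT::Periodic::Enable "1";\nAPT::Periodic::Update-Package-Lists "1";\n'
              'APT::Periodic::Unattended-Upgrade "1";\n//Unattended-Upgrade::Mail "";\n'
              'Unattended-Upgrade::Automatic-Reboot "true";\n')
if __name__ == "__main__":
    print(audit_ini(SAMPLE_DNF, "dnf-automatic"), audit_apt(SAMPLE_APT))
```

To audit a real host, pass the contents of the files named above to the two functions; any non-empty list is a setting to fix.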