@kam-daniel
Last active September 4, 2024 21:07
debian_auto_upgrades.md

Work Instruction: Setting Up Automatic Updates for Linux Systems (Debian/Ubuntu-Based)

Purpose:
This document outlines the steps to configure unattended upgrades on Debian-based Linux systems, ensuring that systems automatically receive and apply security updates.


Step 1: Install Unattended Upgrades

  1. Open a terminal.

  2. Run the following commands to ensure that unattended-upgrades is installed:

    sudo apt update
    sudo apt install unattended-upgrades

Step 2: Configure Unattended Upgrades

For Linux Mint Systems (based on Ubuntu):

  1. Open the configuration file for unattended-upgrades:

    sudo vim /etc/apt/apt.conf.d/50unattended-upgrades
  2. Ensure the following lines are included in the file for Linux Mint Victoria (based on Ubuntu 22.04 Jammy):

    Unattended-Upgrade::Allowed-Origins {
        "Ubuntu:jammy";
        "Ubuntu:jammy-security";
        "Ubuntu:jammy-updates";
    };
    
    Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
    Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
    Unattended-Upgrade::Automatic-Reboot "true";
    Unattended-Upgrade::Automatic-Reboot-Time "02:00";
    Unattended-Upgrade::SyslogEnable "true";
    Unattended-Upgrade::MailReport "on-change";
    Unattended-Upgrade::OnlyOnACPower "true";
    Unattended-Upgrade::Allow-APT-Mark-Fallback "true";
  3. Save and exit the file.

For Non-Linux Mint Systems:

  1. Find the distro_id and distro_codename. Run the following commands to determine the system's distribution ID and codename:

    lsb_release -si  # This shows the distro_id (e.g., Ubuntu, Debian)
    lsb_release -sc  # This shows the codename (e.g., buster, focal)
  2. Update the Allowed-Origins block accordingly. For example, if using Debian Buster:

    Unattended-Upgrade::Allowed-Origins {
        "Debian:buster";
        "Debian:buster-security";
    };

Step 3: Verify and Configure APT Timers

  1. Check the current timers for apt-daily and apt-daily-upgrade by running:

    systemctl list-timers --all | grep apt
  2. Verify that the timers for the update check and upgrade services are running as expected. You should see entries like:

    • apt-daily.timer: Scheduled daily.
    • apt-daily-upgrade.timer: Scheduled daily.

    If the times are acceptable (e.g., 6:30 AM for upgrades), no further changes are needed.


Step 4: Test the Configuration

  1. To simulate unattended upgrades and verify the configuration, run:

    sudo unattended-upgrade --dry-run
  2. This command will simulate the upgrade process without making any actual changes, ensuring the setup works correctly.
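
The dry run above exercises package selection, but it does not show whether the periodic job is enabled or whether the reboot and mail settings from Step 2 are complete. The following added example (not part of the original gist) audits the text printed by `apt-config dump`; the function names, the OK/WARN/FAIL output format and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original gist): audit the text printed by
# `apt-config dump` for the settings this work instruction depends on.
# uu_get KEY: value of a scalar KEY in the dump text held in $UU_DUMP.
uu_get() {
    printf '%s\n' "$UU_DUMP" | sed -n "s/^$1 \"\(.*\)\";\$/\1/p" | tail -n 1
}

# Reads a dump on stdin, prints one finding per line, returns 1 on any FAIL.
audit_uu_config() {
    UU_DUMP=$(cat)
    uu_rc=0
    # With these unset or "0" the apt-daily timers run but upgrade nothing.
    for uu_key in APT::Periodic::Update-Package-Lists \
                  APT::Periodic::Unattended-Upgrade; do
        uu_val=$(uu_get "$uu_key")
        case "$uu_val" in
            ''|0) echo "FAIL $uu_key is '${uu_val:-unset}'"; uu_rc=1 ;;
            *)    echo "OK   $uu_key = $uu_val" ;;
        esac
    done
    # List entries are dumped as: Unattended-Upgrade::Allowed-Origins:: "o:a";
    if printf '%s\n' "$UU_DUMP" |
        grep -q '^Unattended-Upgrade::Allowed-Origins:: ".*-security";$'; then
        echo "OK   a -security origin is allowed"
    else
        echo "FAIL no -security entry in Allowed-Origins"; uu_rc=1
    fi
    # Automatic-Reboot without a time reboots right after the upgrade run.
    if [ "$(uu_get Unattended-Upgrade::Automatic-Reboot)" = "true" ] &&
       [ -z "$(uu_get Unattended-Upgrade::Automatic-Reboot-Time)" ]; then
        echo "WARN Automatic-Reboot set without Automatic-Reboot-Time"
    fi
    # MailReport only has an effect when a recipient address is configured.
    if [ -n "$(uu_get Unattended-Upgrade::MailReport)" ] &&
       [ -z "$(uu_get Unattended-Upgrade::Mail)" ]; then
        echo "WARN MailReport set but Unattended-Upgrade::Mail is empty"
    fi
    return "$uu_rc"
}

# Constructed sample: Step 2 settings on a host where APT::Periodic is not set.
SAMPLE_DUMP='Unattended-Upgrade::Allowed-Origins:: "Ubuntu:jammy";
Unattended-Upgrade::Allowed-Origins:: "Ubuntu:jammy-security";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
Unattended-Upgrade::MailReport "on-change";'
printf '%s\n' "$SAMPLE_DUMP" | audit_uu_config || echo "audit failed"
```

On a real host, feed it the live configuration with `apt-config dump | audit_uu_config`.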


Step 5: Monitor Automatic Updates

  1. Logs for the unattended upgrades can be found in:

    /var/log/unattended-upgrades/
  2. You can monitor the logs to ensure updates are being applied. Use the following command to view the log output:

    sudo tail -f /var/log/unattended-upgrades/unattended-upgrades.log

Step 6: Handle Reboots (Optional)

  1. If a reboot is required after an update (e.g., after a kernel update), the system will automatically reboot at 2:00 AM.

  2. To change the reboot time, modify this line in /etc/apt/apt.conf.d/50unattended-upgrades:

    Unattended-Upgrade::Automatic-Reboot-Time "02:00";

Notes:

  • Manual Upgrades:
    If you need to manually perform an upgrade at any time, use the following command:

    sudo apt update && sudo apt upgrade -y
  • Automatic Updates Frequency:
    By default, updates are checked and applied daily. If you need to modify the frequency, adjust the settings in /etc/apt/apt.conf.d/20auto-upgrades.

  • Email Notifications:
    If you wish to receive email notifications for problems or successful upgrades, configure the recipient email address in the unattended-upgrades configuration file (/etc/apt/apt.conf.d/50unattended-upgrades).


Summary:

This procedure ensures that your Linux systems are automatically updated with security patches and other necessary updates, reducing manual intervention and helping meet security compliance standards.


Prepared by: Daniel L. Van Den Bosch
Date: September 4, 2024

