How to Set up Automatic Security Updates on Ubuntu

This guide shows how to set up automatic updates on an Ubuntu system, also known as unattended upgrades.

Linux is considered secure “by design,” but it stays that way only if released security updates are applied regularly. These updates fix existing vulnerabilities that malicious users could otherwise use to compromise the system.

One of the most common approaches used by Linux system administrators is manually installing security updates. The problem with this approach is that it cannot ensure consistent regularity.

It is not unusual to forget to carry out this step. Furthermore, if we are responsible for many servers, manually applying security updates on each would consume a significant amount of our time.

Fortunately, if you’re using Ubuntu, there’s a simple way to ensure that security updates are automatically applied, which we’ll show in this guide. It uses the purpose-built unattended-upgrades package to automatically keep your Ubuntu system up to date with the most recent security and feature updates.

The approach in this guide is demonstrated using an Ubuntu 22.04 Server, but it may be used with any other version of Ubuntu. So, without further ado, let us walk you through the steps required to achieve this functionality.

1. Install unattended-upgrades Package

To configure the automated updates on our Ubuntu system, we must first install (if not already installed) the unattended-upgrades package. To achieve this, use the following APT command:

sudo apt install unattended-upgrades

If a dialog asks about restarting services, highlight the service you want to restart and confirm with the “Ok” button.

When the installation is finished, the unattended-upgrades daemon should start automatically. Let us get confirmation.

sudo systemctl status unattended-upgrades

The output should report the service as active (running).

2. Configure Automatic Updates on Ubuntu

The next step is to enable and configure automatic updates. Execute the following command:

sudo dpkg-reconfigure --priority=low unattended-upgrades

An interactive dialog will appear, asking you to confirm that you want to allow automatic updates on your Ubuntu system. Select “Yes” to confirm.

As a result of the above action, the file /etc/apt/apt.conf.d/20auto-upgrades with the following content will be created:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

After agreeing to install updates automatically, we need to configure which types of updates are installed automatically on our Ubuntu system.

Let me clarify, so you don’t get confused. There are several types of updates for your Ubuntu system. The most important are security updates. Consider these to be critical and must-install items.

They protect against vulnerabilities malicious users can use to perform undesirable actions against your Linux system.

The second type is the standard updates. They are related to additional software that has been installed on your system.

For example, if a new version of the Python programming language is released, you would most likely receive it as a standard update to take advantage of its new features.

By default, installing the unattended-upgrades package on your Ubuntu system pre-configures and enables only security updates. However, if you want to allow automatic installation of standard updates, you need to modify the configuration file.

sudo vim /etc/apt/apt.conf.d/50unattended-upgrades

The lines that start with double slashes (//) are commented out. So remove the comment characters from the beginning of the "${distro_id}:${distro_codename}-updates"; line if you want to enable automatic installation of standard updates as well.

We strongly advise against enabling the last two types in that list, “proposed” and “backports,” as they contain software that can disrupt the normal operation of your system.

3. Configure Automatic Reboot After Applying Updates

Let us now take a step further. As you know, some security updates require a system restart after the software has been updated. As an example, take the Linux kernel update.

In Ubuntu, automatic security updates include a mechanism that detects whether any installed update requires a system restart. If one does, you can instruct the system to restart automatically.

Of course, this functionality is disabled by default, but if you wish to use it, let us show you how to enable this helpful feature easily.

It’s all in our well-known /etc/apt/apt.conf.d/50unattended-upgrades file. So let’s start editing.

sudo vim /etc/apt/apt.conf.d/50unattended-upgrades

We are particularly interested in the following three lines:

//Unattended-Upgrade::Automatic-Reboot "false";
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

The first line enables our Ubuntu system to restart automatically after installing updates that require it. The second line allows the reboot even if users are logged in at the time; otherwise, the machine will not reboot while any users are logged in. The third line specifies the time at which the restart should occur.

Of course, remove the comment characters (//) from the beginning of these lines, and set the first value to "true", since the system reboots automatically only when Automatic-Reboot is "true".

Save the file with the modifications you’ve made, and then exit. Finally, restart the unattended-upgrades service to apply the changes.

sudo systemctl restart unattended-upgrades
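
To confirm what steps 2 and 3 actually left active, the following added example (not part of the original guide) parses a 50unattended-upgrades file, warns about enabled “proposed” or “backports” origins, and reports the effective reboot behaviour. The function names and the embedded configuration excerpt are constructed for illustration; the excerpt deliberately leaves Automatic-Reboot-Time commented out, in which case the package default of "now" applies and the reboot happens right after the upgrade.

```shell
#!/bin/sh
# Added example: offline check of the settings edited in steps 2 and 3.

# Constructed excerpt of 50unattended-upgrades (not copied from a real host).
sample_conf() {
cat <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
        "${distro_id}:${distro_codename}-backports";
};
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF
}

# Print every origin that is active (not commented out) in Allowed-Origins.
active_origins() {
  awk '
    /^[ \t]*Unattended-Upgrade::Allowed-Origins[ \t]*[{]/ { inblock = 1; next }
    inblock && /^[ \t]*[}];/ { inblock = 0 }
    inblock && !/^[ \t]*\/\// && match($0, /"[^"]+"/) {
      print substr($0, RSTART + 1, RLENGTH - 2)
    }' "$1"
}

# Print the value of an active Unattended-Upgrade::<key> line, or nothing.
setting() {
  awk -v key="Unattended-Upgrade::$2" '
    $1 == key && match($0, /"[^"]*"/) { val = substr($0, RSTART + 1, RLENGTH - 2) }
    END { if (val != "") print val }' "$1"
}

# Report risky origins and the effective reboot behaviour.
audit() {
  active_origins "$1" | grep -E -e '-(proposed|backports)$' | sed 's/^/WARN risky origin: /'
  if [ "$(setting "$1" Automatic-Reboot)" = "true" ]; then
    at="$(setting "$1" Automatic-Reboot-Time)"
    [ -n "$at" ] || at="now (default)"   # commented-out time means reboot immediately
    echo "reboot: enabled, time: $at"
  else
    echo "reboot: disabled"
  fi
}

conf="$(mktemp)"
trap 'rm -f "$conf"' EXIT
sample_conf > "$conf"
audit "$conf"
```

On a live host, pass /etc/apt/apt.conf.d/50unattended-upgrades to audit instead of the sample file. `apt-config dump` prints the values APT merges from every file in /etc/apt/apt.conf.d, and `sudo unattended-upgrade --dry-run --debug` shows what a run would do without installing anything.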

Keep an Eye on the Log File

All automated updates performed on your Ubuntu system are recorded in the log file /var/log/unattended-upgrades/unattended-upgrades.log. By viewing its contents, you will know what updates have been applied to your system.

cat /var/log/unattended-upgrades/unattended-upgrades.log
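
Reading the whole file with cat gets tedious on a long-lived server, so here is an added example (not part of the original guide) that summarises the log: which packages each run planned to upgrade, which lines were logged at WARNING or ERROR level, and which runs planned upgrades but never logged completion. The sample log lines are constructed for this example and the function names are its own.

```shell
#!/bin/sh
# Added example: summarise unattended-upgrades.log.

# Constructed sample lines in the layout "date time LEVEL message".
sample_log() {
cat <<'EOF'
2024-03-04 06:12:01,311 INFO Starting unattended upgrades script
2024-03-04 06:12:01,312 INFO Allowed origins are: o=Ubuntu,a=jammy, o=Ubuntu,a=jammy-security
2024-03-04 06:12:09,870 INFO Packages that will be upgraded: libssl3 openssl
2024-03-04 06:12:31,044 INFO All upgrades installed
2024-03-05 06:40:17,120 INFO Starting unattended upgrades script
2024-03-05 06:40:22,903 INFO No packages found that can be upgraded unattended and no pending auto-removals
2024-03-06 06:03:44,502 INFO Starting unattended upgrades script
2024-03-06 06:03:51,778 INFO Packages that will be upgraded: linux-image-generic
2024-03-06 06:04:58,210 ERROR Installing the upgrades failed!
EOF
}

# One "date package" line per package a run planned to upgrade.
upgraded_packages() {
  awk '/ INFO Packages that will be upgraded:/ {
         split($0, parts, "upgraded: ")
         n = split(parts[2], pkgs, " ")
         for (i = 1; i <= n; i++) print $1, pkgs[i]
       }' "$1"
}

# Every line logged at WARNING or ERROR level (field 3 is the level).
problem_lines() {
  awk '$3 == "WARNING" || $3 == "ERROR"' "$1"
}

# Start date of each run that planned upgrades but never logged completion.
incomplete_runs() {
  awk '/ INFO Starting unattended upgrades script/ {
         if (planned && !finished) print start
         start = $1; planned = 0; finished = 0
       }
       /Packages that will be upgraded:/ { planned = 1 }
       /All upgrades installed/          { finished = 1 }
       END { if (planned && !finished) print start }' "$1"
}

log="$(mktemp)"
trap 'rm -f "$log"' EXIT
sample_log > "$log"
echo "== upgraded ==";   upgraded_packages "$log"
echo "== problems ==";   problem_lines "$log"
echo "== incomplete =="; incomplete_runs "$log"
```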

Disable Automatic Updates

You may want to disable automatic updates on your Ubuntu system at some point. For example, if you manage many servers, you may have automated the entire process with an automation tool such as Ansible.

Whatever the reason, stopping automatic updates is relatively simple. Execute the following command:

sudo dpkg-reconfigure --priority=low unattended-upgrades

Choose “No” from the interactive dialog that opens and confirm by pressing “Enter.”

Conclusion

This post taught you how to configure the automatic installation of security updates on your Ubuntu system. The unattended-upgrades utility keeps your system updated and secure by installing the most recent updates and security patches as soon as they become available.

By doing so, you substantially improve your system’s security and keep it protected against vulnerabilities as fixes for them are released.

We hope you found this guide useful. Any suggestions and comments are welcome in the section below.
