Automatically download and install Raspberry Pi security updates

Keeping a system up to date is an important measure for maintaining its security. Outdated software often contains bugs and vulnerabilities that an attacker can misuse for their own purposes, for example to penetrate a system. By default, updates must be installed manually. Alternatively, a system can download and install security updates automatically. Unattended upgrades is software that downloads and installs security updates automatically and without supervision.
Task
- Install and configure unattended upgrades.
Solution: Automatically set up security updates with unattended upgrades
Unattended upgrades can download and install security updates automatically and without supervision. It installs packages from the preconfigured APT sources.
First the package is installed:
sudo apt-get install unattended-upgrades
Then a small configuration step is needed: activating the automatic security update. There is a package configuration for this:
sudo dpkg-reconfigure -plow unattended-upgrades
This opens a graphical user interface in which the automatic security update is activated with “Yes” and deactivated with “No”.
The package configuration creates the file “20auto-upgrades” in the directory “/etc/apt/apt.conf.d/”.
cat /etc/apt/apt.conf.d/20auto-upgrades
The file contains two lines, for example:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
The first line indicates how often “apt-get update” should be executed automatically. The “1” in this case stands for “every day”, which is fine for an automatic job. A “0” would disable it.
The second line shows how often an “upgrade” should be done automatically. The “1” stands for “every day”, which is fine. A “0” would turn the automatic upgrade off.
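The check described above can be scripted. The following is an added example, not part of the original article: the function names are hypothetical, the sample file is constructed, and it assumes that a missing key or the value “0” means the job is off and any other value means it is on.

```shell
#!/bin/sh
# Added example: audit the two APT::Periodic settings explained above.
# Function names and the sample file are illustrative, not from the article.

# periodic_value FILE KEY -> prints the quoted value of APT::Periodic::KEY.
# The pattern is anchored at line start, so "// ..." commented-out lines are
# ignored; if the key is set more than once, the last assignment is reported.
periodic_value() {
    sed -n "s/^[[:space:]]*APT::Periodic::$2[[:space:]]*\"\([^\"]*\)\"[[:space:]]*;.*/\1/p" "$1" |
        tail -n 1
}

# audit_auto_upgrades FILE -> exit status 0 only if both settings are present
# and not "0" (assumption: any non-zero value counts as enabled).
audit_auto_upgrades() {
    rc=0
    for key in Update-Package-Lists Unattended-Upgrade; do
        val=$(periodic_value "$1" "$key")
        case "$val" in
            "") echo "MISSING  $key"; rc=1 ;;
            0)  echo "DISABLED $key"; rc=1 ;;
            *)  echo "ENABLED  $key (interval: $val)" ;;
        esac
    done
    return "$rc"
}

# Constructed sample: package lists are refreshed, but upgrades are switched off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
EOF
audit_auto_upgrades "$sample" || echo "automatic security updates are not fully enabled"
rm -f "$sample"
```

On a real system, call audit_auto_upgrades with /etc/apt/apt.conf.d/20auto-upgrades. Other files in /etc/apt/apt.conf.d/ can override these values; “apt-config dump” shows the merged configuration.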
What exactly should be updated can be defined in the following configuration file:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
By default, only security updates are installed. That should be enough to begin with. If that works well, you can extend the updates to other sources, but then you have to learn more about the configuration and should know what you are doing there.
Next we want to test whether the automatic download and installation really works. To do this, we execute the following command:
sudo unattended-upgrades --dry-run
In general, the command returns after a few minutes. It takes about as long as a manually executed “apt-get update” and “apt-get upgrade”.
Then we look in the corresponding log file to see what exactly happened:
tail /var/log/unattended-upgrades/unattended-upgrades.log
If you want to disable the automatic security updates, then call the package configuration:
sudo dpkg-reconfigure -plow unattended-upgrades
There you just choose “No”, which switches the automatic update off. If you want to remove it completely, you have to uninstall the package “unattended-upgrades”.
Note about the automatic update
If the risk of damaging a stable system through an automatic update is lower than the risk posed by a security vulnerability, then an automatic update might be considered. In that case, the automatic update would close the vulnerability and prevent any possible damage by an attacker.