Failing to keep your Ubuntu operating system packages up-to-date risks overall security.
Managing the process manually, wastes valuable resources and can even lead to overlooking essential security updates. There is a better solution. In this tutorial, we will explain how to Enable automatic security updates in Ubuntu 18.04.
- A command-line/terminal window (Ctrl-Alt-T)
- A user account with sudo or root privileges
- The apt package manager, included by default
Step 1: Install unattended-upgrades Package
1. Install the unattended-upgrade package by running the following command:
sudo apt install unattended-upgrades
2. Verify the installation:
systemctl status unattended-upgrades
The output that confirms a successful installation and active status appears as below:
Step 2: Configure unattended-upgrades File
Now that you have completed the installation, we need to configure individual elements and define the parameters for the auto updates.
This example uses the nano text editor. However, any other text editor will work.
Accessing the Configuration File
The unattended-upgrades configuration file is found in the /etc/apt/apt.conf.d directory.
Access the configuration file with the following command:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
The unattended-upgrades package ignores lines that start with // as that line is considered to be a comment.
If you want a repository to update automatically, you need to remove // from that line.
For our purposes, we only need to remove // from the “security” line.
The Unattended-Upgrade::Package-Blacklist section of the config file allows you to block upgrades for specific packages.
1. To block upgrades for specific packages, add the desired package name to the list. Remember to remove // to uncomment the line. In this example, vim and nginx.
2. Save the changes you made and exit the file.
Automatic updates can run into issues. If an error does occur, the system can be set up to notify you via email. To enable this option remove // and edit the following lines:
Step 3: Enable Automatic Upgrades
The final step to enable Ubuntu automatic updates is to edit the auto-upgrades file with the command:
sudo nano /etc/apt/apt.conf.d/20auto-upgrades
This file allows you to define how often the auto updates take place.
- Update-Package-Lists: 1 enables auto-update, 0 disables.
- Unattended-Upgrade: 1 enables auto-upgrade, 0 disables.
- AutocleanInterval: Enables auto clean packages for X days. This configuration displays 7 days
For example, APT::Periodic::AutocleanInterval “7”; means that the system will clear the download archive every seven (7) days.
Step 4: Testing Automatic Upgrades
To verify that the automatic upgrades are set up correctly perform a dry run. The dry run command ensures that the update is only a simulation and that no actual changes will take place. Use the command:
sudo unattended-upgrades --dry-run --debug
Another option to check if the settings are applied correctly is to access the unattended-upgrades log. The log provides a detailed overview of previous upgrades:
By following this guide, you have successfully installed, configured and enabled automatic security updates on Ubuntu.
Your system is now protected by the latest security packages at all times, making the whole process fully automated.