Updates
ROLE common, upgrades.yml, logwatch.yml
We set up the unattended-upgrades package to install security patches once a day. The unattended-upgrades package installs the updates, the needrestart package restarts services whose libraries have changed, and the apt-listchanges package emails changelogs to the admin_email address.
We configure the logwatch package to send a daily summary of activity to the admin_email address. The report contains basic information about SSH logins, disk usage, mail traffic, web traffic, and fail2ban activity.
Occasionally a kernel update or other change will require a reboot. The email report will note this. Log in and run sudo shutdown -r now at your convenience. Patches to postfix or dovecot may not restart the servers properly, so if you don't see the normal backula and logwatch messages on a particular morning, you may need to manually restart them (or just reboot and then run mailboot).
Very rarely, an update may need operator input. These will be deferred and you will get a message about it. To manually install an update to a package:
% sudo apt update                        # fetch latest package index
% sudo apt list --upgradable             # list available upgrades
% sudo apt install <pkg>                 # update just <pkg>
% sudo apt --only-upgrade install <pkg>  # same, won't install new packages
This is specific to Debian and its derivatives. For Red Hat, Gentoo, etc. you'll need to figure out how they handle automatic security updates.
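As an added example (not part of the original role or its commands), a small POSIX shell check an operator can run after reading the morning mail: it rewrites `apt list --upgradable` output as old -> new versions with the suite, counts upgrades coming from a security suite, and reports Debian's /var/run/reboot-required flag. The sample apt output is constructed, and the reboot-required path is assumed from the Debian convention.

```shell
#!/bin/sh
# Added example, not part of the original role: a post-mail check for
# pending upgrades and reboot state on a Debian host.
# Assumes the line format of `apt list --upgradable` and Debian's
# /var/run/reboot-required and reboot-required.pkgs files.

# Rewrite `apt list --upgradable` lines as "pkg old -> new (suite)".
# Input line: pkg/suite new_version arch [upgradable from: old_version]
# Lines that don't match (e.g. the "Listing... Done" header) are dropped.
parse_upgradable() {
    sed -n 's#^\([^/]*\)/\([^ ]*\) \([^ ]*\) [^ ]* \[upgradable from: \(.*\)]$#\1 \4 -> \3 (\2)#p'
}

# Count pending upgrades whose suite ends in "security" (e.g. bookworm-security).
count_security() {
    parse_upgradable | grep -c 'security)$' || :
}

# Exit 0 and name the packages that asked for a reboot, or exit 1 if none.
# $1 overrides the flag file path (default: /var/run/reboot-required).
reboot_pending() {
    f=${1:-/var/run/reboot-required}
    if [ -f "$f" ]; then
        pkgs=$( [ -r "$f.pkgs" ] && xargs echo < "$f.pkgs" || : )
        echo "reboot required by: ${pkgs:-unknown}"
        return 0
    fi
    echo "no reboot pending"
    return 1
}

# Constructed sample of `apt list --upgradable` output (not real package data).
SAMPLE='Listing... Done
linux-image-amd64/bookworm-security 6.1.90-1 amd64 [upgradable from: 6.1.85-1]
postfix/bookworm-security 3.7.11-0+deb12u1 amd64 [upgradable from: 3.7.10-0+deb12u1]
logwatch/bookworm 7.7-1 all [upgradable from: 7.6-1]'

# Run against the sample; on a real host pipe `apt list --upgradable` in instead.
printf '%s\n' "$SAMPLE" | parse_upgradable
echo "security upgrades pending: $(printf '%s\n' "$SAMPLE" | count_security)"
reboot_pending || :
```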
Copyright © 2020-2023 David Loffredo, licensed under CC BY-SA 4.0.