Automatic Updates in Ubuntu Server 18.04.1 LTS with Apt and unattended-upgrades package

In this post we look at how we can automate our security updates and packages that can be updated for a Ubuntu Server 18.04.1 LTS including scheduled reboots. Automatic Updates in Ubuntu Server are a real win.

This is a fairly straight forward affair, we will be working in the unattended-upgrades package, this can used to automatically install updates to the system. We have granular control, being able to configure updates to all packages or just security updates, blacklisting packages, notifications and auto reboot. A very useful set of features.

Lets look at the main configuration file /etc/apt/apt.conf.d/50unattended-upgrades.

A couple of key lines in this file will want our attention. Firstly this will depending on what type of updates you want to automate. If you know the software that runs on the server well enough, and depending on the criticality of the service it provides you have the following options for the type of updates to automate, uncommenting ‘//’ the various lines will give you those type of updates:

Unattended-Upgrade::Allowed-Origins {
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";

This next section of the file dictates what packages should not be upgraded, ie if you have a certain set of dependencies and don’t want to the software to upgrade due to comparability issues list them here:

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";

To get notifications for any problems or package upgrades add your email address to the below section:

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. ""
Unattended-Upgrade::Mail "";

The next two sections dictate when the server should be rebooted and without confirmation. Here we have the Unattended-Upgrade::Automatic-Reboot option set to ‘true‘, and unattended-Upgrade::Automatic-Reboot-Time set to ‘02:00‘ am.

// Automatically reboot *WITHOUT CONFIRMATION*
// if the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
unattended-Upgrade::Automatic-Reboot-Time "02:00";

To then enable the automatic updates edit the file /etc/apt/apt.conf.d/20auto-upgrades. Create the file if it doesn’t exist, add the below text, the frequency of the update procedure is dictated by the number in quotes next to each item. For example everything with a 1 in it will happen everyday and the 7 represents once a week.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

A couple of useful log files to keep an eye on are: /var/log/unattended-upgrades/unattended-upgrades.log. This will give you information about the updates and whether a reboot is required. /var/log/unattended-upgrades/unattended-upgrades-shutdown.log and also issuing the command last reboot will also give you information about any restarts that are required or have happened.

I hope this been helpful and keeps you current with your patching!

Advanced Persistent Threats

Advanced Persistent Threats are becoming an increasingly prevalent threat to organisations and the information they hold. Advanced Persistent Threats are a type of attack that are defined by the National Institute of Standards and Technology (2011) as being a highly sophisticated attack, well-orchestrated, well-funded and are targeted at specific organisations or people. These type of attacks seek to gain a foothold inside an organisation, remain undetected and over a specific time frame from Advanced Persistent Threats
hours to months laterally move across the network and exfiltrate data, the specific information assets they desire undetected, often more than once. This is as opposed to the more conventional opportunist attacker who isn’t interested in any particular target or any specific data. If the attacker doesn’t succeed the first time they will simply move onto the next weakest victim, these types of attack have often in the passed been used only to heighten the profile of a hacker. Attack vectors include Spear fishing attempts with either email content or attachments carrying the payload through to malware and more commonly malvertising.

Evidence of high profile targeted Advanced Persistent Threats are being reported in the press more than ever. Some examples of such being Target’s 2013 breach, Sony 2014 breach and more recently Ashley Madison 2015 this list goes on. Upholding the confidentiality, availability and integrity of information that these sites and companies hold is possible through the use of good IT Governance. With an effective and current Information Security Management System in place and utilizing good strong controls organisations can better protect themselves from Advanced Persistent Threats.

Ensuring user awareness training is provided. Ensuring the desktop is appropriately secured. Keeping software up to date. Ensuring strong Authentication mechanisms are in place. Ensuring Antivirus, Firewalls and Host Intrusion Detection/Prevention systems are appropriately configured and kept up to date are all only some of the controls that should be in place as a standard to help mitigate the risk.

All too often perimeter defenses are in place and appropriately secured from the outside, however from inside out, the desktop and the actual user are all attack vectors that are left open to threats.  The threat landscape is constantly evolving, we need to stay on top in order to try and evade APTs.