Manually patching 200 Linux servers with 'apt update && apt upgrade -y' every month is not scalable and leaves systems vulnerable between cycles. Automated patching with unattended-upgrades (Debian) or dnf-automatic (RHEL) can deploy security updates daily. But blind automation can break production. This lesson teaches you to configure, test, and monitor automated Linux patching while maintaining stability with staging repositories and pre/post scripts.
Each distro has its own package manager. Debian/Ubuntu uses apt (with dpkg as the backend); RHEL/CentOS uses dnf (or yum); SUSE uses zypper. All support repository management, update listing, and install/remove. For security patching, focus on the security-specific repository (e.g., security.ubuntu.com for -security updates). List available security updates with 'apt list --upgradable | grep -- -security' (the '--' stops grep from reading '-security' as an option) or 'yum updateinfo list security'. Always verify GPG signatures on repos.
The output shows two security updates ready. A manual administrator would apply these, but an automated system can do it without human intervention.
unattended-upgrades is configured via /etc/apt/apt.conf.d/50unattended-upgrades. You specify which origins to allow (e.g., ${distro_id}:${distro_codename}-security), whether to automatically reboot if required, and email notifications. On RHEL, dnf-automatic provides similar functionality with a timer unit. Always enable automatic updates only for security repositories, not for all updates, to reduce the risk of introducing breaking changes.
```bash
# Enable unattended-upgrades and configure only security updates
sudo dpkg-reconfigure -plow unattended-upgrades
```
Then edit /etc/apt/apt.conf.d/50unattended-upgrades so that only the security origin is allowed:
```
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
```
💡 Enable 'Unattended-Upgrade::Mail "you@example.com"' to receive a summary of installed packages and any errors. Monitor these emails for failures.
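The following audit script is an added example, not part of the lesson or of the unattended-upgrades project. It reads a 50unattended-upgrades file and fails if any active Allowed-Origins entry is not a -security origin, or if automatic reboot is enabled without a reboot window; a missing Mail address only produces a warning. The two sample configs it writes (a weak one that also pulls -updates, and a corrected one) are constructed for the demonstration; the file names and the `write_sample_configs` helper are this example's own.

```bash
#!/bin/sh
# Added example: audit an unattended-upgrades config for the settings this
# lesson recommends. Returns 0 when the config passes, 1 on any FAIL line.
audit_unattended_config() {
  cfg="$1"
  rc=0
  # Quoted strings inside the Allowed-Origins { ... }; block, skipping
  # lines commented out with // (apt.conf comment syntax).
  origins=$(awk '
    /Unattended-Upgrade::Allowed-Origins/ { inblk = 1; next }
    inblk && /^[ \t]*};/                  { inblk = 0 }
    inblk && !/^[ \t]*\/\//               { print }
  ' "$cfg" | sed -n 's/^[^"]*"\([^"]*\)".*/\1/p')
  if [ -z "$origins" ]; then
    echo "FAIL: no active Allowed-Origins entries in $cfg"
    return 1
  fi
  for o in $origins; do
    case "$o" in
      *-security) echo "ok   origin $o" ;;
      *)          echo "FAIL: non-security origin enabled: $o"; rc=1 ;;
    esac
  done
  if grep -Eq '^[ \t]*Unattended-Upgrade::Automatic-Reboot[ \t]+"true"' "$cfg"; then
    # A reboot at an arbitrary time is the outage the lesson warns about.
    if ! grep -Eq '^[ \t]*Unattended-Upgrade::Automatic-Reboot-Time[ \t]+"[0-9][0-9]:[0-9][0-9]"' "$cfg"; then
      echo "FAIL: Automatic-Reboot is on but no Automatic-Reboot-Time window is set"
      rc=1
    fi
  else
    echo "WARN: Automatic-Reboot off; kernel/libc updates wait for a manual reboot"
  fi
  grep -Eq '^[ \t]*Unattended-Upgrade::Mail[ \t]+"[^"]+"' "$cfg" \
    || echo "WARN: no Unattended-Upgrade::Mail address; failures will go unnoticed"
  return $rc
}

# Constructed sample configs for the demo: weak.conf allows everything,
# good.conf follows the lesson's recommendations.
write_sample_configs() {
  dir="$1"
  cat > "$dir/weak.conf" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Automatic-Reboot "true";
EOF
  cat > "$dir/good.conf" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
//  "${distro_id}:${distro_codename}-updates";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
};
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
Unattended-Upgrade::Mail "ops@example.com";
EOF
}

# Stand-alone demo: audit both samples and report the verdict.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for f in weak.conf good.conf; do
  if audit_unattended_config "$demo_dir/$f"; then
    echo "$f: PASS"
  else
    echo "$f: FAIL"
  fi
done
```

Run it against the real file with `audit_unattended_config /etc/apt/apt.conf.d/50unattended-upgrades` from a configuration-management check or a cron job, and treat a non-zero exit as a finding: an origin outside -security is exactly the path by which a feature update, not a security fix, reaches production unreviewed.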
| Distro | Automated Tool | Key Config File |
|---|---|---|
| Debian/Ubuntu | unattended-upgrades | /etc/apt/apt.conf.d/50unattended-upgrades |
| RHEL/CentOS/Fedora | dnf-automatic | /etc/dnf/automatic.conf |
| SUSE/openSUSE | zypper with cron | Script in /etc/cron.daily/ |
For critical systems, don't let automated updates hit production directly. Use a local mirror or staging repository where patches are tested before syncing to production repos. Tools like 'aptly' or 'pulp' can manage this. Hook pre/post scripts into apt (DPkg::Pre-Install-Pkgs, or the DPkg::Pre-Invoke and DPkg::Post-Invoke hooks), which unattended-upgrades honours because it runs through apt, to stop services, take backups, or run integration tests after patching. Automated patching with testing gates is the gold standard.
⚠️ Automatic reboots can cause outages if not coordinated. Ensure all services can recover gracefully after a reboot. Use cluster rolling reboots for high-availability setups.
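As an added example of the pre/post hooks and reboot gate described above (not code from the lesson or from any distribution package), the script below records a package snapshot before apt runs, runs a list of health checks afterwards, and only permits a reboot when the kernel flagged one and no check failed. The install path /usr/local/sbin/patch-hooks.sh, the state directory, the PATCH_STATE_DIR variable and the health-check commands in the dispatcher are this example's own assumptions; the reboot-required flag file is passed in as an argument so the gate can be tested offline.

```bash
#!/bin/sh
# Added example: apt hook script bracketing each package operation.
# Register it in a file under /etc/apt/apt.conf.d/ (assumed path):
#   DPkg::Pre-Invoke  { "/usr/local/sbin/patch-hooks.sh pre"; };
#   DPkg::Post-Invoke { "/usr/local/sbin/patch-hooks.sh post"; };

STATE_DIR="${PATCH_STATE_DIR:-/var/lib/patch-hooks}"   # assumed location

# Installed package list; used for the before/after diff in the report.
snapshot_packages() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Package} ${Version}\n'
  else
    echo "# dpkg-query not available on this host"
  fi
}

# Pre-hook: record state and clear any stale failure marker.
pre_patch() {
  dir="$1"
  mkdir -p "$dir"
  snapshot_packages | sort > "$dir/packages.before"
  date -u +%Y-%m-%dT%H:%M:%SZ > "$dir/started"
  rm -f "$dir/healthcheck.failed"
}

# Run each check command (one per argument); a failing check is recorded in
# healthcheck.failed so the reboot gate and the notification mail can see it.
run_health_checks() {
  dir="$1"; shift
  failed=0
  for check in "$@"; do
    if sh -c "$check" >/dev/null 2>&1; then
      echo "ok   $check"
    else
      echo "FAIL $check"
      echo "$check" >> "$dir/healthcheck.failed"
      failed=1
    fi
  done
  return $failed
}

# Post-hook: diff the package set and gate on the health checks. A non-zero
# exit here surfaces in the unattended-upgrades log and summary mail.
post_patch() {
  dir="$1"; shift
  snapshot_packages | sort > "$dir/packages.after"
  comm -3 "$dir/packages.before" "$dir/packages.after" > "$dir/changed"
  run_health_checks "$dir" "$@"
}

# Reboot gate: reboot only when the flag file says one is required AND no
# health check failed. Returns 0 when a reboot may proceed.
reboot_allowed() {
  dir="$1"
  flag="$2"            # normally /var/run/reboot-required
  [ -f "$flag" ] || return 1
  [ ! -f "$dir/healthcheck.failed" ]
}

# Dispatcher for use as the apt hook; the checks are assumed examples.
case "${1:-}" in
  pre)  pre_patch "$STATE_DIR" ;;
  post) post_patch "$STATE_DIR" \
          "systemctl is-active sshd" \
          "systemctl is-active nginx" ;;
  reboot-check)
        if reboot_allowed "$STATE_DIR" /var/run/reboot-required; then
          echo "reboot permitted"
        else
          echo "reboot withheld"; exit 1
        fi ;;
esac
```

Pairing `reboot-check` with the reboot window (for example, a timer at the Automatic-Reboot-Time that runs it before `shutdown -r`) gives a rolling-reboot controller a simple yes/no per host; a failed health check leaves the marker file in place, so the host stays up and the failure reaches the on-call engineer through the summary mail instead of through an outage.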