Device Inventory
Your fleet represented in thousands of data points
Security & Compliance Checks
Monitor your entire Linux, Mac, and Windows fleet
Self-Remediation via Slack App
Engage end-users on Slack to self-remediation issues
Get Compliant
Measure, achieve, and maintain your compliance goals
Gain Fleet Visibility
Become "all knowing" across Linux, Mac, and Windows PCs
Implement Honest Security
Make security a core value in your company's culture
Help Center Product Changelog App Security Company: We're Hiring!
From the blog
View Other Checks

Contents

View Other Checks

How to Ensure Ubuntu’s Unattended Upgrades Are Turned On

Enabling Unattended Upgrades ensures critical software on Ubuntu remains patched automatically. It's a must-have.

What Are Unattended Upgrades?

The Unattended Upgrades feature of Ubuntu (and other Debian-based distros) ensures that important security patches for installed packages are automatically downloaded and installed without needing any manual intervention from an end-user (hence the word unattended).

A common misconception about this feature, is that when enabled, it will cause your device to regularly automatically restart. This is not true unless you specifically opt-in to that behavior by going through the following steps:

  1. Opening the /etc/apt/apt.conf.d/50unattended-upgrades config file
  2. Explicitly setting Unattended-Upgrade::Automatic-Reboot "true"
  3. Installing the optional update-notifier-common package.

For more information, please read Ubuntu's Documentation.

Do I Really Need Unattended Upgrades?

Like most things on Linux, there are strong debates for and against enabling Ubuntu's unattended upgrades package.

The primary argument against a solution like unattended-upgrades is that by automatically upgrading packages on a Linux device, one day, a less stable package may install and cause stability or user-experience issues. While this argument is technically valid, the fact remains that without this package installed and enabled, it's more far more likely that a Linux device will host software with severe and remotely exploitable security vulnerabilities. This is especially true for end-user devices running Linux.

Further bolstering the argument for turning it on, Canonical (the creators of Ubuntu) has opted to pre-install the unattended-upgrades package and enable it across the Ubuntu operating system. We highly recommend users keep this setting on.

How To Enable Unattended Upgrades

From the User Interface (Gnome Desktop)

By default, Ubuntu Desktop installations include an app called Software & Updates (internally referred to as update-manager). This program is capable of modifying the requisite files on your device to ensure Unattended Upgrades are correctly enabled.

To use it, simply follow these steps.

  1. Launch the Software & Updates app (you can also run update-manager from the terminal).

  2. Once opened, select the Updates tab.

  3. Ensure the When there are security updates option is set to Download and install automatically. Complete any authentication prompts if they are displayed.

  4. Click Close.

From the Terminal

  1. Verify the package is installed with sudo apt-get install unattended-upgrades -y

  2. Run sudo dpkg-reconfigure -plow unattended-upgrades which will then display the following interactive prompt:

  3. Select yes. Once completed, the app will create the file /etc/apt/apt.conf.d/20auto-upgrades with the correct settings. There may be an existing/conflicting installation screen that looks like the screenshot below. If you see that screen, simply replace the file with the new version to get the default behavior.

How To Determine If Unattended Upgrades Is Enabled with Osquery

Osquery (an open-source tool for querying the state of the OS) is capable of reading the contents of specific configuration files like /etc/apt/apt.conf.d/20auto-upgrades using an integration with the Augeas configuration parsing project.

Osquery uses SQL to query the system's current state. Assuming you have the correct lense installed, you can use Osquery SQL you can use the following query to get the determine if Unattended upgrades is configured correctly.

SELECT
  MAX(CASE WHEN label='Update-Package-Lists' THEN value END) as update_package_list,
  MAX(CASE WHEN label='Unattended-Upgrade' THEN value END) as unattended_upgrade,
FROM augeas
WHERE path = '/etc/apt/apt.conf.d/20auto-upgrades'

How Does Kolide Remediate This Problem?

This problem cannot be remediated through traditional automation with tools like an MDM. You need to be able to reach out to users who have devices that fail this check, and then give them precise instructions on how to resolve the problem.

Kolide's Slack app does exactly that. After enrolling devices, Kolide will automatically determine the primary user, introduce itself, and then reach out via Slack when a user's device experiences this problem. From there, it provides step-by-step instructions on how to fix it and gives them tools to verify they did it correctly.

Kolide
Home
Messages
About
9:41
Quin's Ubuntu PC • ubuntu-razer
Failing Check: Unattended Upgrades Configured Properly
Reason: Unattended Upgrades Improperly Configured
Why is this a Problem?

One of the easiest and best ways to protect your computer, is by keeping current with security software updates. The unattended-upgrades package helps by automatically keeping your computer up to date with the latest security updates.

Required Action:

The unattended-upgrades package is not configured correctly. Please use your preferred text editor and open /etc/apt/apt.conf.d/20auto-upgrades

Once opened, ensure the following values are present and both are set to 1 APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Unattended-Upgrade "1";

Alternately, you can do this via sudo dpkg-reconfigure unattended-upgrades and select yes.

If you're not comfortable with or do not fully understand these instructions, please reach out to your system administrator or IT Help Desk for assistance.

I've fixed it. Check again
Contact Admin for help
Want to start delivering this notification automatically to your end-users?
Add to Slack

Share this story:

Related Device Checks:

Find Unencrypted SSH Keys and Encrypt Them

ssh, developers, unencrypted-credentials, no-mdm-resolution

Find Macs With SIP Disabled and Enable It

startup-security, os-integrity, no-mdm-resolution

Find and Secure Plain-Text GitHub 2FA Backup Codes

github, two-factor-codes, unencrypted-credentials, no-mdm-resolution
View More of Kolide's Checks
Try Kolide Free
Endpoint Security
for Teams That Slack
Try Kolide Free