
There's obviously a way to check to see when an update is a security update. I often get greeted by a motd that says "there are N security updates."

What I'd like to do is have my server email me a list of what packages need updating for security reasons.

To take it a step further, the email would link to the applicable security notification from Ubuntu.

Basically, each server is somewhat unique. I've received several emails on the security mailing list for packages I do not have installed on any/all servers. So I'd like each individual server to tell me what it needs. That way I can apply updates in a timely manner, while avoiding restarting services like Apache that would cause users to have some downtime.

How could I do this?

David R.
    Have you thought about setting up unattended upgrades and tell it to only automatically install security pocket updates? – Thomas Ward May 07 '13 at 20:29
    I want to avoid installing updates that might break something or cause services to restart. Unattended upgrades could do both of those things. – David R. May 08 '13 at 00:40
  • But security upgrades won't do that, security upgrades are usually cherrypicked fixes that are tested before being uploaded. If you configure unattended-upgrades to ONLY do security updates it will likely not break anything. – Thomas Ward May 08 '13 at 00:56
  • A security update to Apache would require that Apache be restarted, right? – David R. May 08 '13 at 17:51
  • I am not an expert in the Apache package but I believe it automatically issues a restart command after upgrading. I'd have to check its init scripts and its install scripts to figure that one out, but a restart just means a momentary restart and everything's back to normal quickly, usually within a few seconds, sometimes within a minute max. But if you don't keep it updated, you will be stuck with bugs and a lot of vulnerabilities – Thomas Ward May 08 '13 at 19:18
  • Security upgrades frequently cause daemon restarts which in addition to a short or not so short pause occasionally have side effects. Although rarely, some security updates do cause trouble. I use automatic upgrades on non-critical servers, but not on critical ones. – Hontvári Levente Mar 18 '18 at 05:39

3 Answers


You can use a tool called apticron to notify you when new updates are available. It sends you e-mail about pending upgrades, and also gives you the option to only send e-mail about updates you have not previously been notified about.

To set up apticron, edit /etc/apticron/apticron.conf and change the line containing the e-mail address:

EMAIL="admin@example.com"

Enter the e-mail address you wish to receive notifications to.

For more information see man apticron.

Mike
  • I could not setup apticron to send only security updates. It sends notifications about all updates, including non-security updates, which cause too much noise to be useful for me. – Hontvári Levente Mar 18 '18 at 05:43

From a previous post, you can run security upgrades via the command line with:

sudo unattended-upgrade

I checked it out and you can also use the command line option

 sudo unattended-upgrade --dry-run

to download but not install updates.

When running the program I am not getting any output; I think this is because I have my system set to auto-update. If you can get output from this, just figure out what the updated vs. pending updates look like and write a shell script to send you an email containing the output of the pending updates.

Then run this script as a cron job.

Note: use crontab -e to run jobs as root.

tweirick
  • I'm not asking how to install upgrades. That's easy. Nor am I asking how to tell if security upgrades are needed. I'm asking how to be notified WHAT security upgrades need to be applied for individual servers without me having to log in. – David R. May 08 '13 at 00:42
  • Shouldn't the email of the pending but not installed updates accomplish this? – tweirick May 08 '13 at 04:28
  • Ah, pardon, I'm going to blame the allergies I've been fighting for my not seeing the text you bolded... – David R. May 08 '13 at 17:54
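One way to implement the script tweirick describes, as an added example that is not part of any answer on this page: it parses the output of a simulated upgrade (`apt-get -s dist-upgrade`, which changes nothing) rather than unattended-upgrade's, keeps only packages whose origin is the *-security pocket, and mails the per-server list together with a link to the Ubuntu Security Notices index. The recipient address, the demo host name, the sample apt-get lines and the presence of a `mail` command (bsd-mailx or mailutils) are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not code from the original thread. Lists pending updates that
# come from the Ubuntu security pocket and mails them, without installing anything.
set -eu

RECIPIENT="${RECIPIENT:-admin@example.com}"   # placeholder: set to your own address

# Constructed sample of "apt-get -s dist-upgrade" output, so the parsing can be
# exercised on any machine without touching the package system. One package
# (apache2) is offered from two pockets, which is a real apt situation.
SAMPLE_SIMULATION='Inst libssl3 [3.0.2-0ubuntu1.9] (3.0.2-0ubuntu1.10 Ubuntu:22.04/jammy-security [amd64])
Inst vim [2:8.2.3995-1ubuntu2.11] (2:8.2.3995-1ubuntu2.12 Ubuntu:22.04/jammy-updates [amd64])
Conf libssl3 (3.0.2-0ubuntu1.10 Ubuntu:22.04/jammy-security [amd64])
Inst apache2 [2.4.52-1ubuntu4.5] (2.4.52-1ubuntu4.6 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])'

# Reads simulation output on stdin and prints "pkg old -> new" for every
# "Inst" line whose origin list names a -security pocket.
security_pending() {
    awk '
    /^Inst / {
        pkg = $2
        # "[old-version]" is present only for packages already installed
        old = ($3 ~ /^\[/) ? substr($3, 2, length($3) - 2) : "new"
        # keep just the text inside the parentheses: "newver origin[, origin] [arch]"
        paren = $0
        sub(/^[^(]*\(/, "", paren)
        sub(/\)[^)]*$/, "", paren)
        split(paren, f, " ")
        if (paren ~ /-security([ ,]|$)/) printf "%s %s -> %s\n", pkg, old, f[1]
    }'
}

# Wraps the list in a short report. $1 = host name; the list is read from stdin.
build_report() {
    host=$1
    list=$(cat)
    if [ -z "$list" ]; then
        printf 'No pending security updates on %s\n' "$host"
        return 0
    fi
    printf 'Pending security updates on %s:\n\n%s\n\nAdvisories: https://ubuntu.com/security/notices\n' \
        "$host" "$list"
}

# --live: refresh the index, simulate the upgrade (no changes, no restarts) and
# mail the result. Example root crontab line:
#   0 7 * * * /usr/local/sbin/security-report --live
if [ "${1:-}" = "--live" ]; then
    apt-get update -qq
    apt-get -s dist-upgrade | security_pending | build_report "$(hostname -f)" \
        | mail -s "Security updates pending on $(hostname -f)" "$RECIPIENT"
else
    printf '%s\n' "$SAMPLE_SIMULATION" | security_pending | build_report "example-host"
fi
```

Without arguments the script runs on the constructed sample and prints the report; with --live it uses the real apt index. Because `-s` only simulates, nothing is installed and no daemon is restarted, and the match is made on the origin list rather than on the first origin so that a package offered from both -updates and -security is still reported.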

According to https://ubuntu.com/server/docs/package-management:

Configuring Unattended-Upgrade::Mail in /etc/apt/apt.conf.d/50unattended-upgrades will enable unattended-upgrades to email an administrator detailing any packages that need upgrading or have problems.

I would assume that this would combine with your setting of scoping security updates only.
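A /etc/apt/apt.conf.d/50unattended-upgrades fragment that combines the two settings, added here as an example rather than copied from the linked documentation. The address is a placeholder; the blacklist entry is an optional addition for the Apache concern raised in the question, keeping that daemon's packages out of automatic upgrades so they can be applied by hand at a chosen time.

```conf
// Added example for /etc/apt/apt.conf.d/50unattended-upgrades (not from the docs page)

// Take packages only from the security pocket; -updates stays disabled.
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
};

// Optional: leave these packages for a manual, scheduled upgrade (regex on package name).
Unattended-Upgrade::Package-Blacklist {
        "apache2";
};

// Mail the report to this address (placeholder); needs a working mail/sendmail on the host.
Unattended-Upgrade::Mail "admin@example.com";
// "on-change" mails only when something was installed or failed; "always" mails every run.
Unattended-Upgrade::MailReport "on-change";

Unattended-Upgrade::Automatic-Reboot "false";
```

Note that unattended-upgrades sends this report only on a run in which it actually installs (or fails to install) packages, so it is a record of what was applied rather than a list of what is still pending.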