tldr-devops/auto-security-patching

auto-updates

Apply updates to your servers automatically and securely

Warning: I'm living in Belarus, a country between the EU and Russia. And today we are fighting for our freedom against 'the last dictator of Europe'. So I can't guarantee that I'll be able to maintain this repo scrupulously. Sorry, guys.

Motivation: I manage hundreds of hosts and I know that manual patching is hard even with automation like Ansible or Puppet or whatever. Infrastructure can run for months or even years without proper security updates. Docker containers with planned rebuilding and delivery can solve the problem, but most of the internet still doesn't run in Docker :) So in my opinion limited automatic updates with monitoring, notifications and canary tests on the stage environment are the lesser evil compared to unpatched servers :)

I added databases and services like Docker, whose restart can seriously affect your production, to the stop list. However, I left web servers and programming languages in, as I think they should be patched anyway even if that means a restart. In any case, you should review the stop list, pin the necessary packages and choose the date and time for your servers based on their roles. I prefer automatic updates during the daytime on Monday for test and on Wednesday and Thursday for prod, when the whole team can respond to problems.

Support

You can support this or any other of my projects

  • by sending PRs with improvements to my configs or English texts 😂
  • by sending me donations

DEB based

  1. `apt update && apt install unattended-upgrades`
  2. `nano /etc/apt/apt.conf.d/20auto-upgrades` and set both periodic jobs to "0", so that APT's own daily scheduling is switched off and the cron entries from step 5 alone decide when package lists are refreshed and updates are installed:

     ```
     APT::Periodic::Update-Package-Lists "0";
     APT::Periodic::Unattended-Upgrade "0";
     ```

  3. `systemctl disable --now apt-daily{,-upgrade}.{timer,service}` (stops the systemd timers that would otherwise run these jobs on their own schedule)
  4. `cp unattended-upgrades /etc/apt/apt.conf.d/50unattended-upgrades` (this repo's configuration with the stop list described above; review it and pin packages for your roles)
  5. `crontab -e` and keep the lines that match the host's role:

     ```
     # update list of packages on all servers at the same time
     0 12 * * 1 /usr/bin/apt update
     # install updates on the TEST
     10 12 * * 1 /usr/bin/unattended-upgrades
     # install updates on the half of PROD
     10 12 * * 3 /usr/bin/unattended-upgrades
     # install updates on the other half of PROD
     10 12 * * 4 /usr/bin/unattended-upgrades
     ```
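An added shell audit (example code, not part of this repo) for checking a host against the DEB setup above: that 20auto-upgrades really hands scheduling over to cron, which entries the stop list (`Unattended-Upgrade::Package-Blacklist` in 50unattended-upgrades) contains and whether a given package falls under it, and that the crontab carries an unattended-upgrades job. The directory argument, the sample configs and the stop-list entries are constructed assumptions.

```shell
# Audit helpers (added example, POSIX sh) for the unattended-upgrades setup above.
# Paths are taken relative to a directory argument so the constructed sample
# configs below can be checked offline; on a real host use /etc/apt/apt.conf.d.

# Print the value of an APT::Periodic::* key from a 20auto-upgrades style file.
apt_periodic_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$1" | tail -n 1
}

# True when APT's own periodic scheduling is off (both keys "0"), so the cron
# entries alone decide when package lists refresh and upgrades run.
periodic_disabled() {
    [ "$(apt_periodic_value "$1" 'APT::Periodic::Update-Package-Lists')" = 0 ] &&
    [ "$(apt_periodic_value "$1" 'APT::Periodic::Unattended-Upgrade')" = 0 ]
}

# Print the entries of Unattended-Upgrade::Package-Blacklist { ... }; one per line.
stop_list() {
    sed -n '/^[[:space:]]*Unattended-Upgrade::Package-Blacklist/,/};/p' "$1" |
        grep -v '^[[:space:]]*//' | grep -o '"[^"]*"' | tr -d '"'
}

# True when the package name matches a stop-list entry. Entries are matched as
# regexes anchored at the start; assumption: ERE is close enough here to the
# Python regexes unattended-upgrades itself uses.
in_stop_list() {
    for pat in $(stop_list "$1"); do
        printf '%s\n' "$2" | grep -Eq "^($pat)" && return 0
    done
    return 1
}

# True when a crontab dump contains an uncommented unattended-upgrades job.
cron_schedules_upgrades() {
    grep -Eq '^[^#]*[[:space:]]/usr/bin/unattended-upgrades([[:space:]]|$)' "$1"
}

# Constructed sample files mirroring the README's setup (not a real host's config).
write_sample_configs() {
    printf 'APT::Periodic::Update-Package-Lists "0";\nAPT::Periodic::Unattended-Upgrade "0";\n' > "$1/20auto-upgrades"
    printf 'Unattended-Upgrade::Package-Blacklist {\n    "docker-ce";\n    "postgresql";\n    "mysql-server";\n};\n' > "$1/50unattended-upgrades"
    printf '0 12 * * 1 /usr/bin/apt update\n10 12 * * 1 /usr/bin/unattended-upgrades\n' > "$1/crontab"
}

sample_dir=$(mktemp -d)
write_sample_configs "$sample_dir"
periodic_disabled "$sample_dir/20auto-upgrades" && echo "periodic scheduling: disabled (ok)"
in_stop_list "$sample_dir/50unattended-upgrades" postgresql-14 && echo "postgresql-14: in stop list"
cron_schedules_upgrades "$sample_dir/crontab" && echo "crontab: unattended-upgrades job present"
```

Point the functions at `/etc/apt/apt.conf.d` and a `crontab -l` dump to audit a real host before its first scheduled run.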

RPM based

https://serverfault.com/questions/567195/how-can-i-exclude-a-package-from-yum-cron-but-not-from-manual-yum-upgrade
