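#!/bin/bash
# =============================================================================
# Automatic updates configuration module
# =============================================================================
#
# Installs unattended-upgrades and apt-listchanges, writes their
# configuration under /etc/apt, and enables the unattended-upgrades service.
# Depends on log_message, is_package_installed and backup_file from common.sh.

# Directory this script lives in, so common.sh resolves regardless of the
# caller's working directory.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Source common functions and variables (relative to this script, not $PWD)
source "${SCRIPT_DIR}/common.sh"

#######################################
# Write a configuration file from stdin and log the outcome.
# Arguments: $1 - destination path
#            $2 - short name used in the log messages
# Inputs:    file contents on stdin (normally a here-document)
# Outputs:   log lines via log_message
# Returns:   0 on success, 1 if the file could not be written
#######################################
write_config_file() {
  local dest=$1
  local label=$2
  if ! cat > "$dest"; then
    log_message "ERROR" "Failed to write ${label} configuration to ${dest}"
    return 1
  fi
  log_message "SUCCESS" "${label} configuration created at ${dest}"
  return 0
}

#######################################
# Install and configure unattended-upgrades and apt-listchanges, then enable
# and restart the unattended-upgrades service.
# Globals:   none written
# Arguments: none
# Outputs:   log lines via log_message; writes three files under /etc
# Returns:   0 on success, 1 on the first failing step
#######################################
configure_auto_updates() {
  local unattended_conf="/etc/apt/apt.conf.d/50unattended-upgrades"
  local auto_upgrades="/etc/apt/apt.conf.d/20auto-upgrades"
  local listchanges_conf="/etc/apt/listchanges.conf"

  log_message "INFO" "Configuring automatic security updates"

  # Install unattended-upgrades if not already installed
  if is_package_installed "unattended-upgrades"; then
    log_message "INFO" "unattended-upgrades is already installed"
  else
    log_message "INFO" "Installing unattended-upgrades"
    # Non-interactive frontend: apt-listchanges would otherwise stop on a
    # pager/debconf prompt and hang an unattended run.
    if ! DEBIAN_FRONTEND=noninteractive apt-get install -y \
        unattended-upgrades apt-listchanges; then
      log_message "ERROR" "Failed to install unattended-upgrades"
      return 1
    fi
  fi

  # ---- 50unattended-upgrades --------------------------------------------
  # Quoted delimiter: ${distro_id}/${distro_codename} are placeholders that
  # unattended-upgrades expands at run time, not shell variables.
  # Note: the "-updates" origin pulls in non-security updates as well, and
  # Automatic-Reboot "true" lets the host reboot on its own at the given time;
  # both are deliberate here but worth reviewing per host.
  log_message "INFO" "Creating unattended-upgrades configuration"
  backup_file "$unattended_conf"
  write_config_file "$unattended_conf" "unattended-upgrades" <<'EOF' || return 1
// Unattended-Upgrades configuration
// Generated by security hardening script

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
    "${distro_id}:${distro_codename}-updates";
};

// Package blacklist - packages that should never be automatically upgraded
Unattended-Upgrade::Package-Blacklist {
    // "vim";
    // "libc6";
    // "libc6-dev";
    // "libc6-i686";
};

// Split the upgrade into smaller chunks to minimize downtime
Unattended-Upgrade::MinimalSteps "true";

// Install security updates automatically
Unattended-Upgrade::DevRelease "false";

// Automatically reboot if necessary
Unattended-Upgrade::Automatic-Reboot "true";

// Reboot time
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Send email notifications if available
Unattended-Upgrade::Mail "";

// Only send mail on errors
Unattended-Upgrade::MailOnlyOnError "true";

// Remove unused kernel packages
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Remove unused dependencies
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Verbose logging
Unattended-Upgrade::Verbose "true";

// Enable automatic updates
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF

  # ---- 20auto-upgrades --------------------------------------------------
  # Backed up like the other two files so a previous policy can be restored.
  log_message "INFO" "Creating auto-upgrades configuration"
  backup_file "$auto_upgrades"
  write_config_file "$auto_upgrades" "auto-upgrades" <<'EOF' || return 1
// Auto-upgrade configuration
// Generated by security hardening script

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF

  # ---- apt-listchanges --------------------------------------------------
  log_message "INFO" "Creating apt-listchanges configuration"
  backup_file "$listchanges_conf"
  write_config_file "$listchanges_conf" "apt-listchanges" <<'EOF' || return 1
[apt]
frontend=pager
email_address=root
confirm=0
save_seen=/var/lib/apt/listchanges.db
which=both
EOF

  # Enable and start the unattended-upgrades service.
  # `service` takes NAME ACTION and has no "enable" verb, so the previous
  # `service enable ...` / `service restart ...` calls could never succeed;
  # systemctl is used instead and both steps are checked.
  log_message "INFO" "Enabling unattended-upgrades service"
  if systemctl enable unattended-upgrades && systemctl restart unattended-upgrades; then
    log_message "SUCCESS" "unattended-upgrades service enabled and restarted successfully"
  else
    log_message "ERROR" "Failed to enable or restart unattended-upgrades service"
    return 1
  fi
  return 0
}

# Main execution for automatic updates.
# The function's status is checked so a failed step is not reported as SUCCESS.
if configure_auto_updates; then
  log_message "SUCCESS" "Automatic updates configuration completed"
else
  log_message "ERROR" "Automatic updates configuration failed"
  exit 1
fi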