#!/bin/bash
# =============================================================================
# Automatic updates configuration module
# =============================================================================
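# Resolve the directory this script lives in so that sibling files are
# located relative to the script, not relative to the caller's working
# directory.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Source common functions and variables (log_message, is_package_installed
# and backup_file are used below).  Sourcing "./common.sh" would load
# whichever common.sh happens to sit in the current directory; anchoring on
# SCRIPT_DIR makes the dependency unambiguous and fails early when missing.
if [ ! -r "${SCRIPT_DIR}/common.sh" ]; then
  printf 'auto_updates.sh: cannot read %s/common.sh\n' "$SCRIPT_DIR" >&2
  exit 1
fi
# shellcheck source=./common.sh
source "${SCRIPT_DIR}/common.sh"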
# Function to configure unattended-upgrades
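#######################################
# Write stdin to the apt/listchanges configuration file given as $1.
# A failed open (no root, read-only /etc, full disk) is logged instead of
# being masked by the SUCCESS message that follows in the caller.
# Globals:   none
# Arguments: $1 - destination path
# Outputs:   the file at $1
# Returns:   0 on success, 1 if the file could not be written
#######################################
_write_apt_conf() {
  local dest=$1
  if ! cat > "$dest"; then
    log_message "ERROR" "Failed to write $dest"
    return 1
  fi
  # Normalise the mode regardless of umask or the mode of a pre-existing
  # file: root-writable, world-readable, like other files under /etc/apt.
  chmod 0644 "$dest"
  return 0
}

#######################################
# Enable unattended-upgrades at boot and (re)start it now.
# `service` takes "NAME ACTION" and has no "enable" action, so it can only
# be used for the restart; enabling requires systemctl.
# Globals:   none
# Arguments: none
# Returns:   status of the first failing command, 0 if all succeed
#######################################
_enable_unattended_upgrades() {
  if command -v systemctl >/dev/null 2>&1; then
    systemctl enable unattended-upgrades && systemctl restart unattended-upgrades
  else
    service unattended-upgrades restart
  fi
}

#######################################
# Install unattended-upgrades/apt-listchanges if needed, write their
# configuration, then enable and restart the unattended-upgrades service.
# Globals:   none written; uses log_message, is_package_installed and
#            backup_file from common.sh
# Arguments: none
# Outputs:   /etc/apt/apt.conf.d/50unattended-upgrades,
#            /etc/apt/apt.conf.d/20auto-upgrades, /etc/apt/listchanges.conf
# Returns:   0 on success, non-zero if the package install, any file write,
#            or the service enable/restart fails
#######################################
configure_auto_updates() {
  local unattended_conf="/etc/apt/apt.conf.d/50unattended-upgrades"
  local auto_upgrades="/etc/apt/apt.conf.d/20auto-upgrades"
  local listchanges_conf="/etc/apt/listchanges.conf"

  log_message "INFO" "Configuring automatic security updates"

  # Install unattended-upgrades if not already installed
  if is_package_installed "unattended-upgrades"; then
    log_message "INFO" "unattended-upgrades is already installed"
  else
    log_message "INFO" "Installing unattended-upgrades"
    # Non-interactive frontend so a configuration prompt cannot hang a run
    # that is meant to be unattended.
    if ! DEBIAN_FRONTEND=noninteractive apt-get install -y unattended-upgrades apt-listchanges; then
      log_message "ERROR" "Failed to install unattended-upgrades"
      return 1
    fi
  fi

  # ---- 50unattended-upgrades ---------------------------------------------
  # Policy choices worth confirming for the target fleet: Allowed-Origins
  # also admits "-updates" (stable updates, not only security), and
  # Automatic-Reboot is on, scheduled at 02:00.  The APT::Periodic keys at
  # the end are repeated in 20auto-upgrades with identical values.
  log_message "INFO" "Creating unattended-upgrades configuration"
  backup_file "$unattended_conf"

  # Quoted delimiter: the shell expands nothing in the here-doc, so
  # ${distro_id}/${distro_codename} reach apt literally for apt to expand.
  _write_apt_conf "$unattended_conf" <<'EOF' || return 1
// Unattended-Upgrades configuration
// Generated by security hardening script

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
"${distro_id}:${distro_codename}-updates";
};

// Package blacklist - packages that should never be automatically upgraded
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};

// Split the upgrade into smaller chunks to minimize downtime
Unattended-Upgrade::MinimalSteps "true";

// Install security updates automatically
Unattended-Upgrade::DevRelease "false";

// Automatically reboot if necessary
Unattended-Upgrade::Automatic-Reboot "true";

// Reboot time
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Send email notifications if available
Unattended-Upgrade::Mail "";

// Only send mail on errors
Unattended-Upgrade::MailOnlyOnError "true";

// Remove unused kernel packages
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Remove unused dependencies
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Verbose logging
Unattended-Upgrade::Verbose "true";

// Enable automatic updates
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
  log_message "SUCCESS" "unattended-upgrades configuration created at $unattended_conf"

  # ---- 20auto-upgrades ---------------------------------------------------
  # Backed up like the other two files so an operator's prior settings are
  # recoverable.
  log_message "INFO" "Creating auto-upgrades configuration"
  backup_file "$auto_upgrades"

  _write_apt_conf "$auto_upgrades" <<'EOF' || return 1
// Auto-upgrade configuration
// Generated by security hardening script

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
  log_message "SUCCESS" "auto-upgrades configuration created at $auto_upgrades"

  # ---- apt-listchanges ---------------------------------------------------
  log_message "INFO" "Creating apt-listchanges configuration"
  backup_file "$listchanges_conf"

  _write_apt_conf "$listchanges_conf" <<'EOF' || return 1
[apt]
frontend=pager
email_address=root
confirm=0
save_seen=/var/lib/apt/listchanges.db
which=both
EOF
  log_message "SUCCESS" "apt-listchanges configuration created at $listchanges_conf"

  # ---- service -----------------------------------------------------------
  # Both the enable and the restart are checked; previously only the status
  # of the last command decided success.
  log_message "INFO" "Enabling unattended-upgrades service"
  if _enable_unattended_upgrades; then
    log_message "SUCCESS" "unattended-upgrades service enabled and restarted successfully"
  else
    log_message "ERROR" "Failed to enable or restart unattended-upgrades service"
    return 1
  fi
  return 0
}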
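log_message "SCRIPT" "auto_updates.sh"

# Main execution for automatic updates.  configure_auto_updates returns
# non-zero on any failure; propagate that instead of logging SUCCESS
# unconditionally so a caller checking the exit status sees the truth.
if configure_auto_updates; then
  log_message "SUCCESS" "Automatic updates configuration completed"
else
  log_message "ERROR" "Automatic updates configuration failed"
  # `return` applies when this file is sourced as a module, `exit` when it
  # is executed directly.
  return 1 2>/dev/null || exit 1
fi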