feat(unattended-upgrades): add automatic security update configuration

Add Debian unattended-upgrades configuration files for automatic
security patch deployment:

- 50unattended-upgrades: Main configuration specifying allowed
  origins (distro, security, ESM), package blacklist, cleanup
  settings for unused kernels/dependencies, syslog logging, and
  configurable reboot behavior

- auto-upgrades: Enablement settings for the automatic update
  service

This ensures servers receive security patches promptly without
manual intervention, reducing the window of vulnerability.

Related: KNELServerBuild/ProjectCode/Modules/Security/secharden-auto-upgrade.sh
Charles N Wyble
2026-02-17 16:31:53 -05:00
parent 43d6003128
commit 429454ebc9
2 changed files with 53 additions and 0 deletions


@@ -0,0 +1,46 @@
// KNEL Unattended-Upgrades Configuration
// Automatically install security updates
Unattended-Upgrade {
// Automatically upgrade packages from these origins
Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
};
// Package blacklist - never auto-upgrade these
Package-Blacklist {
};
// Send email to this address for problems or packages upgrades
// Uncomment and set to a valid email address for notifications
//Unattended-Upgrade::Mail "admin@knownelement.com";
// Remove unused automatically installed kernel-related packages
Remove-Unused-Kernel-Packages "true";
// Do automatic removal of newly unused dependencies after the upgrade
Remove-New-Unused-Dependencies "true";
// Remove unused dependencies
Remove-Unused-Dependencies "true";
// Automatically reboot *WITHOUT CONFIRMATION* if the file
// /var/run/reboot-required is found after the upgrade
Automatic-Reboot "false";
// If automatic reboot is enabled and the system needs to reboot,
// reboot at the specific time instead of immediately
//Automatic-Reboot-Time "02:00";
// Use apt bandwidth limit feature
//Acquire::http::Dl-Limit "70";
// Enable logging to syslog
SyslogEnable "true";
// Syslog facility
SyslogFacility "daemon";
};
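Review bot: the commented-out `//Unattended-Upgrade::Mail "admin@knownelement.com";` and `//Acquire::http::Dl-Limit "70";` lines sit inside the `Unattended-Upgrade { ... };` scope block, so uncommenting them as written would define `Unattended-Upgrade::Unattended-Upgrade::Mail` and `Unattended-Upgrade::Acquire::http::Dl-Limit` rather than the intended keys, because apt.conf prefixes names nested in a scope with the scope name. Either move both lines below the closing `};`, or change the first to `Mail "admin@knownelement.com";` inside the block; `Acquire::http::Dl-Limit` is not an Unattended-Upgrade option at all and has to stay at top level. One operational consequence worth stating in the file header: with `Automatic-Reboot "false"` and no mail recipient configured, nothing here tells anyone that a kernel upgrade has left /var/run/reboot-required behind, so that file (named in the comment on the reboot option) needs to be watched by whatever monitoring these servers already have.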


@@ -0,0 +1,7 @@
// KNEL Auto-Upgrades Configuration
// Enable unattended-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
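Review bot: the destination path of this file is not visible in the hunk, and the commit message only calls it `auto-upgrades`; `dpkg-reconfigure unattended-upgrades` writes the `APT::Periodic::Update-Package-Lists` and `APT::Periodic::Unattended-Upgrade` keys to `/etc/apt/apt.conf.d/20auto-upgrades`, so if this lands under a different name both files can coexist and apt applies them in lexical order, meaning a later reconfigure that sets `Unattended-Upgrade "0"` may silently override this file or be overridden by it. Suggest installing it as `20auto-upgrades` (or at least recording the chosen path in the commit message and in secharden-auto-upgrade.sh) so the enablement state has a single source of truth.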