KNEL/KNELConfigMgmt-FetchApply
1
0
Fork 0
Code Pull Requests Actions Packages Releases Activity
Files
dbe9e729697ba8fd2ba57157aa5a8723d12d32fc
KNELConfigMgmt-FetchApply/initializers/unattended-upgrades/configs/50unattended-upgrades
Charles N Wyble 429454ebc9 feat(unattended-upgrades): add automatic security update configuration 
Add Debian unattended-upgrades configuration files for automatic
security patch deployment:

- 50unattended-upgrades: Main configuration specifying allowed
  origins (distro, security, ESM), package blacklist, cleanup
  settings for unused kernels/dependencies, syslog logging, and
  configurable reboot behavior

- auto-upgrades: Enablement settings for the automatic update
  service

This ensures servers receive security patches promptly without
manual intervention, reducing the window of vulnerability.

Related: KNELServerBuild/ProjectCode/Modules/Security/secharden-auto-upgrade.sh
2026-02-17 16:31:53 -05:00

47 lines
1.5 KiB
Plaintext
Raw Blame History

// KNEL Unattended-Upgrades Configuration
// Automatically install security updates
Unattended-Upgrade {
// Automatically upgrade packages from these origins
Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
};
// Package blacklist - never auto-upgrade these
Package-Blacklist {
};
// Send email to this address for problems or packages upgrades
// Uncomment and set to a valid email address for notifications
//Unattended-Upgrade::Mail "admin@knownelement.com";
// Remove unused automatically installed kernel-related packages
Remove-Unused-Kernel-Packages "true";
// Do automatic removal of newly unused dependencies after the upgrade
Remove-New-Unused-Dependencies "true";
// Remove unused dependencies
Remove-Unused-Dependencies "true";
// Automatically reboot *WITHOUT CONFIRMATION* if the file
// /var/run/reboot-required is found after the upgrade
Automatic-Reboot "false";
// If automatic reboot is enabled and the system needs to reboot,
// reboot at the specific time instead of immediately
//Automatic-Reboot-Time "02:00";
// Use apt bandwidth limit feature
//Acquire::http::Dl-Limit "70";
// Enable logging to syslog
SyslogEnable "true";
// Syslog facility
SyslogFacility "daemon";
};
View Git Blame Copy Permalink