Consider enable automatic security updates #207

Open
fshmcallister opened this issue Dec 23, 2019 · 12 comments

@fshmcallister
Contributor

We found that {devices} are not configured to automatically install security updates. Consider enabling this feature. Details for how to do this can be found here: {doc_url}.

part of #198

@AlEsmail
Contributor

Title grammar issue: Consider enabling ... or "Enable automatic security updates"

@fshmcallister
Contributor Author

fshmcallister commented Dec 23, 2019

TITLE
Automatic security updates not enabled

enable automatic security updates

TL;DR
Automatic security updates are not enabled on [DEVICE]. This leaves your machine vulnerable to security risks as software becomes outdated and open to attack. This is particularly relevant if you are running a server. Edit your `/etc/apt/apt.conf.d/50unattended-upgrades` and uncomment the line `"${distro_id}:${distro_codename}-updates";` then set up automatic updates.

FAQ

Automatic security updates by default are not enabled on Linux distributions. However, not doing so could leave your [DEVICE/NODE] vulnerable as software exploits are found and not corrected for, leaving them outdated and open to attack. While stability of a service may be affected by continual updates, in the instance where you are running a server with high amounts of egress and ingress, it is worth considering implementing automatic security updates after some time period.

Each Linux distribution has slightly different methods of setting up automatic security updates; however, for many, including Debian and Ubuntu, you can use the `unattended-upgrades` package. To do so, make sure the package is installed or install it by running `sudo apt-get install unattended-upgrades apt-listchanges`. You will need to play with the default configuration file by running `# editor /etc/apt/apt.conf.d/50unattended-upgrades` and uncomment the line `"${distro_id}:${distro_codename}-updates";`.

You will then need to create a `/etc/apt/apt.conf.d/20auto-upgrades` file or edit the pre-existing one, which is typically empty, to set up automatic updates. Paste the following, replacing the x values with the frequency at which you want updates:

```
APT::Periodic::Update-Package-Lists "x";
APT::Periodic::Download-Upgradeable-Packages "x";
APT::Periodic::AutocleanInterval "x";
APT::Periodic::Unattended-Upgrade "x";
```

We recommend setting most of these to 1 to get daily updates. AutocleanInterval can be done weekly, so set to 7.

^^ Codeblock? Or maybe its own tutorial

@fshmcallister
Contributor Author

fshmcallister commented Dec 23, 2019

I think this one might warrant a whole tutorial as it requires the UnattendedUpgrades package. It's not as straightforward as I thought.
Or rather, it doesn't 'fit' nicely into a FAQ

@vpetersson
Collaborator

@fshmcallister There is a pretty good tutorial here that we can link to instead of writing our own.

I think we can remove the references to the file in the tl;dr version, as you don't really care about that when you just want to understand it. That should be saved for the FAQ version.

Also, I'd like to see the FAQ version reworked a bit as it doesn't read well with inline code blocks like that.

@fshmcallister
Contributor Author

fshmcallister commented Dec 28, 2019

TL;DR
Automatic security updates may not be enabled. This leaves your machine vulnerable to security risks as software becomes outdated and open to attack. This is particularly relevant if you are running a server. Please consider setting up automatic security updates.

FAQ

Automatic security updates by default are not enabled on most Linux distributions. However, not doing so could leave you vulnerable as software exploits are found and not corrected for, leaving them outdated and open to attack. While stability of a service may be affected by continual updates, in the instance where you are running a server with high amounts of egress and ingress, it is worth considering implementing automatic security updates after some time period.

Each Linux distribution has slightly different methods of setting up automatic security updates; however, for many, including Debian and Ubuntu, you can use the `unattended-upgrades` package. To do so, make sure the package is installed:

```
sudo apt-get install unattended-upgrades apt-listchanges
```

You will need to edit the default configuration file /etc/apt/apt.conf.d/50unattended-upgrades using your preferred editor.
Note, the necessary changes vary by distribution. For more detail, you can see here for Debian or here for Ubuntu.

You will then need to create a /etc/apt/apt.conf.d/20auto-upgrades file or edit the pre-existing one, which is typically empty, to set up automatic updates.
Paste the following, replacing the x values with the frequency at which you want updates:

```
APT::Periodic::Update-Package-Lists "x";
APT::Periodic::Download-Upgradeable-Packages "x";
APT::Periodic::AutocleanInterval "x";
APT::Periodic::Unattended-Upgrade "x";
```

We recommend setting most of these to 1 to get daily updates. AutocleanInterval can be done weekly, so set to 7.

@vpetersson
Collaborator

> Automatic security updates by default are not enabled on Linux distributions.

On most Linux distributions.

Also, please test these instructions. I'm pretty sure you just need to run `sudo apt-get install unattended-upgrades` and it will take you through the wizard, rendering the remaining steps moot.

@fshmcallister
Contributor Author

fshmcallister commented Dec 28, 2019

At least on Debian it does not when I ran it before; I had to do the following steps manually.
I've updated the block above now to be more inclusive, as instructions vary depending on distro.

@vpetersson
Collaborator

Got it. I think I've only used it on Ubuntu, for which it works out-of-the-box. Maybe we should use different links for Debian and Ubuntu.

Here's the Ubuntu one https://help.ubuntu.com/lts/serverguide/automatic-updates.html

@fshmcallister
Contributor Author

No worries, I've linked both Debian and Ubuntu tutorials in the main FAQ block.

@fshmcallister
Contributor Author

fshmcallister commented Jan 27, 2020

TL;DR

Automatic security updates may not be enabled. By enabling this feature, your node will automatically install security updates as they become available, which reduces the attack surface of your node.

FAQ

Automatic security updates by default are not enabled on most Linux distributions. However, not doing so could leave you vulnerable as software exploits are found and not corrected for, leaving them outdated and open to attack.

While there is a chance that this will impact the stability of a service, it is generally considered worth the risk in order to improve the security posture.

Each Linux distribution has slightly different methods of setting up automatic security updates; however, for many, including Debian and Ubuntu, you can use the `unattended-upgrades` package. To do so, make sure the package is installed:

```
$ sudo apt-get install unattended-upgrades apt-listchanges
```

You will need to edit the default configuration file `/etc/apt/apt.conf.d/50unattended-upgrades` using your preferred editor.

Note, the necessary changes vary by distribution. For more detail, you can see [here](https://wiki.debian.org/UnattendedUpgrades) for Debian or [here](https://help.ubuntu.com/lts/serverguide/automatic-updates.html) for Ubuntu.

You will then need to create a `/etc/apt/apt.conf.d/20auto-upgrades` file or edit the pre-existing one, which is typically empty, to set up automatic updates.
Paste the following, replacing the `x` values with the frequency at which you want updates:

```
APT::Periodic::Update-Package-Lists "x";
APT::Periodic::Download-Upgradeable-Packages "x";
APT::Periodic::AutocleanInterval "x";
APT::Periodic::Unattended-Upgrade "x";
```
We recommend setting most of these to `1` to get daily updates. `AutocleanInterval` can be done weekly, so set to `7`.

Code Snippet

None at this time.
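
An added example, not part of the thread or the project's code: a shell check for whether the `APT::Periodic` settings from the FAQ draft above are actually in effect. The function names are hypothetical, and the check assumes the flat `APT::Periodic::Key "value";` syntax shown in the draft, treating a missing key, `0`, or the unedited `x` placeholder as not enabled.

```shell
#!/bin/sh
# Added example (not from the issue thread); function names are hypothetical.
# Audits APT::Periodic settings such as those in 20auto-upgrades.

# Print the last value assigned to APT::Periodic::<key> in apt.conf text on
# stdin. Lines commented out with // do not match the anchored pattern.
periodic_value() {
    sed -n 's|^[[:space:]]*APT::Periodic::'"$1"'[[:space:]]*"\([^"]*\)"[[:space:]]*;.*|\1|p' |
        tail -n 1
}

# Read apt.conf text on stdin; print "enabled" (exit 0) or a reason (exit 1).
auto_updates_status() {
    conf=$(cat)
    for key in Update-Package-Lists Unattended-Upgrade; do
        val=$(printf '%s\n' "$conf" | periodic_value "$key")
        case "$val" in
            "") echo "disabled: $key not set"; return 1 ;;
            0)  echo "disabled: $key is 0"; return 1 ;;
            x)  echo "disabled: $key still has placeholder x"; return 1 ;;
        esac
    done
    echo "enabled"
}

# Constructed sample inputs.
SAMPLE_DAILY='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";'

SAMPLE_TEMPLATE='APT::Periodic::Update-Package-Lists "x";
APT::Periodic::Unattended-Upgrade "x";'

SAMPLE_COMMENTED='APT::Periodic::Update-Package-Lists "1";
// APT::Periodic::Unattended-Upgrade "1";'

for sample in "$SAMPLE_DAILY" "$SAMPLE_TEMPLATE" "$SAMPLE_COMMENTED"; do
    printf '%s\n' "$sample" | auto_updates_status || true
done
```

On a Debian or Ubuntu host, `apt-config dump` prints the merged configuration in this same format, so its output can be piped into `auto_updates_status` instead of a single file.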

@a-martynovich
Contributor

@fshmcallister Title? Subtitle?

@fshmcallister
Contributor Author

TITLE
Automatic security updates not enabled

enable automatic security updates


4 participants