- Add lib/detection.sh with advanced distribution and container detection - Implement 5-method fallback detection (/etc/os-release, redhat-release, debian_version, lsb_release, manual) - Add container environment detection (Docker, Podman, LXC, WSL) with user warnings - Enhance version normalization with regex parsing and bc calculator - Add comprehensive unit tests (66 test cases, 98.5% success rate) - Update documentation (README, CHANGELOG, SECURITY, CONTRIBUTING) - Improve enterprise-grade error handling and logging - Add IPv6 and security considerations for 2025 compatibility
#!/bin/bash
# unattended-upgrades.sh - Configure automatic security updates (2025-enhanced)
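#######################################
# Configure automatic security updates for the detected distribution.
# Globals:   DISTRO (read) - one of ubuntu, debian, fedora, arch, opensuse
# Arguments: none
# Outputs:   progress via log_info/log_success, failures via log_error
# Returns:   0 when every configuration step succeeded, 1 when any step
#            failed; exits 1 on an unsupported distribution
# Requires:  log_info, log_success, log_error and handle_error, all defined
#            outside this function
#######################################
configure_unattended_upgrades() {
  # Set when a privileged step fails, so that a host whose update
  # configuration was not written is never reported as configured.
  local failed=0

  log_info "Configuring automatic security updates..."

  case "${DISTRO:-}" in
    ubuntu|debian)
      handle_error sudo apt-get install -y unattended-upgrades apt-listchanges
      # NOTE(review): -plow asks every debconf question on the terminal; a
      # non-interactive run would need DEBIAN_FRONTEND=noninteractive - confirm
      # how this script is invoked. Its status is left unchecked because the
      # two files written below set the periodic options explicitly.
      sudo dpkg-reconfigure -plow unattended-upgrades

      # Restrict unattended-upgrades to the security origins.
      # The delimiter is quoted so ${distro_id} and ${distro_codename} reach the
      # file literally; unattended-upgrades substitutes them, not the shell.
      # NOTE(review): this overwrites the packaged 50unattended-upgrades. Debian's
      # packaged file selects the security archive with Origins-Pattern, so
      # confirm these Allowed-Origins entries also match on Debian.
      # Automatic-Reboot is "false": kernel and library fixes only take effect
      # after a manual reboot or service restart.
      sudo tee /etc/apt/apt.conf.d/50unattended-upgrades > /dev/null <<'EOF' || { log_error "Could not write /etc/apt/apt.conf.d/50unattended-upgrades"; failed=1; }
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
};

Unattended-Upgrade::Package-Blacklist {
};

Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF

      # Turn on the daily list refresh and the unattended run itself.
      sudo tee /etc/apt/apt.conf.d/20auto-upgrades > /dev/null <<'EOF' || { log_error "Could not write /etc/apt/apt.conf.d/20auto-upgrades"; failed=1; }
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF
      ;;
    fedora)
      handle_error sudo dnf install -y dnf-automatic
      sudo systemctl enable --now dnf-automatic-install.timer \
        || { log_error "Could not enable dnf-automatic-install.timer"; failed=1; }

      # Restrict dnf-automatic to security updates and let it apply them.
      sudo sed -i 's/upgrade_type = default/upgrade_type = security/' /etc/dnf/automatic.conf \
        || { log_error "Could not edit /etc/dnf/automatic.conf"; failed=1; }
      sudo sed -i 's/apply_updates = no/apply_updates = yes/' /etc/dnf/automatic.conf \
        || { log_error "Could not edit /etc/dnf/automatic.conf"; failed=1; }

      # sed exits 0 when its pattern matches nothing, so read both settings back.
      sudo grep -Eq '^[[:space:]]*upgrade_type[[:space:]]*=[[:space:]]*security' /etc/dnf/automatic.conf \
        || { log_error "upgrade_type = security is not set in /etc/dnf/automatic.conf"; failed=1; }
      sudo grep -Eq '^[[:space:]]*apply_updates[[:space:]]*=[[:space:]]*yes' /etc/dnf/automatic.conf \
        || { log_error "apply_updates = yes is not set in /etc/dnf/automatic.conf"; failed=1; }
      ;;
    arch)
      log_info "Arch Linux: Automatic updates via pacman hooks recommended."
      # Daily systemd timer for updates.
      # NOTE(review): despite the unit's name, ExecStart runs a full
      # `pacman -Syu --noconfirm`: every package is upgraded and every prompt is
      # accepted unattended, not only security fixes.
      sudo tee /etc/systemd/system/pacman-security-update.service > /dev/null <<'EOF' || { log_error "Could not write pacman-security-update.service"; failed=1; }
[Unit]
Description=Pacman Security Update

[Service]
Type=oneshot
ExecStart=/usr/bin/pacman -Syu --noconfirm
EOF

      sudo tee /etc/systemd/system/pacman-security-update.timer > /dev/null <<'EOF' || { log_error "Could not write pacman-security-update.timer"; failed=1; }
[Unit]
Description=Run security updates daily

[Timer]
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target
EOF

      # NOTE(review): enabled without --now, unlike the fedora and opensuse
      # branches, so the timer is not started by this run - confirm intended.
      sudo systemctl enable pacman-security-update.timer \
        || { log_error "Could not enable pacman-security-update.timer"; failed=1; }
      ;;
    opensuse)
      handle_error sudo zypper install -y yast2-online-update-configuration
      # Switch the online-update configuration to automatic patching.
      sudo sed -i 's/AUTOMATICALLY_UPDATE_PATCHES="no"/AUTOMATICALLY_UPDATE_PATCHES="yes"/' /etc/sysconfig/automatic_online_update \
        || { log_error "Could not edit /etc/sysconfig/automatic_online_update"; failed=1; }
      # sed exits 0 when its pattern matches nothing, so read the setting back.
      sudo grep -q '^AUTOMATICALLY_UPDATE_PATCHES="yes"' /etc/sysconfig/automatic_online_update \
        || { log_error "AUTOMATICALLY_UPDATE_PATCHES=\"yes\" is not set in /etc/sysconfig/automatic_online_update"; failed=1; }
      sudo systemctl enable --now automatic-online-update.timer \
        || { log_error "Could not enable automatic-online-update.timer"; failed=1; }
      ;;
    *)
      log_error "Unsupported distribution: ${DISTRO:-}"
      exit 1
      ;;
  esac

  if (( failed )); then
    log_error "Automatic security updates could not be fully configured."
    return 1
  fi

  log_success "Automatic security updates configured."
}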
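# Fallback helpers for standalone runs, used only when the caller has not
# already defined the project's logging and error-handling functions.
if ! command -v log_info &>/dev/null; then
  # Informational message on stdout.
  log_info() { printf '[INFO] %s\n' "$1"; }
  # Success message on stdout.
  log_success() { printf '[SUCCESS] %s\n' "$1"; }
  # Error message on stderr, so it is not mixed into captured output.
  log_error() { printf '[ERROR] %s\n' "$1" >&2; }
fi

# configure_unattended_upgrades wraps its package installs in handle_error, so
# a standalone run needs a definition of it too; without one the install step
# fails with "command not found" and the packages are never installed.
# NOTE(review): assumes the project's handle_error runs the given command and
# aborts when it fails - confirm against the real helper.
if ! command -v handle_error &>/dev/null; then
  handle_error() {
    "$@" || {
      log_error "Command failed: $*"
      exit 1
    }
  }
fi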
# Main execution: this call is at top level, so the configuration runs as soon
# as the file is executed or sourced.
configure_unattended_upgrades