Automated Linux Patching with Cron


Configuring cron jobs for automated Linux patching is surprisingly easy, as I discovered recently when I wanted to make sure that some of the systems I built stayed fully patched without my needing to log in and update them manually. I therefore thought I'd share how to automatically update a Linux system here, in case anybody else was wondering how to do it.

As always, patching can break things, but I've generally not had too many issues, and I usually just blindly patch anyway. If you read the patch notes before deploying updates and check for compatibility, this probably isn't for you :-).

Anyway, to configure automatic updates in Linux you need to create the cron jobs as root, so the easiest way is either to log in as root (typically a bad idea) or to su to root from your usual user account. In my case, this was done with:

sudo su -

You can then add your automatic update command by editing root's crontab with the following command:

crontab -e

If you are given a choice, Nano is typically easier to use for novices. With vi, you will need to use the following steps:

  1. Press "i" to begin editing
  2. Enter the desired values
  3. Press "Esc" to stop editing
  4. Type ":wq" and press Enter to save and exit.

RedHat/CentOS

RedHat, CentOS, Fedora and other RedHat-derived operating systems use RPM as their package format, with the "yum" tool (or "dnf", its successor on Fedora and newer RedHat releases, which accepts the same options here) used to manage updates. Cron runs the job without a terminal, so the "-y" flag is needed on every entry, otherwise yum waits for a confirmation that never comes. For automated Linux patching on these systems, you can use the following entries:

@reboot yum update -y
0 09,21 * * * yum update -y

This will run "yum update" at every reboot, and at 09:00 and 21:00 each day. Updating every 12 hours should be frequent enough for most systems. Note that cron mails the job's output to root rather than displaying it anywhere, so if you want a record of what was installed, append a redirection such as ">> /var/log/yum-cron.log 2>&1" to each entry.

Debian/Ubuntu

Debian-based operating systems, such as Ubuntu and Linux Mint, use dpkg as their package manager, with the "apt-get" tool used to manage the updates. As with yum, the job has no terminal, so "-y" is required; in addition, set DEBIAN_FRONTEND=noninteractive in the crontab, otherwise a package whose post-install script asks a debconf question can leave the job hung waiting for input. To automatically update your Debian/Ubuntu system, you can use the following entries:

DEBIAN_FRONTEND=noninteractive
@reboot apt-get update && apt-get upgrade -y
50 09,21 * * * apt-get update && apt-get upgrade -y

The first line sets the environment variable for every job in this crontab. The entries will then refresh apt's package list and install any updates at every reboot, and at 09:50 and 21:50 each day. Both families also ship a purpose-built tool for unattended patching (yum-cron or dnf-automatic on the RedHat side, unattended-upgrades on the Debian side), which is worth a look if you want finer control over which updates are applied automatically, for example security updates only.
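A wrapper script that ties the above together, as an added example that is not part of the original post: it picks the package tool present on the host, runs it non-interactively under a lock (so an @reboot run and a scheduled run cannot overlap), appends a timestamped result line to a log, and offers a "check" mode that a monitoring job can call to confirm patching actually succeeded recently rather than assuming the cron job is still working. The script name (auto-patch.sh), its location under /usr/local/sbin, and the log and lock paths are assumptions; the last two can be overridden with PATCH_LOG and PATCH_LOCK.

```shell
#!/bin/sh
# auto-patch.sh: wrapper for the cron entries above (added example, not from the post).
# Assumed paths; override with PATCH_LOG / PATCH_LOCK if you prefer others.
PATCH_LOG=${PATCH_LOG:-/var/log/auto-patch.log}
PATCH_LOCK=${PATCH_LOCK:-/var/run/auto-patch.lock}

# Print which package tool this host has: dnf, yum, apt or unknown.
detect_family() {
    if command -v dnf >/dev/null 2>&1; then echo dnf
    elif command -v yum >/dev/null 2>&1; then echo yum
    elif command -v apt-get >/dev/null 2>&1; then echo apt
    else echo unknown
    fi
}

# Print the non-interactive update command for a family; fail on an unknown one.
# apt-get needs DEBIAN_FRONTEND=noninteractive or a debconf prompt can hang the job.
update_command() {
    case "$1" in
        dnf) echo 'dnf -y -q upgrade' ;;
        yum) echo 'yum -y -q update' ;;
        apt) echo 'export DEBIAN_FRONTEND=noninteractive; apt-get -q update && apt-get -y -q upgrade' ;;
        *)   return 1 ;;
    esac
}

# Run one update under a lock directory (mkdir is atomic, so an @reboot job and a
# scheduled job cannot overlap), appending "<epoch> ok|fail|skip <detail>" to the log.
run_patch() {
    family=$(detect_family)
    if ! cmd=$(update_command "$family"); then
        echo "$(date +%s) fail no-package-manager" >>"$PATCH_LOG"
        return 1
    fi
    if ! mkdir "$PATCH_LOCK" 2>/dev/null; then
        echo "$(date +%s) skip locked" >>"$PATCH_LOG"
        return 0
    fi
    trap 'rmdir "$PATCH_LOCK"' EXIT
    sh -c "$cmd" >>"$PATCH_LOG" 2>&1
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "$(date +%s) ok $family" >>"$PATCH_LOG"
    else
        echo "$(date +%s) fail $rc" >>"$PATCH_LOG"
    fi
    return "$rc"
}

# Succeed only if the log records an "ok" run within MAX_AGE seconds of NOW
# (NOW defaults to the current time). Call it from monitoring so a cron job that
# silently stopped working is noticed instead of being assumed to be patching.
patched_recently() {
    log=$1; max_age=$2; now=${3:-$(date +%s)}
    [ -r "$log" ] || return 1
    last=$(awk '$2 == "ok" { t = $1 } END { print t + 0 }' "$log")
    [ "$last" -gt 0 ] && [ $((now - last)) -le "$max_age" ]
}

# Print the root crontab lines for this script. Cron's default PATH is minimal,
# so it is set explicitly; the schedule matches the entries in the post.
crontab_lines() {
    printf 'PATH=/usr/sbin:/usr/bin:/sbin:/bin\n'
    printf '@reboot %s run\n' "$1"
    printf '0 09,21 * * * %s run\n' "$1"
}

case "${1:-}" in
    run)     run_patch ;;
    crontab) crontab_lines "$(readlink -f "$0")" ;;
    check)   if patched_recently "$PATCH_LOG" "${2:-86400}"; then echo ok; else echo stale; exit 1; fi ;;
esac
```

Install it as /usr/local/sbin/auto-patch.sh, run "auto-patch.sh crontab" to print the lines to paste into root's crontab, and have your monitoring call "auto-patch.sh check 93600" (a day plus a grace hour) so a host whose last successful run is older than that raises an alert. The lock directory is removed by the EXIT trap even when the package manager fails, so a failed run does not block the next one.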


About Adam Hiscocks

I'm an IT security consultant working for one of the UK's leading IT security consultancies. My main focus is on penetration testing, but I am likely to write about anything computer related here. All thoughts are my own, not those of my employer.