This page describes what to do in case of an
Icinga alert.
For more information you could
search the govuk-puppet repo for the source of the alert
Last updated: 22 Dec 2020
Outstanding security updates
Machines are configured to automatically install security updates on a daily basis.
- This is triggered by the
/etc/cron.daily/aptscript. - Relevant config can be found in
/etc/apt/apt.conf.d.
This alert indicates automatic updates have stopped working. While this is not normally a critical issue, it becomes so if we start missing out on security patches.
Check the output of the last automatic upgrade:
less /var/log/unattended-upgrades/unattended-upgrades.log
If you get No such file or directory, it’s likely this is a new instance that has not been triggered to update via cron yet.
You could acknowledge it until it is next scheduled to run, or you could try running the upgrade manually:
sudo unattended-upgrade -d --dry-run
If the unattended upgrades log looks okay, check which security updates are outstanding:
apt-get upgrade -s | grep -i security
You may find that the upgrades are on a deny list in govuk-puppet
(for example, mysql-server-5.5 which needs upgrading manually).