Friday, April 06, 2018

Took Some Finding

I've had some of my servers report that something has been running updates off-schedule, and it's taken me a good while to figure it out.

Some flavours of Debian - including Raspbian - have no unattended-upgrades service but do apply a cron job which triggers silent package updates.

I run all updates on a specific schedule so that I can easily tell the difference in logs and reporting between a breach and an actual update, so this isn't appropriate for our use at work. So the first advice I'd give before you use the configuration below is to make sure you have a valid, automated update mechanism that keeps your servers up to date.

For example, I often use a custom script which not only does the update but then sends an encrypted message containing information about the update (or other types of jobs).

So with that in mind - and rather than altering package-deployed cron scripts - I'd suggest changing (or creating) the /etc/apt/apt.conf.d/10periodic config to add or modify the Periodic apt setting to disabled, like this:

 APT::Periodic::Enable "0";
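
A check worth running after this change, as an added example (not from the original post): apt reads the fragments in /etc/apt/apt.conf.d in alphanumeric order and a later assignment wins, so this sketch reports which file has the last word on APT::Periodic::Enable. The function name, the 50vendor-override file and the sample contents are constructed for illustration, and only the flat `Key "value";` form is parsed.

```shell
#!/bin/sh
# Report which apt.conf.d fragment has the last word on APT::Periodic::Enable.
# Only the flat form  APT::Periodic::Enable "N";  is parsed (assumption);
# the nested  APT::Periodic { Enable "N"; };  form is not handled.

effective_periodic_enable() (
    dir=$1
    value=unset
    source_file=none
    LC_ALL=C            # byte-wise glob order, approximating apt's ordering
    export LC_ALL
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # apt only reads fragments with no extension or a .conf extension,
        # so leftovers such as 10periodic.bak are skipped.
        case $name in
            *.conf) ;;
            *.*) continue ;;
        esac
        # Commented-out lines (// or #) do not match the anchored pattern.
        v=$(sed -n 's|^[[:space:]]*APT::Periodic::Enable[[:space:]]*"\([^"]*\)"[[:space:]]*;.*|\1|p' "$f" | tail -n 1)
        if [ -n "$v" ]; then
            value=$v
            source_file=$name
        fi
    done
    printf '%s %s\n' "$value" "$source_file"
)

# Constructed sample directory: the later fragment re-enables the periodic job.
demo_dir=$(mktemp -d)
printf 'APT::Periodic::Enable "0";\n' > "$demo_dir/10periodic"
printf '// APT::Periodic::Enable "0";\nAPT::Periodic::Enable "1";\n' > "$demo_dir/50vendor-override"
printf 'APT::Periodic::Enable "0";\n' > "$demo_dir/99local.bak"
effective_periodic_enable "$demo_dir"
rm -rf "$demo_dir"
```

Point the function at /etc/apt/apt.conf.d on a real host; `apt-config dump | grep Periodic` shows the values apt itself resolves, nested form included.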

I suppose I could have put this on Stack Overflow but it's not really a question.