NC-OS-001

OS auto-updates enabled

🟠 High 🔌 Plugin Expanded 📊 Contributes to expanded score

What this checks

Checks that the operating system is configured to receive and apply automatic security updates. On macOS, it reads the softwareupdate automatic-update settings. On Linux (Debian/Ubuntu), it checks that unattended-upgrades is installed and that APT's periodic unattended upgrade is enabled. A self-hosted AI server that does not apply OS security patches stays exposed to already-published CVEs, many of which have public, easy-to-use exploits.

Why it matters

Most self-hosted machines are set up once and left running. Without auto-updates, OS security patches are never applied, and the window between a patch being published and a working exploit circulating has shrunk to days or hours. A Mac Mini or Ubuntu VPS running OpenClaw typically has SSH, a web server, and several other services reachable over the network. An unpatched kernel, OpenSSL, or SSH vulnerability on that host can mean a complete system compromise.

How to fix it

macOS

# Enable automatic checking and downloading, security responses
# (CriticalUpdateInstall) and system data files such as XProtect definitions (ConfigDataInstall):
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true

# Verify (each of the four keys should read as 1):
defaults read /Library/Preferences/com.apple.SoftwareUpdate

# Or via System Settings → General → Software Update → Automatic Updates (toggle on)

Ubuntu / Debian (unattended-upgrades)

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades   # answer "Yes" to enable automatic upgrades

# Verify:
cat /etc/apt/apt.conf.d/20auto-upgrades
# Should contain:
# APT::Periodic::Update-Package-Lists "1";
# APT::Periodic::Unattended-Upgrade "1";

# apt-config dump shows the merged view APT actually uses (the control reads this, not the file):
apt-config dump | grep Periodic
# Confirm the timers that drive it are scheduled, then dry-run the upgrade:
systemctl list-timers apt-daily.timer apt-daily-upgrade.timer
sudo unattended-upgrade --dry-run --debug

Other Linux (RHEL/CentOS/Fedora)

sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic-install.timer   # the -install timer applies updates, not just downloads them
# Verify the timer is scheduled:
systemctl list-timers dnf-automatic-install.timer
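To make the check concrete, here is an added shell example (not clawvitals code) that implements the NC-OS-001 logic described under "What this checks" and verifies the settings the fix steps above write. The parsers take raw command output on stdin (apt-config dump on Linux, defaults read on macOS) so they can be exercised offline; the sample outputs embedded in it are constructed, and the function names are this example's own. Run it with --live to check the host you are on.

```shell
#!/bin/sh
# Added example (not clawvitals code): a shell implementation of the
# NC-OS-001 check. Parsers read raw command output from stdin so they can
# run offline against the constructed samples below; --live queries the
# real commands on this host. Function names are this example's own.

# APT treats an absent key or "0" as disabled; "1" (daily) or "always"
# as enabled.
apt_value_on() {
    case "$1" in
        ""|0) return 1 ;;
        *)    return 0 ;;
    esac
}

# Read `apt-config dump` output from stdin; pass only if both the package
# list refresh and the unattended upgrade step are enabled.
apt_periodic_enabled() {
    dump=$(cat)
    lists=$(printf '%s\n' "$dump" |
        sed -n 's/^APT::Periodic::Update-Package-Lists "\([^"]*\)";$/\1/p')
    upgrade=$(printf '%s\n' "$dump" |
        sed -n 's/^APT::Periodic::Unattended-Upgrade "\([^"]*\)";$/\1/p')
    apt_value_on "$lists" && apt_value_on "$upgrade"
}

# Read `defaults read /Library/Preferences/com.apple.SoftwareUpdate` output
# from stdin; pass only if every key the fix sets is 1.
macos_autoupdate_enabled() {
    plist=$(cat)
    for key in AutomaticCheckEnabled AutomaticDownload \
               CriticalUpdateInstall ConfigDataInstall; do
        val=$(printf '%s\n' "$plist" |
            sed -n "s/^ *$key = \([01]\);\$/\1/p")
        [ "$val" = "1" ] || return 1
    done
    return 0
}

# Run the check against this host. Exit 0 = pass, 1 = fail, 2 = no
# supported update mechanism found (treat as a finding, not a pass).
run_live() {
    case "$(uname -s)" in
        Darwin)
            defaults read /Library/Preferences/com.apple.SoftwareUpdate 2>/dev/null |
                macos_autoupdate_enabled ;;
        Linux)
            if command -v apt-config >/dev/null 2>&1; then
                # The package must be installed, not merely left in config-files state.
                [ "$(dpkg-query -W -f='${Status}' unattended-upgrades 2>/dev/null)" = \
                  "install ok installed" ] || return 1
                apt-config dump | apt_periodic_enabled
            elif command -v dnf >/dev/null 2>&1; then
                systemctl is-enabled dnf-automatic-install.timer >/dev/null 2>&1
            else
                return 2
            fi ;;
        *) return 2 ;;
    esac
}

# Constructed samples (not captured from a real host).
SAMPLE_APT_OK='APT::Periodic "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";'
SAMPLE_APT_OFF='APT::Periodic "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";'
SAMPLE_MAC_OK='{
    AutomaticCheckEnabled = 1;
    AutomaticDownload = 1;
    ConfigDataInstall = 1;
    CriticalUpdateInstall = 1;
}'
SAMPLE_MAC_PARTIAL='{
    AutomaticCheckEnabled = 1;
    AutomaticDownload = 0;
}'

if [ "${1:-}" = "--live" ]; then
    run_live; rc=$?
    echo "NC-OS-001 live check: rc=$rc (0=pass 1=fail 2=unsupported)"
    exit "$rc"
fi

# Offline demo over the constructed samples.
printf '%s\n' "$SAMPLE_APT_OK"      | apt_periodic_enabled     && echo "apt sample (enabled):  pass"
printf '%s\n' "$SAMPLE_APT_OFF"     | apt_periodic_enabled     || echo "apt sample (disabled): fail"
printf '%s\n' "$SAMPLE_MAC_OK"      | macos_autoupdate_enabled && echo "mac sample (all on):   pass"
printf '%s\n' "$SAMPLE_MAC_PARTIAL" | macos_autoupdate_enabled || echo "mac sample (partial):  fail"
```

The macOS parser deliberately requires all four keys: AutomaticCheckEnabled alone only means the machine notices updates, it does not install security responses. On Debian/Ubuntu the package-installed test matters because a purged-then-reinstalled or half-removed unattended-upgrades can leave 20auto-upgrades in place while nothing actually runs.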

Technical details

| Field | Value |
| --- | --- |
| Control ID | NC-OS-001 |
| Domain | OS |
| Severity | High |
| Status | Expanded (Plugin only) |
| Data source | softwareupdate --list (macOS) / apt-config dump (Linux) |
| Mode | Mode 2 (system-level; requires plugin expanded mode) |
| Introduced in | Library v0.2.0 |

False positive notes

Production servers that apply updates through a controlled CI/CD or configuration-management pipeline rather than auto-updates may intentionally have auto-updates disabled. If you have a managed update process, exclude this control with a reason, and make sure that process actually covers kernel, OpenSSL, and SSH security patches at a cadence comparable to auto-updates; a pipeline that only ships application releases does not close the exposure this control is about.

Suppress this finding

clawvitals exclude NC-OS-001 reason "updates managed via Ansible playbook on weekly schedule"