Do Manual Apt Upgrades via sys_update.sh

README.md

@@ -16,6 +16,7 @@ cp config.json.example /etc/execguard/config.json
 go build -o execguard
 sudo mv execguard /usr/local/bin/
 sudo execguard --update $(pwd)/update_bins.sh 
+sudo execguard --update $(pwd)/sys_update.sh
 sudo ./update_bins.sh
 sudo execguard --init
 ```
@@ -53,3 +54,17 @@ ExecStart=/usr/local/bin/execguard --init
 REMOVE the --init from ExecStart command
 ```
 Reboot.
+
+# Disable Auto-Updates
+```
+sudo systemctl disable --now apt-daily.timer
+sudo systemctl disable --now apt-daily-upgrade.timer
+sudo nano /etc/apt/apt.conf.d/20auto-upgrades
+APT::Periodic::Update-Package-Lists "0";
+APT::Periodic::Unattended-Upgrade "0";
+sudo apt remove unattended-upgrades
+```
+# Manual System Updates via Apt
+```
+./sys_update.sh
+```

sys_update.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+sudo service execguard stop
+sudo apt update
+apt list --upgradable 2>/dev/null | tail -n +2 | cut -d/ -f1 | while read pkg; do
+    dpkg -L "$pkg" | grep --color=never -E '^\.?/usr/bin|^\.?/bin|^\.?/usr/sbin' >> sys-updates.list
+done
+# Check if file exists
+if [[ ! -f sys-updates.list ]]; then
+  echo "Error: sys-updates.list not found."
+  exit 1
+fi
+sudo apt upgrade -y
+# Loop through each line
+while IFS= read -r line; do
+  # Trim whitespace
+  line="${line#"${line%%[![:space:]]*}"}"
+  line="${line%"${line##*[![:space:]]}"}"
+  # Skip empty lines and comments
+  [[ -z "$line" || "$line" == \#* ]] && continue
+  # Skip exact matches to base binary directories
+  case "$line" in
+    "/usr/bin" | "/usr/sbin" | "/bin")
+        continue
+      ;;
+  esac
+  echo "Updating: $line"
+  sudo execguard --update "$line"
+
+done < sys-updates.list
+rm sys-updates.list
+echo "You may want to run, for a while: sudo execguard --init"
+echo "Then re-enable it: sudo service execguard start"