$linuxjunkies

How to Enable Automatic Security Updates

Enable automatic security updates on Debian, Ubuntu, Fedora, and RHEL using unattended-upgrades and dnf-automatic — configured to patch safely without manual effort.

Beginner · Ubuntu · Debian · Fedora · Arch · 8 min read · Updated June 7, 2026

Before you start

  • Root or sudo access on the target system
  • A working internet connection or internal package mirror
  • A mail transfer agent installed if you want email notifications

Unpatched systems are the most common entry point for attackers. Enabling automatic security updates closes that gap without requiring daily manual attention. This guide covers unattended-upgrades (Debian/Ubuntu) and dnf-automatic (Fedora/RHEL family), with sensible defaults that apply security patches only — leaving major upgrades under your control.

Debian and Ubuntu: unattended-upgrades

Install the package

Most Ubuntu installs include unattended-upgrades already. Install or confirm it is present:

sudo apt install unattended-upgrades apt-listchanges -y

Run the configuration wizard (Ubuntu shortcut)

Ubuntu ships a helper that writes sane defaults and enables the systemd timer in one step:

sudo dpkg-reconfigure -plow unattended-upgrades

Answer Yes at the prompt. On Debian this creates the required config file, but you should still review it as shown below.

Review and tighten the configuration

The main config file is /etc/apt/apt.conf.d/50unattended-upgrades. Open it in your editor and confirm the security origin blocks are uncommented. A minimal, correct set for Ubuntu looks like this:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Key lines to verify or set (leave other origins commented out unless you need them):

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    // "${distro_id}:${distro_codename}-updates";  // optional: general updates
};

// Automatically remove unused kernel packages after upgrade
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Remove packages that are no longer needed
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Reboot automatically if a kernel update requires it (set false to disable)
Unattended-Upgrade::Automatic-Reboot "false";

// If you enable auto-reboot, set the time (default 02:00)
Unattended-Upgrade::Automatic-Reboot-Time "03:00";

For Debian, the security origin line uses a different format:

"origin=Debian,codename=${distro_codename},label=Debian-Security";

Set the update schedule

The schedule is controlled by /etc/apt/apt.conf.d/20auto-upgrades. Create or edit it:

sudo nano /etc/apt/apt.conf.d/20auto-upgrades

APT::Periodic::Update-Package-Lists "1";      // run apt update daily
APT::Periodic::Unattended-Upgrade "1";        // run upgrades daily
APT::Periodic::AutocleanInterval "7";         // clean cache weekly

The number is days between runs. Setting Unattended-Upgrade to 0 disables automatic installation while keeping list updates active.

Enable and start the systemd timer

sudo systemctl enable --now apt-daily-upgrade.timer
sudo systemctl enable --now apt-daily.timer

Verify it is working (Debian/Ubuntu)

Do a dry run to confirm the configuration is valid and see what would be upgraded:

sudo unattended-upgrade --dry-run --debug 2>&1 | head -60

Check recent logs — output will vary based on available updates:

cat /var/log/unattended-upgrades/unattended-upgrades.log

Fedora, RHEL, Rocky Linux, AlmaLinux: dnf-automatic

Install dnf-automatic

sudo dnf install dnf-automatic -y

Configure it for security updates only

Edit /etc/dnf/automatic.conf:

sudo nano /etc/dnf/automatic.conf

The critical section is [commands]. Set it to apply security patches and nothing else:

[commands]
# What to upgrade. Options: default, security, security-severity:Critical, minimal, minimal-security
upgrade_type = security

# Download and apply updates automatically
download_updates = yes
apply_updates = yes

# Maximum random delay, in seconds, before each run starts (spreads load across machines)
random_sleep = 360

random_sleep adds up to 360 seconds of jitter so all machines on a network don't hammer your mirror simultaneously. For a single machine you can set it to 0.

In the [emitters] section, configure how you receive notifications. The simplest option is stdio, whose output lands in the journal when the service is started by the systemd timer:

[emitters]
emit_via = stdio
# emit_via = email   # enable and configure [email] section for email alerts

Choose the right systemd timer

dnf-automatic ships three timers for different workflows:

  • dnf-automatic.timer — uses your automatic.conf settings; this is normally what you want.
  • dnf-automatic-install.timer — always downloads and installs regardless of config.
  • dnf-automatic-download.timer — downloads only; you install manually.

Enable the standard timer:

sudo systemctl enable --now dnf-automatic.timer

Verify it is working (Fedora/RHEL family)

Check timer status:

sudo systemctl status dnf-automatic.timer

Run a one-shot test immediately (this applies updates if any are available):

sudo systemctl start dnf-automatic.service

Review the journal for results:

sudo journalctl -u dnf-automatic.service -e
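Both "Verify it is working" sections rely on reading the live configuration by eye. As an added example (not part of the original guide), the POSIX shell script below checks the settings this guide recommends directly from the files: the APT::Periodic keys in 20auto-upgrades and the Allowed-Origins block in 50unattended-upgrades for Debian/Ubuntu, and the [commands] section of automatic.conf for the Fedora/RHEL family. Paths default to the ones named in this guide; the function names and PASS/FAIL wording are my own.

```shell
#!/bin/sh
# Added example, not part of the original guide: offline-checkable audit of the settings
# from both "Verify it is working" sections; each function takes a config path argument.
# Number from an APT::Periodic::<Key> "N"; line (// comments ignored).
apt_periodic_value() {  # file key
    sed 's#//.*##' "$1" \
      | sed -n "s/^[[:space:]]*APT::Periodic::$2[[:space:]]*\"\([0-9]*\)\";.*/\1/p" | tail -n 1
}

# True if Allowed-Origins holds an UNcommented security origin, in either the
# Ubuntu (...-security) or Debian (label=Debian-Security) form.
security_origin_enabled() {  # file
    sed 's#//.*##' "$1" | sed -n '/Allowed-Origins[[:space:]]*{/,/^};/p' \
      | grep -Eq '"[^"]*(-security|label=Debian-Security)[^"]*"'
}

# Value of key inside [section] of dnf's automatic.conf (# comments ignored).
ini_value() {  # file section key
    sed 's/#.*//' "$1" | awk -v s="[$2]" -v k="$3" '
        $1 == s { in_s = 1; next }
        /^[ \t]*\[/ { in_s = 0 }
        in_s && index($0, "=") {
            n = index($0, "="); key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) print val
        }'
}

# Debian/Ubuntu: prints PASS/FAIL per check, returns the number of failures.
audit_debian() {  # confdir (default /etc/apt/apt.conf.d)
    d=${1:-/etc/apt/apt.conf.d}; f=0
    for key in Update-Package-Lists Unattended-Upgrade; do
        [ "$(apt_periodic_value "$d/20auto-upgrades" "$key")" = 1 ] \
          && echo "PASS: APT::Periodic::$key is 1" || { echo "FAIL: APT::Periodic::$key is not 1"; f=$((f+1)); }
    done
    security_origin_enabled "$d/50unattended-upgrades" \
      && echo "PASS: security origin enabled" || { echo "FAIL: no active security origin"; f=$((f+1)); }
    return $f
}

# Fedora/RHEL: security-only upgrades that are both downloaded and applied.
audit_rhel() {  # automatic.conf (default /etc/dnf/automatic.conf)
    c=${1:-/etc/dnf/automatic.conf}; f=0
    for kv in upgrade_type=security download_updates=yes apply_updates=yes; do
        [ "$(ini_value "$c" commands "${kv%=*}")" = "${kv#*=}" ] \
          && echo "PASS: $kv" || { echo "FAIL: ${kv%=*} is not ${kv#*=}"; f=$((f+1)); }
    done
    return $f
}
case "${1:-}" in debian) audit_debian "${2:-}" ;; rhel) audit_rhel "${2:-}" ;; esac
```

Run it as `sh audit.sh debian` or `sh audit.sh rhel` on the target; the exit status is the number of failed checks, which makes it easy to wire into a compliance job.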

Arch Linux

Arch is a rolling release and does not ship an official automatic update tool because partial upgrades can break the system. The project explicitly discourages unattended full upgrades. For security-conscious Arch users, subscribe to the Arch Linux Security Tracker RSS feed and apply updates manually after reading the news. If you run Arch in a context where automation is required, consider switching to a distribution with a stable release cycle for production servers.

Reboot handling

Security updates to the kernel, glibc, or OpenSSL require a reboot to take effect. Handle this in one of three ways:

  • Scheduled maintenance window: Set Automatic-Reboot "true" with a safe Automatic-Reboot-Time on Debian/Ubuntu. RHEL family requires a separate tool like kured or a custom systemd unit.
  • Live patching: Red Hat offers kernel live patching on RHEL 8+; Canonical offers Livepatch on Ubuntu LTS.
  • Manual reboots: Check for a pending reboot indicator: on Debian/Ubuntu look for /var/run/reboot-required; on RHEL use dnf needs-restarting -r.

# Debian/Ubuntu: check if a reboot is needed
[ -f /var/run/reboot-required ] && cat /var/run/reboot-required.pkgs
# RHEL/Fedora: check if a reboot is needed
sudo dnf needs-restarting -r; echo "Exit code $? (1 = reboot needed)"

Troubleshooting

  • Updates not applying on Debian/Ubuntu: Run sudo unattended-upgrade --dry-run --debug and look for Packages blacklist or Origin does not match messages. The most common cause is a mismatched origin string in 50unattended-upgrades.
  • dnf-automatic does nothing: Confirm apply_updates = yes in automatic.conf and check journalctl -u dnf-automatic.service. If upgrade_type = security is set and there are no security advisories outstanding, a no-op run is expected and correct.
  • Timer not firing: Check systemctl list-timers to see the next scheduled run. If the timer shows inactive, re-enable it with systemctl enable --now.
  • Conflicts or broken packages: Automatic updates should not introduce conflicts for security-only runs, but if they do, the tools log the error and abort rather than leaving the system in a broken state. Review the log and resolve manually with sudo apt --fix-broken install or sudo dnf distro-sync.

Tested on: Ubuntu 24.04, Debian 12, Fedora 40, Rocky 9

Frequently asked questions

Will automatic security updates break my system?

Security-only updates carry very low risk because distributions test them extensively before releasing. Restricting to security origins (not all updates) minimises the chance of unexpected changes. Major version upgrades are never included.

What is the difference between unattended-upgrades and apt-get upgrade run from cron?

unattended-upgrades filters by origin and package blacklists, handles lock files correctly, logs results, and integrates with systemd timers. A raw cron apt-get upgrade applies all available updates indiscriminately and can fail silently when another apt process holds the lock.

How do I receive email notifications when updates are applied?

On Debian/Ubuntu set Unattended-Upgrade::Mail "admin@example.com" (substitute your address) in 50unattended-upgrades and ensure a mail transfer agent like postfix is installed. On Fedora/RHEL set emit_via = email in the [emitters] section of automatic.conf and fill in the [email] block.

Do security updates cover third-party repositories like Docker or NGINX?

Only if those repositories publish security advisories in the standard format and you add their origin strings to your allowed-origins list. Most third-party repos do not integrate with unattended-upgrades or dnf-automatic advisory metadata, so those packages need manual attention.

How do I temporarily pause automatic updates for maintenance?

On Debian/Ubuntu run sudo systemctl stop apt-daily-upgrade.timer and re-enable it after your work. On Fedora/RHEL use sudo systemctl stop dnf-automatic.timer. Both commands are safe to run at any time and do not affect already-applied updates.
