Skip to content
daniel@cosenza:~/blog
LinuxHow-To July 11, 2026 2 min read

How to Set Up Automatic Security Updates on Linux

A complete walkthrough configuring unattended-upgrades (Debian/Ubuntu) and dnf-automatic (RHEL/Fedora) to apply security patches automatically, with sane limits on what gets updated unattended.

Automatically applying security-only patches — while leaving feature updates for deliberate, reviewed maintenance windows — is a well-supported, standard practice across major Linux distributions. This covers both major package-manager families.

Step 1 (Debian/Ubuntu): install unattended-upgrades

sudo apt install unattended-upgrades apt-listchanges

Step 2 (Debian/Ubuntu): configure which updates apply automatically

// /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Automatic-Reboot "false";

Restricting Allowed-Origins to the security repository specifically — not the general updates repository — is what keeps this “security patches only,” rather than silently pulling in feature updates unattended.

Step 3 (Debian/Ubuntu): enable the periodic timer

// /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Step 4 (Debian/Ubuntu): do a dry run before trusting it

sudo unattended-upgrade --dry-run --debug

Step 5 (RHEL/Fedora): install dnf-automatic

sudo dnf install dnf-automatic

Step 6 (RHEL/Fedora): configure for security-only, apply-don’t-just-notify

# /etc/dnf/automatic.conf
[commands]
upgrade_type = security
apply_updates = yes

[emitters]
emit_via = stdio

upgrade_type = security mirrors the Debian-side origin restriction; apply_updates = yes actually installs rather than merely notifying (the tool’s default is notify-only).

Step 7 (RHEL/Fedora): enable the timer

sudo systemctl enable --now dnf-automatic.timer

Step 8 (both): decide on reboot policy deliberately

# Debian/Ubuntu
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";

Kernel security patches often require a reboot to take effect — leaving Automatic-Reboot off means patches are downloaded and installed but not fully active until a manual reboot; enabling it with a scheduled time trades that gap for an automatic, unattended restart at a chosen low-traffic hour.

Step 9 (both): monitor that it’s actually running

# Debian/Ubuntu
cat /var/log/unattended-upgrades/unattended-upgrades.log

# RHEL/Fedora
journalctl -u dnf-automatic

Confirming these logs show recent, successful runs — not just that the service is configured — catches a silently-broken automatic update pipeline before it matters.

Why “security-only, automatic” is the sensible default and “everything, automatic” usually isn’t

Security patches are narrowly scoped and tested specifically for safe, low-risk application; general feature updates carry a meaningfully higher chance of an unexpected behavior change landing unattended in production. Restricting automation to the security channel specifically — while still handling feature updates through a deliberate, reviewed process — captures nearly all of the safety benefit of automatic patching with much less of the risk.