
Enabling Automatic Unattended Security Updates on Ubuntu and Debian

Staying up to date with the latest security patches is a crucial step to avoid getting hacked.

Google recently published an article showcasing a proof-of-concept attack based on the well-known Spectre vulnerability, to emphasize the possible consequences of leaving affected systems unpatched.

There is a constant flow of new vulnerabilities being discovered and, as a result, new security updates are getting published almost every day.

Luckily, this process has been made simple for Linux users running Debian-based distributions like Ubuntu. The unattended-upgrades package does exactly what its name suggests: it downloads and installs security updates automatically, without anyone logged in.

Install the unattended-upgrades utility (apt-listchanges is optional; it records the changelog entries of every package that gets upgraded, which is useful when auditing what an unattended run changed):

sudo apt install unattended-upgrades apt-listchanges

Reconfigure the package and choose <Yes> when asked whether to automatically download and install stable updates; this enables the periodic run by writing /etc/apt/apt.conf.d/20auto-upgrades:

sudo dpkg-reconfigure -plow unattended-upgrades

Check /etc/apt/apt.conf.d/20auto-upgrades and make sure it has the following content. Update-Package-Lists "1" refreshes the package lists daily, Unattended-Upgrade "1" runs the unattended upgrade daily, and AutocleanInterval "7" removes obsolete .deb files from the apt cache once a week:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";

For more information about these variables, see https://debian-handbook.info/browse/stable/sect.regular-upgrades.html

Check /etc/apt/apt.conf.d/50unattended-upgrades and make sure that only the security origins in the Unattended-Upgrade::Allowed-Origins block are uncommented. On Ubuntu the stock file already reads like this (the -updates, -proposed and -backports entries stay commented out):

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};

The first entry is the release pocket, whose packages do not change after the release ships, so in practice every upgrade comes from the -security origin (and from the ESM origins where Ubuntu Pro / ESM is enabled). Debian's stock file selects the security archive differently, through Unattended-Upgrade::Origins-Pattern entries such as "origin=Debian,codename=${distro_codename}-security,label=Debian-Security", so on Debian check that block rather than Allowed-Origins.

If you would like to exclude certain packages from being updated, list them in the same file under Unattended-Upgrade::Package-Blacklist. Entries are Python regular expressions matched against the start of the package name, so as written below "docker" also excludes docker-ce and docker.io, and "nginx" also excludes nginx-common; append $ (for example "nginx$") when you mean an exact name. Keep the list short: a security update that needs a newer version of a blacklisted package is held back together with it.

Unattended-Upgrade::Package-Blacklist {
    "docker";
    "nginx";
};
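The whole procedure above, from installing the package to checking both configuration files, as an added example script that is not part of the original post. It writes 20auto-upgrades directly, parses the Allowed-Origins block to confirm that no -updates, -proposed or -backports origin is active, and reproduces the Package-Blacklist matching rule so a pattern can be tested against the installed package names before it is committed. APT_CONF_DIR is a hypothetical override (the real directory is /etc/apt/apt.conf.d) so the check functions can be pointed at a scratch copy of the files, and the sample 50unattended-upgrades excerpt is constructed here, not copied from a live host.

```shell
#!/bin/sh
# Added example, not from the original post: configure and verify
# unattended-upgrades. APT_CONF_DIR is a hypothetical override so the
# functions below can be exercised against a scratch directory.
set -eu

APT_CONF_DIR="${APT_CONF_DIR:-/etc/apt/apt.conf.d}"

# Write 20auto-upgrades with the values the post requires (idempotent).
write_auto_upgrades() {
    cat > "$1/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF
}

# Print the quoted value of one APT option from a file; if the option is
# set more than once the last definition wins, as in apt's own parsing.
apt_conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$1" | tail -n 1
}

# 0 when the periodic settings enable both the daily list refresh and the
# daily unattended run.
check_auto_upgrades() {
    [ "$(apt_conf_value "$1" APT::Periodic::Update-Package-Lists)" = "1" ] &&
    [ "$(apt_conf_value "$1" APT::Periodic::Unattended-Upgrade)" = "1" ]
}

# List the uncommented origins inside Unattended-Upgrade::Allowed-Origins.
# The // comments are stripped first so a commented-out "-updates" line is
# not mistaken for an active one.
active_origins() {
    sed 's#//.*##' "$1" |
    awk '/Unattended-Upgrade::Allowed-Origins/ { inblk = 1; next }
         inblk && /^[[:space:]]*};/ { inblk = 0 }
         inblk && /"[^"]*"/ { sub(/^[^"]*"/, ""); sub(/".*$/, ""); print }'
}

# 0 when no -updates, -proposed or -backports origin is active, i.e. the
# file keeps the security-only policy the post asks for.
check_security_only() {
    ! active_origins "$1" | grep -Eq -- '-(updates|proposed|backports)$'
}

# Package-Blacklist entries are Python regexes matched at the start of the
# package name; emulate that with grep -E '^(pattern)'. Package names are
# read from stdin (one per line, e.g. from dpkg-query -W -f '${Package}\n')
# and the ones the pattern would exclude from upgrades are printed.
blacklist_hits() {
    grep -E "^($1)" || true
}

# Constructed excerpt of Ubuntu's stock 50unattended-upgrades, used as
# sample input for the checks; not copied from a live host.
sample_50unattended() {
    cat <<'EOF'
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
	"${distro_id}:${distro_codename}";
	"${distro_id}:${distro_codename}-security";
	// Extended Security Maintenance
	"${distro_id}ESMApps:${distro_codename}-apps-security";
	"${distro_id}ESM:${distro_codename}-infra-security";
//	"${distro_id}:${distro_codename}-updates";
//	"${distro_id}:${distro_codename}-proposed";
//	"${distro_id}:${distro_codename}-backports";
};

Unattended-Upgrade::Package-Blacklist {
//	"linux-";
};
EOF
}

# Apply the post's procedure on a real host (run as root with --apply).
apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    DEBIAN_FRONTEND=noninteractive apt-get install -y unattended-upgrades apt-listchanges
    write_auto_upgrades "$APT_CONF_DIR"
    check_auto_upgrades "$APT_CONF_DIR/20auto-upgrades"
    check_security_only "$APT_CONF_DIR/50unattended-upgrades"
    unattended-upgrade --dry-run --debug   # show what the next run would do
}

case "${1:-}" in --apply) apply ;; esac
```

Without --apply the script only defines the functions, so it can be sourced and the checks run against a copy of a host's files first; `printf 'docker-ce\nnginx-common\n' | blacklist_hits docker` shows which installed packages a candidate blacklist pattern would pin. The script writes 20auto-upgrades itself instead of going through dpkg-reconfigure, which makes it safe to re-run from configuration management; the dry-run at the end is the same check the post recommends before trusting the daily timer.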

To list the security updates that are pending (a simulated upgrade; nothing is installed):

apt-get upgrade -s | grep -i security

To see what unattended-upgrade will do when it runs, without changing anything:

sudo unattended-upgrade --dry-run --debug

To run the upgrade manually instead of waiting for the daily run:

sudo unattended-upgrade

To get the overall number of packages with available updates (this helper is Ubuntu-specific, shipped by update-notifier-common, and is not present on Debian):

/usr/lib/update-notifier/apt-check --human-readable
Published in LinuxSecurity