
Install Security Updates Automatically in Ubuntu

Keep your Ubuntu system more secure by letting it automatically install the security updates.

Sagar Sharma

Updating a specific package to a newer version is a personal choice: skipping it won't break your system, and you will only miss out on new features. Security patches are different.

Any experienced user will advise you to install security patches as soon as possible, as they fix vulnerabilities currently present in your system.

But users often forget to install new security patches. To tackle this, I will walk you through how to automate the installation of security patches in Ubuntu.

How to install security patches automatically in Ubuntu

To install security patches automatically, you need to install two packages: unattended-upgrades and update-notifier-common.

To install those packages, use the following command:

sudo apt update && sudo apt install unattended-upgrades update-notifier-common

Once done, enable it using the following command:

sudo dpkg-reconfigure --priority=low unattended-upgrades

You'll see a prompt asking whether you want to automatically download and install updates. Use the Tab key to select the Yes button and press it.

Now, let's take a look at how you can configure it.

How to configure auto updates in Ubuntu

In this section, I will walk you through some basic steps to configure the unattended-upgrades package including:

  • Enable email notifications
  • Set a reboot time for security patches to take effect
  • Test configuration

Enable email notifications

You may want to receive notifications about the automatic updates. For that, first install the mailutils package using the following command:

sudo apt install mailutils

Now, open the configuration file using the following command:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Find the following line in the file and remove the two forward slashes (//) to uncomment it:

//Unattended-Upgrade::Mail "";

Make sure you write your email address between the quotes (""). For example, with the placeholder address user@example.com, the line becomes:

Unattended-Upgrade::Mail "user@example.com";

Additionally, if you want to receive an email when something goes wrong with the updates, first find the following line:

//Unattended-Upgrade::MailReport "on-change";

Now, uncomment the line by removing the first two forward slashes and change "on-change" to "only-on-error" as shown here:

Unattended-Upgrade::MailReport "only-on-error";

Save changes and exit from the nano text editor.

Set a reboot time for security patches to take effect

First, you need to enable automatic reboot. To do so, find the following line in the configuration file:

//Unattended-Upgrade::Automatic-Reboot "false";

Uncomment the above line by removing // and change it to "true" as shown:

Unattended-Upgrade::Automatic-Reboot "true";

If you have multiple users logged in and you still want to reboot, then find the following line and uncomment it:

// Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

When uncommented, it should look like this:

Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

If you stop here and keep only the configuration above, the system will reboot as soon as it installs security patches, which can happen at an unpredictable time.

The better option is to set a specific reboot time when no one is working and your server is sitting idle.

To do so, find the following line in the configuration file:

//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

Uncomment the line by removing // and set the time at which you want your system to reboot.

For example, here, I want to reboot my system at 1:00, so I used the following:

Unattended-Upgrade::Automatic-Reboot-Time "01:00";

Test the configuration you've done so far

Once you have configured auto updates to your liking, it is time to test whether everything is configured properly.

First, open the 20auto-upgrades file using the following command:

sudo nano /etc/apt/apt.conf.d/20auto-upgrades

And you should see the following two lines:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

The first line sets how often the package list is updated; 1 means once every day.

The second line sets how often the unattended-upgrades package is used to install security patches without user intervention; 1 again means once every day.

To query the current configuration, use the following command:

apt-config dump APT::Periodic::Unattended-Upgrade

With the configuration above, the output should show the value "1" for APT::Periodic::Unattended-Upgrade.
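To check both configuration files in one pass, the following added example (not from the original article) parses apt.conf.d-style files and reports which of the directives set in this guide are active. It assumes one Key "value"; directive per line; the helper names and sample files are constructed for illustration, and the expected values are the ones chosen above.

```shell
#!/bin/sh
# Added example (not from the original article): audit apt.conf.d-style files
# for the directives this guide sets. Helper names and sample files are constructed.

# Print the value of the last active (not //-commented) KEY line in FILE.
get_directive() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\";.*|\1|p" "$1" | tail -n 1
}

# check FILE KEY EXPECTED: EXPECTED "*" accepts any non-empty value.
check() {
    val=$(get_directive "$1" "$2")
    if [ -z "$val" ] || { [ "$3" != "*" ] && [ "$val" != "$3" ]; }; then
        echo "FINDING: $2 is '${val:-unset or commented out}', expected '$3'"
    else
        echo "ok: $2 = $val"
    fi
}

# audit CONF PERIODIC: one result line per directive from the guide.
audit() {
    check "$2" 'APT::Periodic::Update-Package-Lists' 1
    check "$2" 'APT::Periodic::Unattended-Upgrade' 1
    check "$1" 'Unattended-Upgrade::Mail' '*'
    check "$1" 'Unattended-Upgrade::MailReport' 'only-on-error'
    check "$1" 'Unattended-Upgrade::Automatic-Reboot' 'true'
    check "$1" 'Unattended-Upgrade::Automatic-Reboot-Time' '*'
}

count_findings() { audit "$1" "$2" | awk '/^FINDING/ {n++} END {print n+0}'; }

# Constructed sample input: a stock-looking file and an edited one.
SAMPLE=$(mktemp -d)
printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
    'APT::Periodic::Unattended-Upgrade "1";' > "$SAMPLE/20auto-upgrades"
printf '%s\n' '//Unattended-Upgrade::Mail "";' \
    '//Unattended-Upgrade::MailReport "on-change";' \
    '//Unattended-Upgrade::Automatic-Reboot "false";' \
    '//Unattended-Upgrade::Automatic-Reboot-Time "02:00";' > "$SAMPLE/50-stock"
printf '%s\n' 'Unattended-Upgrade::Mail "user@example.com";' \
    'Unattended-Upgrade::MailReport "only-on-error";' \
    'Unattended-Upgrade::Automatic-Reboot "true";' \
    'Unattended-Upgrade::Automatic-Reboot-Time "01:00";' > "$SAMPLE/50-edited"

audit "$SAMPLE/50-stock" "$SAMPLE/20auto-upgrades"
echo "stock findings:  $(count_findings "$SAMPLE/50-stock" "$SAMPLE/20auto-upgrades")"
echo "edited findings: $(count_findings "$SAMPLE/50-edited" "$SAMPLE/20auto-upgrades")"
```

On a real system, call audit with /etc/apt/apt.conf.d/50unattended-upgrades and /etc/apt/apt.conf.d/20auto-upgrades instead of the sample files.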

That's it!

Here's how you live patch Ubuntu

Did you know that you can apply security patches without rebooting your system? Yep, that's one of the best features of Ubuntu.

While it looks like a pretty complex process, it is pretty easy, and here's how you can configure live patching of Ubuntu:

How to Enable Livepatching on Ubuntu Server
Tired of rebooting your Ubuntu server after every security upgrade? You may enable live kernel patching and forget about reboots altogether.

I hope you will find this guide helpful.
