Ubuntu automated security updates

Automated security updates is a great way to ensure your system automatically installs all security updates.

Step 1: package installation

Install the unattended-upgrades package:

sudo apt install unattended-upgrades

Step 2: configure automatic updates

Edit the configuration file with your favourite text editor:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

There will be alot of other information, but the lines you want to uncomment are:

"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";

That tells Ubuntu to automatically perform security updates. Your file will look similar to this after making the changes,

Unattended-Upgrade::Allowed-Origins {
  "${distro_id}:${distro_codename}";
	"${distro_id}:${distro_codename}-security";
	// Extended Security Maintenance; doesn't necessarily exist for
	// every release and this system may not have it installed, but if
	// available, the policy for updates is such that unattended-upgrades
	// should also install from here by default.
	"${distro_id}ESM:${distro_codename}";
//	"${distro_id}:${distro_codename}-updates";
//	"${distro_id}:${distro_codename}-proposed";
//	"${distro_id}:${distro_codename}-backports";
};

Step3 - Enabling Unattended Automatic Updates

To enable automatic updated, you need to ensure that the apt configuration file /etc/apt/apt.conf.d/20auto-upgrades contains at least the following two lines. It's usually included by default.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

The above configuration updates the package list, and installs available updates every day.

For bonus points and a cleaner machine, add this to to anove file to clean your download cache every 7 days. 

APT::Periodic::AutocleanInterval "7";

Bonus step - You can test whether it works by doing a dry run.

sudo unattended-upgrades --dry-run --debug

Your output will look similar to this.

pkgs that look like they should be upgraded: 
Fetched 0 B in 0s (0 B/s)                                                                                                                                                                            
fetch.run() result: 0
blacklist: []
whitelist: []
Option --dry-run given, *not* performing real actions
Packages that will be upgraded: 
InstCount=0 DelCount=0 BrokenCount=0
PreviousInstall Wiregaurd on Ubuntu 18.04NextGetting passwords of logged in users

Last updated

Was this helpful?