Automating security updates on Ubuntu 24.04 minimizes the risk of vulnerabilities going unpatched and saves time on manual maintenance. By configuring unattended-upgrades, you ensure the system regularly installs critical security updates and, if desired, other package updates without requiring user input. This approach optimizes server uptime and reliability while keeping your system protected against emerging threats.
Enable Automatic Security Updates Using Unattended-Upgrades
Install the unattended-upgrades package if it is not already present. This utility manages the automatic installation of security and other package updates. Open a terminal and run:
sudo apt update
sudo apt install unattended-upgrades
This command refreshes your package list and installs the unattended-upgrades utility. The package is often pre-installed on Ubuntu 24.04, but running the command ensures it’s available and up to date.
systemctl status unattended-upgrades
If the service is not active, start it using:
sudo systemctl start unattended-upgrades
/etc/apt/apt.conf.d/20auto-upgrades controls how often package lists are updated and whether unattended-upgrades run automatically. Edit this file with:
sudo nano /etc/apt/apt.conf.d/20auto-upgrades
Ensure it contains the following lines:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
The value "1" means the action occurs daily. Adjust the numbers as needed (e.g., "2" for every other day). Save and close the file.
/etc/apt/apt.conf.d/50unattended-upgrades. Open it with:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
By default, only security updates are enabled. To include regular package updates, remove the // at the beginning of the line containing "${distro_id}:${distro_codename}-updates";. If you want to exclude certain packages from automatic updates, add their names under the Unattended-Upgrade::Package-Blacklist section, using the format:
Unattended-Upgrade::Package-Blacklist {
"package-name";
};
To receive email notifications about update results or errors, locate the line:
//Unattended-Upgrade::Mail "";
Uncomment it and add your email address inside the quotes:
Unattended-Upgrade::Mail "you@example.com";
Adjust the reporting frequency by setting Unattended-Upgrade::MailReport to "always", "on-change", or "only-on-error" as needed.
To automatically reboot after updates that require it (such as kernel upgrades), uncomment and set:
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
This schedules a reboot at 2:00 AM if required by updates. You can adjust the time as needed. To avoid reboots when users are logged in, set Unattended-Upgrade::Automatic-Reboot-WithUsers "false";.
Save and exit the configuration file after making your changes.
sudo systemctl restart unattended-upgrades
sudo unattended-upgrades --dry-run --debug
This command simulates the upgrade process and reports any issues, allowing you to confirm that updates will be applied as configured without making changes to your system.
/var/log/unattended-upgrades/. To check recent activity, run:
sudo tail -n 50 /var/log/unattended-upgrades/unattended-upgrades.log
This provides insight into which updates have been applied and any errors encountered.
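A quick audit of the settings configured in the steps above, as an added example that is not part of the original guide. The function names and the two sample inputs are constructed for illustration, and the parser assumes the flat Key "value"; form shown in this guide.

```bash
#!/bin/bash
# Added example (not from the original guide): audit the settings configured above.
# Assumes the flat `Key "value";` form, which is also what `apt-config dump` prints.

# Print the last uncommented value of an APT option read from stdin.
# Lines starting with // are comments and never match.
get_apt_value() {
    sed -n -E "s|^[[:space:]]*$1[[:space:]]+\"([^\"]*)\";.*|\1|p" | tail -n 1
}

# audit_unattended CONFIG_TEXT: returns 0 only if both periodic jobs are enabled.
audit_unattended() {
    local conf="$1" rc=0 key val reboot when
    for key in APT::Periodic::Update-Package-Lists APT::Periodic::Unattended-Upgrade; do
        val=$(printf '%s\n' "$conf" | get_apt_value "$key")
        case "$val" in
            ''|0) echo "FAIL $key is unset or \"0\" (disabled)"; rc=1 ;;
            *)    echo "OK   $key = \"$val\"" ;;
        esac
    done
    reboot=$(printf '%s\n' "$conf" | get_apt_value 'Unattended-Upgrade::Automatic-Reboot')
    when=$(printf '%s\n' "$conf" | get_apt_value 'Unattended-Upgrade::Automatic-Reboot-Time')
    if [ "$reboot" = "true" ] && [ -z "$when" ]; then
        echo "WARN Automatic-Reboot is on but no Automatic-Reboot-Time is set"
    elif [ "$reboot" != "true" ]; then
        echo "INFO Automatic-Reboot is off; updates that need a reboot wait for a manual one"
    fi
    return "$rc"
}

# Constructed sample: the upgrade job left commented out, reboot enabled without a time.
SAMPLE_BAD='APT::Periodic::Update-Package-Lists "1";
//APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Automatic-Reboot "true";'

# Constructed sample matching the settings in this guide.
SAMPLE_GOOD='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";'

# On a real host, audit the effective configuration: audit_unattended "$(apt-config dump)"
audit_unattended "$SAMPLE_BAD" || echo "=> audit failed"
```

Feeding it the output of apt-config dump checks the merged configuration from every file under /etc/apt/apt.conf.d/, so an override in another file is caught as well.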
Alternative Methods: Using the GUI and Custom Scripts
Configuring Automatic Updates via Ubuntu Desktop GUI
For desktop users, Ubuntu offers a graphical way to manage automatic updates. Open the Software & Updates application and navigate to the Updates tab. Set When there are security updates to Download and install automatically. This approach is straightforward for those who prefer not to edit configuration files manually.
Automating Updates with a Custom Shell Script
Some administrators prefer to control updates using custom scripts, which can be scheduled with cron or added to startup tasks. For example, you can create a script containing:
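#!/bin/bash
# Refresh the package lists
sudo apt update
# Install all available upgrades without prompting
sudo apt upgrade -y
# Remove packages that are no longer needed
sudo apt autoremove -y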
Make the script executable:
chmod +x ~/autoupd.sh
Schedule it to run periodically by adding it to crontab or your desktop environment’s startup applications. This method gives you granular control but lacks the safety and reporting features of unattended-upgrades.
Automating security updates with unattended-upgrades on Ubuntu 24.04 streamlines system maintenance, reduces risk, and keeps your server or desktop secure with minimal effort.






