Every system administrator faces the same question: when and how should security patches be applied? For a handful of servers, manual patching is manageable. For fleets of servers (or even just the machines you manage personally), automatic updates start to make sense for at least the security patch category.

The debate about automatic updates is well-covered elsewhere: Fedora maintains an opinionated list of reasons to use them and an equally opinionated list of reasons not to. The short version: automatic updates are appropriate for non-mission-critical systems where the cost of an unpatched vulnerability exceeds the risk of an update breaking something. For critical production systems, a proper patch management pipeline with testing is the right answer.

Here’s how to enable security-only automatic updates on the major Linux families.

openSUSE Link to heading

openSUSE uses Automatic Online Update, configured via YaST.

Install the configuration module:

zypper install yast2-online-update-configuration

Configure it:

yast2 online_update_configuration

Set it to check and install only Security updates weekly, and skip Interactive Patches (patches that require administrator confirmation, such as updates that restart critical services). Also enable delta RPMs to reduce bandwidth.

Updated 2026: If you’re running openSUSE Leap or Tumbleweed with transactional updates (e.g., on MicroOS or any immutable variant), use automatic transactional updates instead. rebootmgr handles automatic reboots when transactional updates are installed.

CentOS 7 / RHEL 7 Link to heading

Install yum-cron:

yum -y install yum-cron

Edit /etc/yum/yum-cron.conf to install only security updates:

update_cmd = security
apply_updates = yes

Enable and start the service:

systemctl enable --now yum-cron.service

Updated 2026: CentOS 8 reached end-of-life in December 2021. CentOS Stream, AlmaLinux, and Rocky Linux are the current successors. yum-cron is not available on EL8+; use dnf-automatic instead (see below).

Fedora and CentOS 8+ / RHEL 8+ / AlmaLinux / Rocky Linux Link to heading

Install dnf-automatic:

dnf install -y dnf-automatic

Edit /etc/dnf/automatic.conf to install security updates only:

upgrade_type = security

Enable the systemd timer:

systemctl enable --now dnf-automatic.timer

Debian and Ubuntu Link to heading

Install unattended-upgrades:

apt install unattended-upgrades

Enable automatic list updates and upgrades in /etc/apt/apt.conf.d/20auto-upgrades:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Configure the allowed repositories in /etc/apt/apt.conf.d/50unattended-upgrades. For security-only updates on Debian:

Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
};

For Ubuntu, the default configuration already includes the security repository, so you may not need to change anything beyond enabling the package.

Final notes Link to heading

Each distribution offers additional options worth exploring: email notifications when updates are applied, package exclusion lists, and scheduling controls. The examples above are a starting point; read the documentation for your distribution to tune them to your situation.