Keeping a Linux server up to date is one of the most fundamental system administration tasks. Outdated packages are the number one attack vector for server compromise, yet manually running apt update && apt upgrade on every server is tedious and error-prone. This guide compares three distinct approaches to automating Debian/Ubuntu system update management: apticron (email notification), unattended-upgrades (automatic installation), and debsecan (security vulnerability tracking).

Each tool serves a different role in the update management pipeline — from alerting you about available updates, to automatically installing them, to identifying which installed packages have known security vulnerabilities. Understanding how they differ and how they can complement each other is key to building a robust server maintenance strategy.

How Linux Package Update Management Works

Before diving into the tools, it is important to understand the problem they solve. On Debian-based systems, the APT (Advanced Package Tool) package manager handles software installation and updates. The typical manual workflow involves:

  1. apt update — Refreshes the local package index from configured repositories
  2. apt list --upgradable — Shows which packages have newer versions available
  3. apt upgrade — Downloads and installs the newer versions

For a single server, this takes seconds. For dozens of servers, it becomes a time sink. Worse, administrators may forget to check, leaving security patches unapplied for weeks. Automated update management tools solve this by running on a schedule (typically via systemd timers or cron jobs) and either notifying you or taking action directly.

Apticron: Email Notification for Available Updates

Apticron is a simple but effective shell script that checks for available package updates and sends an email summary to the system administrator. It does not install anything — it only reports what is available.

GitHub: No dedicated GitHub repo (Debian package maintained via Debian Git)
Stars: N/A (Debian repository package)
License: GPL-2.0

Key Features

  • Runs daily via cron/systemd timer
  • Sends formatted email listing all upgradable packages
  • Highlights security updates separately
  • Supports custom email recipients and subjects
  • Lightweight — no daemon, no dependencies beyond standard Debian tools
  • Can exclude specific packages from notifications

Installation and Configuration

1

sudo apt install apticron

Configuration is in /etc/apticron/apticron.conf:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

# Email address for notifications
EMAIL="admin@example.com"

# System name in email subject
SYSTEM="production-web-server"

# Include package descriptions in email
LISTCHANGES_PROFILE="apticron"

# Only notify about security updates (set to true for security-only mode)
# SECURITY_UPDATES_ONLY="false"

# Custom subject line
CUSTOM_SUBJECT="[APT] Updates available on $(hostname)"

To configure the systemd timer for daily checks:

1
2

sudo systemctl enable --now apticron.timer
sudo systemctl status apticron.timer

Docker Deployment (Containerized Notification Service)

While apticron is typically installed directly on the host, you can containerize it for centralized update monitoring:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

version: "3.8"
services:
  apticron:
    image: debian:bookworm-slim
    volumes:
      - /var/lib/dpkg:/host/var/lib/dpkg:ro
      - /var/lib/apt:/host/var/lib/apt:ro
      - ./apticron.conf:/etc/apticron/apticron.conf:ro
    command: >
      bash -c "
        cp -r /host/var/lib/dpkg /var/lib/ &&
        cp -r /host/var/lib/apt /var/lib/ &&
        apt-get update > /dev/null 2>&1 &&
        UPGRADABLE=$(apt list --upgradable 2>/dev/null | grep -v '^Listing') &&
        if [ -n "$UPGRADABLE" ]; then
          echo "$UPGRADABLE" | mail -s "Updates on $(hostname)" admin@example.com
        fi
      "
    restart: "no"

Unattended-Upgrades: Automatic Security Patch Installation

Unattended-upgrades takes a more aggressive approach: it automatically downloads and installs security updates without requiring administrator intervention. This is the tool recommended by Debian and Ubuntu for production servers where timely security patching is critical.

Repository: https://salsa.debian.org/installer-team/unattended-upgrades
License: GPL-2.0

Key Features

  • Automatically installs security updates on a schedule
  • Configurable — can include non-security updates, too
  • Automatic reboot detection (configurable)
  • Email notification on errors or successful runs
  • Blacklist/whitelist support for specific packages
  • Download-only mode for staging updates before installation
  • Automatic cleanup of obsolete kernels and packages

Installation and Configuration

1
2

sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

The main configuration file is /etc/apt/apt.conf.d/50unattended-upgrades:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};

// Blacklist specific packages from automatic upgrade
Unattended-Upgrade::Package-Blacklist {
    // "linux-image-generic";
    // "linux-headers-generic";
};

// Automatically reboot if required (set to "true" for full automation)
Unattended-Upgrade::Automatic-Reboot "false";

// Send email notification on errors
Unattended-Upgrade::Mail "admin@example.com";
Unattended-Upgrade::MailReport "on-change";

Enable the systemd timer:

1
2

sudo systemctl enable --now apt-daily-upgrade.timer
sudo systemctl status apt-daily-upgrade.timer

Dry Run and Logging

Before enabling automatic upgrades in production, test with a dry run:

1

sudo unattended-upgrade --dry-run -v

View logs of past unattended upgrades:

1
2

cat /var/log/unattended-upgrades/unattended-upgrades.log
cat /var/log/unattended-upgrades/unattended-upgrades-dpkg.log

Debsecan: Security Vulnerability Tracking

Debsecan is a tool that checks installed packages against the Debian Security Advisory database and reports which packages have known vulnerabilities. Unlike apticron (which tells you updates are available) or unattended-upgrades (which installs them automatically), debsecan tells you which installed packages are actually vulnerable — even if no update is yet available.

Repository: https://salsa.debian.org/security-tools/debsecan
License: GPL-2.0+

Key Features

  • Checks installed packages against CVE databases
  • Reports severity ratings (low, medium, high, critical)
  • Can generate reports in multiple formats (plain text, HTML, machine-readable)
  • Works even when no update is available yet (zero-day awareness)
  • Integrates with monitoring systems via exit codes
  • Supports custom vulnerability source URLs

Installation and Configuration

1

sudo apt install debsecan

Run a vulnerability scan:

1

sudo debsecan

Generate an HTML report:

1

sudo debsecan --format html > /var/www/reports/vulnerabilities.html

Machine-readable output for automation:

1

sudo debsecan --format machine > /tmp/vulns.csv

Schedule daily scans via cron:

1
2
3
4
5
6

# /etc/cron.daily/debsecan-check
#!/bin/bash
VULNS=$(debsecan 2>/dev/null)
if [ -n "$VULNS" ]; then
    echo "$VULNS" | mail -s "[SECURITY] Vulnerable packages on $(hostname)" admin@example.com
fi

Comparison Table

FeatureApticronUnattended-UpgradesDebsecan
Primary purposeEmail notificationAuto-install updatesVulnerability tracking
Automatic installationNoYesNo
Security-only modePartialYes (default)Yes
Email alertsYes (always)Yes (on change/error)Manual setup
CVE awarenessNoNoYes
Package blacklistYesYesNo
Zero-day detectionNoNoYes
Reboot handlingNoConfigurableNo
Report formatsEmail onlyLog filesText, HTML, CSV
Resource usageMinimalModerateLow
Best forStaging/dev serversProduction serversSecurity audits

Choosing the Right Update Strategy

Development and Staging Servers

For non-production servers, apticron is ideal. It notifies you about available updates without making changes, allowing you to test updates before rolling them out to production. Pair it with a manual apt upgrade after reviewing the email notification.

Production Servers

For production, unattended-upgrades is the recommended approach. Configure it to install security updates automatically, with email notifications on failure. This ensures critical patches are applied within hours of release, not days or weeks later.

Security-Compliant Environments

In regulated environments (PCI-DSS, SOC 2, HIPAA), debsecan provides the vulnerability audit trail that compliance frameworks require. Run it weekly and archive the reports. It also catches vulnerabilities where no patch exists yet, giving you time to implement mitigations.

Combined Deployment: The Defense-in-Depth Approach

The most robust strategy combines all three tools:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

#!/bin/bash
# /etc/cron.weekly/update-audit.sh
# Comprehensive update management audit

echo "=== Available Updates ===" 
apticron --cron

echo "=== Unattended-Upgrade Status ==="
unattended-upgrade --dry-run -v 2>&1 | tail -5

echo "=== Security Vulnerabilities ==="
debsecan --suite $(lsb_release -cs)

echo "=== Package Count ==="
echo "Installed: $(dpkg -l | grep '^ii' | wc -l)"
echo "Upgradable: $(apt list --upgradable 2>/dev/null | grep -v '^Listing' | wc -l)"

This combined approach gives you: proactive notification of available updates, automatic security patch installation, and independent vulnerability verification.

Why Self-Host Your Update Management?

Cloud providers offer managed update services, but self-hosted update management gives you full control over what gets installed, when, and how. You decide which packages are safe to auto-upgrade, which require testing first, and which should be blacklisted entirely.

For organizations managing dozens of servers across multiple environments, centralized update management is essential. Tools like Apticron, Unattended-Upgrades, and Debsecan are battle-tested, lightweight, and integrate with existing monitoring stacks.

For managing Debian package repositories across your infrastructure, see our complete guide to APT repository mirrors. If you need to manage dependency updates for your application code, check our dependency automation comparison. For automated Kubernetes node updates and restarts, our K8s automated update guide covers the container-native approach.

FAQ

Should I use apticron or unattended-upgrades?

Use apticron if you want to review updates before installing them — ideal for staging and development environments. Use unattended-upgrades for production servers where timely security patching is critical and you trust the Debian/Ubuntu security team to not break things.

Can unattended-upgrades break my server?

In rare cases, yes. Major version upgrades (e.g., PHP 8.1 to 8.2) or library ABI changes can cause service failures. This is why unattended-upgrades defaults to security-only updates and supports a package blacklist for critical services. Always test updates in staging first.

What does debsecan tell me that apticron does not?

Apticron tells you which packages have newer versions available in the repositories. Debsecan tells you which installed packages have known CVEs — even if no fix has been released yet. This distinction matters for zero-day vulnerabilities where you need to know you are exposed before a patch exists.

How do I prevent unattended-upgrades from upgrading the kernel?

Add the kernel packages to the blacklist in /etc/apt/apt.conf.d/50unattended-upgrades:

1
2
3
4

Unattended-Upgrade::Package-Blacklist {
    "linux-image-";
    "linux-headers-";
};

This prevents automatic kernel upgrades, which require a reboot to take effect.

Can I use these tools on non-Debian systems?

No — all three tools are Debian/Ubuntu-specific. For RHEL/CentOS, use yum-cron or dnf-automatic. For Arch Linux, use pacmatic or pkgfile. The concepts (notification vs auto-install vs vulnerability tracking) apply across all distributions.

How often should debsecan run?

Run debsecan daily on production servers and weekly on staging/development. The Debian security advisory database is updated frequently, and daily scans ensure you are alerted to new vulnerabilities within 24 hours.

Do I need both apticron and unattended-upgrades?

No — they serve overlapping purposes. If you use unattended-upgrades for automatic security patching, you do not need apticron for the same packages. However, apticron can still be useful for notifying you about non-security updates that unattended-upgrades skips.

Conclusion

Linux system update management is not a one-tool problem. Apticron gives you visibility, unattended-upgrades gives you automation, and debsecan gives you security assurance. The right combination depends on your risk tolerance, compliance requirements, and operational capacity. For most production environments, unattended-upgrades with a carefully curated blacklist is the baseline, augmented by debsecan for security audits and apticron for non-security update awareness.