.

You don't have to manually install security updates on all your boxes. Debian has some recommended solutions here

You can configure automated security updates like this:

sudo apt update && sudo apt install unattended-upgrades -y

The frequency of unattended-upgrades is controlled by the settings in this file: /etc/apt/apt.conf.d/20auto-upgrades

Inside it we want to paste in the following:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

---

Meaning of the values

APT::Periodic::Update-Package-Lists "1"; → Updates the list of available packages daily (1 = every day).

APT::Periodic::Download-Upgradeable-Packages "1"; → Downloads upgradable packages daily.

APT::Periodic::Unattended-Upgrade "1"; → Actually runs unattended-upgrades daily.

APT::Periodic::AutocleanInterval "7"; → Cleans the local package cache once every 7 days.

Setting 0 as a value will disable that entry.

Want to check when it last ran, and what was installed?

You can check the log like this:

sudo cat /var/log/unattended-upgrades/unattended-upgrades.log