How to Set Up Automatic Security Updates on Debian

SKYLINE Knowledge Base

A field-tested, step-by-step guide to setting up automatic security updates on Debian: prerequisites, the actual commands, verification, and links to related Debian topics.

A patched server is a quiet server. unattended-upgrades on Debian installs security updates without your input — set it once, get patches forever. This guide walks through enabling it, scoping it to security-only, and proving it works.

Prerequisites

  • Debian 12 with sudo.
  • Outbound HTTPS to security.debian.org and deb.debian.org.

Step 1: Install

sudo apt update
sudo apt install -y unattended-upgrades apt-listchanges
sudo dpkg-reconfigure -plow unattended-upgrades
# Choose YES to enable automatic upgrades.

This drops /etc/apt/apt.conf.d/20auto-upgrades with the two flags that turn the feature on.

Step 2: Scope it to security only (recommended)

Edit /etc/apt/apt.conf.d/50unattended-upgrades. Uncomment the security origin and keep the rest off — you want predictable kernel ABIs, not surprise major-version jumps.

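Unattended-Upgrade::Origins-Pattern {
    // Debian 11 and later publish security updates under the codename "<release>-security":
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    // optionally also:
    // "origin=Debian,codename=${distro_codename}-updates";
};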

Unattended-Upgrade::Package-Blacklist {
    // pin packages you do NOT want auto-updated, e.g.:
    // "mysql-server";
    // "postgresql-15";
};

Unattended-Upgrade::Mail "ops@example.sa";
Unattended-Upgrade::MailReport "on-change";

Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";

Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";

Step 3: Test in dry-run

sudo unattended-upgrade --dry-run --debug 2>&1 | tail -30

Watch for the line Allowed origins are: — that is what will actually be picked up.
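
The check behind Steps 2 and 3, as an added example (not part of the original guide or of unattended-upgrades itself): a shell model of how an Origins-Pattern entry is compared with a repository's release fields, showing which codename the security archive has to be matched on. The sample release lines are constructed to mirror apt-cache policy output on Debian 12, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: simplified model of Origins-Pattern matching (every
# key=value term must glob-match the repository's release field).

# Constructed sample of release fields, as `apt-cache policy` prints them.
SAMPLE_POLICY='v=12,o=Debian,a=stable-security,n=bookworm-security,l=Debian-Security,c=main
v=12.5,o=Debian,a=stable-updates,n=bookworm-updates,l=Debian,c=main
v=12.5,o=Debian,a=stable,n=bookworm,l=Debian,c=main'

# Translate a long pattern key to the short key used in the release line.
short_key() {
    case "$1" in
        origin) echo o ;; codename) echo n ;; label) echo l ;;
        archive|suite) echo a ;; component) echo c ;; *) echo "$1" ;;
    esac
}

# field_of FIELDS KEY: print the value of KEY from a "k=v,k=v" string.
field_of() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# pattern_matches PATTERN FIELDS: succeed only if all terms match (AND).
pattern_matches() {
    printf '%s\n' "$1" | tr ',' '\n' | (
        while IFS='=' read -r key want; do
            have=$(field_of "$2" "$(short_key "$key")")
            # $want is deliberately unquoted so globs such as * apply.
            case "$have" in $want) ;; *) exit 1 ;; esac
        done
    )
}

# selected_codenames PATTERN CODENAME: expand ${distro_codename}, then
# print the codename of every sample repository the pattern selects.
selected_codenames() {
    expanded=$(printf '%s\n' "$1" | sed 's/[$]{distro_codename}/'"$2"'/g')
    printf '%s\n' "$SAMPLE_POLICY" | while IFS= read -r fields; do
        if pattern_matches "$expanded" "$fields"; then
            field_of "$fields" n
        fi
    done
}

# Without the "-security" suffix nothing is selected; with it, one repo is.
selected_codenames 'origin=Debian,codename=${distro_codename},label=Debian-Security' bookworm
selected_codenames 'origin=Debian,codename=${distro_codename}-security,label=Debian-Security' bookworm
```

On a real host, compare the release lines from apt-cache policy with the Allowed origins are: line from the dry run in the same way.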

Step 4: Confirm the systemd timer fires

sudo systemctl status unattended-upgrades.service
sudo systemctl list-timers apt-daily.timer apt-daily-upgrade.timer

apt-daily.timer refreshes the cache around 06:00 daily; apt-daily-upgrade.timer applies updates around 06:30.

Step 5: Mail alerts (optional)

If you set Unattended-Upgrade::Mail above, make sure a local MTA can deliver. bsd-mailx + msmtp is the lightweight choice:

sudo apt install -y bsd-mailx msmtp msmtp-mta
sudoedit /etc/msmtprc                # set smarthost, from, auth
echo "test" | mail -s "test" ops@example.sa

Verify

After a security advisory drops, the next morning you should see new entries in:

sudo less /var/log/unattended-upgrades/unattended-upgrades.log
sudo grep -E 'install|upgrade' /var/log/dpkg.log | tail -20
cat /var/run/reboot-required 2>/dev/null

Conclusion

Three minutes of configuration buys you years of timely security patches without paging anyone. Pair it with a Sunday morning reboot window and you have the cheapest infosec control on the market.

Next steps

  • Match the firewall to a default-deny posture — see UFW for specific ports.
  • Pin major services with the Package-Blacklist block above to avoid surprise restarts.
  • Review the Linux systemd guide to inspect timers.

SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.
