How to Use apt-get to Install Only Critical Security Updates on Ubuntu



On Ubuntu the "priority" you see in package metadata (required, important, standard, optional) is the Debian Priority field: it says how essential a package is to a base install, not whether an update is a security fix. Canonical's security team publishes security fixes to the <codename>-security pocket of the archive (focal-security on 20.04, jammy-security on 22.04) and announces them as Ubuntu Security Notices (USNs); the same builds are normally copied to <codename>-updates as well. A CVE's severity (critical, high, medium, low, negligible) is tracked in the Ubuntu CVE tracker and in the USN text, not in the package, so apt cannot filter on it. "Install only critical security updates" therefore means, in apt terms: install only the packages whose candidate version comes from the -security pocket, and read the USN when you need the severity.

Before making any changes, always do a dry run first:

sudo apt-get update && apt-get -s upgrade | grep -- '-security'

-s simulates and needs no root. Match the pocket name (-security) rather than the bare word "security", which would also match a package whose name happens to contain it. This shows what would be installed without changing anything.

To list only the pending upgrades whose candidate comes from a security pocket:

sudo apt-get update
apt-get -s upgrade | grep '^Inst.*-security'

Each Inst line names the pocket(s) carrying the candidate inside the parentheses, e.g. Ubuntu:20.04/focal-security. Note that apt-get upgrade never installs new packages, so a kernel security update that pulls in a new linux-image-* package is kept back and does not appear here; apt-get -s dist-upgrade shows those too.

For a more precise approach with apt-get, feed exactly those package names back into an upgrade-only install (when nothing is pending the substitution is empty and apt-get simply reports 0 upgraded):

sudo apt-get install --only-upgrade $(apt-get -s upgrade | \
grep '^Inst.*-security' | \
awk '{print $2}')

Configure automatic security-only updates with unattended-upgrades by editing:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Keep the -security origin active and leave the -updates origin commented out (// starts a comment). Current Ubuntu releases also ship the Ubuntu Pro/ESM security origins in this list; they can stay as they are:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    // "${distro_id}:${distro_codename}-updates";
};

Allowed-Origins only restricts what unattended-upgrades may install. The run itself happens only if APT::Periodic::Unattended-Upgrade is set to "1" in /etc/apt/apt.conf.d/20auto-upgrades, which dpkg-reconfigure unattended-upgrades writes for you.

To check what has been upgraded, read apt's history log:

grep -E '^(Start-Date|Commandline|Upgrade):' /var/log/apt/history.log

Each entry records the command line and the old and new version of every package, but not the pocket a version came from, so grepping the log for "security" only finds entries whose command line happened to contain the word. Runs made by unattended-upgrades are logged, together with their origin, in /var/log/unattended-upgrades/unattended-upgrades.log.

To see why a particular package was updated, read its changelog:

apt-get changelog openssl

Ubuntu's security uploads normally list the CVE identifiers they fix in the changelog entry. The urgency= field in a changelog is Debian's upload urgency, not a security severity, so filtering on urgency=high is not a way to find security fixes.
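To turn the history log described above into something you can audit, here is an added shell example, not from the original page: it extracts the date, package and old/new version from each Upgrade: entry. The function names and the embedded log (constructed, but in the real file's layout) are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page: list what apt actually upgraded
# from /var/log/apt/history.log.  The log records the command line and the
# old and new version of each package, but not the pocket a version came
# from, so confirm a security update by its version (the one named in the
# USN), not by searching the log for the word "security".
set -eu

# history_upgrades: read history.log on stdin and print one line per
# upgraded package: "<start-date> <package> <old-version> <new-version>".
# Install:/Remove: entries are skipped.
history_upgrades() {
    awk '
        /^Start-Date:/ { date = $2 }
        /^Upgrade:/ {
            line = $0
            sub(/^Upgrade: /, "", line)
            n = split(line, items, /\), /)          # "name:arch (old, new)" items
            for (i = 1; i <= n; i++) {
                item = items[i]
                gsub(/[()]/, "", item)               # name:arch old, new
                sub(/,/, "", item)                   # name:arch old new
                split(item, f, " ")
                sub(/:[^:]*$/, "", f[1])             # drop the :arch suffix
                print date, f[1], f[2], f[3]
            }
        }'
}

# sample_history: a constructed history.log with the same layout as the
# real file; one upgrade run and one plain install.
sample_history() {
    cat <<'EOF'
Start-Date: 2024-03-05  03:00:12
Commandline: apt-get install --only-upgrade openssl libssl1.1
Upgrade: openssl:amd64 (1.1.1f-1ubuntu2.15, 1.1.1f-1ubuntu2.16), libssl1.1:amd64 (1.1.1f-1ubuntu2.15, 1.1.1f-1ubuntu2.16)
End-Date: 2024-03-05  03:00:20

Start-Date: 2024-03-06  09:14:01
Commandline: apt-get install tmux
Install: tmux:amd64 (3.0a-2ubuntu0.3)
End-Date: 2024-03-06  09:14:05
EOF
}

# Offline demo; on a real host include the rotated logs as well:
#   zcat -f /var/log/apt/history.log* | history_upgrades
sample_history | history_upgrades
```

The output is one row per package, which is easy to diff against the versions a USN names; the tmux entry is an Install: line and is deliberately left out.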

For more granular control, you can use aptitude's search patterns. The ~ODebian-Security origin pattern seen in Debian how-tos matches nothing on Ubuntu, whose security pocket has Origin "Ubuntu"; match the pocket's archive name instead, replacing focal with your release's codename (lsb_release -cs):

sudo aptitude safe-upgrade '~U ~Afocal-security'

~U selects upgradable packages and ~A the archive (pocket) a version is in; both must be in one quoted argument so that they are ANDed. This only upgrades packages that have a candidate in the security pocket.

Set up a cron job to check daily. This is the /etc/cron.d format, with the user field; cron does not support backslash continuation, so the entry must stay on one line, and the -s test makes it mail only when something is pending instead of sending an empty message every morning:

0 3 * * * root apt-get update -qq && apt-get -s upgrade | grep '^Inst.*-security' > /run/security-updates.txt; [ -s /run/security-updates.txt ] && mail -s "Available Security Updates" admin@example.com < /run/security-updates.txt

Ubuntu splits each release's archive into pockets: <codename> (the release itself), <codename>-security, <codename>-updates and <codename>-backports. The Priority field on a package (required, important, standard, optional) describes its role in a base install and carries no security meaning; the pocket is what tells a security update apart:

  • <codename>-security: only fixes published with an Ubuntu Security Notice
  • <codename>-updates: the same fixes plus non-security stable release updates
  • <codename>-backports: newer versions backported from later releases, not part of security maintenance

The most precise way to install only security updates with apt-get alone is to filter the simulated upgrade by pocket and hand the result back to apt-get (-r stops xargs from running apt-get with no arguments when nothing is pending):

sudo apt-get update && \
apt-get -s upgrade | \
grep '^Inst.*-security' | \
awk '{print $2}' | \
xargs -r sudo apt-get install --only-upgrade
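The dry run, the $(...) install and the cron entry earlier on the page, and the pipeline just above, all rest on the same parsing step, so here is one added shell script, not from the original page, that does it carefully: it selects Inst lines by the pocket named inside the parentheses, then either reports (for cron, mailing only when something is pending) or upgrades exactly that set. The function names, the embedded simulation output (constructed) and the install path in the usage note are assumptions; admin@example.com is the page's placeholder.

```sh
#!/bin/sh
# Added example, not from the original page: pick upgrades by the pocket the
# candidate version comes from, then either report them (for cron) or upgrade
# exactly that set.  admin@example.com is the page's placeholder recipient.
set -eu

MAILTO="${MAILTO:-admin@example.com}"

# security_upgrades: read `apt-get -s upgrade` output on stdin and print the
# names of packages whose candidate version is carried by a *-security pocket
# (focal-security, or an ESM pocket such as focal-infra-security).  apt lists
# every pocket carrying the candidate inside the parentheses, comma-separated:
#   Inst openssl [old] (new Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
# Matching there, rather than anywhere on the line, avoids a false hit on a
# package whose *name* contains "security".
security_upgrades() {
    awk '
        $1 == "Inst" {
            src = $0
            sub(/^[^(]*\(/, "", src)            # keep "(candidate pockets [arch])"
            if (src ~ /\/[^ ,]+-security([ ,)]|$)/) print $2
        }'
}

# sample_simulation: constructed `apt-get -s upgrade` output for an offline
# run; "security-tool" is a decoy that comes from focal-updates.
sample_simulation() {
    cat <<'EOF'
Reading package lists...
Building dependency tree...
Inst openssl [1.1.1f-1ubuntu2.15] (1.1.1f-1ubuntu2.16 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
Inst libssl1.1 [1.1.1f-1ubuntu2.15] (1.1.1f-1ubuntu2.16 Ubuntu:20.04/focal-security [amd64])
Inst security-tool [1.0] (1.1 Ubuntu:20.04/focal-updates [amd64])
Inst vim-common [2:8.1.2269-1ubuntu5.7] (2:8.1.2269-1ubuntu5.9 UbuntuESM:20.04/focal-infra-security [amd64])
Conf openssl (1.1.1f-1ubuntu2.16 Ubuntu:20.04/focal-security [amd64])
EOF
}

# pending: refresh the index and print the pending security upgrades.
pending() {
    apt-get update -qq
    apt-get -s upgrade | security_upgrades
}

# report: cron mode; send mail only when something is pending, so a daily
# job does not produce an empty message every morning.
report() {
    pkgs=$(pending)
    [ -n "$pkgs" ] || return 0
    printf 'Pending security updates on %s:\n%s\n' "$(hostname)" "$pkgs" \
        | mail -s "Available Security Updates" "$MAILTO"
}

# do_install: upgrade only the selected packages.  apt-get upgrade never adds
# new packages, so a kernel update that needs a new linux-image-* is not
# listed here; check `apt-get -s dist-upgrade` for those separately.
do_install() {
    pkgs=$(pending)
    if [ -z "$pkgs" ]; then echo "no security updates pending"; return 0; fi
    printf 'upgrading:\n%s\n' "$pkgs"
    # shellcheck disable=SC2086  # word-splitting $pkgs into arguments is intended
    apt-get install --only-upgrade -y $pkgs
}

case "${1:-demo}" in
    demo)    sample_simulation | security_upgrades ;;   # offline: openssl, libssl1.1, vim-common
    report)  report ;;
    install) do_install ;;
esac
```

Install it as, for example, /usr/local/sbin/security-update-report and call it from /etc/cron.d with `0 3 * * * root /usr/local/sbin/security-update-report report`; the `install` mode is for an interactive run. Because selection is by pocket, an ESM pocket (…-infra-security) is picked up as well, and the decoy package that merely has "security" in its name is not.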

For automated security updates, configure the unattended-upgrades package:

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

Then edit the configuration file:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Ensure the -security origin is active and the -updates origin stays commented out (// begins a comment; the ESM origins in the shipped file can stay):

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    // "${distro_id}:${distro_codename}-updates";
};
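To see which origins are actually in effect after editing this file (and whether the periodic job that triggers unattended-upgrades is switched on), here is an added shell example, not from the original page or from the unattended-upgrades project. It reads apt-config dump output and expands the ${distro_id} and ${distro_codename} placeholders the way unattended-upgrades does. The function names are mine and the embedded dump is constructed; on a real host the live mode uses apt-config and lsb_release.

```sh
#!/bin/sh
# Added example, not from the original page or the unattended-upgrades
# project: show which Allowed-Origins are actually in effect after editing,
# expanded the way unattended-upgrades expands ${distro_id} and
# ${distro_codename}, and check that the periodic job is switched on.
# Input is `apt-config dump` output; a constructed dump is embedded for an
# offline run.
set -eu

# active_origins DISTRO_ID CODENAME: read `apt-config dump` on stdin and
# print each active Allowed-Origins entry as "origin:suite".  apt-config
# prints list members one per line, for example:
#   Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}-security";
# Lines commented out with // never reach apt-config, so this is what
# unattended-upgrades will use.
active_origins() {
    awk -v id="$1" -v code="$2" '
        $1 == "Unattended-Upgrade::Allowed-Origins::" {
            v = $2
            gsub(/[";]/, "", v)                     # strip quotes and ;
            gsub(/\$[{]distro_id[}]/, id, v)
            gsub(/\$[{]distro_codename[}]/, code, v)
            print v
        }'
}

# periodic_enabled: read `apt-config dump` on stdin; succeed only when both
# APT::Periodic::Update-Package-Lists and APT::Periodic::Unattended-Upgrade
# are "1", which is what dpkg-reconfigure unattended-upgrades writes to
# /etc/apt/apt.conf.d/20auto-upgrades.  Without them Allowed-Origins is
# never consulted because no run happens.
periodic_enabled() {
    awk '
        $1 == "APT::Periodic::Update-Package-Lists" && $2 == "\"1\";" { lists = 1 }
        $1 == "APT::Periodic::Unattended-Upgrade"   && $2 == "\"1\";" { upg = 1 }
        END { exit !(lists && upg) }'
}

# sample_dump: constructed apt-config output matching a stock Ubuntu 20.04
# file with -updates left commented out.
sample_dump() {
    cat <<'EOF'
APT::Periodic "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Allowed-Origins "";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}-security";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}ESMApps:${distro_codename}-apps-security";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}ESM:${distro_codename}-infra-security";
EOF
}

# check_live: the same two checks against the running system.
check_live() {
    dump=$(apt-config dump)
    printf '%s\n' "$dump" | active_origins "$(lsb_release -is)" "$(lsb_release -cs)"
    if printf '%s\n' "$dump" | periodic_enabled; then
        echo "periodic run: enabled"
    else
        echo "periodic run: DISABLED (run dpkg-reconfigure unattended-upgrades)"
    fi
}

case "${1:-demo}" in
    demo) sample_dump | active_origins Ubuntu focal
          sample_dump | periodic_enabled && echo "periodic run: enabled" ;;
    live) check_live ;;
esac
```

On a host the demo output becomes Ubuntu:focal-security plus the two ESM origins, and no -updates line. As a final check, `sudo unattended-upgrades --dry-run --debug` prints which packages a real run would pick under that origin list.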

Install this helpful tool:

sudo apt-get install apt-show-versions

Then list the upgradeable packages and keep those tagged with a security pocket (the tool prints "upgradeable", with an e, so grepping for "upgradable" finds nothing):

apt-show-versions -u | grep -- '-security'

Cross-check against apt-get -s upgrade, which names every pocket carrying the candidate version.

Before applying, verify that the candidates really come from the security pocket:

apt-get -s upgrade | grep -- '-security'

Example output showing security updates only:

Inst openssl [1.1.1f-1ubuntu2.15] (1.1.1f-1ubuntu2.16 Ubuntu:20.04/focal-security [amd64])
Inst libssl1.1 [1.1.1f-1ubuntu2.15] (1.1.1f-1ubuntu2.16 Ubuntu:20.04/focal-security [amd64])

Create a preferences file for more control:

sudo nano /etc/apt/preferences.d/security-updates

Add these contents (Ubuntu 20.04 example; replace focal with your codename):

Package: *
Pin: release a=focal-security
Pin-Priority: 500

Package: *
Pin: release o=Ubuntu
Pin-Priority: 50

This keeps versions from focal-security at the normal priority of 500 and drops every other Ubuntu source to 50. The catch-all has to be below 100, not the 100 often suggested: the installed version of a package has priority 100, and apt breaks a priority tie by taking the higher version number, so a focal-updates candidate pinned at 100 would still be installed. Below 100 a source is used only for packages that are not installed at all, so focal-updates can still satisfy a brand-new dependency but never replaces what is installed. List the focal-security stanza first so that it takes effect where both stanzas match, and verify with apt-cache policy <package>, which prints the priority next to each source.
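As an added example, not from the original page, the following shell script writes the preferences file above and then parses apt-cache policy output to show which pocket supplies the candidate and what priority apt applied to each source. The function names are mine, the policy transcript is constructed, and write_security_pin targets /etc/apt/preferences.d unless another directory is given.

```sh
#!/bin/sh
# Added example, not from the original page: write the preferences file with
# the catch-all priority below 100, then read `apt-cache policy` to confirm
# which pocket supplies the candidate.  Function names are mine; the policy
# transcript is constructed; write_security_pin targets
# /etc/apt/preferences.d unless a directory is given.
set -eu

# write_security_pin CODENAME [DIR]: keep the -security pocket at 500 and
# hold every other Ubuntu source at 50.  Below 100 a source is used only for
# packages that are not installed at all, so -updates can still satisfy a
# brand-new dependency but never replaces an installed version; at 100 it
# would tie with the installed version (priority 100) and win on version
# number.  The specific stanza comes first so it takes effect where both match.
write_security_pin() {
    codename=$1
    dir=${2:-/etc/apt/preferences.d}
    cat >"$dir/security-updates" <<EOF
Package: *
Pin: release a=${codename}-security
Pin-Priority: 500

Package: *
Pin: release o=Ubuntu
Pin-Priority: 50
EOF
}

# candidate_source: read `apt-cache policy PKG` on stdin and print
# "<candidate> <priority> <suite/component>" for every source that carries
# the candidate version, so you can see the pin apt applied to each pocket.
candidate_source() {
    awk '
        $1 == "Candidate:" { cand = $2; next }
        # version header rows: "<version> <prio>" or "*** <version> <prio>" (*** = installed)
        $NF ~ /^-?[0-9]+$/ && (NF == 2 || (NF == 3 && $1 == "***")) {
            v = ($1 == "***") ? $2 : $1
            inblock = (cand != "" && v == cand)
            next
        }
        # source rows under a header: "<prio> <uri> <suite/component> <arch> Packages",
        # or "<prio> /var/lib/dpkg/status" for the installed copy
        inblock && $1 ~ /^-?[0-9]+$/ { print cand, $1, (NF >= 3 ? $3 : $2) }'
}

# sample_policy: constructed `apt-cache policy openssl` output as it would
# look on Ubuntu 20.04 with the pin file above in place.
sample_policy() {
    cat <<'EOF'
openssl:
  Installed: 1.1.1f-1ubuntu2.15
  Candidate: 1.1.1f-1ubuntu2.16
  Version table:
     1.1.1f-1ubuntu2.16 500
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
         50 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
 *** 1.1.1f-1ubuntu2.15 100
        100 /var/lib/dpkg/status
     1.1.1f-1ubuntu2 50
         50 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
EOF
}

case "${1:-demo}" in
    demo)  sample_policy | candidate_source ;;         # offline
    write) write_security_pin "$(lsb_release -cs)" ;;  # needs root
    check) apt-cache policy "${2:?package name}" | candidate_source ;;
esac
```

The demo prints the candidate twice, once per pocket that carries it: focal-security at 500 and focal-updates at 50. If the same version only showed focal-updates, or the -updates row showed 500, the pin file is not being applied (wrong codename, or a file sorted earlier in preferences.d overriding it).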