Keeping a RHEL 8 server patched against known vulnerabilities is one of the most impactful security practices an administrator can adopt. While manual dnf update runs give you full control, many servers benefit from automatic application of security-only patches without requiring human intervention. RHEL 8 provides the dnf-automatic package, which integrates with systemd timers to download and apply updates on a configurable schedule. This guide walks through installing, configuring, and verifying automatic security updates on RHEL 8.
Prerequisites
- A running RHEL 8 server registered with Red Hat Subscription Manager (RHSM) or a configured DNF repository
- Root or sudo access
- An active subscription that includes security advisories (required for upgrade_type = security filtering)
Step 1 — Install dnf-automatic
The dnf-automatic package is available in the default RHEL 8 AppStream repository. Install it with:
sudo dnf install -y dnf-automatic
After installation, the package provides several systemd timer units and a configuration file at /etc/dnf/automatic.conf. List the available timers:
systemctl list-unit-files | grep dnf-automatic
You will see timers including dnf-automatic-install.timer (downloads and installs updates), dnf-automatic-download.timer (downloads only), and dnf-automatic-notifyonly.timer (notifies only). For automatic security patching, use dnf-automatic-install.timer.
Step 2 — Configure /etc/dnf/automatic.conf
Open the configuration file to customize behavior:
sudo vi /etc/dnf/automatic.conf
The most important settings are in the [commands] and [emitters] sections. Set the following values:
[commands]
# Only apply security updates (use "default" to apply all updates)
upgrade_type = security
# Download and apply updates automatically
apply_updates = yes
# Reboot policy after updates: never, when-changed or when-needed (use carefully in production)
reboot = never
[emitters]
# Emit update notifications to the system journal and optionally email
emit_via = stdio
[email]
# Configure if you want email notifications (requires a working MTA)
email_from = root@localhost
email_to = [email protected]
email_host = localhost
Setting upgrade_type = security limits updates to packages covered by a Red Hat security advisory. Setting upgrade_type = default applies all available updates. For most production servers, security-only is the safer choice, as it minimizes unplanned package changes.
Step 3 — Enable and Start the dnf-automatic Timer
Enable and immediately start the install timer so it activates on the next scheduled window (by default, one hour after boot with a random delay):
sudo systemctl enable --now dnf-automatic-install.timer
Confirm the timer is active:
systemctl status dnf-automatic-install.timer
You should see Active: active (waiting) and the next trigger time listed under Trigger:.
Step 4 — Verify the Timer Schedule
Inspect the timer schedule to understand when updates will run and when the last run occurred:
systemctl list-timers dnf-automatic-install.timer
The output shows NEXT (next scheduled run), LEFT (time until next run), LAST (last execution time), and PASSED (time since last run). To manually trigger a run immediately for testing:
sudo systemctl start dnf-automatic-install.service
Check the journal for the outcome:
sudo journalctl -u dnf-automatic-install.service -n 50
Step 5 — Differentiate Security vs All Updates
To see which security updates are currently available before enabling automatic application, use dnf directly:
# List available security updates
sudo dnf updateinfo list security
# Show security advisory details
sudo dnf updateinfo info --security
# List packages with pending security updates (exit code 100 when any are available)
sudo dnf check-update --security
The advisory types shown in updateinfo output are Security, Bugfix, and Enhancement. Only Security advisories are applied when upgrade_type = security. This prevents bugfix and enhancement packages from being applied automatically, giving you control over non-critical changes.
Step 6 — Configure Email Notifications
If your server has a working MTA (such as Postfix) configured to relay mail, enable email notifications in /etc/dnf/automatic.conf by changing emit_via:
[emitters]
emit_via = email, stdio
[email]
email_from = [email protected]
email_to = [email protected]
email_host = localhost
Test the notification by running the service manually and checking your mailbox. For servers without an MTA, emit_via = stdio writes output to the systemd journal, which is readable with journalctl.
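As an added example (not part of the original guide or of dnf-automatic itself), the following POSIX shell script checks a configuration file against the values set in Step 2 and Step 6. The function names ini_get and audit_automatic_conf and the sample file names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit a dnf-automatic config against the values this guide sets.
# ini_get and audit_automatic_conf are hypothetical helpers, not part of dnf.
# ini_get FILE SECTION KEY: print KEY's value in [SECTION]; last assignment wins.
ini_get() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1" | {
        cur='' val=''
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                ''|'#'*|';'*) ;;                          # blank line or comment
                '['*']') cur=${line#?}; cur=${cur%?} ;;   # section header
                "$3"=*) [ "$cur" = "$2" ] && val=${line#*=} ;;
            esac
        done
        printf '%s\n' "$val"
    }
}
# audit_automatic_conf FILE: print findings, return 0 only when none are found.
audit_automatic_conf() {
    rc=0
    ut=$(ini_get "$1" commands upgrade_type)
    au=$(ini_get "$1" commands apply_updates | tr '[:upper:]' '[:lower:]')
    ev=$(ini_get "$1" emitters emit_via | tr -d '[:space:]')
    # A missing upgrade_type means "default", which applies all updates.
    [ "${ut:-default}" = security ] ||
        { echo "FAIL upgrade_type=${ut:-default}, Step 2 sets security"; rc=1; }
    case $au in
        yes|true|1|on) ;;
        *) echo "FAIL apply_updates=${au:-unset}, Step 2 sets yes"; rc=1 ;;
    esac
    case ",$ev," in
        *,email,*)   # Step 6: the email emitter needs a recipient
            [ -n "$(ini_get "$1" email email_to)" ] ||
                { echo "FAIL emit_via lists email but email_to is empty"; rc=1; } ;;
    esac
    return "$rc"
}

# Constructed sample configs: upgrade_type = default next to the Step 2 value.
demo() {
    d=$(mktemp -d)
    printf '[commands]\nupgrade_type = default\napply_updates = yes\n' > "$d/weak.conf"
    printf '[commands]\nupgrade_type = security\napply_updates = yes\n' > "$d/ok.conf"
    audit_automatic_conf "$d/weak.conf" || echo "weak.conf: needs changes"
    audit_automatic_conf "$d/ok.conf" && echo "ok.conf: matches Step 2"
    rm -rf "$d"
}
demo
```

To check a live system, call audit_automatic_conf /etc/dnf/automatic.conf in place of demo.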
Conclusion
You have installed dnf-automatic, configured it to apply security-only updates automatically via /etc/dnf/automatic.conf, enabled the dnf-automatic-install.timer, and learned how to verify timer status and inspect update logs. Your RHEL 8 server will now receive security patches without requiring manual intervention, reducing your exposure window to known CVEs.