diff --git a/Dockerfile b/Dockerfile
index 5bd5e7a..2bceaca 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,9 +10,13 @@ ENV SIGNAL_BUILD_STOP=99 \
     S6_VERSION=v1.18.1.5 \
     GOSS_VERSION=v0.2.4
 
-# Upgrade base packages, then clean packaging leftover
-RUN apt-get update && \
-    apt-get upgrade -yqq && \
+# Ensure scripts are available for use in next command
+COPY ./container/root/security_updates.sh / \
+     ./container/root/clean.sh /
+
+# - Upgrade base security packages, then clean packaging leftover
+RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections && \
+    /bin/bash -e /security_updates.sh && \
     apt-get install -yqq \
     curl \
     && \
@@ -20,17 +24,13 @@ RUN apt-get update && \
     curl -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz -o /tmp/s6.tar.gz && \
     tar xzf /tmp/s6.tar.gz -C / && \
     rm /tmp/s6.tar.gz && \
-    # Add goss for local, serverspec-like testing \
+    # Add goss for local, serverspec-like testing
     curl -L https://github.com/aelsabbahy/goss/releases/download/${GOSS_VERSION}/goss-linux-amd64 -o /usr/local/bin/goss && \
     chmod +x /usr/local/bin/goss && \
     apt-get remove --purge -yq \
     curl \
     && \
-    apt-get autoclean -y && \
-    apt-get autoremove -y && \
-    rm -rf /var/lib/{cache,log}/ && \
-    rm -rf /var/lib/apt/lists/*.lz4 && \
-    rm -rf /tmp/* /var/tmp/*
+    /bin/bash -e /clean.sh
 
 # Overlay the root filesystem from this repo
 COPY ./container/root /
diff --git a/README.md b/README.md
index 44c1b80..95dbd6c 100644
--- a/README.md
+++ b/README.md
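Review bot: The new `COPY ./container/root/security_updates.sh / \` continued by `./container/root/clean.sh /` is one instruction with four arguments, so the bare `/` on the first line is a source rather than a destination, and as far as I can tell a leading `/` in a COPY source resolves to the build-context root, which would copy the entire context into the image root. Collapse it to a single line, `COPY ./container/root/security_updates.sh ./container/root/clean.sh /`, so only the two scripts land in `/`. The `debconf-set-selections` line also persists the Noninteractive frontend into the final image rather than just the build step; if that is not wanted for apt use at runtime, an `ARG DEBIAN_FRONTEND=noninteractive` scoped to the build is the usual alternative. The same RUN continues into the second hunk, where nothing further needs raising.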
@@ -16,7 +16,13 @@ Provides base OS, patches and stable nginx for quick and easy spinup.
 ### Expectations
 To add a service to be monitored, simply create a service script: https://github.com/just-containers/s6-overlay#writing-a-service-script
-For programmatic switches, create the service in `/etc/services-available`, and symlink to `/etc/services.d` to enable
+For programmatic switches, create the service in `/etc/services-available`, and symlink to `/etc/services.d` to enable
+
+### Security
+
+For Ubuntu-based variants, a convenience script is provided for security-only package updates. To run:
+`/bin/bash -e /security_updates.sh`
+
 ### Environment Variables
diff --git a/container/root/clean.sh b/container/root/clean.sh
new file mode 100644
index 0000000..d067912
--- /dev/null
+++ b/container/root/clean.sh
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+#-------------------------------------------------------------------
+# Performs cleanup, ensure unnecessary packages and package lists
+# are safely removed, without triggering Docker AUFS permission bug
+#-------------------------------------------------------------------
+
+apt-get autoclean -y && \
+apt-get autoremove -y && \
+rm -rf /var/lib/{cache,log}/ && \
+rm -rf /var/lib/apt/lists/*.lz4 && \
+rm -rf /tmp/* /var/tmp/*
diff --git a/container/root/security_updates.sh b/container/root/security_updates.sh
new file mode 100644
index 0000000..1ce2f0b
--- /dev/null
+++ b/container/root/security_updates.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+#-------------------------------------------------------------------
+# Upgrade just the packages listed as security, without affecting
+# any subsequent usages of apt-get
+#-------------------------------------------------------------------
+
+apt-get update && \
+grep security /etc/apt/sources.list > /tmp/security.list && \
+apt-get upgrade -oDir::Etc::Sourcelist=/tmp/security.list -yq && \
+rm /tmp/security.list
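Review bot: `rm -rf /var/lib/apt/lists/*.lz4` removes only lz4-compressed index files, so after the `apt-get update` that now runs in `/security_updates.sh` any other files under `/var/lib/apt/lists/` (uncompressed indexes, `*_Release`, the `partial/` directory) stay in the layer and keep a stale package index in the image; the conventional form is `rm -rf /var/lib/apt/lists/*`. `rm -rf /var/lib/{cache,log}/` also appears to target paths that do not normally exist on Debian/Ubuntu (`/var/cache` and `/var/log` do), so it is worth confirming which directory the AUFS workaround named in the header comment actually needs, and stating that in the comment. Since the file already runs under `#!/bin/bash -e` (and is invoked as `/bin/bash -e /clean.sh`), the `&& \` chain is redundant; `set -euo pipefail` with one command per line keeps the fail-fast behaviour and reads more clearly.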
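Review bot: The filtered source list is written to the predictable path `/tmp/security.list` and removed only on the success path, so a failed `apt-get upgrade` leaves it behind and any pre-existing file or symlink at that path is silently reused; `mktemp` plus an `EXIT` trap fixes both. The filter also reads only `/etc/apt/sources.list`, while `apt-get upgrade` still honours `Dir::Etc::SourceParts` (`/etc/apt/sources.list.d/`), so entries there are upgraded with no security filter applied; pointing `-oDir::Etc::SourceParts` at an empty directory for the duration of the upgrade closes that gap. Note too that a plain `grep security` matches any line containing that substring (mirror hostnames, commented-out entries) and exits 1 when nothing matches, which aborts the chain on images without a security pocket — worth stating in the header comment. Unlike `clean.sh`, the shebang here has no `-e`; the `&&` chain still propagates failure, but `set -euo pipefail` makes that explicit when the script is run by hand as the README suggests.
```shell
#!/bin/bash
set -euo pipefail

# … unchanged: header comment …

security_list=$(mktemp)
empty_parts=$(mktemp -d)
trap 'rm -rf -- "$security_list" "$empty_parts"' EXIT

apt-get update
grep security /etc/apt/sources.list > "$security_list"
apt-get upgrade -oDir::Etc::Sourcelist="$security_list" \
                -oDir::Etc::SourceParts="$empty_parts" -yq
```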