Check and Install Security Updates on Centos 7 with Easy Steps


This guide shows how to check for and install security updates on CentOS 7. Linux security updates are package and system component updates that patch a security hole or harden the system. Some of them are critical and should be applied almost immediately to protect a server from severe vulnerabilities, such as Log4Shell (CVE-2021-44228) in Log4j. Keeping a CentOS 7 system secure is a fundamental part of server administration, and regularly applying security updates is a crucial step in that process. This article details how to check and install security updates on CentOS 7 so that the system stays protected against emerging threats.

Now follow the steps below on the Orcacore website to update security patches on CentOS 7.

To update security patches on CentOS 7, log in to your server as root or as a non-root user with sudo privileges and follow the steps below. To set that up, you can follow our guide on Initial Server Setup with CentOS 7.

Note that CentOS 7 reached end of life on 30 June 2024, after which the official mirrors stop receiving updates; on a host still running it, the commands below can only find security errata in repositories that still publish them.

List Available Security Errata on CentOS 7

On CentOS 7 the functionality of the old yum-plugin-security package is built into yum itself, so no extra plugin needs to be installed. Errata (advisories) are the package updates, bug fixes and security patches that Red Hat publishes together with updateinfo metadata describing what each one fixes. One caveat before you start: the stock CentOS 7 base and updates repositories do not ship that updateinfo metadata, so on a plain CentOS 7 host the updateinfo commands below print nothing and a security-filtered update reports that no packages are needed for security. The commands behave as described on RHEL 7 and on CentOS 7 hosts whose repositories (for example a Spacewalk-managed channel or a third-party errata feed) do provide updateinfo.xml.

The following command lists every available advisory (security, bug fix and enhancement):

yum updateinfo list available

Each line shows the advisory ID, its type and severity, and the package it updates. If you want the number of packages with pending security errata, count only the lines flagged as security; piping the raw output straight through wc -l would also count the "Loaded plugins" header and the "updateinfo list done" trailer:

yum -q updateinfo list security available | grep -c '/Sec\.'
**Output**
6

List Security Updates on CentOS 7

At this point, you can list every security advisory yum knows about, whether or not it is already installed, without installing anything:

yum updateinfo list security all

To list only the security advisories that are already installed on the host, run:

yum updateinfo list security installed

To view the available security advisories together with the details of the issues they fix (synopsis, severity, affected packages and references), use the shorthand below:

yum info-sec

To read the full text of one advisory before applying the patch, pass its ID (for example an RHSA-YYYY:NNNN identifier) to the info subcommand:

yum updateinfo info [Patch-ID]

To install only the packages covered by a particular advisory, run:

yum update --advisory=[Patch-ID]

List Vulnerabilities by CVE on CentOS 7

Common Vulnerabilities and Exposures (CVE) is a public catalog of disclosed security vulnerabilities. Each CVE ID uniquely identifies one vulnerability, which gives vendors, enterprises, researchers and everyone else a consistent, reliable way to refer to the same issue. One advisory may fix several CVEs, and the updateinfo metadata records that mapping.

To list the advisories keyed by the CVEs they fix, so you can see whether a specific CVE affects packages on this host, run:

yum updateinfo list cves

To install the packages that fix a particular CVE, use the syntax below:

yum update --cve [CVE-ID]
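The listing commands above (both the advisory listing and the CVE listing) print one line per package, with the advisory or CVE ID in the first column and the severity in the second. The script below is an added example, not code from the original article: it parses that output into a per-severity count and the set of IDs, and turns the result into an exit status that a monitoring check or a deployment gate can act on. The two samples are constructed, with placeholder IDs (RHSA-0000:0001, CVE-0000-0001 and so on); on a real host the --live branch feeds the actual yum output through the same functions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: parse the output of
# `yum updateinfo list security available` (or `yum updateinfo list cves`)
# into a per-severity count and the list of advisory/CVE IDs, and turn that
# into an exit status a monitoring check or a deployment gate can act on.
# Both samples below are constructed with placeholder IDs.

SAMPLE_ADVISORY_LIST='Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
RHSA-0000:0001 Critical/Sec.  openssl-libs-1:1.0.2k-26.el7_9.x86_64
RHSA-0000:0002 Important/Sec. kernel-3.10.0-1160.90.1.el7.x86_64
RHSA-0000:0003 Moderate/Sec.  curl-7.29.0-59.el7_9.1.x86_64
RHSA-0000:0003 Moderate/Sec.  libcurl-7.29.0-59.el7_9.1.x86_64
RHBA-0000:0004 bugfix         bash-4.2.46-35.el7_9.x86_64
updateinfo list done'

SAMPLE_CVE_LIST='CVE-0000-0001 Critical/Sec.  openssl-libs-1:1.0.2k-26.el7_9.x86_64
CVE-0000-0002 Critical/Sec.  openssl-libs-1:1.0.2k-26.el7_9.x86_64
CVE-0000-0003 Important/Sec. kernel-3.10.0-1160.90.1.el7.x86_64'

# Keep only advisory lines (RHSA-YYYY:NNNN, CESA-YYYY:NNNN, CVE-YYYY-NNNN ...).
# This drops the "Loaded plugins" header and the "updateinfo list done"
# trailer that a plain `wc -l` would count as errata.
advisory_lines() {
    grep -E '^[A-Z]+-[0-9]+[:-][0-9]+[[:space:]]'
}

# Number of package lines at one severity: Critical, Important, Moderate or Low.
count_severity() {
    advisory_lines | awk -v sev="$1" '$2 == (sev "/Sec.") { n++ } END { print n + 0 }'
}

# Unique IDs of security errata; one advisory usually covers several packages.
security_ids() {
    advisory_lines | awk '$2 ~ /\/Sec\.$/ { print $1 }' | sort -u
}

# Print a one-line summary. Return 2 if anything Critical or Important is
# pending (a Nagios-style CRITICAL), 0 otherwise, so the function can gate a
# following `yum update --security` or feed a monitoring check.
security_status() {
    local input crit imp
    input="$(cat)"
    crit=$(printf '%s\n' "$input" | count_severity Critical)
    imp=$(printf '%s\n' "$input" | count_severity Important)
    printf 'security errata: critical=%s important=%s ids=%s\n' "$crit" "$imp" \
        "$(printf '%s\n' "$input" | security_ids | tr '\n' ' ')"
    if [ "$crit" -gt 0 ] || [ "$imp" -gt 0 ]; then
        return 2
    fi
    return 0
}

if [ "${1:-}" = "--live" ]; then
    # Real host: the exit status of the script is the status of the check.
    yum -q updateinfo list security available | security_status
else
    # Offline demonstration on the constructed sample.
    if ! printf '%s\n' "$SAMPLE_ADVISORY_LIST" | security_status; then
        echo "action required: run 'yum update --security'"
    fi
fi
```

Run it without arguments to see the parser work on the sample, or with --live on a host whose repositories ship updateinfo metadata. The severity column is matched exactly ("Critical/Sec.", "Important/Sec." and so on), so bug-fix and enhancement advisories never inflate the count.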

Install all Available Security Updates on CentOS 7

To install all the security updates available from your configured repositories, run:

yum -y update --security

Note: This command installs the most recent version of any package that has at least one security advisory against it. If that latest version also carries non-security errata, those come along with it. The -y flag answers yes to the transaction prompt, so on production hosts consider omitting it and reviewing the planned transaction first.

If you only want to move each package to the lowest version that fixes its security errata, rather than the newest version available, run:

yum update-minimal --security
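Whichever of the two commands you run, you want a record of what actually changed and a decision on whether the host must reboot (a new kernel or glibc does nothing until it is loaded). The script below is an added example, not code from the original article: it snapshots the installed packages before and after the update, diffs the two lists, and derives the reboot decision from the diff. That is a fallback for hosts that lack needs-restarting from yum-utils. The REBOOT_PACKAGES list is an assumption of this example, roughly the set needs-restarting -r itself treats as reboot-requiring; the two snapshots at the bottom are constructed so the logic can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: record what
# `yum update --security` changed by diffing rpm snapshots taken before and
# after, and decide from that diff whether the host needs a reboot.
# Snapshot contents at the bottom are constructed for the offline demo.

# Packages whose update only takes effect after a reboot. This list is an
# assumption of the example, roughly what `needs-restarting -r` checks.
REBOOT_PACKAGES='kernel|kernel-core|glibc|systemd|dbus|linux-firmware|microcode_ctl'

# One sorted NEVRA line per installed package (epoch omitted for readability).
snapshot_installed() {
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' | sort
}

# Lines present in the "after" snapshot ($2) but not in "before" ($1):
# every package that was updated or newly installed.
changed_packages() {
    printf '%s\n' "$2" | awk -v before="$1" '
        BEGIN { n = split(before, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        $0 != "" && !($0 in seen)'
}

# name-version-release.arch -> name. RPM forbids "-" in version and release,
# so dropping the last two dash-separated fields is exact.
package_name() {
    printf '%s\n' "$1" | sed -E 's/-[^-]+-[^-]+$//'
}

# Read changed NEVRAs on stdin; return 0 if any of them is a reboot package.
reboot_needed() {
    local nevra name
    while IFS= read -r nevra; do
        [ -n "$nevra" ] || continue
        name="$(package_name "$nevra")"
        if printf '%s\n' "$name" | grep -Eqx "$REBOOT_PACKAGES"; then
            return 0
        fi
    done
    return 1
}

# Real run: snapshot, apply security errata, diff, report. The transaction is
# also recorded by yum; `yum history info last` shows it and
# `yum history undo last` rolls it back if something breaks.
run_security_update() {
    local before after changed
    before="$(snapshot_installed)"
    yum -y update --security
    after="$(snapshot_installed)"
    changed="$(changed_packages "$before" "$after")"
    printf 'changed packages:\n%s\n' "${changed:-(none)}"
    if printf '%s\n' "$changed" | reboot_needed; then
        echo "reboot required"
    fi
}

# Constructed snapshots: the kernel got a second version installed and
# openssl-libs was replaced by a newer build.
BEFORE='bash-4.2.46-34.el7.x86_64
kernel-3.10.0-1160.el7.x86_64
openssl-libs-1.0.2k-19.el7.x86_64'
AFTER='bash-4.2.46-34.el7.x86_64
kernel-3.10.0-1160.el7.x86_64
kernel-3.10.0-1160.90.1.el7.x86_64
openssl-libs-1.0.2k-26.el7_9.x86_64'

if [ "${1:-}" = "--apply" ]; then
    run_security_update
else
    changed_packages "$BEFORE" "$AFTER"
    if changed_packages "$BEFORE" "$AFTER" | reboot_needed; then
        echo "reboot required"
    fi
fi
```

Without arguments the script runs against the constructed snapshots and reports the two changed packages plus "reboot required" because a kernel is among them; with --apply it performs the real update. Note that an updated openssl-libs alone would not trigger the reboot decision here, even though long-running services keep the old library mapped until they restart; that is exactly the gap needs-restarting (without -r) closes by listing the processes that need a restart.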

Conclusion

Security patches on CentOS 7 are important for keeping the system safe from threats, meeting compliance requirements, and keeping servers and applications running smoothly. Regularly checking for and applying patches is a good habit for managing your system. At this point, you have learned how to check and install security updates on CentOS 7.


Alternative Approaches to Managing Security Updates on CentOS 7

While the yum command and its security plugin provide a robust and direct way to manage security updates, alternative methods offer different levels of automation, control, and reporting. Here are two alternative approaches:

1. Using Ansible for Automated Security Updates

Ansible is a powerful automation tool that allows you to define and execute tasks across multiple servers. Using Ansible, you can automate the process of checking and installing security updates, ensuring consistency and reducing manual effort. This is especially useful when managing a large number of CentOS 7 servers.

Explanation:

Ansible works by defining tasks in YAML format within a "playbook." A playbook specifies the steps to be executed on target servers. For security updates, the playbook would typically involve:

  • Gathering facts about the system.
  • Running the yum command to check for available security updates.
  • Installing the security updates.
  • Rebooting the server if required (some updates may require a reboot to take effect).

Code Example (Ansible Playbook):

---
- hosts: all
  become: true
  tasks:
    - name: Install yum-utils (provides needs-restarting)
      yum:
        name: yum-utils
        state: present

    - name: Install all available security updates
      yum:
        name: '*'
        state: latest
        security: true
        update_only: true
      register: security_updates

    - name: Check whether a reboot is required
      command: needs-restarting -r
      register: reboot_required
      changed_when: false
      # needs-restarting -r exits 0 when no reboot is needed and 1 when one is;
      # only other exit codes mean the check itself failed
      failed_when: reboot_required.rc not in [0, 1]

    - name: Reboot the server
      reboot:
      when: reboot_required.rc == 1

How it Works:

  1. hosts: all: Specifies that the playbook should be executed on all hosts defined in your Ansible inventory.
  2. become: true: Enables privilege escalation (sudo) to run commands with root privileges.
  3. tasks:: Defines a list of tasks to be executed.
  4. yum module with name: yum-utils and state: present: Installs yum-utils, the package that ships needs-restarting, so the later check does not have to be skipped on hosts where it is missing.
  5. yum module with name: '*', state: latest, security: true and update_only: true: The Ansible equivalent of yum update --security. name: '*' with state: latest considers every installed package, security: true restricts the transaction to packages with security errata, and update_only: true prevents new packages from being installed as a side effect. register stores the result, including whether anything changed, in the security_updates variable for later reporting. Like the command-line version, this depends on updateinfo metadata in the repositories.
  6. command: needs-restarting -r: Asks yum-utils whether the updates touched the kernel, glibc, systemd or other components that only take effect after a reboot. Its exit code is 0 when no reboot is needed and 1 when one is, so failed_when treats only other exit codes as an error, and changed_when: false keeps a read-only check from being reported as a change.
  7. reboot module with when: reboot_required.rc == 1: Reboots the host only when needs-restarting reported that a reboot is required, and waits for it to come back before the playbook continues.

Benefits:

  • Automation: Reduces manual effort and ensures consistent updates across all servers.
  • Centralized Management: Playbooks can be stored and version-controlled, providing a single source of truth for update configurations.
  • Scalability: Easily manage updates on a large number of servers simultaneously.
  • Reporting: Ansible provides detailed reports on the execution of playbooks, allowing you to track update status and identify any issues.

2. Using yum-cron with Configuration Management (e.g., Chef or Puppet)

While yum and Ansible are excellent choices, another approach is to let each host apply updates on its own schedule with yum-cron (the CentOS counterpart of Debian's unattended-upgrades) and to manage that policy with a configuration management tool like Chef or Puppet. These tools provide a more comprehensive approach to managing system configuration, including security updates.

Explanation:

Configuration management tools allow you to define the desired state of your systems. They then continuously enforce this state, ensuring consistency and compliance across your infrastructure. For security updates, this involves:

  • Defining a recipe or manifest that specifies the desired update policy (e.g., automatically install security updates only).
  • Installing and configuring yum-cron so the host applies that policy on its own.
  • Monitoring the system to ensure that updates are being applied correctly.

Code Example (Puppet Manifest – simplified):

class security_updates {

  package { 'yum-cron':
    ensure => installed,
  }

  service { 'yum-cron':
    ensure  => running,
    enable  => true,
    require => Package['yum-cron'],
  }

  file { '/etc/yum/yum-cron.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('security_updates/yum-cron.conf.erb'),
    require => Package['yum-cron'],
    notify  => Service['yum-cron'],
  }
}

yum-cron.conf.erb Template (Example):

[commands]
update_cmd = security
update_messages = yes
download_updates = yes
apply_updates = yes
random_sleep = 360

[emitters]
system_name = None
emit_via = email
output_width = 80

[email]
email_from = yum-cron@example.com
email_to = root@example.com
email_host = localhost

[base]
debuglevel = -2
mdpolicy = group:main
assumeyes = True

How it Works:

  1. class security_updates: Defines a Puppet class that encapsulates the configuration for security updates.
  2. package { 'yum-cron' }: Ensures that the yum-cron package is installed. This package provides scheduled, unattended yum updates.
  3. service { 'yum-cron' }: Ensures that the yum-cron service is running and enabled at boot. Its daily job reads /etc/yum/yum-cron.conf; the hourly job reads /etc/yum/yum-cron-hourly.conf, which is left at its defaults here.
  4. file { '/etc/yum/yum-cron.conf' }: Manages the yum-cron.conf configuration file. The content => template('security_updates/yum-cron.conf.erb') line generates the content from an ERB template, which lets you vary settings such as the recipient address per host or environment.
  5. update_cmd = security under [commands]: Restricts the job to packages with security errata; the shipped value, default, applies every available update. Like yum update --security, this depends on updateinfo metadata in the repositories, so on a repository without it the job applies nothing. update_cmd = minimal-security is the yum-cron equivalent of yum update-minimal --security.
  6. download_updates = yes and apply_updates = yes: Makes yum-cron download and install the matching updates instead of only reporting them (the package ships with apply_updates = no, which turns the job into a notification-only check).
  7. [emitters] and [email]: Send the job's report by e-mail through the local mail host; emit_via = stdio would write it to the cron job's output instead. The keys must sit in these sections, since yum-cron reads an INI file and ignores settings placed under the wrong section.
  8. require => Package['yum-cron']: Ensures that the yum-cron package is installed before the service and configuration file are managed.
  9. notify => Service['yum-cron']: Restarts the yum-cron service whenever the configuration file is changed.
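Because yum-cron silently ignores settings placed under the wrong section, it is worth verifying the policy a manifest or recipe has written rather than trusting the template. The script below is an added example, not code from the original article or from any Puppet module: it is a small section-aware INI reader and a policy check that reports every key whose value deviates from a security-only, apply-automatically configuration. It can run as a post-convergence check in Puppet or Chef, or as a compliance script on its own. The two sample configurations are constructed, one with the package defaults and one matching the template above.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: verify that a
# yum-cron.conf enforces a security-only, apply-automatically policy.
# Both sample configurations below are constructed.

SAMPLE_WEAK='[commands]
update_cmd = default
update_messages = yes
download_updates = yes
apply_updates = no
random_sleep = 360

[emitters]
emit_via = stdio'

SAMPLE_GOOD='[commands]
update_cmd = security
update_messages = yes
download_updates = yes
apply_updates = yes

[emitters]
emit_via = email

[email]
email_to = root@example.com'

# Print the value of KEY inside [SECTION] of an INI file read on stdin.
# yum-cron parses its config with Python ConfigParser, so keys are
# case-insensitive and the same key under another section is a different
# setting; this reader mirrors both rules.
ini_get() {
    awk -v want_section="$1" -v want_key="$2" '
        /^[[:space:]]*[#;]/ { next }                 # comment line
        /^[[:space:]]*\[/ {                          # [section] header
            sub(/^[[:space:]]*\[/, ""); sub(/\].*$/, "")
            section = $0; next
        }
        section == want_section {
            split($0, kv, "=")
            key = kv[1]; gsub(/[[:space:]]/, "", key)
            if (tolower(key) == tolower(want_key)) {
                sub(/^[^=]*=[[:space:]]*/, "")       # strip "key ="
                sub(/[[:space:]]+$/, "")             # strip trailing blanks
                print; exit
            }
        }'
}

# Read a config on stdin; print one FAIL line per policy violation and
# return 1 if there was any, 0 if the config matches the policy.
check_yumcron_policy() {
    local conf status=0 section key want got
    conf="$(cat)"
    while read -r section key want; do
        got="$(printf '%s\n' "$conf" | ini_get "$section" "$key")"
        if [ "$got" != "$want" ]; then
            echo "FAIL [$section] $key = '${got:-<unset>}' (want '$want')"
            status=1
        fi
    done <<'EOF'
commands update_cmd security
commands apply_updates yes
commands download_updates yes
emitters emit_via email
EOF
    return $status
}

if [ -r "${1:-}" ]; then
    # Real use: ./check-yum-cron.sh /etc/yum/yum-cron.conf
    check_yumcron_policy < "$1"
else
    echo "weak config:"
    printf '%s\n' "$SAMPLE_WEAK" | check_yumcron_policy || true
    echo "good config:"
    printf '%s\n' "$SAMPLE_GOOD" | check_yumcron_policy && echo "policy OK"
fi
```

Run against the package defaults it reports three violations (update_cmd, apply_updates and emit_via); against the template above it reports none. The policy table inside check_yumcron_policy is the one place to edit if, for example, you decide notification-only (apply_updates = no) is the right policy for a given host class.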

Benefits:

  • Comprehensive Configuration Management: Integrates security updates into a broader configuration management strategy.
  • Desired State Enforcement: Ensures that systems always adhere to the defined update policy.
  • Centralized Control: Manage update configurations from a central server.
  • Reporting and Auditing: Provides detailed logs and reports on update activity.

Choosing the Right Approach:

The best approach for managing security updates depends on your specific needs and environment.

  • yum command and security plugin: Suitable for small environments or when manual control is required.
  • Ansible: A good choice for automating updates across a moderate to large number of servers.
  • Configuration Management Tools (Chef, Puppet): Ideal for large and complex environments where comprehensive configuration management is required.

By understanding these different approaches, you can choose the method that best suits your needs and ensure that your CentOS 7 systems remain secure. Whichever method you choose, regularly checking for and installing security updates on CentOS 7 is vital.
