
Setup Automatic Security Updates on CentOS 7

In this tutorial, we will discuss how to configure a CentOS 7 server for automatic security updates. The result is a system that downloads and applies security updates on its own, without any manual intervention.
Step 1 - Install yum-cron on CentOS 7
yum-cron is a yum plugin together with a cron job that runs yum on a schedule, so it can check for, download and apply package updates without anyone logged in.

The utility is available in the standard CentOS 7 repositories. You can install it using the command below.

[root@newdelhihosting ~]# yum -y install yum-cron
Loaded plugins: fastestmirror
base                                                     | 3.6 kB     00:00
centosplus                                               | 3.4 kB     00:00
extras                                                   | 3.4 kB     00:00
updates                                                  | 3.4 kB     00:00
Determining fastest mirrors
 * base:
 * centosplus:
 * extras:
 * updates:
Resolving Dependencies
--> Running transaction check
---> Package yum-cron.noarch 0:3.4.3-154.el7.centos.1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

 Package        Arch         Version                        Repository     Size
 yum-cron       noarch       3.4.3-154.el7.centos.1         updates        62 k

Transaction Summary
Install  1 Package

Total download size: 62 k
Installed size: 51 k
Downloading packages:
yum-cron-3.4.3-154.el7.centos.1.noarch.rpm                 |  62 kB   00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : yum-cron-3.4.3-154.el7.centos.1.noarch                       1/1
  Verifying  : yum-cron-3.4.3-154.el7.centos.1.noarch                       1/1

  yum-cron.noarch 0:3.4.3-154.el7.centos.1

After the installation is complete, start the yum-cron service and enable it so that it starts automatically at every boot from now on. Both are done with the following commands:

[root@newdelhihosting ~]# systemctl start yum-cron
[root@newdelhihosting ~]# systemctl enable yum-cron

Step 2 - Configure yum-cron for automatic updates

After installing the yum-cron package, we need to configure it for automatic updates. Out of the box yum-cron supports three kinds of update: the default update (equivalent to yum upgrade), a minimal update, and a security-only update.

In this tutorial we will configure yum-cron for security updates (covering both the system and installed packages). So let's begin.

As a first step, go to the yum configuration directory and edit the yum-cron.conf file using the Vim editor. (yum-cron also ships a second file, yum-cron-hourly.conf, for the hourly job; it neither downloads nor applies anything by default and is left alone in this tutorial.)

cd /etc/yum
vim yum-cron.conf

In this tutorial, we are focusing only on security updates, so in the [commands] section change the value of update_cmd from 'default' to 'security'.

update_cmd = security

One caveat before relying on this: the security mode depends on the updateinfo (errata) metadata published by the enabled repositories. The stock CentOS 7 repositories do not publish this metadata (Red Hat Enterprise Linux does), so on a plain CentOS 7 host yum's --security mode typically reports that no packages are needed for security and applies nothing, even when updates are pending. Verify with yum's --security check-update option; if it never lists security updates although ordinary updates exist, keep update_cmd at 'default' so that updates are actually installed.

Similarly, head to the line beginning with the ‘update_messages’ string, and make sure its value is ‘yes’.

update_messages = yes

Then do the same for ‘download_updates’ and ‘apply_updates’ lines.

download_updates = yes
apply_updates = yes

So whenever a security update is available, the system will automatically download the required packages and apply the update.

#  What kind of update to use:
# default                            = yum upgrade
# security                           = yum --security upgrade
# security-severity:Critical         = yum --sec-severity=Critical upgrade
# minimal                            = yum --bugfix update-minimal
# minimal-security                   = yum --security update-minimal
# minimal-security-severity:Critical =  --sec-severity=Critical update-minimal
update_cmd = security

# Whether a message should be emitted when updates are available,
# were downloaded, or applied.
update_messages = yes

# Whether updates should be downloaded when they are available.
download_updates = yes

# Whether updates should be applied when they are available.  Note
# that download_updates must also be yes for the update to be applied.
apply_updates = yes

Next up is notification configuration. yum-cron can emit its messages in two ways: to stdio (standard output, which cron then mails to the job owner), or as email that yum-cron sends itself. For this tutorial, we will be going with the second option, email.

So change the value of ’emit_via’ to ’email’ as shown below.

emit_via = email

There are a handful of related settings you also have to fill in, in the [email] section of the same file: the from and to addresses, and email_host, the SMTP server yum-cron delivers through. email_host defaults to localhost, which only works if a local mail transfer agent (for example postfix) is running and accepting mail on port 25; if it is not, the notifications are silently lost.

# Name to use for this system in messages that are emitted.  If
# system_name is None, the hostname will be used.
system_name = None

# How to send messages.  Valid options are stdio and email.  If
# emit_via includes stdio, messages will be sent to stdout; this is useful
# to have cron send the messages.  If emit_via includes email, this
# program will send email itself according to the configured options.
# If emit_via is None or left blank, no messages will be sent.
emit_via = email

# The width, in characters, that messages that are emitted should be
# formatted to.
output_width = 80

[email]
# The address to send email messages from.
# NOTE: 'localhost' will be replaced with the value of system_name.
email_from =

# List of addresses to send messages to.
email_to =

The final step is to restart the yum-cron service so that it picks up the new configuration:

systemctl restart yum-cron

From this point on, any security update available for the system is downloaded and applied automatically by the daily yum-cron job.

Step 3 - Configure excluded packages

Sometimes we do not want certain packages, such as the kernel, updated automatically: a kernel update only takes effect after a reboot, which you usually want to schedule yourself, and packages like a database server may need a controlled restart. In this step, we will discuss the configuration that lets you disable automatic updates for selected packages.

So the first step is again to edit the configuration file yum-cron.conf in the yum configuration directory. The exclusion belongs in the [base] section at the end of the file, which overrides the corresponding settings in yum.conf for yum-cron runs only:

cd /etc/yum/
nano yum-cron.conf

[base]
# This section overrides yum.conf

# Use this to filter Yum core messages
# -4: critical
# -3: critical+errors
# -2: critical+errors+warnings (default)
debuglevel = -2

# skip_broken = True
mdpolicy = group:main

# Uncomment to auto-import new gpg keys (dangerous)
# assumeyes = True
exclude = mysql* kernel*

So, in our case, every package whose name begins with 'mysql' or 'kernel' is skipped by the automatic updates. Keep in mind that excluded packages also stop receiving security fixes automatically, so they must be patched by hand on your own schedule. Also leave assumeyes commented out: auto-importing unknown GPG keys means a package signed with a key you never approved would be installed without question.
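The two configuration steps above (the [commands]/[emitters]/[email] settings of Step 2 and the [base] exclusion of Step 3) are easy to get subtly wrong, for example by editing a commented-out line or the wrong section. The following script is an added example and not part of the original tutorial: it parses a yum-cron.conf and reports whether it matches the settings this tutorial describes. The file path is whatever you pass in (defaulting to the sample), the sample configuration at the bottom is constructed for the demonstration, and the address admin@example.com in it is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original tutorial: verify that a yum-cron.conf
# carries the settings configured in this tutorial. The sample config at the
# bottom is constructed for the demonstration; run the check against the real
# file with: yum_cron_check /etc/yum/yum-cron.conf

# yum_cron_get FILE SECTION KEY
# Print the value of KEY from the [SECTION] block of an INI-style file.
# Comment lines (#) and blank lines are skipped, so a commented-out
# "# assumeyes = True" is not mistaken for a live setting.
yum_cron_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*\[/ { cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/].*$/, "", cur); next }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        cur == sect && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
                exit
            }
        }' "$1"
}

# yum_cron_check FILE
# Return 0 when FILE matches the tutorial's settings, 1 otherwise, printing
# one FAIL line per problem. A kernel exclusion only produces a WARN, since it
# is a deliberate choice, but it silently leaves kernel security fixes unapplied.
yum_cron_check() {
    f="$1"
    rc=0
    for want in "commands update_cmd security" \
                "commands download_updates yes" \
                "commands apply_updates yes" \
                "emitters emit_via email"; do
        set -- $want
        got=$(yum_cron_get "$f" "$1" "$2")
        if [ "$got" != "$3" ]; then
            echo "FAIL: [$1] $2 = '${got:-unset}' (want '$3')"
            rc=1
        fi
    done
    for key in email_from email_to; do
        if [ -z "$(yum_cron_get "$f" email "$key")" ]; then
            echo "FAIL: [email] $key is empty, so no notification mail can be sent"
            rc=1
        fi
    done
    case "$(yum_cron_get "$f" base exclude)" in
        *kernel*) echo "WARN: kernel is excluded; kernel security fixes must be applied by hand" ;;
    esac
    if [ "$(yum_cron_get "$f" base assumeyes)" = "True" ]; then
        echo "FAIL: [base] assumeyes = True auto-imports unknown GPG keys"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $f has the expected settings"
    return "$rc"
}

# Constructed sample config (not a real host's file): the tutorial's settings
# plus the Step 3 exclusion. Only the keys the check looks at are included.
yum_cron_sample() {
    cat <<'EOF'
[commands]
update_cmd = security
update_messages = yes
download_updates = yes
apply_updates = yes
random_sleep = 360

[emitters]
system_name = None
emit_via = email
output_width = 80

[email]
email_from = root@localhost
email_to = admin@example.com
email_host = localhost

[base]
debuglevel = -2
mdpolicy = group:main
# assumeyes = True
exclude = mysql* kernel*
EOF
}

tmp=$(mktemp)
yum_cron_sample > "$tmp"
yum_cron_check "$tmp"
rm -f "$tmp"
```

The check deliberately ignores commented lines, because the most common editing mistake with this file is to change the value inside the comment block rather than the live key below it. Remember that a passing check only proves the file is right; whether security mode actually installs anything still depends on the repositories providing errata metadata, which the stock CentOS 7 repositories do not.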

Step 4 - Check yum-cron logs

yum-cron is started by a cron job (/etc/cron.daily/0yum-daily.cron), so the record of each run lives in cron's own log under the /var/log directory. Note that the job first sleeps for a random period of up to random_sleep minutes (360 by default, set in yum-cron.conf), so the actual update can happen several hours after the cron entry.

So head to the /var/log directory and search the cron log file for the daily job:

cd /var/log
grep yum-daily cron

And in case you want to see the packages that have been updated, check the yum.log file, where each applied update is recorded as an "Updated:" line:

grep Updated yum.log
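The two greps above answer "did it run?" and "what changed?" only if you read the output by hand. The script below is an added example, not part of the original tutorial, that turns the same two logs into checkable answers: the timestamp of the last daily yum-cron run and the list of packages updated, optionally restricted to one day. The log lines at the bottom are constructed samples in the format CentOS 7 writes to /var/log/cron and /var/log/yum.log; the host name and package versions in them are placeholders, not taken from any real system.

```shell
#!/bin/sh
# Added example, not from the original tutorial: summarise the yum-cron run
# history from /var/log/cron and the applied updates from /var/log/yum.log.
# The sample log lines below are constructed for the demonstration.

# last_yum_cron_run CRONLOG
# Print "Mon DD HH:MM:SS" of the most recent start of the daily yum-cron job,
# which run-parts logs as "starting 0yum-daily.cron". Empty output means the
# job never ran according to this log.
last_yum_cron_run() {
    grep 'starting 0yum-daily.cron' "$1" | tail -n 1 | awk '{ print $1, $2, $3 }'
}

# updated_packages YUMLOG [DAY]
# List the package NEVRAs that yum.log recorded as "Updated:", one per line.
# With DAY given as "Mon DD" (e.g. "Oct 12"), only that day's entries are
# shown. Installed/Erased entries are ignored on purpose.
updated_packages() {
    awk -v day="${2:-}" '
        $4 == "Updated:" && (day == "" || ($1 " " $2) == day) { print $5 }' "$1"
}

# Constructed /var/log/cron excerpt: two daily runs of the yum-cron job.
cron_sample() {
    cat <<'EOF'
Oct 11 03:12:01 centos7 run-parts(/etc/cron.daily)[2281]: starting 0yum-daily.cron
Oct 11 03:12:02 centos7 run-parts(/etc/cron.daily)[2290]: finished 0yum-daily.cron
Oct 12 03:41:01 centos7 run-parts(/etc/cron.daily)[3124]: starting 0yum-daily.cron
Oct 12 03:41:03 centos7 run-parts(/etc/cron.daily)[3133]: finished 0yum-daily.cron
EOF
}

# Constructed /var/log/yum.log excerpt: note the gap between the cron start
# time and the update time, caused by yum-cron's random_sleep.
yum_log_sample() {
    cat <<'EOF'
Oct 11 07:58:44 Updated: openssl-libs-1:1.0.2k-19.el7.x86_64
Oct 11 07:58:45 Updated: openssl-1:1.0.2k-19.el7.x86_64
Oct 12 08:17:20 Installed: yum-cron-3.4.3-154.el7.centos.1.noarch
Oct 12 08:20:02 Updated: bash-4.2.46-34.el7.x86_64
EOF
}

# Usage on a live host:
#   last_yum_cron_run /var/log/cron
#   updated_packages /var/log/yum.log "$(date '+%b %e')"
c=$(mktemp); y=$(mktemp)
cron_sample > "$c"; yum_log_sample > "$y"
echo "last yum-cron run: $(last_yum_cron_run "$c")"
echo "updated on Oct 12:"; updated_packages "$y" "Oct 12"
rm -f "$c" "$y"
```

Two things the raw grep does not make obvious: the cron entry only shows that the job was launched, and the update itself can land hours later because of random_sleep, so always correlate both logs when checking that a specific fix went in; and yum.log rotates, so for anything older than the current file look in the rotated yum.log-* files as well.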
