Setup Automatic Security Updates on CentOS 7
In this tutorial, we will discuss how configure a CentOS 7 server for automatic security updates. This will make sure the system automatically downloads packages and applies all security updates without any manual intervention.
Step1-Install yum-cron on CentOS 7
Yum-cron is a command-line tool to manage system and package updates on CentOS systems.
The utility is available in the CentOS 7 repository. You can install it using the command below.
[root@newdelhihosting ~]# yum -y install yum-cron
After the installation is complete, start the yum-cron service, and then make sure it starts automatically at system boot from now on. All this can be done using the following commands:
[root@newdelhihosting ~]# yum -y install yum-cron Loaded plugins: fastestmirror base | 3.6 kB 00:00 centosplus | 3.4 kB 00:00 extras | 3.4 kB 00:00 updates | 3.4 kB 00:00 Determining fastest mirrors * base: centos.excellmedia.net * centosplus: centos.excellmedia.net * extras: centos.excellmedia.net * updates: centos.excellmedia.net Resolving Dependencies --> Running transaction check ---> Package yum-cron.noarch 0:3.4.3-154.el7.centos.1 will be installed --> Finished Dependency Resolution Dependencies Resolved ================================================================================ Package Arch Version Repository Size ================================================================================ Installing: yum-cron noarch 3.4.3-154.el7.centos.1 updates 62 k Transaction Summary ================================================================================ Install 1 Package Total download size: 62 k Installed size: 51 k Downloading packages: yum-cron-3.4.3-154.el7.centos.1.noarch.rpm | 62 kB 00:00 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : yum-cron-3.4.3-154.el7.centos.1.noarch 1/1 Verifying : yum-cron-3.4.3-154.el7.centos.1.noarch 1/1 Installed: yum-cron.noarch 0:3.4.3-154.el7.centos.1 Complete! [root@newdelhihosting ~]# systemctl start yum-cron [root@newdelhihosting ~]# systemctl enable yum-cron
Step2-Configure yum-Cron for automatic updates
we need to configure it for automatic updates.,After installing the yum-cron package, By three kinds of updates by default, yum-cron provides : default update using yum upgrade command, minimal update, and security update.
Note that in this tutorial, we will configure yum-cron for security updates (related to both system and packages). So let’s begin.
As a first step, go to the ‘yum’ configuration directory and edit the ‘yum-cron.conf’ file using the Vim editor.
cd /etc/yum vim yum -cron.conf
In this tutorial, we are focusing only on security updates, so change the value from ‘default’ to ‘security’.
update_cmd = security
Similarly, head to the line beginning with the ‘update_messages’ string, and make sure its value is ‘yes’.
update_messages = yes
Then do the same for ‘download_updates’ and ‘apply_updates’ lines.
download_updates = yes apply_updates = yes
So whenever security update available, the system will be automatically download the required packages and apply all the updates.
[commands] # What kind of update to use: # default = yum upgrade # security = yum --security upgrade # security-severity:Critical = yum --sec-severity=Critical upgrade # minimal = yum --bugfix update-minimal # minimal-security = yum --security update-minimal # minimal-security-severity:Critical = --sec-severity=Critical update-minimal update_cmd = security # Whether a message should be emitted when updates are available, # were downloaded, or applied. update_messages = yes # Whether updates should be downloaded when they are available. download_updates = yes # Whether updates should be applied when they are available. Note # that download_updates must also be yes for the update to be applied. apply_updates = yes
Next up is message notification configuration. Basically, Yum-cron provides two ways: either you can have notifications displayed on STDIO, or have them sent to an email address. For this tutorial, we will be going with the second option, which is email.
So change the value of ’emit_via’ to ’email’ as shown below.
emit_via = email
There are a handful of other related changes that you have to do, including specifying from and to email addresses and email host.
email_from=id@yourdomainname.com
emai_to=xxxx@gmail.com
[emitters] # Name to use for this system in messages that are emitted. If # system_name is None, the hostname will be used. system_name = None # How to send messages. Valid options are stdio and email. If # emit_via includes stdio, messages will be sent to stdout; this is useful # to have cron send the messages. If emit_via includes email, this # program will send email itself according to the configured options. # If emit_via is None or left blank, no messages will be sent. emit_via = email # The width, in characters, that messages that are emitted should be # formatted to. output_width = 80 [email] # The address to send email messages from. # NOTE: 'localhost' will be replaced with the value of system_name. email_from = email_id@yourdomainname.com # List of addresses to send messages to. email_to = xxxxx.com
The Final Step is restart the yum-cron service,which you can do using the following command
systemctl restart yum-cron
At this stage,any security on the system will be automatically downloaded and applied using yum-cron on daily basis
Step 3-Configure exclude Packages
we don’t want to apply automatic updates on some packages, including kernel. In this step, we will discuss the configuration that’ll let you disable updates for select packages.
So the first step is to edit the configuration file yum-cron.conf, which resides in the yum configuration directory
cd /etc/yum/ nano yum-cron.conf
[base] exclude = mysql* kernel* # This section overrides yum.conf # Use this to filter Yum core messages # -4: critical # -3: critical+errors # -2: critical+errors+warnings (default) debuglevel = -2 # skip_broken = True mdpolicy = group:main # Uncomment to auto-import new gpg keys (dangerous) # assumeyes = True
So, in our case all packages name is begining with ‘mysql’ or ‘kernel’ will be disabled for automatic updates
Step 4 -Check yum-cron logs
yum-cron uses a cronjob for automatic upates and all log for this cron is available under the ‘var/log’ directory.
So you need to head to the ‘var/log’ directory to access the ‘cron’ log file
cd /var/log cat cron | grep yum -daily
And in cases you want to see the packages that have been updated,you can check the yum.log file.
cat yum.log |grep updated