{"id":1004,"date":"2018-02-23T12:07:50","date_gmt":"2018-02-23T12:07:50","guid":{"rendered":"https:\/\/www.newdelhihosting.co.in\/blog\/?p=1004"},"modified":"2018-02-23T13:26:20","modified_gmt":"2018-02-23T13:26:20","slug":"setup-automatic-security-updates-on-centos-7","status":"publish","type":"post","link":"https:\/\/www.newdelhihosting.co.in\/blog\/setup-automatic-security-updates-on-centos-7\/","title":{"rendered":"Setup Automatic Security Updates on CentOS 7"},"content":{"rendered":"

In this tutorial, we will discuss how configure a CentOS 7 server for automatic security updates. This will make sure the system automatically downloads packages and applies all security updates without any manual intervention.
\nStep1-Install yum-cron on CentOS 7<\/strong>
\nYum-cron<\/em> is a command-line tool to manage system and package updates on CentOS systems.<\/p>\n

The utility is available in the CentOS 7 repository. You can install it using the command below.<\/p>\n

 [root@newdelhihosting ~]# yum -y install yum-cron<\/pre>\n
After the installation is complete, start the yum-cron service, and then make sure it starts automatically at system boot from now on. All this can be done using the following commands:<\/p>\n
[root@newdelhihosting ~]# yum -y install yum-cron<\/strong>\r\nLoaded plugins: fastestmirror\r\nbase                                                     | 3.6 kB     00:00\r\ncentosplus                                               | 3.4 kB     00:00\r\nextras                                                   | 3.4 kB     00:00\r\nupdates                                                  | 3.4 kB     00:00\r\nDetermining fastest mirrors\r\n * base: centos.excellmedia.net\r\n * centosplus: centos.excellmedia.net\r\n * extras: centos.excellmedia.net\r\n * updates: centos.excellmedia.net\r\nResolving Dependencies\r\n--> Running transaction check\r\n---> Package yum-cron.noarch 0:3.4.3-154.el7.centos.1 will be installed\r\n--> Finished Dependency Resolution\r\n\r\nDependencies Resolved\r\n\r\n================================================================================\r\n Package        Arch         Version                        Repository     Size\r\n================================================================================\r\nInstalling:\r\n yum-cron       noarch       3.4.3-154.el7.centos.1         updates        62 k\r\n\r\nTransaction Summary\r\n================================================================================\r\nInstall  1 Package\r\n\r\nTotal download size: 62 k\r\nInstalled size: 51 k\r\nDownloading packages:\r\nyum-cron-3.4.3-154.el7.centos.1.noarch.rpm                 |  62 kB   00:00\r\nRunning transaction check\r\nRunning transaction test\r\nTransaction test succeeded\r\nRunning transaction\r\n  Installing : yum-cron-3.4.3-154.el7.centos.1.noarch                       1\/1\r\n  Verifying  : yum-cron-3.4.3-154.el7.centos.1.noarch                       1\/1\r\n\r\nInstalled:\r\n  yum-cron.noarch 0:3.4.3-154.el7.centos.1\r\n\r\nComplete!\r\n[root@newdelhihosting ~]# systemctl start yum-cron<\/strong>\r\n[root@newdelhihosting ~]# systemctl enable yum-cron\r\n<\/strong><\/pre>\n
Step2-Configure yum-Cron for automatic updates<\/p>\n
we need to configure it for automatic updates.,After installing the yum-cron package, By three kinds of updates by default, yum-cron provides : default update using yum upgrade command, minimal update, and security update.<\/p>\n
Note that in this tutorial, we will configure yum-cron for security updates (related to both system and packages). So let’s begin.<\/p>\n
As a first step, go to the ‘yum’ configuration directory and edit the ‘yum-cron.conf’ file using the Vim editor.<\/p>\n
cd \/etc\/yum\r\nvim yum -cron.conf<\/pre>\n
In this tutorial, we are focusing only on security updates, so change the value from ‘default’ to ‘security’.<\/p>\n
update_cmd = security<\/pre>\n
Similarly, head to the line beginning with the ‘update_messages’ string, and make sure its value is ‘yes’.<\/p>\n
update_messages = yes<\/pre>\n
Then do the same for ‘download_updates’ and ‘apply_updates’ lines.<\/p>\n
download_updates = yes\r\napply_updates = yes<\/pre>\n
So whenever security update available, the system will be automatically download the required packages and apply all the updates.<\/p>\n
[commands]\r\n#  What kind of update to use:\r\n# default                            = yum upgrade\r\n# security                           = yum --security upgrade\r\n# security-severity:Critical         = yum --sec-severity=Critical upgrade\r\n# minimal                            = yum --bugfix update-minimal\r\n# minimal-security                   = yum --security update-minimal\r\n# minimal-security-severity:Critical =  --sec-severity=Critical update-minimal\r\nupdate_cmd = security<\/strong>\r\n\r\n# Whether a message should be emitted when updates are available,\r\n# were downloaded, or applied.\r\nupdate_messages = yes<\/strong>\r\n\r\n# Whether updates should be downloaded when they are available.\r\ndownload_updates = yes<\/strong>\r\n\r\n# Whether updates should be applied when they are available.  Note\r\n# that download_updates must also be yes for the update to be applied.\r\napply_updates = yes\r\n<\/strong>\r\n<\/pre>\n
Next up is message notification configuration. Basically, Yum-cron provides two ways: either you can have notifications displayed on STDIO, or have them sent to an email address. For this tutorial, we will be going with the second option, which is email.<\/p>\n
So change the value of ’emit_via’ to ’email’ as shown below.<\/p>\n
emit_via = email<\/pre>\n
There are a handful of other related changes that you have to do, including specifying from and to email addresses and email host.<\/p>\n
email_from=id@yourdomainname.com<\/pre>\n
emai_to=xxxx@gmail.com<\/pre>\n
[emitters]\r\n# Name to use for this system in messages that are emitted.  If\r\n# system_name is None, the hostname will be used.\r\nsystem_name = None<\/strong>\r\n\r\n# How to send messages.  Valid options are stdio and email.  If\r\n#\r\nemit_via includes stdio, messages will be sent to stdout; this is useful\r\n# to have cron send the messages.  If emit_via includes email, this\r\n# program will send email itself according to the configured options.\r\n# If emit_via is None or left blank, no messages will be sent.\r\nemit_via = email<\/strong>\r\n\r\n# The width, in characters, that messages that are emitted should be\r\n# formatted to.\r\noutput_width = 80\r\n\r\n\r\n[email]\r\n# The address to send email messages from.\r\n# NOTE: 'localhost' will be replaced with the value of system_name.\r\nemail_from = email_id@yourdomainname.com<\/strong>\r\n\r\n# List of addresses to send messages to.\r\nemail_to = xxxxx.com<\/strong>\r\n<\/pre>\n
The Final Step is restart the yum-cron service,which you can do using the following command<\/p>\n
systemctl restart yum-cron<\/pre>\n
At this stage,any security on the system will be automatically downloaded and applied using yum-cron on daily basis<\/p>\n
Step 3-Configure exclude Packages<\/strong><\/p>\n
we don’t want to apply automatic updates on some packages, including kernel. In this step, we will discuss the configuration that’ll let you disable updates for select packages.<\/p>\n
So the first step is to edit the configuration file yum-cron.conf, which resides in the yum configuration directory<\/p>\n
cd \/etc\/yum\/\r\nnano yum-cron.conf<\/pre>\n
[base]\r\nexclude = mysql* kernel*<\/strong>\r\n# This section overrides yum.conf\r\n\r\n# Use this to filter Yum core messages\r\n# -4: critical\r\n# -3: critical+errors\r\n# -2: critical+errors+warnings (default)\r\ndebuglevel = -2\r\n\r\n# skip_broken = True\r\nmdpolicy = group:main\r\n\r\n# Uncomment to auto-import new gpg keys (dangerous)\r\n# assumeyes = True\r\n<\/pre>\n
So, in our case all packages name is begining with ‘mysql’ or ‘kernel’ will be disabled for automatic updates<\/p>\n
Step 4 -Check yum-cron logs<\/strong><\/p>\n
yum-cron uses a cronjob for automatic upates and all log for this cron is available under the ‘var\/log’ directory.<\/p>\n
So you need to head to the ‘var\/log’ directory to access the ‘cron’ log file<\/p>\n
cd \/var\/log\r\ncat cron | grep yum -daily<\/pre>\n
And in cases you want to see the packages that have been updated,you can check the yum.log file.<\/p>\n
cat yum.log |grep updated<\/pre>\n","protected":false},"excerpt":{"rendered":"
In this tutorial, we will discuss how configure a CentOS 7 server for automatic security updates. This will make sure the system automatically downloads packages and applies all security updates without any manual intervention. Step1-Install yum-cron on CentOS 7 Yum-cron is a command-line tool to manage system and package updates on CentOS systems. The utility…<\/p>\n","protected":false},"author":1,"featured_media":1006,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[24,12],"tags":[],"class_list":["post-1004","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-centos","category-vps"],"jetpack_featured_media_url":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-content\/uploads\/2018\/02\/security-updates-e1519387644275.png","_links":{"self":[{"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/posts\/1004"}],"collection":[{"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/comments?post=1004"}],"version-history":[{"count":1,"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/posts\/1004\/revisions"}],"predecessor-version":[{"id":1007,"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/posts\/1004\/revisions\/1007"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/media\/1006"}],"wp:attachment":[{"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/media?parent=1004"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/categories?post=1004"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/tags?post=1004"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}