Automatically check for Security Updates on CentOS or Scientific Linux?
We have machines running RedHat-based distros such as CentOS or Scientific Linux. We want the systems to automatically notify us if there are any known vulnerabilities to the installed packages. FreeBSD does this with the ports-mgmt/portaudit port.
RedHat provides yum-plugin-security, which can check for vulnerabilities by their Bugzilla ID, CVE ID or advisory ID. In addition, Fedora recently started to support yum-plugin-security. I believe this was added in Fedora 16.
Scientific Linux 6 did not support yum-plugin-security as of late 2011. It does ship with /etc/cron.daily/yum-autoupdate, which updates RPMs daily. I don't think this handles Security Updates only, however.
CentOS does not support yum-plugin-security.
I monitor the CentOS and Scientific Linux mailing lists for updates, but this is tedious and I want something which can be automated.
For those of us who maintain CentOS and SL systems, are there any tools which can:
- Automatically (programmatically, via cron) inform us if there are known vulnerabilities with my current RPMs.
- Optionally, automatically install the minimum upgrade required to address a security vulnerability, which would probably be yum update-minimal --security on the command line?
I have considered using yum-plugin-changelog to print out the changelog for each package, and then parse the output for certain strings. Are there any tools which do this already?
Solution 1:
If you absolutely want to use the yum security plugin, there is a way to do this, although a little elaborate. But once you have it set up, it's all automated.
The only requirement is that you will need to have at least one subscription to RHN, which is a good investment IMO, but let's stick to the point.
- Once you have the subscription, you can use mrepo, or reposync, to set up an in-house Yum repo that mirrors CentOS repos (or you could just use rsync).
- Then use the script attached to this mailing list post, to periodically connect to your RHN subscription, to download security packages info. Now you have two options.
- Extract just the package names from the generated "updateinfo.xml" file, and use that information to "search" your servers for RPMs needing security or other updates, using puppet or cfengine, or ssh-in-a-for-loop. This is simpler, gives you everything you want, but you can't use yum security.
- The other option is to use the modifyrepo command as shown here, to inject updateinfo.xml into repomd.xml. Before doing this, you will have to modify the perl script to change the RPM MD5 sums inside the xml, from the RHN to CentOS sums. And you will have to make sure if CentOS repos actually have all RPMs mentioned in updateinfo.xml, as they are behind RHN sometimes. But that's fine, you can ignore the updates CentOS hasn't caught up with, as there is little you can do about it, short of building them from SRPMs.
With option 2, you can install the yum security plugin on all clients, and it will work.
Edit: This also works for Red Hat RHEL 5 and 6 machines. And is simpler than using a heavyweight solution like Spacewalk or Pulp.
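As an added example (not part of this answer, and not the mailing-list script it refers to), here is a Python script that takes the first of the two options: it parses an updateinfo.xml, pulls the package name and epoch/version/release out of every security advisory, and compares them against a host's installed RPM list with a simplified rpm version comparison (it assumes no tilde or caret segments in version strings). The updateinfo.xml and the installed-package list are constructed samples built around advisory IDs that appear elsewhere on this page; in real use you would feed it the generated updateinfo.xml and the output of `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'` collected from each server.

```python
"""Match security advisories from updateinfo.xml against installed packages.

Added example, not the answer author's tooling. The XML and installed list
below are constructed samples in the structure yum's updateinfo.xml and
`rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'` produce.
"""
import re
import xml.etree.ElementTree as ET

# Constructed updateinfo.xml: two security advisories plus one bugfix advisory.
SAMPLE_UPDATEINFO = """<?xml version="1.0" encoding="UTF-8"?>
<updates>
  <update status="final" type="security" version="1">
    <id>SLSA-2013:1459-1</id><title>Moderate: gnupg2 security update</title>
    <severity>Moderate</severity>
    <references>
      <reference href="https://example.invalid/CVE-2013-4402" id="CVE-2013-4402" type="cve" title="CVE-2013-4402"/>
    </references>
    <pkglist><collection short="sl6">
      <package arch="x86_64" epoch="0" name="gnupg2" release="6.el6_4" version="2.0.14" src="gnupg2-2.0.14-6.el6_4.src.rpm">
        <filename>gnupg2-2.0.14-6.el6_4.x86_64.rpm</filename></package>
    </collection></pkglist>
  </update>
  <update status="final" type="security" version="1">
    <id>SLSA-2013:1270-1</id><title>Important: polkit security update</title>
    <severity>Important</severity><references/>
    <pkglist><collection short="sl6">
      <package arch="x86_64" epoch="0" name="polkit" release="5.el6_4" version="0.96" src="polkit-0.96-5.el6_4.src.rpm">
        <filename>polkit-0.96-5.el6_4.x86_64.rpm</filename></package>
    </collection></pkglist>
  </update>
  <update status="final" type="bugfix" version="1">
    <id>SLBA-2013:1486-1</id><title>selinux-policy bug fix update</title><references/>
    <pkglist><collection short="sl6">
      <package arch="noarch" epoch="0" name="selinux-policy" release="195.el6_4.13" version="3.7.19" src="selinux-policy-3.7.19-195.el6_4.13.src.rpm">
        <filename>selinux-policy-3.7.19-195.el6_4.13.noarch.rpm</filename></package>
    </collection></pkglist>
  </update>
</updates>
"""

# Constructed installed list: gnupg2 is behind the fix, polkit already has it,
# selinux-policy is behind but only a bugfix advisory covers it.
SAMPLE_INSTALLED = """gnupg2 (none) 2.0.14 4.el6
polkit (none) 0.96 5.el6_4
selinux-policy (none) 3.7.19 195.el6_4.10
bash (none) 4.1.2 15.el6_4
"""

_SEGMENT = re.compile(r"(\d+|[a-zA-Z]+)")

def rpmvercmp(a, b):
    """Compare two version or release strings like rpm does: split into numeric
    and alphabetic segments, numeric segments compare as integers, a numeric
    segment beats an alphabetic one, and the longer string wins a tie.
    Returns -1, 0 or 1. (Tilde/caret handling is deliberately left out.)"""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples; epoch is an int and wins outright."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

def parse_installed(text):
    """Parse 'NAME EPOCH VERSION RELEASE' lines; rpm prints '(none)' for no epoch.
    When several versions are installed (kernels), keep only the newest."""
    pkgs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, epoch, ver, rel = line.split()
        evr = (0 if epoch == "(none)" else int(epoch), ver, rel)
        if name not in pkgs or evr_cmp(evr, pkgs[name]) > 0:
            pkgs[name] = evr
    return pkgs

def parse_updateinfo(xml_text, types=("security",)):
    """Yield (advisory_id, severity, cves, package_name, fixed_evr) for every
    package listed in an advisory whose type is in `types`."""
    root = ET.fromstring(xml_text)
    for upd in root.findall("update"):
        if upd.get("type") not in types:
            continue
        adv = upd.findtext("id")
        sev = (upd.findtext("severity") or "unknown").lower()
        cves = tuple(r.get("id") for r in upd.findall("references/reference")
                     if r.get("type") == "cve")
        for pkg in upd.findall("pkglist/collection/package"):
            evr = (int(pkg.get("epoch") or 0), pkg.get("version"), pkg.get("release"))
            yield adv, sev, cves, pkg.get("name"), evr

def pending_advisories(xml_text, installed_text):
    """Return sorted (advisory, severity, name, installed_evr, fixed_evr, cves)
    for installed packages older than the version an advisory fixes."""
    installed = parse_installed(installed_text)
    out = []
    for adv, sev, cves, name, fixed in parse_updateinfo(xml_text):
        cur = installed.get(name)
        if cur is not None and evr_cmp(cur, fixed) < 0:
            out.append((adv, sev, name, cur, fixed, cves))
    return sorted(out)

if __name__ == "__main__":
    for adv, sev, name, cur, fixed, cves in pending_advisories(SAMPLE_UPDATEINFO, SAMPLE_INSTALLED):
        print(f"{adv} {sev}: {name} {cur[1]}-{cur[2]} -> {fixed[1]}-{fixed[2]} {' '.join(cves)}")
```

Run once per host with that host's rpm -qa output and the report lists only advisories that actually apply; a package that is not installed, or already at the fixed release, produces no line. Packages that appear in updateinfo.xml but are not yet in the CentOS repo are exactly the ones the answer says to ignore, and they surface here as pending until the mirror catches up.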
Solution 2:
Scientific Linux can now list security updates from the command line. Furthermore I can update a system to only apply security updates, which is better than the default ("Just update everything! Including bugfixes which you don't care about and which introduce regressions.")
I have tested this on both Scientific Linux 6.1 and a 6.4. I'm not sure when this was officially announced, but I'll post more when I find out.
Here are some examples.
List a summary of security updates:
[root@node1 ~]# yum updateinfo
Loaded plugins: changelog, downloadonly, fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
Updates Information Summary: available
4 Security notice(s)
1 important Security notice(s)
3 moderate Security notice(s)
2 Bugfix notice(s)
updateinfo summary done
[root@node1 ~]# yum list-sec
Loaded plugins: changelog, downloadonly, fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
SLSA-2013:1459-1 moderate/Sec. gnupg2-2.0.14-6.el6_4.x86_64
SLSA-2013:1436-1 moderate/Sec. kernel-2.6.32-358.23.2.el6.x86_64
SLSA-2013:1436-1 moderate/Sec. kernel-devel-2.6.32-358.23.2.el6.x86_64
SLSA-2013:1436-1 moderate/Sec. kernel-firmware-2.6.32-358.23.2.el6.noarch
SLSA-2013:1436-1 moderate/Sec. kernel-headers-2.6.32-358.23.2.el6.x86_64
SLSA-2013:1457-1 moderate/Sec. libgcrypt-1.4.5-11.el6_4.x86_64
SLSA-2013:1270-1 important/Sec. polkit-0.96-5.el6_4.x86_64
SLBA-2013:1486-1 bugfix selinux-policy-3.7.19-195.el6_4.13.noarch
SLBA-2013:1491-1 bugfix selinux-policy-3.7.19-195.el6_4.18.noarch
SLBA-2013:1486-1 bugfix selinux-policy-targeted-3.7.19-195.el6_4.13.noarch
SLBA-2013:1491-1 bugfix selinux-policy-targeted-3.7.19-195.el6_4.18.noarch
updateinfo list done
List by CVE:
[root@node2 ~]# yum list-sec cves
Loaded plugins: changelog, downloadonly, fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
* epel: mirrors.kernel.org
* sl6x: ftp.scientificlinux.org
* sl6x-security: ftp.scientificlinux.org
7404 packages excluded due to repository priority protections
CVE-2012-6085 moderate/Sec. gnupg2-2.0.14-6.el6_4.x86_64
CVE-2013-4351 moderate/Sec. gnupg2-2.0.14-6.el6_4.x86_64
CVE-2013-4402 moderate/Sec. gnupg2-2.0.14-6.el6_4.x86_64
CVE-2013-4162 moderate/Sec. kernel-2.6.32-358.23.2.el6.x86_64
CVE-2013-4299 moderate/Sec. kernel-2.6.32-358.23.2.el6.x86_64
CVE-2013-4162 moderate/Sec. kernel-firmware-2.6.32-358.23.2.el6.noarch
CVE-2013-4299 moderate/Sec. kernel-firmware-2.6.32-358.23.2.el6.noarch
CVE-2013-4242 moderate/Sec. libgcrypt-1.4.5-11.el6_4.x86_64
updateinfo list done
And then I can apply the minimal set of changes required to
[root@node1 ~]# yum update-minimal --security
Or, just patch everything:
[root@node1 ~]# yum --quiet --security check-update
gnutls.x86_64 2.8.5-14.el6_5 sl-security
libtasn1.x86_64 2.3-6.el6_5 sl-security
[root@node1 ~]# yum --quiet --security update
=================================================================================================================
Package Arch Version Repository Size
=================================================================================================================
Updating:
gnutls x86_64 2.8.5-14.el6_5 sl-security 345 k
libtasn1 x86_64 2.3-6.el6_5 sl-security 237 k
Transaction Summary
=================================================================================================================
Upgrade 2 Package(s)
Is this ok [y/N]: Y
[root@node1 ~]#
If I try this same command on a CentOS 6 box, I don't get any results. I know for a fact that some of the '137 packages available' contain security fixes, because I received the errata notices yesterday via the CentOS mailing lists.
[root@node1 ~]# yum --security check-update
Loaded plugins: downloadonly, fastestmirror, security
Loading mirror speeds from cached hostfile
* base: mirrors.usc.edu
* epel: mirrors.kernel.org
* extras: mirror.web-ster.com
* updates: mirrors.kernel.org
Limiting package lists to security relevant ones
No packages needed for security; 137 packages available
[root@node1 ~]#
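The listing above is what a cron job has to work with to send the notification the question asks for. As an added example (not part of this answer), here is a Python script that parses `yum list-sec` output, groups the security advisories by ID and severity, ignores the plugin banner, mirror list and trailer lines, and returns an exit status the cron wrapper can key on (100 when something at or above the chosen severity is pending, borrowing the convention `yum check-update` uses for "updates available"). The sample text is constructed from the advisory lines shown in this answer; the `--live` switch, which runs yum itself, is an assumption of this script and not a yum option.

```python
"""Summarize `yum list-sec` output for a cron notification.

Added example, not the answer author's tooling. Advisory lines look like
`SLSA-2013:1459-1 moderate/Sec. gnupg2-2.0.14-6.el6_4.x86_64`,
`SLBA-2013:1486-1 bugfix selinux-policy-...` or, from `yum list-sec cves`,
`CVE-2013-4162 moderate/Sec. kernel-...`. The sample below is constructed
from the lines shown in the answer.
"""
import re
import subprocess
import sys

SAMPLE_OUTPUT = """Loaded plugins: changelog, downloadonly, fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
 * epel: mirrors.kernel.org
7404 packages excluded due to repository priority protections
SLSA-2013:1459-1 moderate/Sec. gnupg2-2.0.14-6.el6_4.x86_64
SLSA-2013:1436-1 moderate/Sec. kernel-2.6.32-358.23.2.el6.x86_64
SLSA-2013:1436-1 moderate/Sec. kernel-firmware-2.6.32-358.23.2.el6.noarch
SLSA-2013:1270-1 important/Sec. polkit-0.96-5.el6_4.x86_64
SLBA-2013:1486-1 bugfix selinux-policy-3.7.19-195.el6_4.13.noarch
updateinfo list done
"""

# An advisory line: an errata ID (XXSA-YYYY:NNNN-N) or a CVE ID, then either
# "<severity>/Sec." or a plain type word (bugfix, enhancement), then the NEVRA.
# Anchoring on the ID shape is what keeps "updateinfo list done" from matching.
LINE_RE = re.compile(
    r"^(?P<id>[A-Z]+-\d{4}:\d+(?:-\d+)?|CVE-\d{4}-\d+)\s+"
    r"(?:(?P<sev>\w+)/Sec\.|(?P<type>\w+))\s+(?P<pkg>\S+)\s*$")

SEVERITY_RANK = {"low": 1, "moderate": 2, "important": 3, "critical": 4}

def parse_list_sec(text):
    """Return a list of {id, severity, type, pkg} dicts, advisory lines only."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # plugin banner, mirror list, exclusion count, trailer
        rows.append({
            "id": m.group("id"),
            "severity": (m.group("sev") or "").lower(),
            "type": "security" if m.group("sev") else m.group("type").lower(),
            "pkg": m.group("pkg"),
        })
    return rows

def summarize(rows, notify_at="moderate"):
    """Group security rows by advisory ID; return (groups, should_notify).
    should_notify is True when any advisory is at or above `notify_at`."""
    by_adv = {}
    for r in rows:
        if r["type"] != "security":
            continue
        entry = by_adv.setdefault(r["id"], {"severity": r["severity"], "pkgs": []})
        if r["pkg"] not in entry["pkgs"]:
            entry["pkgs"].append(r["pkg"])
    worst = max((SEVERITY_RANK.get(e["severity"], 0) for e in by_adv.values()), default=0)
    return by_adv, worst >= SEVERITY_RANK[notify_at]

def format_report(by_adv):
    """Plain-text body for a cron mail, most severe advisory first."""
    ordered = sorted(by_adv.items(),
                     key=lambda kv: -SEVERITY_RANK.get(kv[1]["severity"], 0))
    return "\n".join(f"{adv} [{e['severity']}]: {', '.join(e['pkgs'])}" for adv, e in ordered)

def main(argv):
    # --live (this script's own flag) runs yum; otherwise use the constructed sample.
    if "--live" in argv:
        proc = subprocess.run(["yum", "--quiet", "list-sec"],
                              capture_output=True, text=True, check=False)
        text = proc.stdout
    else:
        text = SAMPLE_OUTPUT
    by_adv, notify = summarize(parse_list_sec(text))
    if notify:
        print(format_report(by_adv))
    return 100 if notify else 0  # 100 = security updates pending, 0 = nothing to do

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

From cron, something like `python3 list_sec_report.py --live || mail -s "security updates pending" ops@example.invalid` (addresses and file name are placeholders) sends mail only when the script exits non-zero; raising `notify_at` to "important" keeps moderate advisories out of the mailbox while still catching the ones that matter. On a CentOS box without updateinfo metadata the output has no advisory lines at all, so the script exits 0 silently, which is the same false "all clear" the answer demonstrates, not a sign that the host is patched.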
Solution 3:
I had the same problem. I took a stab at creating some Python code to pull together Yum Updates and advisories from the steve-meier Errata site mentioned above (I filter it based on installed packages).
In case it helps, here is the source: https://github.com/wied03/centos-package-cron
Solution 4:
Scientific Linux (at least 6.2 and 6.3; I don't have any 6.1 systems left) not only supports yum-plugin-security, but the configuration file for yum-autoupdate, /etc/sysconfig/yum-autoupdate, allows you to enable only the installation of security updates.
# USE_YUMSEC
# This switches from using yum update to using yum-plugin-security
# true - run 'yum --security' update rather than 'yum update'
# false - defaults to traditional behavior running 'yum update' (default)
# + anything other than true defaults to false
#USE_YUMSEC="false"
USE_YUMSEC="true"